Summary
Under the proposed Cloud and AI Development Act (CADA), public hospitals and healthcare providers would face new procurement rules prioritizing "Union assurance levels" for cloud services. Specifically, Article 30 mandates that contracting authorities must assess risks to public order; if healthcare activities are deemed critical, they must procure cloud services recognized at Union assurance levels 2, 3, or 4, rather than the baseline level 1. This aims to safeguard sensitive patient data and ensure operational autonomy. Crucially, Recital 24 identifies healthcare as a sector involving "critical data," while Recital 62 links the required assurance levels to the preservation of public order in sectors like healthcare falling under the NIS2 Directive.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a structural shift in EU digital policy, moving from general market harmonization to explicit technological sovereignty. For the healthcare sector, this is particularly consequential. Hospitals and health systems manage some of the most sensitive personal data in existence while relying on continuous, uninterrupted digital services for patient care. The proposal seeks to ensure that the infrastructure underpinning these services is resilient against third-country interference.
Healthcare as a Strategic Sector: Recitals 19, 24, and 62
CADA explicitly identifies healthcare as a domain where digital resilience is not merely a technical requirement but a strategic imperative.
Recital 19 highlights the transformative potential of AI in healthcare, noting that the Cloud and AI Leadership Initiatives should facilitate the development, testing, and deployment of AI models in the sector. It emphasizes that these advancements should "improve the accuracy of clinical decisions and transform the pharmaceutical sector," while ensuring "security and data protection." This recital frames healthcare as a priority for the supply-side initiatives of the Act.
However, the demand-side sovereignty argument is anchored in Recital 24. This recital explicitly states that the uptake of cloud computing services provided by European providers is necessary to ensure technological autonomy, "particularly in sectors such as healthcare and education which involve the processing of critical data." This specific phrasing elevates healthcare from a general public service to a sector where data sovereignty is a prerequisite for operational security.
Most critically for procurement obligations, Recital 62 provides the operational logic for the assurance levels. It states that risk assessments must determine which Union assurance level is appropriate "due to their importance in preserving public order in sectors falling under Directive (EU) 2022/2555 [NIS2]." Since healthcare is explicitly listed in Annex I of the NIS2 Directive, Recital 62 confirms that healthcare activities are the primary candidates for the higher assurance levels (2, 3, and 4) required to preserve public order.
Procurement Obligations Under Article 30
The most direct impact on public hospitals comes from Title IV, Chapter II, Section 1, specifically Article 30, which governs public procurement of cloud computing services.
1. The Baseline Requirement (Union Assurance Level 1)
Article 30(2) establishes a minimum standard for all public sector bodies. It states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having a "Union assurance level 1."
Under Annex II, Section 1, Level 1 requires:
- The provider is established in the Union.
- Infrastructure and customer data remain exclusively within the Union (unless explicitly required otherwise by the public body).
- Compliance with state-of-the-art cybersecurity standards.
- Full transparency regarding subcontractors.
2. The Critical Sector Requirement (Union Assurance Levels 2–4)
The decisive provision for healthcare is Article 30(3). It mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), which explicitly includes healthcare, must only procure cloud computing services recognized as having a Union assurance level 2, 3, or 4.
This creates a tiered compliance landscape:
- Level 2: Requires the provider and subcontractors to be established in the Union, with infrastructure and personnel located there. It mandates a European cybersecurity certificate of at least "substantial" assurance (Annex II, 2.1(e)). Crucially, it prohibits using customer data to train or fine-tune AI systems operated by third countries (Annex II, 2.1(f)).
- Level 3: Adds stricter personnel requirements. Annex II, 3.1(d) mandates that personnel, including those of subcontractors, must be Union citizens and, where appropriate, hold national security clearances. It allows for the secure hosting of EU classified information.
- Level 4: The highest tier, requiring a cybersecurity certificate of at least "high" assurance (Annex II, 4.1(e)). It ensures that sensitive data identified through risk assessment remains exclusively within the Union and prohibits third-country control entirely.
3. The Role of Risk Assessment (Article 29)
Article 30 does not automatically classify all hospital activities as "public order" critical. Instead, it relies on the risk assessments mandated by Article 29. Member States and Union entities must carry out these assessments to identify which specific public sector activities contribute to the preservation of public order.
Article 29(1) requires these assessments to identify activities in sectors falling under NIS2 Annex I or II. Article 29(2) requires the assessment to consider:
- The sensitivity, criticality, and magnitude of non-personal data.
- The nature, scope, and purpose of processing personal data.
- The risk of unlawful access by a third country.
- The risk of service disruption.
For a public hospital, this means that while a public-facing informational website might fall under Level 1, systems handling electronic health records (EHR), telemedicine platforms, or critical care infrastructure are likely to be flagged in the national risk assessment as requiring Level 2, 3, or 4 assurance.
Interaction with the European Health Data Space (EHDS)
CADA operates alongside the proposed European Health Data Space (EHDS) Regulation. While the EHDS focuses on facilitating the secondary use of health data for research and policy, CADA provides the sovereign infrastructure layer necessary to execute that vision securely.
Recital 22 notes that AI models should be used to support better decision-making in critical public domains like healthcare, facilitating data reuse "while ensuring security and data protection." CADA's sovereignty framework complements the EHDS by ensuring that when health data is reused across borders or by different entities, it is hosted on cloud services that meet higher Union assurance levels. This ensures the data remains under EU jurisdiction and is not accessible to third-country authorities, thereby aligning with the EHDS's goal of fostering trust in health data reuse.
Third-Country Control and Article 18
A critical nuance for healthcare providers is the treatment of third-country control. Article 18 allows the Commission to adopt implementing acts identifying third countries where providers subject to that third country's control may be audited for Union assurance level 3.
However, this is a derogation. Annex II, Section 3.1(g) states the general rule: providers must not be subject to third-country control. The Article 18 mechanism is the exception, allowing Level 3 eligibility only if the Commission has adopted a specific implementing act for that country.
For Level 4, there is no such derogation. Annex II, Section 4.1(g) explicitly states that for Level 4, the provider and subcontractors must not be subject to the control of a third country. This absolute exclusion means that for the highest tier of healthcare data protection, providers controlled by non-EU jurisdictions (even those with adequacy decisions) are ineligible unless they structurally separate their EU operations to the point of losing third-country control.
What this means for you
For public-sector procurement officers, hospital administrators, and IT directors, CADA introduces a new layer of due diligence in cloud contracting.
1. Review Your Cloud Contracts Immediately
You must evaluate current and future cloud computing contracts against the proposed Union assurance levels. If your hospital uses a non-EU hyperscaler for core patient data systems, you need to determine if that service can achieve Union assurance level 2 or higher. This may require the provider to undergo independent third-party audits (as per Article 20) and demonstrate strict data localization and personnel controls.
2. Prepare for National Risk Assessments
Your organization will need to participate in or adhere to the national risk assessments mandated by Article 29. Proactively classify your digital services. Systems that are merely informational may only need Level 1, but any system processing sensitive patient data or supporting critical clinical operations will likely be classified as contributing to public order, triggering the higher assurance requirements.
3. Plan for Migration
If your current providers cannot meet Union assurance levels 2–4, you may face a migration requirement. Article 29(6) states that where a risk assessment requires migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility and continuity of service. Start planning exit strategies and data portability measures now.
4. Leverage the EuroCloud Federation
Consider the European public sector cloud federation (EuroCloud Federation) established under Article 34. This mechanism allows public sector bodies to share idle cloud capacity and services. For hospitals, this could offer a cost-effective way to access sovereign, high-assurance cloud infrastructure without building it from scratch.
Common misconceptions
Misconception 1: CADA bans all non-European cloud providers. This is incorrect. CADA does not ban non-EU providers outright. Under Article 18, the Commission can recognize third countries as providing sufficient assurances for Union assurance level 3 if they meet strict criteria (e.g., adequacy decisions, no extraterritorial data access laws). However, for Level 4, providers must not be subject to third-country control. Most non-EU hyperscalers will likely struggle to meet Levels 2–4 without significant structural changes to their EU subsidiaries.
Misconception 2: All healthcare data requires the highest level of security. No. CADA uses a risk-based approach. Article 29 requires Member States to determine which specific activities contribute to public order. A hospital's public website may only need Level 1 assurance, while its electronic health record (EHR) system may require Level 3. The distinction depends on the sensitivity of the data and the criticality of the service as determined by the national risk assessment.
Misconception 3: CADA replaces GDPR. CADA complements, not replaces, the GDPR. The GDPR governs the processing of personal data and individual rights. CADA governs the sovereignty, security, and operational autonomy of the cloud infrastructure hosting that data. A hospital must comply with both: GDPR for data protection principles, and CADA for the infrastructure's trustworthiness and location.
Misconception 4: Private healthcare providers are exempt. While Article 30 specifically targets contracting authorities (public sector), Article 31 allows private sector entities in critical sectors (like those listed in NIS2 Annex I) to conduct similar impact assessments. Furthermore, the market signal from public procurement will likely pressure private providers to offer sovereign-compliant services to remain competitive in the healthcare market.
This is general information about a draft EU regulation, not legal advice.