Summary
As proposed, the Cloud and AI Development Act (CADA) would fundamentally reshape how public administrations and government bodies procure cloud computing services and AI systems by mandating a new sovereignty framework. Under Article 30, all contracting authorities must procure, as a minimum baseline, cloud services recognized at Union assurance level 1. For activities identified as contributing to the preservation of public order (such as national security, defense, justice, or law enforcement), authorities would be strictly obligated to procure only services recognized at Union assurance levels 2, 3, or 4. Determining which activities fall into these categories requires mandatory risk assessments under Article 29, to be conducted by Member States and Union entities within one year of the regulation's entry into force.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a structured, risk-based approach to public sector cloud procurement, aiming to reduce the EU's dependence on non-European providers and safeguard public order. For public administration and government bodies, the most significant changes revolve around the introduction of "Union assurance levels" and the mandatory risk assessments that dictate which level applies to specific activities. This framework creates a tiered system where the stringency of procurement requirements scales with the sensitivity of the public function being performed.
The Minimum Baseline: Union Assurance Level 1
Under Article 30(2) of the CADA proposal, a universal minimum standard is established for all public sector procurement of cloud computing services. The text explicitly states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services that have been recognized as having Union assurance level 1.
This means that for routine administrative tasks, general IT infrastructure, or non-sensitive data processing, public authorities cannot simply choose the cheapest or most convenient cloud provider. They must select providers that have been formally recognized as meeting the criteria for Union assurance level 1. As defined in Annex II of the proposal, Level 1 requires that the provider is established in the Union, its infrastructure and assets (including those of subcontractors) are located in the Union, and customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise. Furthermore, the provider must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors.
Protecting Public Order: Levels 2, 3, and 4
For more sensitive operations, the baseline requirement increases significantly. Article 30(3) specifies that contracting authorities, including entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4.
What constitutes "public order" is not left to individual interpretation but is defined by specific sectors and activities. Under Article 29(1), these include:
- Sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), i.e. critical infrastructure such as energy, transport, banking, and health.
- National security and internal security.
- External border management.
- Defense.
- Justice and law enforcement, including the prevention, investigation, detection, and prosecution of criminal offenses.
For these high-stakes activities, the sovereignty requirements are significantly stricter, as detailed in Annex II:
- Level 2 requires that the audited provider and subcontractors are established in the Union, with infrastructure, assets, and personnel located in the Union. It mandates a European cybersecurity certificate of at least assurance level "substantial" (not "high", which is reserved for Level 4) and prohibits data generated by the service from being used to train AI systems operated by third countries.
- Level 3 adds the requirement that personnel, including those of subcontractors, must be Union citizens (with national security clearance where handling classified information is required). It also allows for the hosting of EU classified information.
- Level 4 imposes the highest security standards, requiring a European cybersecurity certificate of at least assurance level "high" and ensuring that sensitive data identified following a risk assessment remains exclusively within the Union.
The Role of Risk Assessments: Article 29
The bridge between a public body's activities and the required assurance level is the risk assessment mechanism outlined in Article 29. Member States and Union entities are obligated to carry out these risk assessments by one year after the regulation enters into force, and thereafter every two years or whenever necessary.
These assessments must:
- Identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order in the sectors listed above.
- Determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.
When conducting these assessments, authorities must consider the sensitivity, criticality, and magnitude of the non-personal and personal data processed, the risk of unlawful access by a third country, and the risk of service disruption. The Commission will provide guidance and templates to ensure consistency across the Union. If a risk assessment determines that a migration to a different, more secure cloud service is required, Article 29(6) mandates that the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility and data portability.
Procurement Flexibility and Exceptions
While Article 30 sets strict rules, it does allow for limited derogations to prevent operational paralysis. Article 30(4) permits contracting authorities to decide not to procure services with a recognized Union assurance level if:
- The subject matter of the tender cannot be supplied by recognized services available in the central repository, and no adequate or reasonable alternative exists (provided this absence is not the result of an artificial narrowing of parameters).
- The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders.
- Applying the requirements would require the contracting authority to procure services at disproportionate cost.
These exceptions are intended to be exceptional and require careful justification, ensuring that the push for sovereignty does not compromise essential public services where no compliant alternative currently exists.
What this means for you
For procurement officers, IT directors, and public administration leaders, the implementation of CADA as proposed would require a comprehensive audit of current cloud contracts and a restructuring of procurement strategies.
1. Map Your Activities to Assurance Levels: You must categorize your organization's cloud usage immediately. Which systems handle routine administrative data (requiring Level 1), and which support critical public order functions (requiring Levels 2 to 4)? This classification will drive your procurement requirements. You cannot assume that a general-purpose cloud contract covers all needs; high-security activities will require specialized, sovereign-compliant services.
2. Prepare for Mandatory Risk Assessments: Your organization will need to conduct and document risk assessments as per Article 29. This is not a one-time exercise but a biennial requirement. You should begin aligning your internal risk management frameworks with the criteria set out in the proposal, particularly regarding data sensitivity and third-country access risks. Remember that the Commission has the power to review these assessments and specify assurance levels if it deems a Member State's assessment inadequate.
3. Review Current Contracts for Compliance: If your current cloud providers do not hold recognition for the required Union assurance levels, you will need to plan for migration. The proposal allows up to 12 months for migration if a risk assessment triggers a change in assurance level. Start engaging with your current providers to understand their path to recognition, or begin the tendering process for compliant alternatives. Note that for Level 2, providers must obtain a "substantial" cybersecurity certification, while Level 4 requires a "high" certification.
4. Leverage the EuroCloud Federation: The proposal establishes the EuroCloud Federation (under Article 34) to facilitate the sharing of public sector cloud capacities. Procurement officers should monitor this initiative, as it may offer a pathway to access sovereign cloud resources through cross-border cooperation, potentially reducing costs and increasing bargaining power for smaller Member States.
5. Update Procurement Documentation: Your tender documents will need to explicitly require Union assurance level recognition. You will need to verify that bidders have been recognized by a national competent authority and are listed in the central repository established by the Commission. Additionally, Article 32 allows you to include "Union added value" as a non-price award criterion (up to 15% of the evaluation), enabling you to award points for contributions to the EU digital supply chain, further incentivizing sovereign solutions.
Common misconceptions
Misconception 1: All public sector cloud use requires the highest security level. Reality: CADA adopts a proportionate approach. Only activities contributing to public order (as defined in Article 29) require Levels 2 to 4. Routine administrative tasks only require Level 1. This prevents unnecessary costs and complexity for low-risk operations.
Misconception 2: The AI Act's rules replace CADA's procurement requirements. Reality: The AI Act regulates the safety and fundamental rights compliance of AI systems themselves. CADA focuses on the sovereignty and operational resilience of the cloud infrastructure hosting those systems. They are complementary; you must comply with both. CADA's assurance levels do not exempt you from AI Act obligations, nor does the AI Act provide sovereignty guarantees.
Misconception 3: I can continue using my current non-EU hyperscaler if I sign a GDPR-compliant contract. Reality: GDPR compliance is necessary but not sufficient for CADA. The proposal explicitly addresses the gap between data protection and sovereignty. Even with Standard Contractual Clauses, a non-EU provider may not meet the infrastructure, personnel, and data localization requirements of Union assurance levels, especially for public order activities. For Level 3, personnel must be Union citizens; for Level 4, the provider must not be subject to third-country control.
Misconception 4: Risk assessments are purely internal and optional. Reality: Article 29 makes risk assessments mandatory for Member States and Union entities. Furthermore, the Commission will review these assessments and can adopt implementing acts to specify required assurance levels if it deems a Member State's assessment inadequate. Consistency across the Union is a key objective.
Misconception 5: Level 3 and Level 4 both require "high" cybersecurity certification. Reality: Only Level 4 requires a European cybersecurity certificate of at least assurance level "high". Level 2 and Level 3 require a certificate of at least assurance level "substantial". This distinction is critical for providers aiming to serve different tiers of public sector activities.
This is general information about a draft EU regulation, not legal advice.