Summary

The proposed Cloud and AI Development Act (CADA) does not regulate the use of health data; that is the domain of the European Health Data Space (EHDS). Instead, CADA governs the infrastructure hosting that data. As proposed in COM(2026) 502 final, CADA establishes a mandatory "Union cloud computing sovereignty framework" requiring public sector bodies to procure cloud services at specific "Union assurance levels" (1–4) based on risk assessments. For health data, Article 29 mandates a risk assessment to determine if the activity contributes to "public order." If so, Article 30(3) would require procurement of services at Level 2, 3, or 4, imposing strict criteria on personnel citizenship, third-country control, and cybersecurity certification. Compliance with EHDS data-sharing rules does not automatically satisfy CADA's infrastructure sovereignty requirements; in-house counsel must navigate both layers.

Detail

The interaction between the Cloud and AI Development Act (CADA) and the European Health Data Space (EHDS) represents a critical intersection of data governance and infrastructure sovereignty. While the EHDS (Regulation (EU) 2024/...) focuses on the rights to access and exchange health data for primary (care) and secondary (research, policy) use, CADA addresses the underlying cloud computing services that process and store this data. The two instruments are complementary: EHDS defines what data can be shared and for what purpose, while CADA defines where and on what infrastructure that data must be hosted to safeguard Union public order.

CADA's Operational Mandate for Health Data

CADA explicitly identifies healthcare as a strategic sector for AI adoption and data reuse. Under Article 4(7), the Cloud and AI Leadership Initiatives pursue "operational objective 7," which includes:

  • "accelerating the technological development and uptake of AI models and systems in critical public sector domains"; and
  • "facilitat[ing] secure, privacy-enhancing health data reuse for AI models and tools in healthcare."

This provision aligns CADA with the EHDS's goal of enabling secondary use of health data. However, CADA does not grant access rights or define data categories; rather, it ensures that the cloud infrastructure supporting these activities meets rigorous sovereignty standards. The proposal aims to reduce dependencies on non-EU providers, ensuring that critical health data remains under Union control.

The Sovereignty Framework: From Risk Assessment to Procurement

The mechanism linking CADA to EHDS data is the Union cloud computing sovereignty framework established in Article 16. This framework defines four "Union assurance levels" (1–4), with Level 1 as the baseline and Level 4 as the highest tier of sovereignty and security. The applicable level is not determined by the data type alone (e.g., "health data") but by the activity's contribution to public order.

Article 29 mandates that Member States and Union entities conduct risk assessments to determine the required assurance level. These assessments must identify public sector activities that "contribute to the preservation of public order," explicitly including sectors falling under Annex I or II of the NIS2 Directive (which encompasses healthcare) and areas such as national security and internal security.

The compliance logic for health data hosted in the cloud proceeds as follows:

  1. Risk Assessment (Article 29): Public authorities managing health data (e.g., national health institutes, public hospitals, or entities acting on their behalf) must assess the "sensitivity, criticality, and magnitude" of the data processed. They must evaluate the risk of unlawful access by third countries and the risk of service disruption.
  2. Determination of Assurance Level: Based on this assessment, the authority determines if the activity requires Union assurance Level 1, 2, 3, or 4. Recital 62 notes that "Union assurance levels 3 and 4 should allow for the secure hosting of EU classified information," suggesting that highly sensitive health data (e.g., genomic data, pandemic response data) may trigger these higher tiers.
  3. Procurement Obligation (Article 30):
    • Article 30(2): Entities whose activities are not identified as contributing to public order must use services recognized as having Union assurance Level 1.
    • Article 30(3): Contracting authorities whose activities are identified as contributing to public order (which may include critical health infrastructure) "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

Specific Criteria for Health Data Hosting

If a risk assessment under Article 29 determines that hosting specific EHDS data contributes to public order, the cloud provider must meet the cumulative criteria of the relevant assurance level as set out in Annex II. These criteria are significantly stricter than standard cybersecurity certifications:

  • Union Assurance Level 2:

    • Establishment & Location: The provider and subcontractors must be established in the Union, with infrastructure, assets, and personnel located in the Union (Annex II, 2.1(a)-(b)).
    • Data Usage: Data generated by the service "are not used to train or fine-tune any AI system operated by a third country" (Annex II, 2.1(f)).
    • Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level "substantial" (Annex II, 2.1(e)). Note: Under CADA, "substantial" is the standard for L2 and L3; only L4 requires "high".
    • Personnel: Personnel requirements are conditional. Annex II, 2.1(d) states: "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available."
  • Union Assurance Level 3:

    • Personnel: Unlike Level 2, Level 3 imposes a mandatory requirement. Annex II, 3.1(d) states: "the personnel... are Union citizens and where appropriate, the personnel must also have the necessary national security clearance."
    • Third-Country Control: The provider must not be subject to third-country control, unless a derogation under Article 18 applies. Article 18 allows the Commission to recognize a third country as providing sufficient assurances for Level 3 if it meets specific criteria (e.g., adequacy decision, no extraterritorial control). Note: The draft text in Annex II 3.1(g) references "Article 19" for this derogation; this is a drafting slip in the proposal. The correct cross-reference is Article 18.
    • Cybersecurity: Requires a certificate of at least assurance level "substantial" (Annex II, 3.1(e)).
  • Union Assurance Level 4:

    • Cybersecurity: Requires a certificate of at least assurance level "high" (Annex II, 4.1(e)).
    • Control: Strict prohibition on third-country control with no derogation mechanism mentioned for this level.
    • Personnel: Mandatory Union citizenship and security clearance (Annex II, 4.1(d)).

Penalties and Enforcement

Non-compliance with CADA's sovereignty framework carries significant risks. Article 24 requires Member States to lay down rules on penalties for infringements by cloud service providers. These penalties must be "effective, proportionate and dissuasive." Factors for imposing penalties include the nature, gravity, scale, and duration of the infringement, as well as the financial benefits gained.

Crucially, Article 24(3) grants recipients of cloud services the right to "seek... compensation from cloud computing service providers for any damage or loss suffered due to an infringement." For in-house counsel, this means that procuring a cloud service with an incorrect assurance level for EHDS-hosted health data could expose the public body to liability for damages, in addition to potential administrative fines imposed by national authorities.

What this means for you

For in-house counsel, compliance officers, and public procurement teams in the healthcare sector, the interaction between CADA and EHDS creates a dual-layer compliance obligation. You must satisfy the data-sharing rules of the EHDS while simultaneously ensuring the infrastructure meets CADA's sovereignty tiers.

1. Conduct the Article 29 Risk Assessment Immediately

Do not assume all health data requires the highest tier. You must formally assess whether your specific activity (e.g., "secondary use of genomic data for pandemic research") contributes to the "preservation of public order" as defined in Article 29(1).

  • Action: Document the sensitivity, criticality, and magnitude of the data.
  • Outcome: If the activity is deemed critical to public order, you are legally barred from using Level 1 providers under Article 30(3). You must procure Level 2, 3, or 4.

2. Verify Provider Recognition and Assurance Levels

Check the central repository established under Article 22 to confirm your cloud provider's recognized status.

  • Level 2 Check: Ensure the provider has a "substantial" cybersecurity certificate and that their personnel screening is conditional on your specific requirements.
  • Level 3 Check: If your risk assessment mandates Union citizenship for personnel, verify the provider has a workforce of Union citizens. Confirm whether they rely on an Article 18 derogation for third-country control (if applicable).
  • Level 4 Check: If your data is classified or highly sensitive, verify the provider holds a "high" cybersecurity certificate and has no third-country control.

3. Audit the Supply Chain for AI Training Restrictions

A critical constraint for health data under CADA is the prohibition on using data to train third-country AI systems. Annex II (Levels 2, 3, and 4) explicitly states that data generated by the service "are not used to train or fine-tune any AI system operated by a third country."

  • Action: Review your cloud provider's terms of service and audit reports to ensure they have implemented technical and contractual measures to prevent this. This is a specific requirement for the higher assurance levels that goes beyond standard GDPR compliance.

4. Align Procurement Cycles with Deadlines

Member States must carry out risk assessments by the date of entry into force plus one year, and thereafter every two years (Article 29(1)).

  • Action: Ensure your procurement cycles align with these national assessments. If a Member State updates its risk assessment and reclassifies a health activity as "public order," you may be required to migrate to a higher assurance level within a "reasonable transition period that shall not exceed 12 months" (Article 29(6)).

Common misconceptions

"Complying with EHDS means complying with CADA." Incorrect. The EHDS governs the legal basis for data access and sharing. CADA governs the sovereignty and security of the cloud infrastructure. You can be fully compliant with EHDS data-sharing rules but non-compliant with CADA if your cloud provider lacks the required Union assurance level for your specific risk profile.

"All health data requires Union Assurance Level 4." Not necessarily. The required tier depends entirely on the risk assessment under Article 29. Routine administrative health data might only require Level 1 (if not deemed public order), while critical infrastructure or sensitive research data may require Level 3 or 4. The assessment is activity-specific, not data-type specific.

"CADA replaces GDPR for health data." No. CADA complements data protection laws. Recital 63 clarifies that "the criteria under the Union assurance levels should not affect obligations of cross-border cooperation provided by Union law," including the GDPR. Both sets of rules apply concurrently. CADA adds a layer of sovereignty requirements on top of GDPR's data protection obligations.

"L3 cybersecurity certification is 'high'." Incorrect. Under Annex II, Level 2 and Level 3 both require a European cybersecurity certificate of at least assurance level "substantial" (Annex II, 2.1(e) and 3.1(e)). Only Level 4 requires a certificate of at least assurance level "high" (Annex II, 4.1(e)).

"Third-country derogations are under Article 19." The draft text in Annex II, 3.1(g) references "Article 19" for the derogation allowing third-country control at Level 3. This is a drafting slip in the proposal. The correct mechanism for recognizing third countries is established in Article 18.

This is general information about a draft EU regulation, not legal advice.