Summary

As proposed, the Cloud and AI Development Act (CADA) directly operationalises the EU's Preparedness Union Strategy by legally mandating the mitigation of a specific systemic risk: dependence on critical digital infrastructure. The proposal's explanatory memorandum explicitly states that the sovereignty framework, and in particular the risk assessment mechanism in Article 29, contributes directly to the "digital preparedness dimension" of the Strategy. This ensures that cloud and AI services underpinning emergency management, civil protection coordination, and disaster response are provided at the appropriate Union assurance level, thereby safeguarding operational continuity during crises.

Detail

The relationship between the proposed Cloud and AI Development Act (CADA) and the Preparedness Union Strategy is not merely complementary; it is structural. The Preparedness Union Strategy identifies "dependence on critical digital infrastructure as a systemic risk" and calls for a "whole-of-government approach to ensuring the continuity of essential services in crisis scenarios." CADA provides the specific legislative instrument to execute this call to action within the cloud and AI ecosystem.

The Strategic Link: From Policy to Legal Obligation

The CADA explanatory memorandum clarifies that the proposal "supports the objectives of the Preparedness Union Strategy." While the Strategy sets the political and strategic direction, CADA establishes the binding legal framework to achieve it. The memorandum notes that the sovereignty framework established by the Regulation "contributes directly to the digital preparedness dimension of that Strategy by ensuring that the cloud and AI services underpinning emergency management, civil protection coordination and disaster response operations are provided at the appropriate Union assurance level."

This linkage transforms the Strategy's high-level goals into enforceable procurement and operational requirements. By mandating that critical public functions rely on cloud services that have been audited and recognised for their sovereignty, CADA ensures that the EU's digital resilience is not dependent on the voluntary goodwill of providers but on a verified, tiered assurance system.

Article 29: The Engine of Digital Preparedness

The core mechanism through which CADA fulfils the Preparedness Union Strategy is Article 29, titled "Risk assessments." This article imposes a rigorous, recurring obligation on Member States and Union entities to evaluate their reliance on cloud services against the backdrop of public order and crisis continuity.

1. Mandatory and Recurring Assessments

Under Article 29(1), Member States and Union entities must carry out a first risk assessment within one year of the Regulation's entry into force, and thereafter "every two years, or whenever necessary." This biennial cycle ensures that digital preparedness is a dynamic, ongoing process rather than a static compliance checkbox. The assessments must identify public sector activities that use or will use cloud computing services and that "contribute to the preservation of public order."

2. Scope: Emergency Management and Civil Protection

The scope of these assessments is explicitly aligned with the crisis-management focus of the Preparedness Union Strategy. Article 29(1)(a) requires the identification of activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive) and in specific areas including "national security, internal security, external border management, defence, justice or law enforcement." Crucially, the explanatory memorandum confirms that the broader spectrum of crisis response is within scope, so that activities related to "emergency management, civil protection coordination and disaster response operations" are captured.

3. Determining the Appropriate Assurance Level

The primary output of the Article 29 assessment is the determination of the required Union assurance level. The assessment must "determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities." This ensures a proportionate approach: not every emergency function requires the highest tier of sovereignty, but those that do, such as those handling classified information or critical coordination during a disaster, must be matched with services recognised at Level 3 or 4.

4. Commission Methodology and Oversight

To ensure consistency across the Union, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. This methodology will explicitly "specify how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence." Furthermore, Article 29(5) grants the Commission the power to intervene: if it concludes that a Member State's identified assurance level is "not appropriate or does not adequately address the public order concerns," it may adopt implementing acts to specify the required level. This creates a centralised safety net for digital preparedness.

5. Factors for Assessment

In conducting these assessments, Article 29(2) mandates that Member States and Union entities consider:

  • The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
  • The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
  • The risk and consequent impact on public order of possible service disruption.

These factors directly address the "systemic risk" identified in the Preparedness Union Strategy, focusing on the dual threats of foreign interference and operational discontinuity.

From Assessment to Procurement: Ensuring Continuity

The risk assessment under Article 29 is not an end in itself; it is the prerequisite for compliant procurement. Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

This creates a closed loop of preparedness:

  1. Identify Risk: The Article 29 assessment identifies emergency management activities as critical to public order.
  2. Set Standard: The assessment determines which level (2, 3 or 4) is required to mitigate the risk of disruption or foreign access, with Level 3 or 4 for the most sensitive functions.
  3. Procure Resilience: The authority is legally barred from procuring Level 1 services for these activities, ensuring that the infrastructure supporting crisis response is sovereign and resilient.

Additionally, Article 29(9) requires Member States and Union entities to consider whether a "multi-vendor or multi-cloud strategy is appropriate" as part of their procurement, further enhancing resilience by avoiding single points of failure.

What this means for you

For legal counsel, compliance officers, and public procurement managers, the intersection of CADA and the Preparedness Union Strategy creates a new, non-negotiable layer of due diligence for any cloud service supporting crisis management or civil protection.

  • Initiate the Article 29 Process Immediately: As soon as CADA enters into force, you must begin the process of mapping your organisation's activities to the public order criteria. Do not wait for the one-year deadline. Identify all functions related to emergency management, civil protection, and disaster response.
  • Conduct the Biennial Risk Assessment: Establish a formal, documented process to assess the sensitivity of data and the risk of service disruption for these functions. This assessment must be repeated every two years and updated "whenever necessary" if the threat landscape or your operational needs change.
  • Align Procurement with Assurance Levels: Your procurement teams must be trained to understand that the outcome of the Article 29 assessment dictates the minimum assurance level for tender specifications. If your assessment concludes that a function is critical to public order, you cannot award a contract for a Level 1 service. You must verify that the provider holds a valid recognition for Level 2, 3, or 4.
  • Prepare for Commission Review: Be ready to submit your risk assessment results to the Commission within three months of completion (Article 29(4)). Ensure your methodology aligns with the Commission's implementing acts to avoid the risk of the Commission mandating a higher assurance level for your activities.
  • Consider Multi-Cloud Strategies: Given the emphasis on continuity, evaluate whether a multi-vendor or multi-cloud approach is necessary to mitigate the risk of a single provider failure during a crisis, as suggested by Article 29(9).

Common misconceptions

"The Preparedness Union Strategy is just a policy document, so CADA is optional." No. While the Strategy itself is a policy framework, CADA is a proposed Regulation that would create binding legal obligations. The Article 29 risk assessments and the subsequent procurement mandates in Article 30 are enforceable legal requirements that give "teeth" to the Strategy's objectives.

"All emergency services automatically require the highest assurance level (Level 4)." Not necessarily. Article 29 requires a risk-based approach. The appropriate level (2, 3, or 4) must be determined by the specific risk assessment for each activity. While some critical functions (e.g., those handling classified information) will require Level 4, others may only require Level 2 or 3. The Commission's methodology will guide this proportionality.

"Risk assessments are a one-time exercise." Incorrect. Article 29(1) explicitly mandates that assessments be carried out "every two years, or whenever necessary." The dynamic nature of cyber threats and crisis scenarios means this is a continuous compliance obligation.

"CADA only affects the technical teams, not legal or procurement." CADA fundamentally shifts the legal and procurement landscape. The Article 29 assessment is a legal prerequisite for procurement. Failure to conduct the assessment or to procure at the mandated assurance level would constitute an infringement of the Regulation, exposing the entity to penalties under Article 24.

This is general information about a draft EU regulation, not legal advice.