Summary

As proposed, the Cloud and AI Development Act (CADA) strengthens civil protection and crisis preparedness by mandating that Member States and Union entities conduct risk assessments to determine the appropriate Union assurance level for cloud services supporting emergency management, civil protection coordination, and disaster response. The proposal explicitly aligns with the Preparedness Union Strategy, identifying dependence on critical digital infrastructure as a systemic risk. By requiring that these critical functions be served by cloud services at the appropriate sovereignty level (typically levels 2, 3, or 4), CADA would aim to prevent third-country legal extraterritoriality or unilateral decisions from disrupting essential crisis response capabilities.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a direct regulatory link between cloud computing sovereignty and the European Union's broader resilience and preparedness objectives. The legislative text frames the current reliance on non-EU cloud providers not merely as a market inefficiency, but as a strategic vulnerability that could compromise the Union's ability to respond to crises.
The Preparedness Union Strategy and Systemic Risk
The explanatory memorandum of the CADA proposal explicitly states that the regulation supports the objectives of the Preparedness Union Strategy. This strategy identifies "dependence on critical digital infrastructure as a systemic risk" and calls for a "whole-of-government approach to ensuring the continuity of essential services in crisis scenarios."
CADA contributes directly to the digital preparedness dimension of that Strategy. The memorandum clarifies that the sovereignty framework established by the Regulation, and in particular the risk assessment mechanism in Article 29, ensures that "the cloud and AI services underpinning emergency management, civil protection coordination and disaster response operations are provided at the appropriate Union assurance level."
This framing treats the cloud infrastructure supporting civil protection as critical digital infrastructure. The proposal notes that the current landscape is characterized by a "pronounced dependence on a limited pool of third-country providers," which exposes European users to risks related to "operational discontinuity." In the context of civil protection, such discontinuity could be catastrophic, potentially preventing the coordination of rescue efforts or the secure handling of sensitive disaster data.
Article 29: Risk Assessments for Public Order
The core mechanism for protecting civil protection services is Article 29 of the CADA proposal. This article obliges Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order.
Article 29(1) requires these assessments to identify activities that contribute to public order in:
- Sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2).
- Areas including national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
While "civil protection" is not explicitly listed as a standalone category in the text of Article 29(1)(a), the explanatory memorandum and the context of the Preparedness Union Strategy clarify that civil protection coordination and disaster response operations are critical functions that must be assessed for their contribution to public order. The risk assessment is designed to capture activities where service disruption or unauthorized data access would "undermine public order."
Under Article 29(2), Member States and Union entities must consider at least the following aspects in their assessments:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The potential impact on public order.
- The risk of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
Procurement Obligations and Assurance Levels
Once a risk assessment determines that a civil protection activity has public order relevance, Article 30(3) triggers mandatory procurement requirements. Contracting authorities must only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4.
This ensures that the cloud services supporting crisis management are subject to strict sovereignty criteria, which include:
- Data Localization: Customer data must remain exclusively within the Union (Annex II, 2.1(c), 3.1(c), 4.1(c)).
- No Third-Country Control: For levels 3 and 4, providers must not be subject to the control of a third country, unless a specific derogation under Article 18 applies (Annex II, 3.1(g), 4.1(g)).
- Cybersecurity Certification: Services must obtain a European cybersecurity certificate of at least assurance level 'substantial' (for levels 2 and 3) or 'high' (for level 4) under the relevant certification scheme (Annex II, 2.1(e), 3.1(e), 4.1(e)).
- Personnel Requirements: For levels 3 and 4, personnel must be Union citizens, and where appropriate, hold national security clearance (Annex II, 3.1(d), 4.1(d)).
Article 29(6) provides a transition mechanism: if the risk assessment requires migration to another cloud service, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service, and data portability.
Systemic Risk and Critical Digital Infrastructure
CADA frames the cloud infrastructure supporting civil protection as part of the Union's critical digital infrastructure. The proposal's explanatory memorandum highlights that the current landscape is characterized by a pronounced dependence on a limited pool of third-country providers. This dependence exposes European users to risks related to operational discontinuity, particularly in scenarios where unilateral decisions by third-country actors could disrupt service provision.
For civil protection, such disruptions could be catastrophic. The proposal aims to mitigate these risks by:
- Harmonizing Sovereignty Criteria: Providing a single EU-wide sovereignty framework with four assurance levels, allowing for consistent protection of critical data.
- Ensuring Operational Autonomy: Requiring that infrastructure, assets, and personnel for higher assurance levels are located in the Union and free from third-country control.
- Facilitating Resilient Procurement: Enabling contracting authorities to leverage their buying power to lower dependencies, including through the use of sector-specific EU-added-value award criteria (Article 32) and common procurement frameworks.
By treating cloud services for civil protection as critical infrastructure, CADA ensures that these services are not just commercially viable but also strategically secure. The proposal complements the NIS2 Directive, which improves cybersecurity risk management for critical entities, by adding a layer of sovereignty assurance that addresses non-technical risks such as legal extraterritoriality and political coercion.
What this means for you
For public-sector and procurement officers responsible for civil protection, emergency management, or disaster response systems, CADA introduces mandatory steps to ensure the sovereignty of your cloud infrastructure.
- Conduct Risk Assessments: You must participate in or lead the risk assessments required by Article 29. Identify all cloud-based services used for emergency management and civil protection coordination. Assess the sensitivity of the data processed (e.g., location data of responders, victim information, critical infrastructure status) and the potential impact of service disruption or unauthorized access by third countries.
- Determine Assurance Levels: Based on the risk assessment, determine the required Union assurance level. Given the critical nature of civil protection, these activities will likely be deemed to have public order relevance, requiring at least Union assurance level 2, 3, or 4.
- Update Procurement Requirements: Revise your cloud procurement specifications to mandate services recognized at the appropriate assurance level. You cannot procure services that do not meet this threshold if the risk assessment indicates public order relevance.
- Verify Provider Recognition: Ensure that any cloud provider you select has been formally recognized by the national competent authority as offering the required assurance level. Check the central repository established under Article 22 for recognized services.
- Plan for Migration: If your current cloud services do not meet the required assurance level, plan for migration. Article 29(6) allows for a reasonable transition period, which shall not exceed 12 months, taking into account technical feasibility and data portability.
Common misconceptions
"CADA replaces NIS2 cybersecurity requirements." No. CADA complements NIS2. While NIS2 focuses on technical cybersecurity risk management, CADA addresses broader sovereignty concerns, including data localization, third-country control, and legal extraterritoriality. A service can be NIS2-compliant but not meet CADA's Union assurance levels if it is controlled by a third-country entity.
"Only defense and law enforcement need high assurance levels." No. The risk assessment under Article 29 covers a broad range of public order activities. Civil protection and disaster response are explicitly mentioned in the explanatory memorandum as critical functions that require appropriate assurance levels to prevent harm to public order.
"All cloud services for civil protection must be at the highest assurance level (Level 4)." No. The required level is determined by the risk assessment. Most public services do not require the highest level. Level 4 is reserved for the most sensitive data and activities. The risk assessment ensures proportionality, allowing for Level 2 or 3 if appropriate for the specific civil protection use case.
"CADA prohibits the use of all non-EU cloud providers." No. CADA does not ban non-EU providers outright. However, for services requiring Union assurance levels 2, 3, or 4, strict criteria apply. For Level 3, the Commission may recognize third countries that provide sufficient safeguards (Article 18). For Level 4, providers must not be subject to third-country control. Non-EU providers can only offer Level 1 services unless they meet specific exemption criteria.
This is general information about a draft EU regulation, not legal advice.