Summary

Under the proposed Cloud and AI Development Act (CADA), data sensitivity is the primary determinant for selecting the correct cloud sovereignty assurance level. Article 29(2)(a) mandates that Member States and Union entities assess the "sensitivity, criticality, and magnitude" of both personal and non-personal data to determine the risk to public order. As clarified in Recital 63, this assessment must account for data categories defined under the GDPR, NIS2 Directive, and DORA. The outcome dictates whether a public body must procure baseline Union Assurance Level 1 services or higher-tier Levels 2, 3, or 4 services, which carry stricter requirements for personnel citizenship, infrastructure location, and third-party control.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a sovereignty framework where the required level of trust in a cloud provider is not static but dynamic, based on a formal risk assessment. The core of this mechanism is Article 29, which obliges Member States and Union entities to identify which public sector activities contribute to the preservation of public order and to determine the appropriate Union Assurance Level (UAL) for those activities.

The Legal Mandate: Article 29(2)(a)

The specific criteria for evaluating data within this framework are explicitly set out in Article 29(2)(a). When conducting the risk assessment, the competent authority "shall consider at least the following aspects":

"the sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects;"

This provision creates a dual-track evaluation requirement:

  1. Non-Personal Data: The assessment focuses on the sensitivity (how damaging disclosure would be), criticality (how essential the data is for operations), and magnitude (the volume or scale of the data). Crucially, the assessment must weigh these factors against the "potential impact on public order." This moves beyond traditional confidentiality concerns to include national security, economic stability, and operational continuity.
  2. Personal Data: For personal data, the assessment mirrors the risk-based approach of the GDPR but adds a sovereignty dimension. It requires evaluating the "nature, scope, context and purpose of processing" and the "risk of varying likelihood and severity for the rights and freedoms of data subjects."

Recital 63: Defining the Data Categories

While Article 29 sets the legal obligation, Recital 63 of the proposal provides the interpretative guidance on what constitutes "sensitive" or "critical" data in the CADA context. It explicitly states:

"In their risk assessments, Union entities and Member State shall assess the sensitivity, criticality and magnitude of personal and non-personal data processed in cloud environment. Such processing may include ordinary business information, commercially sensitive information, operationally critical data, personal data within the meaning of Regulation (EU) 2016/679, and data that is subject to sector-specific obligations under Union law, including Directive (EU) 2022/2555 and Regulation (EU) 2022/2554."

Recital 63 categorizes data into distinct risk profiles that influence the assurance level:

  • Ordinary Business Information: Data with low sensitivity and criticality. If this is the only data processed, the activity likely does not contribute to public order preservation, pointing toward Union Assurance Level 1.
  • Commercially Sensitive Information: Data where disclosure could harm economic interests or competitive positioning. This increases the sensitivity score.
  • Operationally Critical Data: Data whose loss, corruption, or unavailability would disrupt essential services. High criticality here is a strong driver for Levels 2, 3, or 4.
  • Personal Data: Defined by the GDPR. The risk assessment must consider the severity of harm to data subjects.
  • Sector-Specific Data: Data subject to strict regulatory regimes, specifically referencing the NIS2 Directive (cybersecurity for essential entities) and DORA (digital operational resilience for the financial sector).

The Recital further notes that divergent national approaches to classifying these categories could undermine the single market. Consequently, the Commission is empowered to provide "centrally coordinated guidance" to map these data categories to the appropriate Union Assurance Levels, ensuring harmonization across the EU.

Interaction with GDPR, NIS2, and DORA

CADA does not replace existing data protection or cybersecurity laws; rather, it layers a sovereignty assessment on top of them. The risk assessment under Article 29 must integrate findings from these frameworks:

1. GDPR (Regulation (EU) 2016/679)

For personal data, the "sensitivity" assessment under CADA aligns with the GDPR's concept of special categories of data (Article 9) and the principles of data minimization and purpose limitation. Recital 63 explicitly references "personal data within the meaning of Regulation (EU) 2016/679."

  • Impact: If a cloud service processes special category data (e.g., health data, biometric data, or data revealing political opinions), the "risk of varying likelihood and severity for the rights and freedoms of data subjects" is inherently high. This high risk to fundamental rights often correlates with a high risk to public order, likely necessitating Union Assurance Level 3 or 4, which mandate stricter controls on personnel (Union citizenship) and infrastructure location.

2. NIS2 Directive (Directive (EU) 2022/2555)

Recital 63 cites data subject to obligations under NIS2. NIS2 classifies entities as "essential" or "important" based on the criticality of the services they provide (e.g., energy, transport, health, digital infrastructure).

  • Impact: If a public sector body processes data related to an essential service, the "criticality" of that non-personal data is elevated. Under CADA, this heightened criticality contributes directly to the risk score. If the data is deemed critical to the preservation of public order, the entity must procure services at Levels 2, 3, or 4, which require independent third-party audits and guarantees against third-country control.

3. DORA (Regulation (EU) 2022/2554)

Similarly, DORA imposes rigorous ICT risk management requirements on financial entities. While CADA primarily targets public procurement, the "magnitude" and "sensitivity" of financial data processed by public authorities (e.g., tax authorities, financial regulators) must be assessed in light of DORA's resilience standards.

  • Impact: Data subject to DORA is treated as highly critical. The risk assessment must account for the systemic importance of financial data. A failure in the cloud infrastructure hosting such data could threaten financial stability, a core component of public order. This typically triggers a requirement for Union Assurance Level 3 or 4.

The Outcome: From Sensitivity to Assurance Level

The result of this data sensitivity assessment is the selection of the required Union Assurance Level, which then dictates procurement obligations under Article 30:

  • Low Sensitivity/Criticality: If the risk assessment concludes that the activity does not contribute to the preservation of public order (e.g., processing ordinary administrative data), the entity must procure services recognized at Union Assurance Level 1. This level requires a self-assessment of conformity and basic establishment in the Union.
  • High Sensitivity/Criticality: If the assessment identifies that the activity does contribute to the preservation of public order (e.g., defense, justice, law enforcement, or critical infrastructure data), the entity must procure services recognized at Union Assurance Levels 2, 3, or 4.
    • Level 2: Requires independent audits, "substantial" cybersecurity certification, and guarantees against third-country control.
    • Level 3: Adds requirements for Union citizenship for personnel (conditional on public body requirements) and allows for third-country control only via specific Commission derogations (Article 18).
    • Level 4: The highest tier, requiring "high" cybersecurity certification, mandatory Union citizenship for all personnel, and a strict prohibition on third-country control.

What this means for you

For legal counsel, compliance officers, and public procurement teams, the CADA proposal introduces a critical new due diligence step that bridges data protection and national security.

  1. Conduct Formal Risk Assessments: Within one year of CADA's entry into force (and every two years thereafter), your organization must conduct a risk assessment under Article 29. You cannot rely solely on legacy data classification policies. You must explicitly document the "sensitivity, criticality, and magnitude" of the data processed in the cloud, specifically addressing the "potential impact on public order."
  2. Map Data to Assurance Levels: Use the forthcoming Commission guidance (referenced in Recital 63) to map your data categories to the appropriate Union Assurance Level. If you process operationally critical data (NIS2/DORA scope) or special category personal data (GDPR Article 9), expect to require Union Assurance Level 3 or 4.
  3. Review Vendor Contracts and Audits: Ensure your cloud providers can demonstrate compliance with the required Assurance Level. For Levels 2–4, this requires independent third-party audits and a "positive" audit opinion. For Level 1, a self-assessment statement of conformity is sufficient, but only if your risk assessment confirms low public order impact.
  4. Coordinate with Data Protection Officers (DPOs): Since the assessment involves personal data sensitivity, collaborate closely with your DPO. The CADA risk assessment should align with any existing Data Protection Impact Assessments (DPIAs) to avoid duplication and ensure consistency with GDPR obligations, while adding the necessary "public order" and "sovereignty" lens.
  5. Prepare for Penalties: Member States must lay down penalties for infringements of Title IV, Chapter I (Article 24). While the specific fines are set nationally, they must be "effective, proportionate and dissuasive." Non-compliance with the risk assessment obligation could lead to significant administrative fines and the invalidation of procurement procedures.

Common misconceptions

Misconception 1: Data sensitivity only matters for personal data. Reality: Article 29(2)(a) explicitly requires the assessment of "non-personal data" based on its sensitivity, criticality, and magnitude. Commercial secrets, state secrets, and operational data are critical to public order and sovereignty, even if they do not relate to identifiable individuals.

Misconception 2: CADA replaces GDPR risk assessments. Reality: CADA complements GDPR. Recital 63 states that CADA criteria "should not affect obligations of cross-border cooperation provided by Union law." You must still conduct DPIAs under GDPR. However, the CADA risk assessment adds a "public order" and "sovereignty" lens that GDPR does not cover.

Misconception 3: All public sector data requires the highest assurance level. Reality: The framework is risk-based. Recital 52 notes that "most public services would not require the highest levels of assurance." Only activities identified as contributing to the preservation of public order (e.g., defense, justice, critical infrastructure) require Levels 2–4. Ordinary administrative data may only require Level 1.

Misconception 4: Sensitivity is a static classification. Reality: Article 29 requires risk assessments to be updated "every two years, or whenever necessary." Changes in the nature of data processing, new threats, or changes in the public order context may require re-evaluating the sensitivity and criticality of your data.

This is general information about a draft EU regulation, not legal advice.