Summary

The proposed Cloud and AI Development Act (CADA) requires public sector bodies to conduct risk assessments that explicitly evaluate the processing of personal data alongside sovereignty risks. Article 29(2)(a) mandates that these assessments consider the "nature, scope, context and purpose of processing of personal data" and the "risk of varying likelihood and severity for the rights and freedoms of data subjects." This process is designed to run in parallel with, and be consistent with, obligations under Regulation (EU) 2016/679 (GDPR). As clarified in Recital 63, technical and organisational measures implemented to satisfy CADA's sovereignty criteria can be incorporated into GDPR-mandated agreements to demonstrate compliance with both regimes simultaneously.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework. A cornerstone of this framework is the obligation for Member States and Union entities to conduct risk assessments to determine the appropriate "Union assurance level" (Levels 1–4) for their cloud computing services. While the primary objective of these assessments is to safeguard public order and operational autonomy, the proposal explicitly integrates data protection considerations into the sovereignty calculus.

The Legal Basis: Recital 63 and the Non-Preemption of GDPR

The interaction between CADA and the General Data Protection Regulation (GDPR) is not one of replacement but of layering. Recital 63 of the CADA proposal provides the definitive guidance on this relationship. It states that the criteria under the Union assurance levels "should not affect obligations of cross-border cooperation provided by Union law."

Crucially, the recital clarifies the operational link between the two regulations:

"Where cloud computing services are used to process personal data, Regulation (EU) 2016/679 provides for an obligation to agree on organisational and technical measures to comply with that Regulation."

It further explains that specific measures required by CADA to ensure personal data is processed in line with the proposal "could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 and could be relied on to demonstrate that the necessary Union assurance levels are met."

This establishes a dual-compliance strategy. CADA does not create a separate, conflicting set of data protection rules; rather, it identifies specific sovereignty-related technical and organisational measures (TOMs) that, when implemented, can serve as evidence of compliance with GDPR's security requirements (Article 32) while simultaneously satisfying CADA's assurance criteria.

Article 29(2)(a): The Core Assessment Requirement

The mechanism for integrating data protection into the sovereignty risk assessment is found in Article 29(2)(a). This provision dictates the specific factors that Member States and Union entities must consider when carrying out their risk assessments.

The text of Article 29(2)(a) requires the assessment to cover:

"the sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects;"

This language is deliberately aligned with the risk-based approach of the GDPR, particularly the requirements for Data Protection Impact Assessments (DPIAs) under Article 35. By mandating an evaluation of the "rights and freedoms of data subjects," CADA ensures that the pursuit of technological sovereignty does not come at the expense of individual privacy rights.

The assessment must evaluate two distinct but interconnected dimensions:

  1. Public Order and Sovereignty: The sensitivity and criticality of non-personal data (e.g., state secrets, critical infrastructure data) and the potential impact on public order.
  2. Data Subject Rights: The "nature, scope, context and purpose" of personal data processing, and specifically the "risk of varying likelihood and severity" for data subjects. This includes risks such as unauthorized access by third-country actors, which could lead to both a breach of sovereignty (operational autonomy) and a violation of privacy rights.

Technical and Organisational Measures: A Unified Approach

Recital 63 offers a practical pathway for compliance officers to avoid duplicative efforts. It suggests that the specific technical and organisational measures required by CADA to ensure personal data is processed in line with the proposal can be embedded directly into the mandatory agreements required by GDPR.

For example:

  • Data Residency and Access Controls: CADA's higher assurance levels (2, 3, and 4) require that customer data remain exclusively within the Union and that access is restricted to Union citizens or residents. Implementing these strict residency and access controls satisfies CADA's sovereignty criteria. Simultaneously, these measures serve as robust "appropriate technical and organisational measures" under GDPR Article 32 to ensure the security of processing.
  • Subcontractor Oversight: CADA imposes strict criteria on subcontractors regarding their establishment, location, and absence of third-country control. Ensuring that subcontractors meet these criteria not only fulfills CADA's supply chain requirements but also addresses GDPR's requirement for processors to provide sufficient guarantees (Article 28).

By aligning these measures, public sector bodies can use a single set of contractual clauses and technical controls to demonstrate compliance with both the sovereignty framework of CADA and the data protection obligations of the GDPR.

The Role of Subcontractors and Supply Chain Risks

Both regulations place significant responsibility on the primary cloud provider regarding the supply chain. Under GDPR, the controller must ensure that processors and sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures. CADA's Union assurance levels (particularly Levels 2–4) impose even stricter criteria on subcontractors, including requirements for their establishment in the Union, the location of their infrastructure, and the absence of third-country control.

When conducting the CADA risk assessment under Article 29, public sector bodies must evaluate the provider's ability to enforce sovereignty-compliant TOMs across its entire supply chain. If a subcontractor fails to meet CADA's sovereignty criteria (e.g., being subject to third-country control), it may also fail to meet the rigorous security standards expected under GDPR for high-risk processing. This creates a scenario where a failure in sovereignty compliance could trigger a dual compliance failure under both CADA and GDPR.

Alignment with GDPR Data Protection Impact Assessments (DPIAs)

For public sector bodies, the CADA risk assessment under Article 29 will often overlap with the GDPR requirement to conduct a DPIA under Article 35 for processing likely to result in a high risk to the rights and freedoms of natural persons. Given that many public sector activities involving cloud services (e.g., healthcare, law enforcement, social security) involve special category data or large-scale processing, DPIAs are frequently mandatory.

Compliance officers should view the CADA risk assessment as an opportunity to integrate sovereignty risks into the existing DPIA workflow. The "risk to rights and freedoms" evaluated in the CADA assessment (Article 29(2)(a)) can feed directly into the DPIA's risk analysis. This avoids duplication of effort and ensures that both legal bases are satisfied through a single, comprehensive risk management process. The frequency of these assessments is also aligned; Article 29(1) requires risk assessments to be carried out by the date of entry into force plus one year, and thereafter every two years, or whenever necessary, mirroring the ongoing nature of GDPR compliance.

What this means for you

For in-house counsel and compliance officers in the public sector, the integration of CADA and GDPR risk assessments presents a strategic opportunity to streamline data governance.

1. Update Your Risk Assessment Methodologies

Your existing risk assessment frameworks must be updated to include the specific factors outlined in Article 29(2)(a) of CADA. This means explicitly documenting the "sensitivity, criticality, and magnitude" of data, with a specific focus on the "likelihood and severity for the rights and freedoms of data subjects." Ensure your risk registers capture both data protection risks (e.g., privacy breaches) and sovereignty risks (e.g., third-country access) as interconnected threats.

2. Harmonize Technical and Organisational Measures (TOMs)

Do not treat CADA and GDPR security requirements as separate silos. When negotiating with cloud providers, draft TOMs that satisfy both regimes. For instance, if CADA's Union Assurance Level 3 requires that data remains exclusively within the Union, ensure your GDPR Data Processing Agreement (DPA) includes strict data residency clauses and audit rights to verify this. Use Recital 63 as your legal basis to argue that these combined measures fulfill obligations under both regulations.

3. Scrutinize Subcontractor Chains

CADA's higher assurance levels (2–4) impose strict criteria on subcontractors. Your due diligence process must extend beyond the primary provider to its sub-processors. Verify that subcontractors are subject to the same TOMs and that there are no third-country control issues that could compromise both sovereignty and GDPR-compliant security.

4. Prepare for Overlapping Audits

Regulators may audit your compliance with both GDPR and CADA. By aligning your documentation, you can present a unified view of your risk management. Ensure that your records of processing activities (ROPA) under GDPR are consistent with the information provided in your CADA risk assessments. This consistency will demonstrate a robust, holistic approach to data governance.

5. Monitor Delegated Acts

The Commission will issue implementing acts specifying the methodology for CADA risk assessments (Article 29(3)). Stay alert to these developments, as they will provide detailed templates and guidance. These may further clarify how to map GDPR concepts onto the CADA framework, potentially simplifying compliance.

Common misconceptions

Misconception 1: CADA replaces GDPR for cloud services. Reality: CADA does not replace GDPR. Recital 63 explicitly states that CADA's criteria do not affect obligations under Union law, including GDPR. Both regulations apply simultaneously. CADA adds a layer of sovereignty requirements focused on public order and operational autonomy, while GDPR focuses on individual rights and data protection.

Misconception 2: Only personal data matters in CADA risk assessments. Reality: Article 29(2)(a) requires the assessment of both non-personal and personal data. The "sensitivity, criticality, and magnitude" of non-personal data (e.g., state secrets, critical infrastructure data) are also key factors. However, the specific mention of "rights and freedoms of data subjects" ensures that personal data risks are given dedicated attention.

Misconception 3: GDPR-compliant cloud providers automatically meet CADA requirements. Reality: GDPR compliance does not guarantee CADA compliance. A provider may meet GDPR's security standards but still be subject to third-country control laws (e.g., the US CLOUD Act) that conflict with CADA's sovereignty criteria. CADA requires specific assurances regarding the absence of third-country control and the location of infrastructure, which go beyond standard GDPR obligations.

Misconception 4: Risk assessments are a one-time exercise. Reality: Article 29(1) requires risk assessments to be carried out by the date of entry into force plus one year, and thereafter every two years, or whenever necessary. This is a continuous obligation, similar to the ongoing nature of GDPR compliance. Changes in the cloud provider's structure, new threats, or changes in the nature of data processed may trigger a need for an updated assessment.

This is general information about a draft EU regulation, not legal advice.