Summary

Under the proposed Cloud and AI Development Act (CADA), the Article 29 risk assessment is the mandatory legal gateway that dictates the minimum sovereignty level a public body must procure. By evaluating whether specific activities contribute to preserving public order, the assessment triggers a binary split in procurement obligations: activities not linked to public order must use services recognised at Union assurance level 1 (Article 30(2)), while activities identified as contributing to public order may only be served by cloud services recognised at Union assurance level 2, 3, or 4 (Article 30(3)). This mechanism keeps procurement requirements proportionate to the actual risk to the Union's public order.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sovereign cloud framework designed to mitigate the EU's dependence on third-country providers and protect critical public functions. The operational heart of this framework is the strict interplay between the risk assessment obligations in Article 29 and the resulting procurement mandates in Article 30. For contracting authorities, the Article 29 assessment is not a voluntary best practice but the definitive legal trigger that defines the technical and sovereignty specifications for any cloud contract.

The Article 29 Risk Assessment: The Decision Engine

Article 29(1) imposes a strict, recurring obligation on Member States and Union entities to conduct risk assessments. These assessments must be completed within one year of the Regulation's entry into force and repeated every two years, or whenever necessary. The primary purpose of this assessment is to identify public sector activities that use or will use cloud computing services and determine whether those activities contribute to the preservation of public order.

The scope of "public order" under Article 29(1)(a) is explicitly defined and broad. It encompasses sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), as well as specific areas including national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

When conducting this assessment, Article 29(2) requires authorities to consider a specific set of risk factors:

  • The sensitivity, criticality, and magnitude of the non-personal data processed.
  • The nature, scope, context, and purpose of the processing of personal data, including the risks, of varying likelihood and severity, to the rights and freedoms of data subjects.
  • The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
  • The risk and consequent impact on public order of possible service disruption.

The outcome of this analysis is a determination of which Union assurance level (1, 2, 3, or 4) is appropriate for the identified activities. This determination serves as the direct bridge to procurement obligations.

Feeding into Article 30: The Procurement Split

The risk assessment directly feeds into Article 30, which sets out the binding procurement rules for contracting authorities. The regulation creates a clear binary split based on the results of the Article 29 assessment:

1. The Baseline: Union Assurance Level 1 (Article 30(2)) If the risk assessment does not identify a public sector body's activities as contributing to the preservation of public order, the obligation is lighter but still mandatory. Under Article 30(2), these entities must use cloud computing services that have been recognised as having Union assurance level 1. This level is the minimum baseline for all public sector cloud usage, ensuring a consistent standard of sovereignty and security across the Union even for less critical operations.

2. The Enhanced Requirement: Union Assurance Levels 2, 3, or 4 (Article 30(3)) If the risk assessment identifies activities that do contribute to the preservation of public order (e.g., defence, justice, critical infrastructure), Article 30(3) imposes a stricter mandate. Contracting authorities in these sectors may only procure cloud computing services that have been recognised as having Union assurance level 2, 3, or 4. Which of the three levels applies is decided by the Article 29 assessment itself, which maps the sensitivity of the data and the criticality of the service to the appropriate assurance tier.

Mitigating Risk and Ensuring Continuity

The process is dynamic, not static. Article 29(6) acknowledges that a risk assessment may require migration from one cloud provider to another in order to meet the newly required assurance level. In such cases, Member States or Union entities must migrate within a reasonable transition period that may not exceed 12 months, taking into account technical feasibility, continuity of service, and data portability requirements.

Furthermore, Article 29(5) provides a crucial safeguard for harmonisation: if the Commission concludes, after reviewing a Member State's risk assessment, that the identified assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the required Union assurance levels. This ensures a uniform application of the framework across the EU, preventing Member States from under-assessing risks in critical sectors.

Practical Implications for Procurement Documents

For procurement officers, the Article 29 assessment results must be explicitly reflected in tender documents. When drafting technical specifications for cloud services:

  • If the activity is non-public-order (per Article 29), the tender must require the bidder to hold a valid recognition for Union assurance level 1 (as per Article 30(2)).
  • If the activity is public-order (per Article 29), the tender must require recognition for Union assurance level 2, 3, or 4 (as per Article 30(3)). The specific level will depend on the detailed mapping of data sensitivity and criticality established in the risk assessment.

Failure to align procurement requirements with the Article 29 assessment exposes the contracting authority to legal risk, as it would be procuring services that do not meet the statutory sovereignty requirements for that specific use case.

What this means for you

As a public-sector procurement officer, your role is evolving from simply buying IT services to actively managing sovereignty risk. Here is how you should prepare for CADA's implementation:

  1. Initiate Risk Assessments Early: Do not wait for the regulation to enter into force. Begin mapping your current cloud usage against the criteria in Article 29(1) and (2). Identify which services support national security, justice, defence, or critical infrastructure.
  2. Map Activities to Assurance Levels: For each identified public-order activity, determine the appropriate Union assurance level (2, 3, or 4). This mapping is the core output of your Article 29 assessment and will dictate your future tender requirements.
  3. Review Existing Contracts: Check your current cloud contracts. If a service supporting a public-order activity holds only Union assurance level 1 (or no recognition at all), it will not satisfy Article 30(3) once the regulation applies. Plan for migration within the transition period under Article 29(6), which may not exceed 12 months.
  4. Update Tender Templates: Ensure your standard cloud procurement templates include clauses that mandate the specific Union assurance level required by your Article 29 assessment. You cannot treat all cloud procurement as equal; the assurance level is a non-negotiable technical specification tied to the nature of the public service being delivered.
  5. Coordinate with Legal and Security Teams: The Article 29 assessment is not solely a procurement task. It requires input from data protection officers, cybersecurity teams, and legal advisors to accurately assess data sensitivity and public order impact.

Common misconceptions

Misconception 1: All public sector cloud procurement must be at the highest sovereignty level. Correction: No. CADA uses a proportionate approach. Only activities identified as contributing to the preservation of public order via the Article 29 risk assessment are subject to the stricter Article 30(3) requirements (levels 2–4). All other public sector activities must still use Union assurance level 1 (Article 30(2)), but they are not forced into the more complex and costly higher tiers unless justified by risk.

Misconception 2: The risk assessment is a one-time event. Correction: Article 29(1) explicitly states that risk assessments must be carried out every two years, or whenever necessary. Cloud usage, data sensitivity, and geopolitical risks change over time. Your procurement obligations may shift if your risk assessment evolves, potentially triggering migration requirements under Article 29(6).

Misconception 3: Member States can set their own sovereignty standards independently. Correction: While Member States conduct the risk assessments, the framework is harmonised. The Commission provides guidance on methodology (Article 29(3)) and can override a Member State's assessment if it deems the chosen assurance level inadequate for public order (Article 29(5)). This prevents a "race to the bottom" in sovereignty standards across the EU.

This is general information about a draft EU regulation, not legal advice.