Summary
Under the proposed Cloud and AI Development Act (CADA), the European Commission acts as a central supervisor for national risk assessments. Member States and Union entities must identify public sector activities critical to public order and assign them a Union assurance level (2, 3, or 4). Crucially, Article 29(5) grants the Commission the power to intervene: if the Commission concludes that a Member State's chosen assurance level is "not appropriate or does not adequately address the public order concerns," it may adopt implementing acts to specify the required Union assurance levels for that activity. This mechanism ensures a harmonised, high-standard protection of public order across the EU, preventing national divergences from weakening the Union's strategic autonomy.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous framework to safeguard Europe's cloud and AI ecosystem. A cornerstone of this framework is the "sovereignty risk assessment" mechanism, designed to ensure that public sector activities critical to the Union's security are supported by cloud services with sufficient assurance levels. While the primary responsibility for conducting these assessments lies with Member States and Union entities, the Commission retains a decisive oversight role to guarantee consistency and adequacy.
The Obligation to Assess Public Order Risks
As proposed in Article 29(1), Member States and Union entities are required to carry out risk assessments. These assessments must be conducted within one year of the Regulation's entry into force and subsequently every two years, or whenever necessary. The primary objective is to identify public sector activities that use or will use cloud computing services and that "contribute to the preservation of public order."
The scope of "public order" is broad and explicitly includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as specific areas such as national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
When conducting these assessments, Member States must determine which Union assurance level (2, 3, or 4) is appropriate for the identified activities. This determination is not arbitrary; it must consider specific factors outlined in Article 29(2), including:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
The Commission's Review Power: Article 29(5)
Once a Member State completes its risk assessment, it must submit the results to the Commission within three months, as per Article 29(4). This submission is not merely for information; it triggers a substantive review process.
The Commission's role is to verify that the national decision aligns with the Union's strategic objectives. Article 29(5) is the critical provision governing this oversight. It states:
"If the Commission concludes, after reviewing the results of the risk assessment or assessments of a Member State, that the Union assurance level identified for the public sector activity in a risk assessment is not appropriate or does not adequately address the public order concerns, the Commission may adopt implementing acts in accordance with Article 46(2) specifying the Union assurance levels needed for the public sector activity."
This provision establishes a clear "corrective mechanism." If the Commission determines that a Member State has underestimated a risk (for example, by assigning a Level 2 assurance to a defence-related activity that arguably requires Level 4), it has the authority to override the national decision. The Commission does not simply offer advice; it can legally mandate a higher assurance level through an implementing act.
Corrective Implementing Acts and the Examination Procedure
When the Commission exercises its power under Article 29(5), it does so by adopting implementing acts. These acts are not delegated acts (which would allow the Commission to amend the Regulation itself); rather, they are specific measures adopted to ensure uniform conditions for implementation.
The adoption of these acts follows the examination procedure referred to in Article 46(2) of the CADA. This procedure involves a committee composed of representatives from the Member States, ensuring that the Commission's corrective measures are scrutinised by national authorities before becoming binding. This process balances the need for Union-level consistency with the principle of subsidiarity, allowing Member States to have a voice in the final determination of assurance levels.
The scope of these implementing acts is precise: they specify the Union assurance levels needed for the specific public sector activity in question. Once adopted, these acts become binding on the Member State concerned. Consequently, the contracting authorities within that Member State must procure cloud computing services that meet the newly specified assurance level, as mandated by Article 30(3).
The Role of Guidance and Methodology
To prevent the need for frequent corrective interventions, the Commission is also tasked with providing proactive guidance. Under Article 29(3), the Commission shall adopt implementing acts specifying:
- The methodology to be applied.
- The templates to be used.
- The elements to be taken into account by Member States and Union entities.
This guidance is designed to harmonise the interpretation of "public order" and the mapping of risks to assurance levels. The Commission's methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, including defence.
Member States are required to indicate where they depart from this guidance when submitting their risk assessment results. This transparency allows the Commission to identify potential inconsistencies early. If a Member State deviates from the guidance without a compelling justification, it increases the likelihood that the Commission will invoke Article 29(5) to issue a corrective implementing act.
Implications for Public Procurement and Migration
The outcome of the Commission's review has immediate and practical consequences for public procurement. Under Article 30, contracting authorities must procure cloud services that meet the assurance levels determined by the risk assessment. If the Commission intervenes and specifies a higher level via an implementing act, the procurement obligation shifts immediately to that higher standard.
Furthermore, Article 29(6) addresses the transition. If the risk assessment (or a subsequent Commission intervention) requires migration to another cloud computing service, the Member State or Union entity must migrate within a "reasonable transition period that shall not exceed 12 months." This period must take into account technical feasibility, continuity of service, and data portability requirements. This ensures that while the Commission can enforce higher standards, it also mandates a structured and feasible transition path to avoid service disruption.
What this means for you
For public-sector bodies, procurement officers, and cloud service providers, the Commission's review power under Article 29(5) represents a significant compliance factor.
- Scrutiny of National Decisions: Do not assume that a national risk assessment is final. The Commission actively reviews these assessments and has the legal authority to override them if they are deemed insufficient to protect public order.
- Adherence to Methodology: Strictly follow the Commission's implementing acts regarding methodology and templates. Departures must be clearly justified and documented, as unexplained deviations are a primary trigger for Commission intervention.
- Procurement Alignment: If the Commission adopts an implementing act specifying a higher assurance level for your sector, your procurement strategy must adapt immediately. You are legally bound to procure services meeting the Commission's specified level, not just the national baseline.
- Transition Planning: Be aware of the 12-month migration cap in Article 29(6). If a Commission intervention forces a change in your cloud provider, you have a maximum of one year to migrate. Start planning for potential upgrades in assurance levels early to ensure continuity.
- Engagement with Competent Authorities: Work closely with your national competent authority. They are responsible for submitting the risk assessment results to the Commission. Ensure your internal risk data is accurate and robust to support the national submission.
Common misconceptions
"The Commission only reviews risk assessments for information."
- Reality: The Commission's review is substantive and corrective. Under Article 29(5), it can adopt binding implementing acts to override national decisions if the assurance level is found inadequate.
"Member States have full discretion to set their own assurance levels."
- Reality: While Member States conduct the initial assessment, their discretion is bounded by Commission guidance and the Commission's power to intervene. A national decision that fails to adequately address public order concerns can be superseded by a Union-level implementing act.
"Risk assessments are a static, one-time requirement."
- Reality: Assessments must be conducted every two years, or whenever necessary. This ensures that assurance levels remain appropriate as threats evolve and as the Commission updates its guidance.
"Only the highest assurance levels (Level 4) are subject to Commission review."
- Reality: The Commission reviews all risk assessments for public order activities. If a Member State assigns a Level 2 to an activity that the Commission deems requires Level 3 or 4, the Commission can intervene regardless of the starting level.
Related
- Must Member States report CADA risk assessment results to the Commission?
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
- Does a CADA risk assessment apply to Union institutions like the Commission?
- Can the Commission override a Member State's CADA risk assessment conclusion?
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
This is general information about a draft EU regulation, not legal advice.