Summary

As proposed, the Cloud and AI Development Act (CADA) does not impose a blanket mandate for multi-cloud architectures. Instead, Article 29(9) explicitly requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their risk assessments to mitigate dependency risks. This strategic consideration is technically enabled by the Data Act (Regulation (EU) 2023/2854), which establishes the interoperability and switching rights necessary to make multi-cloud feasible without prohibitive costs. Together, these instruments create a framework where multi-cloud is a recognized, risk-based mitigation strategy for enhancing sovereignty and resilience, rather than a rigid procurement requirement.

Detail

The interaction between the proposed Cloud and AI Development Act (CADA) and the existing Data Act represents a coordinated legislative effort to enhance the European Union's cloud sovereignty. While the Data Act addresses market fairness, technical interoperability, and the removal of vendor lock-in, CADA addresses strategic resilience, public order, and the reduction of critical dependencies. Understanding how these two instruments interact regarding multi-cloud strategies is critical for CTOs, architects, and procurement officers designing compliant, resilient infrastructure.

CADA: Multi-Cloud as a Risk-Based Consideration

Under CADA, the decision to adopt a multi-cloud or multi-vendor architecture is not a universal obligation but a risk-based determination. Article 29(9) of the proposal explicitly states: "In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services."

This provision sits within the broader framework of Article 29, which obliges public sector bodies to conduct risk assessments to determine the appropriate Union assurance level (Levels 1–4) for their cloud services. The risk assessment must evaluate the sensitivity of data, the criticality of the service, and the potential impact on public order.

Recital 65 of the CADA explanatory memorandum further clarifies the intent behind Article 29(9), stating: "To enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate." Crucially, the recital emphasizes that this decision "should be based on a context-specific risk assessment" that identifies operational, regulatory, or resilience-related circumstances supporting such an architecture.

This means that for lower-risk public sector activities, a single provider meeting Union assurance level 1 may suffice. However, for higher-risk activities requiring Union assurance levels 2, 3, or 4 (as mandated by Article 30(3) for activities contributing to public order), the risk assessment may conclude that a multi-cloud strategy is necessary to prevent vendor lock-in, ensure service continuity, and mitigate the risk of unilateral disruption by a third-country-controlled provider. The law requires the consideration of this strategy, not its automatic adoption, leaving the final decision to the outcome of the specific risk analysis.

The Data Act as a Technical Enabler

While CADA provides the strategic imperative to consider multi-cloud, the Data Act (Regulation (EU) 2023/2854) provides the technical mechanisms that make such strategies viable. The CADA explanatory memorandum explicitly describes the Data Act as an "enabler" for the proposal. In the section on consistency with existing policy provisions, the Commission notes: "The proposal is consistent with the rules on switching between data processing services introduced by the Data Act... The Data Act is thus an enabler for the proposal."

The Data Act introduces strict interoperability requirements and rights to switch between data processing services, thereby reducing vendor lock-in. It requires cloud computing service providers to ensure that users can switch providers without significant disruption. This includes obligations to provide data portability, interoperability of services, and transparency regarding switching procedures.

Without these interoperability guarantees, a multi-cloud strategy under CADA would be technically burdensome and economically inefficient, potentially discouraging public sector adoption. The Data Act lowers the barrier to entry for multi-cloud architectures by ensuring that data can be moved and services can be integrated across different providers. This technical foundation allows the "context-specific risk assessment" required by CADA to realistically conclude that a multi-cloud approach is a viable mitigation strategy.

Synergy in Public Procurement

The synergy between these two acts is most visible in public procurement. Article 30 of CADA sets minimum assurance levels for public sector procurement:

  • Article 30(2) requires that public sector activities not identified as contributing to the preservation of public order must use services with Union assurance level 1.
  • Article 30(3) requires that activities identified as critical to public order must use services with Union assurance levels 2, 3, or 4.

When a contracting authority conducts the risk assessment under Article 29, it determines the necessary assurance level. If the risk assessment concludes that a multi-cloud strategy is appropriate under Article 29(9), the procurement process must reflect this. The Data Act's interoperability requirements ensure that the procured services can technically integrate into a multi-cloud environment.

Furthermore, Article 32 of CADA introduces "Union added value" criteria in procurement, encouraging the use of technologies developed in the Union. A multi-cloud strategy using multiple EU-based providers can enhance this added value, further aligning with CADA's goal of reducing dependence on non-European providers. The Data Act ensures that the technical switching costs do not negate the strategic benefits of this approach.

Practical Implications for Architecture

For CTOs and architects, this legislative interplay means that multi-cloud is no longer just a best practice for resilience but a legally recognized risk mitigation tool. When designing cloud architectures for public sector clients, architects must:

  1. Align with Risk Assessments: Ensure that the architecture supports the outcomes of the Article 29 risk assessment. If the assessment identifies high dependency risks (e.g., reliance on a single third-country provider), the architecture must demonstrate how multi-cloud or multi-vendor approaches mitigate these risks.
  2. Leverage Data Act Interoperability: Utilize the Data Act's requirements for data portability and interoperability to design seamless integration points between different cloud providers. This reduces the technical debt associated with multi-cloud environments and ensures that the "switching rights" are not just theoretical.
  3. Document the Rationale: Maintain clear documentation linking the architectural choice of multi-cloud to the specific risks identified in the Article 29 assessment. This documentation will be crucial for demonstrating compliance during audits by national competent authorities and for justifying the procurement strategy under Article 30.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of these regulations, the key takeaway is that multi-cloud is a strategic option, not a mandatory default. However, its strategic value is significantly enhanced by the legal framework.

For Public Sector Architects: You must integrate multi-cloud considerations into your risk assessment methodologies. When advising public sector clients, you should present multi-cloud as a viable option for mitigating risks related to vendor lock-in and third-country dependency. Ensure that your proposed solutions leverage the interoperability standards mandated by the Data Act to minimize switching costs and integration complexity. If your risk assessment under Article 29 identifies significant resilience risks, you must be prepared to justify why a single-vendor solution was rejected or why a multi-cloud approach was deemed appropriate.

For Cloud Service Providers: SMEs and European cloud providers should highlight their compliance with Data Act interoperability standards as a competitive advantage. By demonstrating that their services are easy to integrate into multi-cloud environments, they become more attractive to public sector buyers looking to meet CADA's risk mitigation goals. Providers should also be prepared to support customers in meeting the transparency and switching obligations under the Data Act, as this directly supports the "multi-vendor" consideration required by CADA.

For Procurement Teams: When drafting tender documents, include criteria that evaluate the vendor's ability to support multi-cloud strategies. This includes assessing their interoperability features, data portability mechanisms, and flexibility in switching services. Use the "Union added value" criteria under Article 32 of CADA to favor providers that contribute to the European cloud ecosystem. Ensure that the procurement process explicitly references the risk assessment outcomes under Article 29 to justify the selection of a multi-cloud or single-cloud approach.

Common misconceptions

Misconception 1: CADA mandates multi-cloud for all public sector procurement. This is incorrect. Article 29(9) only requires that a multi-cloud strategy be considered as part of the risk assessment. The final decision depends on the specific risks identified. For many lower-risk public sector activities, a single provider may be sufficient, provided it meets the minimum Union assurance level 1 under Article 30(2).

Misconception 2: The Data Act automatically enables multi-cloud. While the Data Act provides the technical tools for switching and interoperability, it does not force organizations to adopt multi-cloud. It removes the technical barriers, but the strategic decision to adopt multi-cloud remains with the organization, guided by frameworks like CADA. The Data Act makes multi-cloud feasible; CADA makes it a strategic consideration.

Misconception 3: Multi-cloud is only for high-risk, classified data. While multi-cloud is particularly relevant for high-assurance levels (2, 3, and 4) under CADA, it can also be a valuable strategy for lower-risk services to enhance resilience and avoid vendor lock-in. The risk assessment under Article 29 should evaluate these benefits for all public sector activities, not just those involving classified information.

This is general information about a draft EU regulation, not legal advice.