Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector bodies and Union entities must conduct risk assessments to determine the required "Union assurance level" for their cloud services at least every two years. However, Article 29(1) explicitly adds a critical event-driven obligation: assessments must be revisited "whenever necessary." This clause mandates immediate reviews when specific triggers occur, such as the emergence of new geopolitical dependencies, changes in third-country laws affecting data access, or significant cybersecurity incidents. Failure to trigger an out-of-cycle review when threats evolve could result in procuring cloud services at an insufficient assurance level, violating Article 30.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a dynamic, risk-based framework for cloud sovereignty. Unlike static compliance regimes, CADA recognizes that the threat landscape—particularly regarding third-country control and data sovereignty—is fluid. Consequently, Article 29 imposes a dual-layered review schedule on Member States and Union entities.

The Statutory Frequency: Biennial Baseline

The foundational requirement is set in Article 29(1), which states that risk assessments shall be carried out "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary."

This biennial cycle serves as the mandatory baseline. Regardless of whether the external environment appears stable, Member States and Union entities must formally reassess their public-sector activities every 24 months. The purpose of this periodic review is to:

  • Re-identify public-sector activities that contribute to the preservation of public order.
  • Re-evaluate the sensitivity, criticality, and magnitude of data processed.
  • Confirm that the assigned Union assurance levels (1, 2, 3, or 4) remain appropriate for the identified risks.

The assessment must cover sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as specific areas including national security, internal security, external border management, defence, justice, and law enforcement.

The "Whenever Necessary" Trigger: Event-Driven Reviews

The phrase "whenever necessary" in Article 29(1) is the mechanism that prevents the framework from becoming obsolete. It creates a legal obligation to conduct an immediate, out-of-cycle assessment when material changes occur that could alter the risk profile. While the article does not provide an exhaustive list of these events, the criteria listed in Article 29(2) and the explanatory context of the proposal define the scope of these triggers.

A "whenever necessary" review is triggered when:

  1. Emergence of New Geopolitical Risks: If a third country enacts new legislation with extraterritorial effects (similar to the US CLOUD Act) that could compel a cloud provider to disclose Union data, the risk of "unlawful access" increases. Article 29(2)(b) explicitly requires assessing the "risk and consequent impact on public order of unlawful access under Union law to such data by a third country." A change in foreign law constitutes a material change necessitating an immediate review.
  2. Identification of New Dependencies: If a public body discovers a previously unknown critical dependency on a specific provider, technology stack, or supply chain component, the assessment must be updated. Article 29(2) requires considering the "risk and consequent impact on public order of possible service disruption." New dependencies that increase the risk of vendor lock-in or unilateral service termination by a third-country actor trigger this obligation.
  3. Significant Cybersecurity Incidents: A major breach or service disruption affecting a cloud provider, or a new vulnerability in the software supply chain, may alter the "sensitivity, criticality, and magnitude" of the data risk. If an incident suggests that the current assurance level no longer guarantees operational autonomy or data confidentiality, a review is "necessary."
  4. Changes in Data Processing Scope: If a public sector body begins processing new categories of data (e.g., moving from administrative data to classified or highly sensitive personal data), the risk profile shifts. Article 29(2)(a) mandates assessing the "sensitivity, criticality, and magnitude of the non-personal data processed... as well as the risk... for the rights and freedoms of data subjects."

The Commission's Oversight Role

To ensure that the "whenever necessary" clause is applied consistently across the Union, the Commission plays a supervisory role. Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be considered in these assessments. This ensures that Member States do not interpret "whenever necessary" too narrowly.

Furthermore, Article 29(5) grants the Commission the power to intervene if a national assessment is deemed insufficient. If the Commission concludes that the Union assurance level identified by a Member State "is not appropriate or does not adequately address the public order concerns," it may adopt implementing acts to specify the required level. This top-down authority ensures that national interpretations of threat triggers align with Union-wide sovereignty objectives.

Consequences: Procurement and Migration

The outcome of a "whenever necessary" review has immediate legal consequences under Article 30.

  • Procurement Obligations: If the updated assessment determines that an activity contributes to public order, the contracting authority must procure services at Union assurance levels 2, 3, or 4. If the risk was previously underestimated, the authority may be in non-compliance if it continues to use a Level 1 service.
  • Migration Timeline: If the review necessitates a change in the cloud service (e.g., migrating from a Level 2 to a Level 3 provider), Article 29(6) mandates that the migration must occur within a "reasonable transition period that shall not exceed 12 months." This period must account for technical feasibility, continuity of service, and data portability.

What this means for you

For public-sector procurement officers, IT security managers, and legal counsel, the CADA framework requires a shift from periodic compliance to continuous risk monitoring.

  • Implement a Continuous Monitoring Protocol: Do not rely solely on the biennial calendar. Establish a formal process to monitor geopolitical developments, third-country legislation, and cybersecurity threat intelligence. Document any event that could be interpreted as a "material change" under Article 29(1).
  • Define Internal Triggers: Your internal policies should explicitly list what constitutes a "whenever necessary" event. Examples include: a change in the ownership structure of your cloud provider, the enactment of new data access laws in the provider's home country, or a confirmed security incident affecting the provider's infrastructure.
  • Prepare for Rapid Migration: If a trigger event forces a reassessment that requires a higher assurance level, you have a maximum of 12 months to migrate. Start scoping multi-cloud or sovereign-cloud alternatives now to ensure you can meet the Article 29(6) deadline without disrupting critical public services.
  • Align with National Guidance: Since the Commission will issue implementing acts on methodology, stay in close contact with your national competent authority. Their interpretation of what constitutes a necessary review will likely guide your internal decision-making.

Common misconceptions

"The two-year cycle is the only requirement."

  • Reality: The biennial review is a minimum floor, not a ceiling. Article 29(1) explicitly states "or whenever necessary." Ignoring a new geopolitical threat because the next scheduled review is six months away would be a violation of the proposal.

"Only technical cybersecurity breaches trigger a review."

  • Reality: CADA focuses on sovereignty and public order, not just technical security. A provider that is technically secure but subject to a new third-country law compelling data access creates a sovereignty risk that triggers an immediate review under Article 29(2)(b).

"I have full discretion to decide if a review is 'necessary'."

  • Reality: While Member States conduct the assessments, the Commission has the power to override national decisions if they are deemed inappropriate (Article 29(5)). Your interpretation of "whenever necessary" must align with the Commission's future implementing acts and the broader Union sovereignty framework.

This is general information about a draft EU regulation, not legal advice.