Summary

Under the proposed Cloud and AI Development Act (CADA), public sector bodies and Union entities must assess service disruption risk as a mandatory component of their sovereignty risk assessments under Article 29. Specifically, Article 29(2)(c) requires evaluating "the risk and consequent impact on public order of possible service disruption." This assessment is not limited to technical outages; it explicitly covers geopolitical and legal risks where third-country laws could compel a provider to degrade or halt services. The outcome of this assessment determines whether a cloud service must meet higher Union assurance levels (2, 3, or 4) to safeguard operational autonomy. Furthermore, Article 29(9) mandates that entities consider a multi-vendor or multi-cloud strategy based on these specific risk findings to limit dependency on single providers.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to mitigate the European Union's strategic dependencies on non-European cloud providers. A cornerstone of this framework is the mandatory sovereignty risk assessment that Member States and Union entities must conduct for their public sector activities. This process is governed by Article 29, which serves as the primary mechanism for mapping critical dependencies and aligning procurement decisions with the appropriate Union assurance levels (ranging from Level 1 to Level 4).

The Mandate of Article 29

Article 29 obliges Member States and Union entities to carry out risk assessments within one year of the regulation's entry into force, and subsequently every two years, or whenever necessary. These assessments are designed to identify public sector activities that contribute to the preservation of public order—specifically in sectors such as national security, internal security, external border management, defence, justice, and law enforcement.

Once these activities are identified, the assessment must determine which Union assurance level is appropriate. The regulation explicitly outlines three core risk dimensions in Article 29(2) that must be evaluated:

  1. The sensitivity, criticality, and magnitude of the data processed, including personal data risks.
  2. The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
  3. The risk and consequent impact on public order of possible service disruption.

It is this third dimension, Article 29(2)(c), that directly addresses service disruption risk. The regulation posits that the unavailability of cloud services is not merely a technical failure but a direct threat to public order. If a critical public service—such as emergency response coordination, healthcare data management, or national security operations—relies on a cloud provider that can be forced to degrade or halt service by a third-country government, the continuity of that public service is fundamentally compromised.

The Rationale: Continuity, Quality, and Resilience

The inclusion of service disruption as a distinct risk factor is deeply rooted in the sovereignty concerns articulated in the proposal's recitals. Recital 46 provides the critical context for why this assessment is necessary. It states that the Union remains critically dependent on a limited number of cloud providers subject to the control of third countries. This dependence exposes the Union to "critical strategic dependencies and concentration risks," including vulnerabilities arising from the extraterritorial application of third-country laws.

Recital 46 explicitly identifies that these dependencies lead to "potential disruptions affecting the continuity, quality and resilience of cloud computing services." The recital further elaborates on the nature of these risks, categorizing them into:

  • Misuse: Including manipulation, remote access and control, sabotage, and weaponisation.
  • Access to information: Including unauthorised communication, technology leakage, data manipulation, or exfiltration.
  • Dependency vulnerabilities: Including political and/or economic coercion, such as using vendor lock-ins, embargoes, or sanctions.

Therefore, when assessing service disruption risk under Article 29(2)(c), public sector bodies must look beyond standard Service Level Agreements (SLAs) regarding uptime. They must evaluate whether the provider is subject to legal frameworks that allow a foreign government to compel the provider to cut off access to EU data, degrade service quality in response to international sanctions, or disrupt service continuity for political reasons. If such a risk exists, the impact on public order is elevated, potentially necessitating the procurement of a service with a higher Union assurance level (e.g., Level 3 or 4), which imposes stricter criteria regarding third-country control and operational autonomy.

Linking Risk Assessment to Multi-Vendor Strategies

The outcome of the Article 29 risk assessment does not merely dictate the assurance level required; it also informs the architectural strategy for service delivery. The regulation recognizes that reliance on a single provider, regardless of its assurance level, creates a concentration risk.

Recital 65 explicitly addresses this by stating that "to enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate." Crucially, the recital notes that this decision "should be based on a context-specific risk assessment."

This requirement is codified in Article 29(9), which mandates that "In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services." This creates a direct feedback loop: the assessment of service disruption risk under Article 29(2)(c) must explicitly evaluate whether a single-provider architecture is resilient enough. If the risk assessment concludes that a single point of failure poses an unacceptable threat to public order, the entity is expected to adopt a multi-vendor or multi-cloud approach to mitigate that specific disruption risk.

From Assessment to Procurement

The practical application of this risk assessment is found in Article 30. If the risk assessment under Article 29 determines that an activity contributes to the preservation of public order, the contracting authority is prohibited from procuring services that do not meet the required assurance level. Specifically, Article 30(3) mandates that for activities with public order relevance, authorities "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

Services that fail to demonstrate resilience against third-country coercion or service disruption risks will not qualify for these higher assurance levels. Consequently, the assessment of service disruption risk under Article 29(2)(c) acts as a gatekeeper, effectively excluding from critical public sector contracts any provider that cannot guarantee continuity and quality independent of third-country interference.

What this means for you

For CTOs, architects, and technology leaders in the public sector and the private cloud industry, the emphasis on service disruption risk in Article 29(2)(c) represents a fundamental shift in how cloud resilience is defined and measured.

  • For Public Sector CTOs and Architects: Your risk assessments must now explicitly document the geopolitical and legal resilience of your cloud architecture. When conducting the Article 29 assessment, you cannot rely solely on technical uptime metrics. You must evaluate the legal environment of your provider's home country. Can that country's laws compel your provider to disrupt service? If the answer is yes, your risk assessment will likely flag a high impact on public order, forcing a migration to a provider with a higher Union assurance level. Furthermore, Article 29(9) requires you to formally consider a multi-vendor or multi-cloud strategy. You must be prepared to justify why a single-provider model is sufficient or, conversely, why a diversified architecture is necessary to mitigate the specific disruption risks identified.
  • For Cloud Service Providers (SMEs and Hyperscalers): To compete for public sector contracts, especially those with public order relevance, you must demonstrate resilience against service disruption that goes beyond technical redundancy. You need to prove that your operations are insulated from third-country legal pressures. For EU-based providers, this means highlighting independence from non-EU control. For non-EU providers, the path is more complex; you must navigate the recognition process under Article 18 and demonstrate that your home country has implemented specific safeguards (as per Article 18(1)) that prevent the exercise of control that would compromise service continuity or quality. Without this, you will be ineligible for the higher assurance levels required for critical public services.

Common misconceptions

  • Misconception: Service disruption risk under CADA only refers to technical outages, server failures, or natural disasters.
    • Reality: Under CADA, service disruption risk explicitly includes geopolitical and legal coercion. As noted in Recital 46, the risk encompasses the possibility that a third country could compel a provider to degrade or disrupt service continuity through laws with extraterritorial effect. The assessment must cover "political and/or economic coercion" such as embargoes or sanctions.
  • Misconception: Only the highest assurance levels (3 and 4) need to consider service disruption risks.
    • Reality: All risk assessments under Article 29 must consider the risk of service disruption as a mandatory element under Article 29(2)(c). However, the response to that risk varies based on the activity's criticality. Lower-risk activities may only require Union assurance level 1, while activities where disruption would severely impact public order will require levels 2, 3, or 4, which have stricter criteria regarding third-country control and operational autonomy.
  • Misconception: A multi-cloud strategy is mandatory for all public bodies under CADA.
    • Reality: Article 29(9) and Recital 65 state that entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate. It is a risk-based decision, not a blanket requirement. The decision depends entirely on the specific risk assessment of the activity in question. If the risk assessment concludes that a single provider with high assurance levels is sufficient to mitigate disruption risks, a multi-cloud strategy may not be required.

This is general information about a draft EU regulation, not legal advice.