CADA Migration

Summary Under the proposed Cloud and AI Development Act (CADA), public sector bodies and Union entities have a maximum transition period of 12 months to migrate cloud computing services if a risk assessment determines a change is necessary to meet sovereignty requirements. As stipulated in Article 29(6), this period is a strict ceiling that must be tailored to three critical factors: technical feasibility, continuity of service, and data portability requirements. The clock starts only when a specific risk assessment mandates the migration, not upon the Regulation's entry into force.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous framework for cloud sovereignty. It requires public sector bodies and Union entities to align their cloud services with specific "Union assurance levels" (Levels 1–4) based on periodic risk assessments. When these assessments reveal that current services fail to meet the required assurance level for activities contributing to public order, a migration to a compliant provider becomes mandatory.

The 12-Month Ceiling: Article 29(6)

The specific timeline for these mandated migrations is governed by Article 29(6) of the CADA proposal. This provision explicitly states:

"Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."

This clause establishes a hard outer limit for public sector migrations. The 12-month cap is designed to ensure that sovereignty gaps are closed promptly, preventing prolonged exposure to third-country risks or non-compliant infrastructure. However, the regulation does not mandate that all migrations must take the full 12 months; rather, it sets a maximum duration to balance the urgency of sovereignty objectives with the operational realities of complex IT environments.

Determining the "Reasonable" Period

While 12 months is the maximum, the actual transition period must be "reasonable." The regulation explicitly requires that this period be determined by weighing three specific factors. These factors act as both constraints on the timeline and justifications for the duration chosen:

1. Technical Feasibility: The complexity of the migration is a primary determinant. This includes the integration of new software stacks, hardware compatibility checks, and the architectural changes required to move from a legacy or non-compliant provider to a Union-assured one. If a migration requires significant refactoring of applications or the deployment of new infrastructure, the "reasonable" period may approach the 12-month limit. Conversely, a "lift-and-shift" migration of compatible workloads may require significantly less time.
2. Continuity of Service: Public services, particularly those related to national security, justice, law enforcement, or critical infrastructure, cannot afford significant downtime. The transition plan must ensure that services remain available and functional throughout the migration process. Article 29(6) explicitly protects this interest; a migration that would cause a critical service outage cannot be rushed to an arbitrary date if it violates the continuity requirement. The timeline must allow for parallel running, phased cutovers, or other strategies that maintain operational integrity.
3. Data Portability Requirements: The migration must adhere to applicable data portability rules. This includes the secure extraction, transfer, and ingestion of large volumes of data without loss, corruption, or unauthorized access. While the CADA proposal complements the Data Act (which facilitates switching and reduces vendor lock-in), the practical execution of data transfer remains a key determinant of the timeline. The "reasonable" period must account for the time needed to validate data integrity and ensure that portability mechanisms function correctly under the specific constraints of the legacy and target environments.

The Trigger: Risk Assessments Under Article 29

The obligation to migrate—and thus the start of the transition clock—is triggered by the risk assessments mandated in Article 29(1). Member States and Union entities must conduct these assessments within one year of the Regulation's entry into force and subsequently every two years, or whenever necessary.

If an assessment identifies that a current cloud service fails to meet the required Union assurance level for activities contributing to public order (e.g., law enforcement, defence, or critical infrastructure), the 12-month migration window begins. The assessment must determine the appropriate assurance level (2, 3, or 4) based on the sensitivity of the data and the risk of third-country access or service disruption.

The Commission's Oversight Role

The Commission plays a supervisory role that can indirectly impact migration timelines. Under Article 29(5), if the Commission concludes, after reviewing a Member State's risk assessment, that the identified Union assurance level is inappropriate or fails to adequately address public order concerns, it may adopt implementing acts specifying the required levels.

This power means that a Member State might be forced to accelerate a move to a higher assurance level than initially planned if the Commission deems the original assessment insufficient. In such cases, the 12-month clock would restart or be adjusted based on the new requirements, reinforcing the need for robust initial risk assessments.

What this means for you

For public-sector procurement officers, IT directors, and legal compliance teams, the 12-month transition period introduces a strict project management constraint for cloud migrations.

• Plan for the Worst, Hope for the Best: While you have up to 12 months, complex enterprise migrations often face delays. Start migration planning immediately upon the completion of your risk assessment. Do not wait for the final month to initiate technical testing or vendor selection.
• Document Your "Reasonableness": You must be prepared to justify why your specific migration requires the time it does. Document how you are addressing technical feasibility, ensuring service continuity, and managing data portability. This documentation may be scrutinized during Commission reviews or national audits to prove the transition period was "reasonable" and not merely an excuse for delay.
• Leverage Data Portability Tools: Use the switching and interoperability provisions enabled by the Data Act to streamline data extraction. Ensure your contracts with current providers include clear clauses for data export in open formats to avoid bottlenecks that could jeopardize the 12-month deadline.
• Coordinate with Risk Assessments: Align your IT migration schedules with your legal and security teams conducting the Article 29 risk assessments. The migration clock starts when the risk assessment mandates a change, so early identification of non-compliant services is crucial to maximizing the available time.
• Prioritise Continuity: If your service is critical (e.g., emergency response or judicial systems), your migration strategy must prioritise continuity over speed. The regulation explicitly allows for this, but you must demonstrate that your timeline is the shortest possible while maintaining service availability.

Common misconceptions

"All migrations must take exactly 12 months." Incorrect. The 12-month period is a maximum limit (a ceiling). Simple migrations with low data volumes and high compatibility may take only a few months. The regulation requires a "reasonable" period, which should be the shortest time feasible while maintaining service quality and data integrity.

"The 12-month period starts when CADA enters into force." Incorrect. The transition period begins only when a specific risk assessment determines that a migration is necessary. Since risk assessments are conducted annually or bi-annually (or whenever necessary), the migration clock is tied to the outcome of these specific assessments, not the general entry into force of the Regulation.

"Data portability is handled automatically by the cloud provider." Incorrect. While the Data Act reduces vendor lock-in, the public sector body remains responsible for ensuring that data portability requirements are met during the CADA-mandated migration. You must actively manage the technical aspects of data transfer to ensure no service disruption and to meet the "reasonable" timeline.

"The 12-month deadline is absolute regardless of technical hurdles." Incorrect. Article 29(6) explicitly states that the period must take into account "technical feasibility." If a migration is technically impossible within 12 months without compromising service continuity, the "reasonable" period may be adjusted, provided the authority can demonstrate that all feasible steps were taken to meet the deadline.

Official sources

• Data Act (Regulation (EU) 2023/2854)

Related

• How does data portability affect CADA-mandated migration?
• What triggers cloud migration after a CADA risk assessment?
• Why is the CADA risk assessment described as a risk-based and context-specific approach?
• Why does CADA treat dependence on non-EU providers as a strategic risk?
• Why does CADA encourage multi-cloud architectures?

This is general information about a draft EU regulation, not legal advice.