Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must carry out risk assessments for public sector activities every two years. However, as explicitly stated in Article 29(1), this biennial cycle is not the only trigger; assessments must also be conducted whenever necessary to ensure the preservation of public order. The very first assessment must be completed within one year of the Regulation's entry into force.
Detail
The Cloud and AI Development Act (CADA) establishes a dynamic, risk-based framework to determine the appropriate level of "Union assurance" required for cloud computing services used by the public sector. Unlike static compliance checks, this framework relies on periodic and event-driven risk assessments to map public sector activities to the correct assurance levels (Level 1 through Level 4).
The Legal Basis: Article 29(1)
The frequency and timing of these assessments are strictly defined in Article 29(1) of the CADA proposal. The text mandates:
"By [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary, Member States and Union entities shall carry out risk assessments..."
This provision establishes three distinct temporal triggers that govern the compliance calendar for all Member States and Union entities:
- The Initial Deadline: The first risk assessment must be completed by the date of entry into force plus one year. This sets a hard deadline for Member States to establish their baseline understanding of which public sector activities require higher levels of sovereignty assurance (Levels 2, 3, or 4) versus those that can rely on the baseline Level 1.
- The Recurring Cycle: After the initial assessment, Member States are required to repeat the process every two years. This biennial cycle ensures that the mapping of public sector activities to assurance levels remains current as technologies, threat landscapes, and public sector needs evolve.
- The "Whenever Necessary" Clause: Crucially, the two-year cycle is not a safe harbor. The phrase "or whenever necessary" imposes a continuous duty on Member States and Union entities. If a significant change occurs in the threat landscape, a new critical public sector activity is launched, or a previously assessed activity is found to pose a higher risk to public order than originally thought, a new risk assessment must be triggered immediately, regardless of where the entity is in its two-year cycle.
What is Being Assessed?
As outlined in Article 29(1), the purpose of these assessments is twofold:
- To identify public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as national security, internal security, external border management, defence, justice, and law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
- To determine which Union assurance level (Level 2, 3, or 4) is appropriate for those identified activities.
It is important to note that the risk assessment does not apply to all cloud usage indiscriminately. Public sector bodies whose activities have not been identified as contributing to the preservation of public order under this assessment are still required to use cloud services with at least Union assurance level 1 (as per Article 30(2)), but they are not subject to the same rigorous risk-based mapping for higher assurance levels.
The Role of the Commission and Methodology
While Member States are responsible for conducting the assessments, the European Commission plays a supervisory and harmonizing role. Article 29(3) grants the Commission the power to adopt implementing acts that specify the methodology, templates, and elements to be taken into account. This ensures that risk assessments are conducted consistently across the EU, preventing a fragmented market where different Member States apply vastly different standards to similar public sector activities.
If the Commission concludes, after reviewing a Member State's results, that the identified assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required Union assurance levels for that activity (Article 29(5)). Furthermore, Article 29(9) explicitly requires Member States to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services during these assessments.
What this means for you
For public-sector procurement officers, IT decision-makers, and legal counsel, the CADA risk assessment frequency dictates your compliance calendar and procurement strategy.
1. Plan for a Biennial Review Cycle
You cannot set your cloud sovereignty strategy and forget it. Your organization must build a two-year review cycle into its IT governance calendar. Every 24 months, you must re-evaluate your cloud contracts and usage patterns against the latest risk assessment results. If your risk assessment results change (for example, if a previously low-risk department is now deemed to handle critical public order data), your procurement requirements for cloud services must upgrade accordingly.
2. Monitor for "Whenever Necessary" Triggers
Be prepared to trigger an ad-hoc risk assessment immediately if:
- Your organization launches a new service involving sensitive data (e.g., new health data processing, new border control tools).
- There is a significant geopolitical shift or cyber threat that alters the risk profile of your current cloud providers.
- You receive guidance from your national competent authority indicating that your current assurance level is insufficient.
- A new activity is identified that contributes to the preservation of public order.
3. Prepare for the Initial Deadline
If CADA is adopted in its current form, the clock starts ticking from the date of entry into force. You have one year to conduct the first comprehensive risk assessment. Start mapping your current cloud usage to potential public order relevance now. Identify which systems handle data related to national security, justice, or critical infrastructure. This early mapping will prevent last-minute scrambles when the deadline arrives.
4. Document Your Methodology
Ensure your risk assessment process aligns with the methodology and templates that the Commission will provide via implementing acts (Article 29(3)). While these are still to be defined, you should document your risk criteria, data sensitivity classifications, and decision-making processes. This documentation will be vital if the Commission or national competent authorities review your assessments for adequacy.
Common misconceptions
Misconception 1: "I only need to assess my cloud providers once." Reality: CADA requires a dynamic, ongoing process. The risk assessment is not a one-time box-ticking exercise. It must be repeated every two years and whenever circumstances change. A provider that was compliant with Level 2 requirements two years ago may no longer be suitable if your risk assessment reveals a higher sensitivity for the data you now process.
Misconception 2: "The two-year cycle is optional if we are busy." Reality: The two-year cycle is a mandatory statutory obligation under Article 29(1). Failure to conduct the assessment on time could mean your procurement decisions are non-compliant with CADA, potentially exposing your organization to legal risk and undermining the EU's sovereignty goals.
Misconception 3: "Risk assessments only apply to high-security sectors like defence." Reality: While defence and national security are key areas, the risk assessment covers any public sector activity that contributes to the preservation of public order. This can include healthcare, emergency services, and critical infrastructure management. Even if you are not in a "high-security" sector, you must still determine if your activities fall under the risk assessment scope.
Misconception 4: "I can ignore the 'whenever necessary' clause." Reality: The "whenever necessary" clause is a critical safety valve. Ignoring it could leave your organization vulnerable. If a new threat emerges or your data handling practices change significantly, waiting for the next two-year cycle could result in a compliance gap. Proactive reassessment is part of good governance under CADA.
Related
- Must Member States report CADA risk assessment results to the Commission?
- CADA Risk Assessment Consistency: How Member States Cooperate
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
- What public sector activities must be identified in a CADA risk assessment?
- CADA Risk Assessment: What happens if a Member State departs from the methodology?
This is general information about a draft EU regulation, not legal advice.