Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector CFOs must budget for mandatory risk assessments (Article 29) that determine whether cloud procurement must shift to higher "Union assurance levels" (Article 30). This shift often incurs significant migration, audit, and service-premium costs. While Article 31 currently allows private financial entities to conduct similar assessments voluntarily, the Commission retains the power to mandate them for high-criticality sectors via delegated acts. Planning must align with Article 48, which sets the application date at one year after entry into force, meaning risk assessments must be completed by that date, with migration potentially extending up to 12 months after the law applies.

Detail

The proposed Cloud and AI Development Act (CADA) represents a structural shift in the financial and public-sector cloud landscape. For Chief Financial Officers (CFOs) and procurement officers, CADA is not merely a compliance exercise but a primary driver of IT expenditure. The proposal establishes a "Union cloud computing sovereignty framework" designed to reduce dependence on third-country providers. This framework introduces four distinct assurance levels, each with specific technical, personnel, and legal criteria that directly impact service pricing and migration complexity.

The Cost of Sovereignty: Risk Assessments and Migration

The financial core of CADA lies in Article 29, which obliges Member States and Union entities to carry out risk assessments. These assessments must identify public sector activities that contribute to the preservation of public order (e.g., national security, justice, law enforcement, critical infrastructure). The outcome of this assessment dictates the procurement floor under Article 30.

  • Baseline Requirement: Public sector bodies whose activities are not identified as contributing to public order must, as a minimum, procure services recognized as having Union assurance level 1 (Article 30(2)).
  • Public Order Requirement: If an activity is identified as contributing to public order, the contracting authority shall only procure services recognized as having Union assurance levels 2, 3, or 4 (Article 30(3)).

For a CFO, the transition from a standard commercial cloud contract to a service meeting Union assurance levels 2, 3, or 4 involves substantial cost implications:

  1. Service Premiums: Higher assurance levels impose stricter criteria, such as Union citizenship for personnel (Annex II, 3.1(d) and 4.1(d)), exclusive data localization within the Union, and the absence of third-country control (Annex II, 3.1(g) and 4.1(g)). These constraints often limit the pool of eligible providers, potentially driving up service costs.
  2. Migration Expenses: Moving critical workloads to a sovereign environment may require data re-homing, system re-architecture, and dual-running periods to ensure continuity.
  3. Audit and Compliance Costs: While the provider bears the cost of the independent third-party audit required for levels 2–4 (Article 20), these costs are typically factored into the service pricing. Furthermore, public bodies may incur internal costs for verifying audit reports and managing the recognition process.

The Private Sector Ripple Effect: Article 31 and Voluntary Assessments

While CADA's mandatory procurement rules apply to public authorities, financial-sector firms, as private entities, are affected through market dynamics and through the specific provisions of Article 31.

Article 31(1) states that entities referred to in Annex I of Directive (EU) 2022/2555 (NIS2), which includes credit institutions and investment firms, "may carry out similar assessments as those set out in Article 29." This phrasing confirms that, under the current proposal, conducting these sovereignty risk assessments is voluntary for private financial entities.

However, CFOs must recognize that this voluntary status is not static. Article 31(3) explicitly empowers the Commission to adopt delegated acts to require impact assessments for private entities operating in sectors of high criticality if specific circumstances arise. The Commission may conclude that entities in high-criticality sectors require such assessments and specify the necessary risk mitigation measures. This mechanism means that while the baseline is voluntary today, the regulatory framework contains a built-in trigger to make these assessments mandatory for the financial sector without new primary legislation.

Consequently, public-sector CFOs must anticipate a "market signal" effect. As public procurement shifts toward sovereign providers, private financial institutions may voluntarily adopt similar assessments to align with industry standards or due to customer pressure. This could lead to a bifurcated market where "sovereign" cloud capacity becomes scarce and expensive. Public budgets must model potential market-wide price inflation, not just direct compliance costs.

Timeline and Planning: The Article 48 Logic

Budget planning must be synchronized with the precise legislative timeline defined in Article 48.

  • Entry into Force: The Regulation enters into force on the twentieth day following its publication in the Official Journal.
  • Application Date: The Regulation shall apply from [same day and month as date of entry into force plus 1 year].

This one-year gap is the critical planning window. Crucially, Article 29(1) requires Member States and Union entities to carry out risk assessments "By [date of entry into force plus 1 year]". This deadline coincides exactly with the application date of the Regulation.

Therefore, the risk assessment must be completed by the day the law applies. It is a common misconception that the migration process must be finished before the application date. In reality:

  1. Assessment Deadline: The risk assessment (Article 29) must be finalized by the application date (Day X).
  2. Migration Window: If the assessment requires migration to a different cloud service, Article 29(6) states that the Member State or Union entity shall migrate within a "reasonable transition period that shall not exceed 12 months."

This 12-month migration period begins after the risk assessment is completed (i.e., after the application date). An earlier version of this article suggested that the "entire cycle... must be compressed into the application window"; that was incorrect. The assessment is due at the start of the application period, and the migration window opens then. CFOs must budget for a migration phase that extends up to one year beyond the initial application date, not one that falls within the pre-application year.

What this means for you

For public-sector procurement officers and CFOs, the immediate action items are:

  1. Initiate Risk Assessments Immediately: Do not wait for the Regulation to apply. Begin the Article 29 risk assessment process now to identify which departments (e.g., justice, defense, critical infrastructure) will require Union assurance levels 2–4. This determines the scope of your migration budget.
  2. Audit Current Contracts: Review all existing cloud computing service agreements. Identify clauses that may conflict with CADA's data localization and sovereignty requirements. Budget for legal review and contract renegotiation.
  3. Model Sovereignty Premiums: Work with finance teams to estimate the cost differential between current cloud providers and those offering Union assurance levels. Include costs for independent audits (Article 20) and potential data migration fees.
  4. Engage with the EuroCloud Federation: Consider participation in the European public sector cloud federation (Article 34). This mechanism allows for the sharing of idle cloud capacity among public bodies, potentially reducing costs. Budget for membership fees and integration costs.
  5. Monitor Private Sector Trends: Keep a close eye on the financial sector. Even though Article 31 makes assessments voluntary for private banks, their move toward sovereign clouds will impact market supply and pricing. Your procurement strategy should account for this broader market shift.
  6. Plan for the Post-Application Migration: Recognize that the 12-month migration cap in Article 29(6) applies after the risk assessment is done. Ensure your budget covers a transition period that extends up to 12 months after the Regulation's application date.

Common misconceptions

"CADA only applies to the public sector." While the mandatory procurement rules (Article 30) target public authorities, the broader market effects will influence private sector vendors. Additionally, private entities in critical sectors (NIS2 Annex I) can voluntarily adopt similar assessments (Article 31), leading to industry-wide standardization.

"Union assurance level 1 is the highest standard." No. Union assurance level 1 is the minimum baseline for public sector bodies not involved in public order preservation. Levels 2, 3, and 4 offer progressively higher sovereignty guarantees, including stricter requirements on personnel citizenship, data localization, and absence of third-country control. Public order-critical activities must use levels 2–4.

"We have five years to comply." No. Article 48 sets an application date of one year after entry into force. This is a tight timeline for complex migrations. Early planning is essential to avoid non-compliance or rushed, expensive transitions.

"Private banks are forced to switch to sovereign clouds." Not currently. Article 31 allows private financial entities to carry out similar assessments voluntarily. The Commission may require impact assessments for high-criticality sectors in the future via delegated acts (Article 31(3)), but there is no immediate blanket mandate for private banks to switch providers.

"The migration must be done before the law applies." Incorrect. The risk assessment is due by the application date. The 12-month migration period allowed under Article 29(6) begins after the assessment is completed, meaning migration can legally continue for up to a year after the Regulation applies.

This is general information about a draft EU regulation, not legal advice.