Summary
Under the proposed Cloud and AI Development Act (CADA), public sector bodies and Union entities must classify data sensitivity through mandatory risk assessments to determine the required Union assurance level (1–4) for their cloud services. Article 29 requires these assessments to evaluate the sensitivity, criticality, and magnitude of both personal and non-personal data, ensuring that activities contributing to public order are matched with appropriate sovereignty safeguards. While Member States retain discretion over specific data classification, the Commission will provide centralized guidance to map data categories to assurance levels, with levels 3 and 4 specifically designed to allow the secure hosting of EU classified information.
Detail
The Cloud and AI Development Act introduces a structured framework to mitigate the risks associated with the EU's reliance on third-country cloud providers. Central to this framework is the requirement for public sector bodies to conduct rigorous risk assessments to determine which "Union assurance level" their cloud services must meet. This process is not merely a technical checkbox but a legal obligation designed to preserve public order, ensure operational autonomy, and protect sensitive data from unauthorized access or disruption.
The Legal Basis: Article 29 Risk Assessments
Article 29 of the CADA proposal establishes the core mechanism for classifying data sensitivity. It mandates that Member States and Union entities carry out risk assessments within one year of the Regulation's entry into force, and thereafter every two years or whenever necessary. These assessments serve two primary functions:
- Identifying Public Order Relevance: Determining which public sector activities contribute to the preservation of public order in sectors listed in Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement.
- Determining the Assurance Level: Deciding whether Union assurance level 2, 3, or 4 is appropriate for those identified activities.
The risk assessment process is granular. Article 29(2) explicitly requires assessors to consider at least the following aspects:
- The sensitivity, criticality, and magnitude of non-personal data, including the potential impact on public order.
- The nature, scope, context, and purpose of processing personal data.
- The risk of varying likelihood and severity for the rights and freedoms of data subjects.
- The risk of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk of possible service disruption.
Furthermore, Article 29(9) requires Member States and Union entities, as part of these assessments, to consider whether a multi-vendor or multi-cloud strategy is appropriate for their procurement of cloud computing services.
Mapping Data Categories to Assurance Levels
A key challenge in implementing CADA is translating abstract data characteristics into concrete assurance levels. Recital 63 of the CADA proposal clarifies that while Member States and Union entities have flexibility in determining the appropriate assurance level, divergent national approaches could undermine the consistent application of the sovereignty framework. To prevent this fragmentation, the Commission is tasked with providing "centrally coordinated guidance on the mapping between Union assurance levels and categories of information."
This guidance will take into account:
- The sensitivity, criticality, and magnitude of the data processed.
- The systematic importance of the contracting authority's activities.
- Applicable obligations arising from Union law.
For instance, data processing that involves ordinary business information might only require Union assurance level 1 (which relies on a self-assessment conformity statement). However, data that is operationally critical, commercially sensitive, or subject to sector-specific obligations under laws like NIS2 or DORA may trigger the need for higher assurance levels (2, 3, or 4), which require independent third-party audits.
Classified Information and Higher Assurance Levels
The CADA proposal explicitly addresses the handling of classified information. Recital 62 states that "to provide consistency across the Union, Union assurance levels 3 and 4 should allow for the secure hosting of EU classified information." This distinction is crucial for national security and defense sectors.
- Union Assurance Level 1: Generally suitable for non-critical public services. It requires the provider to be established in the Union and infrastructure/assets to be located in the Union, but it does not mandate independent audits.
- Union Assurance Level 2: Introduces stricter requirements, including independent audits, Union establishment for subcontractors, and strict data localization. It is suitable for sensitive non-classified data.
- Union Assurance Level 3: Requires that personnel involved in service provision are Union citizens (with national security clearance if handling classified information). It also mandates that the provider and subcontractors are not subject to third-country control, unless specific derogations apply under Article 18. This level is explicitly designed to handle classified information.
- Union Assurance Level 4: The highest level of assurance, requiring the strictest controls on personnel (Union citizens with clearance), infrastructure, and data localization. It is reserved for the most critical public order activities involving highly sensitive or classified data.
The Role of Commission Guidance and Intervention
Because the classification of data sensitivity can vary significantly between Member States, the Commission's role in issuing guidance is pivotal. Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account for these risk assessments. This guidance will specify how Member States should use the highest level of assurance for the most critical public sector activities, including defence.
If the Commission concludes that a Member State's risk assessment does not adequately address public order concerns, it may adopt implementing acts to specify the Union assurance levels needed for specific public sector activities (Article 29(5)). This creates a feedback loop where national discretion is balanced by EU-level oversight to ensure a minimum standard of security across the Union.
Additionally, Article 29(6) notes that if a risk assessment requires migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months.
What this means for you
For in-house counsel and compliance officers in the public sector or entities providing services to the public sector, the CADA proposal introduces several immediate and future-facing obligations:
- Conduct Mandatory Risk Assessments: You must prepare to conduct comprehensive risk assessments of your cloud computing usage. These assessments must go beyond standard data protection impact assessments (DPIAs) under the GDPR to include an analysis of "public order relevance" and "third-country control risks." Ensure your methodology aligns with the upcoming Commission guidance.
- Map Your Data to Assurance Levels: Begin categorizing your data based on sensitivity, criticality, and magnitude. Identify which datasets contain classified information or are critical to national security, justice, or defense. These will likely require Union assurance levels 3 or 4.
- Review Cloud Contracts: If you are a cloud service provider, you must determine which assurance levels you can realistically achieve. Levels 2, 3, and 4 require independent audits and strict adherence to criteria in Annex II of the CADA proposal, including data localization and personnel citizenship requirements. If you are a buyer, ensure your procurement processes mandate the appropriate assurance level based on your risk assessment.
- Prepare for Migration: Article 29(6) notes that if a risk assessment requires migration to another cloud service, the migration must occur within a reasonable transition period not exceeding 12 months. Plan for potential vendor changes if your current provider cannot meet the required assurance level.
- Monitor for Commission Guidance: The specific mapping of data categories to assurance levels will be detailed in Commission guidance. Subscribe to updates from the European Commission and your national competent authority to ensure your classification methodology remains compliant.
Common misconceptions
- Misconception: GDPR compliance is sufficient for CADA.
- Reality: While the CADA framework is consistent with GDPR, it addresses broader sovereignty risks. GDPR focuses on personal data protection and privacy, whereas CADA addresses operational autonomy, data sovereignty, and protection against third-country legal access (e.g., via laws like the US CLOUD Act). A service can be GDPR-compliant but fail to meet Union assurance level 3 due to third-country control or lack of Union-based personnel.
- Misconception: All public sector data requires the highest assurance level.
- Reality: The framework is risk-based. Most public services do not require levels 3 or 4. Level 1 is sufficient for many non-critical activities. The risk assessment is crucial to avoid unnecessary costs and complexity by only applying higher assurance levels where public order is genuinely at stake.
- Misconception: Classified information can only be hosted on-premise.
- Reality: CADA explicitly enables the hosting of EU classified information in cloud environments, provided the service meets Union assurance level 3 or 4. This allows for greater flexibility and efficiency in public sector IT while maintaining strict security controls.
- Misconception: Member States have unlimited discretion in classifying data.
- Reality: While Member States conduct the risk assessments, the Commission provides centralized guidance to ensure consistency. Furthermore, the Commission can intervene if it believes a Member State's assessment does not adequately address public order concerns, ensuring a harmonized approach across the EU.
This is general information about a draft EU regulation, not legal advice.