Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must conduct risk assessments to determine which cloud services require higher sovereignty assurance levels. The specific methodology for these assessments will be defined by the European Commission through implementing acts, adopted via the examination procedure outlined in Article 46(2). Member States are required to report any departures from this standardized methodology to the Commission within three months of carrying out their assessments.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a structured approach to managing dependencies on third-country cloud providers by establishing a "Union cloud computing sovereignty framework." A central pillar of this framework is the obligation for public sector bodies to assess the risks associated with their use of cloud computing services. This process determines whether a service must meet higher "Union assurance levels" (levels 2, 3, or 4) rather than the baseline level 1.
The Obligation to Assess Risk
Article 29 of the CADA proposal mandates that Member States and Union entities carry out risk assessments. These assessments are not optional; they are the mechanism by which public authorities identify which of their activities contribute to the preservation of public order. Specifically, Article 29(1) requires these assessments to:
- Identify public sector activities using cloud services that contribute to preserving public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), as well as areas of national security, internal security, external border management, defence, justice, and law enforcement.
- Determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.
These assessments must be carried out no later than one year after the date of entry into force, and thereafter every two years or whenever necessary.
Harmonizing the Methodology via Implementing Acts
To prevent fragmentation across the 27 Member States, the CADA proposal centralizes the definition of how these risk assessments must be performed. Article 29(3) explicitly states that the Commission shall specify the methodology by means of implementing acts.
The text of Article 29(3) reads:
"The Commission shall, by means of implementing acts in accordance with Article 46(2), specify the methodology to be applied, the templates to be used and the elements to be taken into account by the Member States and Union entities for the purpose of carrying out the risk assessments referred to in paragraph 1."
This implementing act will not be a vague guideline but a binding procedural framework. It will define:
- The Methodology: The step-by-step process for evaluating risk.
- Templates: Standardized forms or structures for documenting the assessment.
- Elements to Consider: The specific factors that must be weighed. Article 29(2) already lists several mandatory considerations, including:
  - The sensitivity, criticality, and magnitude of non-personal data processed.
  - The nature, scope, context, and purpose of personal data processing, including risks to data subjects' rights.
  - The risk of unlawful access to data by a third country or an entity established in a third country.
  - The risk of possible service disruption.
The implementing act will likely expand on these elements, providing granular criteria for what constitutes "high sensitivity" or "criticality" in the context of cloud infrastructure.
The Examination Procedure (Article 46)
The adoption of this methodology is governed by the "examination procedure." Article 46(1) establishes that the Commission shall be assisted by a committee, which is defined as a committee within the meaning of Regulation (EU) No 182/2011. Article 46(2) specifies that where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 applies.
In practical terms, this means the Commission's draft implementing act on the risk assessment methodology will be subject to scrutiny by a committee of Member State representatives. If the committee gives a positive opinion, the Commission adopts the act. If the opinion is negative, the Commission may not adopt the act, or it may refer the matter to the Appeal Committee. This procedure ensures that Member States have a direct say in the technical details of the risk assessment framework before it becomes binding.
Departures and Commission Oversight
While the methodology will be harmonized, the CADA proposal recognizes that national contexts may vary. Article 29(4) requires Member States to provide the Commission with the results of their risk assessments within three months of carrying them out. Crucially, this report must indicate where they depart from the implementing acts referred to in paragraph 3.
This creates a two-way accountability mechanism:
- Standardization: The Commission sets the baseline methodology.
- Transparency: Member States must justify any deviation from that baseline.
Furthermore, Article 29(5) grants the Commission corrective powers. If the Commission reviews a Member State's risk assessment and concludes that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required Union assurance levels for that specific public sector activity. This ensures that a Member State cannot arbitrarily lower the sovereignty requirements for critical infrastructure by manipulating the risk assessment methodology.
Multi-Cloud Strategies
Article 29(9) adds another layer to the methodology, requiring Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. The implementing act on methodology will likely provide guidance on how to evaluate the resilience benefits of such strategies against the complexity and cost implications.
What this means for you
For CTOs, architects, and SMEs operating in the European cloud market, the definition of the risk assessment methodology is a critical signal for product development and sales strategy.
1. Anticipate the "Audit Trail" Requirements
Since the methodology will be defined by implementing acts and must be documented using specific templates, public sector buyers will require rigorous documentation from their cloud providers. If you are building a cloud service targeting the EU public sector, you must design your compliance documentation to align with the forthcoming templates. Expect to provide detailed evidence on data residency, subcontractor transparency, and vulnerability management practices that map directly to the "elements to be taken into account" listed in Article 29(2).
2. Prepare for Granular Assurance Levels
The risk assessment will determine whether a client needs Assurance Level 1, 2, 3, or 4. Level 1 is a self-assessment; Levels 2–4 require independent third-party audits. The methodology will likely create clear thresholds. For example, processing health data in a hospital (high sensitivity) may automatically trigger a requirement for Level 2 or higher. SMEs should focus on achieving at least Level 1 recognition (via the EU statement of conformity under Article 19) as a baseline, while larger providers should prepare for the audit rigor of Level 2 (which requires substantial cybersecurity certification and strict data localization).
3. Monitor the Commission's Draft Implementing Acts
The exact weight given to each risk factor (e.g., how much the "magnitude" of data affects the score) will be set in the implementing act. Because this is adopted via the examination procedure, there will be a window for stakeholder feedback during the committee phase. Engaging with industry associations to ensure the methodology is technically feasible for SMEs is advisable. A methodology that is overly burdensome could inadvertently favor only the largest hyperscalers, who have dedicated compliance teams.
4. Multi-Cloud as a Risk Mitigation Tool
Article 29(9) explicitly mentions multi-cloud strategies. If the methodology favors diversification of providers, this presents an opportunity for smaller, specialized EU cloud providers to enter the market as secondary vendors in a multi-cloud architecture, rather than competing head-on with global hyperscalers for primary workload contracts.
Common misconceptions
Misconception 1: Member States can design their own risk assessment methods from scratch. Reality: No. Article 29(3) mandates that the Commission specify the methodology via implementing acts. While Member States can depart from the methodology, they must report these departures, and the Commission can override them if it deems the assurance level insufficient (Article 29(5)). The goal is harmonization, not national fragmentation.
Misconception 2: The risk assessment is a one-time event. Reality: Article 29(1) requires assessments to be carried out every two years, or whenever necessary. The dynamic nature of cloud threats and geopolitical risks means this is a continuous compliance obligation.
Misconception 3: Only data protection risks matter. Reality: Article 29(2) requires assessing the sensitivity of non-personal data as well. Operational continuity, supply chain resilience, and the risk of service disruption by third countries are equally critical components of the assessment. The methodology will likely score technical and operational risks alongside data privacy risks.
Misconception 4: SMEs are exempt from the impact of these assessments. Reality: While the assessment is performed by the public buyer, the outcome dictates the technical requirements for the vendor. If an SME's service is deemed necessary for a high-risk activity, it must meet the corresponding Union assurance level. The implementing act may include simplified templates or considerations for smaller entities, but the core risk factors remain the same.
Related
- Will existing cloud contracts be affected when CADA starts to apply?
- CADA Implementing Acts: Which Rules Will Be Set by Secondary Legislation?
- When will the Cloud and AI Development Act (CADA) be reviewed?
- What will the Commission look at when it reviews CADA?
- How will the Commission set the procedure for the CADA central repository?
This is general information about a draft EU regulation, not legal advice.