Summary
No, compliance with the European Health Data Space (EHDS) does not automatically satisfy your obligations under the proposed Cloud and AI Development Act (CADA). While EHDS governs health-data quality, interoperability, and secondary use, CADA establishes a distinct, mandatory framework for cloud sovereignty. As proposed, public sector bodies and critical entities in the health sector must conduct specific risk assessments under Article 29 and procure cloud services meeting defined "Union assurance levels" (1–4), regardless of their EHDS compliance status. The regimes are complementary: EHDS ensures the data is handled correctly; CADA ensures the infrastructure holding that data is resilient against third-country interference.
Detail
The proposed Cloud and AI Development Act (CADA) and the European Health Data Space (EHDS) address different, albeit overlapping, dimensions of the EU's digital health ecosystem. A common operational assumption is that robust health-data governance under EHDS implies sufficient cloud sovereignty. However, as proposed, CADA creates a tiered sovereignty framework that operates independently of health-specific data rules.
EHDS vs. CADA: Data Governance vs. Infrastructure Sovereignty
The EHDS primarily regulates the governance, quality, and cross-border exchange of health data. It focuses on patient rights, data secondary use for research, and interoperability standards. While it mandates high security and data protection, it does not define "sovereignty" in terms of operational autonomy, supply chain control, or protection against extraterritorial access by third-country governments.
CADA, conversely, targets the underlying infrastructure. Its primary objective is to reduce dependence on non-European cloud providers and mitigate risks related to operational continuity and data access by third countries. Article 1(1)(c) explicitly states the proposal aims to enable "the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order."
To achieve this, CADA introduces a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16). These levels define strict criteria for where infrastructure is located, who controls it, and whether third-country laws can compel data access or service disruption. Crucially, the criteria for higher assurance levels (2, 3, and 4) include requirements that are entirely outside the scope of EHDS, such as the citizenship of personnel (Annex II, 3.1(d)) and the absence of third-country control over the provider (Annex II, 3.1(g)).
The Article 29 Risk Assessment Obligation
The critical divergence lies in Article 29 of CADA. This article obliges Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must identify activities in sectors falling under Annex I or II of the NIS2 Directive, which explicitly includes healthcare.
The risk assessment must determine which Union assurance level (2, 3, or 4) is appropriate for the identified public sector activities. As stated in Article 29(1)(a), this includes activities in "sectors falling under Annex I or II of Directive (EU) 2022/2555" (NIS2), covering healthcare.
Even if a health data platform is fully compliant with EHDS data-sharing and security standards, the public body using it must still determine if the underlying cloud service meets the necessary CADA assurance level. If the risk assessment identifies the activity as contributing to public order, the entity must procure services recognized as offering Union assurance levels 2, 3, or 4 (Article 30(3)). EHDS compliance does not exempt an entity from this procurement constraint. The regulation is clear: where a risk assessment determines public order relevance, "they must only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."
Complementary Regimes and the "Stacking" Effect
The two regimes are complementary, not substitutive. EHDS ensures the data is handled correctly; CADA ensures the infrastructure holding the data is sovereign. A cloud provider may offer EHDS-compliant data processing features but fail CADA's Union assurance level 3 criteria if, for example, its personnel are not Union citizens or its software supply chain lacks the required transparency and control measures (Annex II).
Conversely, a CADA-compliant sovereign cloud may lack the specific health-data interoperability connectors required by EHDS. Therefore, health entities must manage compliance with both frameworks simultaneously. The CADA explanatory memorandum notes that the proposal "complements" existing frameworks like the Data Act and cybersecurity directives, filling the "long-standing gaps in sovereignty and non-technical risks" that other instruments do not cover.
What this means for you
For in-house counsel and compliance officers in the health sector, the interaction between EHDS and CADA requires a dual-track compliance strategy.
1. Conduct CADA-Specific Risk Assessments
Do not rely on EHDS security audits to satisfy CADA. You must perform the risk assessments mandated by Article 29 of CADA. These assessments must explicitly evaluate:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The risk of unlawful access by a third country or legal entity established in a third country.
- The risk of service disruption.
This process determines the minimum Union assurance level your cloud provider must hold. As Article 29(3) states, the Commission will specify the methodology, but the obligation to assess lies with the Member State or Union entity.
2. Verify Cloud Provider Assurance Levels
When procuring or renewing cloud contracts for health data, verify that the provider has been recognized by a national competent authority as meeting the required Union assurance level. Check the central repository of recognized services maintained by the Commission (Article 22). EHDS certification is not a substitute for this recognition. For critical health data, the risk assessment will likely mandate levels 2, 3, or 4, which require independent third-party audits (Article 20) rather than the self-assessment allowed for Level 1.
3. Review Procurement Criteria
Update your procurement templates to include CADA's "Union added value" criteria (Article 32). This allows you to evaluate tenders based on the provider's contribution to the European cloud ecosystem, including the use of hardware designed or manufactured in the Union. Article 32(2) requires that these non-price criteria be "ancillary and not decisive," but they must be included in the quality evaluation.
4. Monitor Deadlines and Transitions
Member States must designate national competent authorities and begin risk assessments by the date of entry into force plus one year (Article 25 and Article 29). If a risk assessment requires migration to another cloud service, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months (Article 29(6)). Ensure your internal risk assessment timeline aligns with these national deadlines to avoid non-compliance during procurement cycles.
5. Prepare for Penalties and Liability
Non-compliance with CADA's sovereignty framework can lead to penalties. Member States must lay down rules on penalties applicable to infringements by cloud computing service providers (Article 24). These penalties must be "effective, proportionate and dissuasive." Furthermore, recipients of cloud services have the right to seek compensation for damage or loss suffered due to an infringement by the provider (Article 24(3)). While CADA primarily targets providers, public sector bodies face procurement restrictions and potential operational risks if they fail to mandate the correct assurance levels for critical health data.
Common misconceptions
Misconception 1: "EHDS security standards are equivalent to CADA sovereignty levels." This is incorrect. EHDS focuses on data protection, interoperability, and secondary use. CADA focuses on supply chain control, personnel citizenship, and protection against third-country legal extraterritoriality. A provider can be EHDS-compliant but fail CADA's strict criteria for Union assurance levels 3 and 4, which require, for instance, that all personnel involved in service provision are Union citizens (Annex II, 3.1(d)) and that the provider is not subject to third-country control (Annex II, 3.1(g)).
Misconception 2: "If my data is anonymized, CADA does not apply." CADA applies to cloud computing services regardless of the data type, though the required assurance level depends on the risk assessment. Even if health data is anonymized for secondary use under EHDS, the cloud infrastructure hosting it may still be deemed critical to public order under CADA Article 29, requiring a higher assurance level. The risk assessment considers "the sensitivity, criticality, and magnitude of the non-personal data processed" as well as personal data (Article 29(2)(a)).
Misconception 3: "I can choose any EU-based provider." Being established in the Union is only the baseline for Union assurance level 1 (Annex II, 1.1(a)). For critical health data, Article 29 may require levels 2, 3, or 4, which impose additional requirements on subcontractors, software supply chains, and cybersecurity certifications. Merely having an EU office is insufficient for higher assurance levels. For example, Level 2 requires a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, 2.1(e)), while Level 4 requires a 'high' assurance level certificate (Annex II, 4.1(e)).
Misconception 4: "CADA replaces the AI Act or EHDS." No. CADA is a proposal that complements existing frameworks. The explanatory memorandum states that the AI Act "does not cover aspects of sovereignty," which is the gap CADA fills. Similarly, CADA does not replace EHDS but adds a layer of infrastructure sovereignty on top of health-data governance.
This is general information about a draft EU regulation, not legal advice.