Summary
Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly requires Union entities and Member States to consider a multi-vendor or multi-cloud strategy during their mandatory risk assessments. Article 29(9) mandates that these entities evaluate the appropriateness of such strategies as part of their procurement of cloud computing services. This is not a blanket obligation to adopt multi-cloud for all activities; rather, it is a context-specific, risk-based decision intended to enhance resilience and limit dependency on a single provider. The decision must be grounded in an assessment of operational, regulatory, and resilience-related circumstances, as clarified in Recital 65.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a framework to strengthen Europe's cloud and AI ecosystem by reducing strategic dependencies and enhancing operational resilience. A cornerstone of this framework is the obligation for public sector bodies to conduct regular risk assessments to determine the necessary "Union assurance" level for their cloud services. Within this rigorous assessment process, the proposal explicitly addresses the architectural strategy of how these services are procured and deployed, specifically regarding the use of multiple vendors or cloud environments.
The Legal Basis: Article 29(9) and Recital 65
The primary legal basis for this requirement is found in Article 29 of the CADA proposal, which governs the risk assessments that Member States and Union entities must carry out. While the majority of Article 29 focuses on identifying public sector activities that contribute to the preservation of public order and determining the appropriate Union assurance levels (Levels 1 through 4), paragraph 9 introduces a specific architectural consideration regarding provider concentration.
Article 29(9) states:
"In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services."
This provision integrates infrastructure architecture directly into the sovereignty and risk assessment process. It moves beyond merely evaluating the legal jurisdiction of a provider (e.g., whether they are subject to third-country laws) to evaluating the technical and operational resilience of the procurement strategy itself. By mandating this consideration, the proposal ensures that the risk of single points of failure is explicitly weighed against the benefits of a unified procurement approach.
The rationale for this inclusion is further clarified in Recital 65 of the explanatory memorandum, which states:
"To enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate."
Recital 65 further emphasizes that the decision to adopt and implement a multi-cloud architecture must be based on a context-specific risk assessment. The recital specifies that this assessment should identify any relevant operational, regulatory, or resilience-related circumstances that would support the adoption of a multi-vendor or multi-cloud strategy. This language confirms that the regulation does not prescribe a specific technical outcome but rather a rigorous decision-making process.
Context-Specific and Risk-Based Decision Making
It is crucial to understand that CADA does not impose a blanket requirement for all public sector bodies to adopt multi-cloud strategies. Instead, it mandates a consideration of this option within the broader risk assessment framework. The decision is driven by the specific risks identified in the assessment, ensuring that the chosen architecture is proportionate to the threat landscape.
The risk assessment under Article 29 requires entities to evaluate several critical factors, including:
- Sensitivity and Criticality: The nature of the data processed, including personal and non-personal data, and its potential impact on public order.
- Third-Country Access Risks: The risk of unlawful access to data by third countries or legal entities established in third countries.
- Service Disruption Risks: The risk and consequent impact on public order of possible service disruption.
If a risk assessment determines that reliance on a single provider poses an unacceptable risk to operational continuity, data sovereignty, or public order, the assessment should logically lead to a recommendation for a multi-vendor or multi-cloud strategy. Conversely, for lower-risk activities with minimal public order implications, a single-provider strategy might remain appropriate and proportionate. The key is that the entity must document why a single provider was deemed sufficient, based on the specific circumstances of the activity.
Integration with Procurement Obligations
This consideration of multi-cloud strategies is tightly linked to the procurement obligations outlined in Article 30 of CADA. Article 30 mandates that contracting authorities procure cloud computing services recognized as offering specific Union assurance levels. Entities whose activities have been identified as contributing to the preservation of public order under the Article 29 risk assessment must procure services recognized at Union assurance levels 2, 3, or 4.
When a multi-cloud strategy is deemed appropriate by the risk assessment, the procurement process must reflect this. This could involve:
- Splitting Workloads: Distributing critical workloads across different providers, each meeting the required Union assurance level, to prevent a single point of failure.
- Interoperability Standards: Implementing standards to ensure data portability and reduce vendor lock-in, aligning with the Data Act's provisions on switching between data processing services.
- Independent Recognition: Ensuring that each vendor in the multi-cloud setup is independently assessed and recognized under the CADA sovereignty framework.
The risk assessment thus acts as the gatekeeper, determining whether the complexity and cost of a multi-vendor approach are justified by the resilience benefits for a specific public sector activity.
Implications for the Private Sector
While Article 29 and its multi-cloud consideration primarily target Union entities and Member States, Article 31 allows private sector entities (specifically those referred to in Annex I of the NIS2 Directive) to carry out similar impact assessments. Although such an assessment is not mandatory for the private sector, these entities are encouraged to adopt similar risk-based approaches to mitigate their own dependencies and ensure business continuity, especially in sectors of high criticality. The market signal is clear: as public procurement shifts towards resilience-focused strategies, private sector operators will likely face similar pressures to demonstrate multi-vendor readiness.
What this means for you
For CTOs, architects, and SMEs operating in the EU cloud and AI market, the inclusion of multi-cloud considerations in CADA's risk assessments has several practical implications:
- Architectural Flexibility is a Selling Point: If you are a cloud provider, demonstrating that your services are interoperable and compatible with multi-cloud architectures will be a significant advantage. Public sector buyers will increasingly favor providers that facilitate, rather than hinder, multi-vendor strategies. Your technical documentation should explicitly highlight how your service supports data portability and integration with other sovereign providers.
- Vendor Lock-In is a Risk Factor: As public entities are mandated to consider multi-cloud strategies to limit dependency, providers who employ aggressive vendor lock-in tactics may find themselves excluded from high-assurance procurements. Your service agreements should clearly address data portability, exit strategies, and interoperability to align with the risk assessment criteria.
- Complexity in Procurement: For public sector CTOs, preparing for CADA means enhancing your risk assessment methodologies. You will need to develop clear criteria for when a multi-cloud strategy is justified. This involves not just technical evaluation but also an analysis of operational costs, integration complexity, and the availability of multiple providers meeting specific Union assurance levels. You must be prepared to justify a single-provider decision if the risk assessment deems it appropriate.
- Focus on Interoperability Standards: The success of a multi-cloud strategy depends on robust interoperability standards. SMEs and developers should focus on building solutions that adhere to open standards and open-source principles, as these are heavily promoted in CADA (see Articles 41-44) to reduce dependencies and facilitate multi-cloud environments.
- Risk Assessment Documentation: Ensure your internal risk assessments explicitly document the consideration of multi-vendor strategies. Even if you decide against a multi-cloud approach, you must be able to justify this decision based on the specific operational, regulatory, and resilience risks identified in your assessment. The "consideration" is the mandatory step; the "adoption" is the context-specific outcome.
Common misconceptions
Misconception 1: CADA forces all public bodies to use multi-cloud. Correction: No. Article 29(9) requires entities to consider whether a multi-vendor or multi-cloud strategy is appropriate. The decision is context-specific and based on the risk assessment. For many lower-risk applications, a single-provider model may remain the most efficient and proportionate choice, provided the risk assessment justifies it.
Misconception 2: Multi-cloud automatically solves sovereignty risks. Correction: While multi-cloud can reduce dependency on a single provider, it does not automatically mitigate third-country access risks. Each provider in a multi-cloud setup must still meet the relevant Union assurance levels (1-4) as defined in Annex II of CADA. A multi-cloud strategy with providers that do not meet sovereignty criteria does not enhance public order protection.
Misconception 3: This only applies to large enterprises. Correction: While the direct obligation under Article 29 applies to Union entities and Member States, the market signal is significant for all providers. SMEs and start-ups aiming to serve the public sector must be aware that their ability to integrate into multi-cloud environments will be a key evaluation criterion in public procurement.
Misconception 4: Multi-cloud is the same as hybrid cloud. Correction: CADA specifically mentions "multi-vendor or multi-cloud." While hybrid cloud (combining public and private cloud) is a form of multi-cloud, the term here emphasizes the use of multiple providers to mitigate concentration risk and vendor lock-in, rather than just the deployment model. The focus is on reducing reliance on a single legal entity.
This is general information about a draft EU regulation, not legal advice.