Summary
Yes, under the proposed Cloud and AI Development Act (CADA), Member States are strictly required to report the results of their cloud computing sovereignty risk assessments to the European Commission. Article 29(4) of the proposal establishes a hard deadline: results must be submitted within three months of carrying out the assessment. Crucially, the report must explicitly indicate where the Member State departs from the Commission's prescribed methodology and implementing acts. This transparency mechanism allows the Commission to review national determinations of "Union assurance levels" and intervene if public order concerns are not adequately addressed.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union-wide framework to safeguard public order by reducing dependencies on third-country cloud providers. A central pillar of this framework is the risk assessment mechanism outlined in Article 29. This mechanism requires Member States and Union entities to identify public sector activities that contribute to the preservation of public order—such as those in national security, defense, justice, and law enforcement—and determine the appropriate "Union assurance level" (Level 2, 3, or 4) required for the cloud services supporting them.
While the initial assessment is a national competence, the proposal creates a robust EU-level oversight loop to ensure consistency and prevent fragmentation of the single market.
The Reporting Obligation: Article 29(4)
The core reporting requirement is found in Article 29(4). As proposed, the text states:
"Within three months of carrying out the risk assessments referred to in paragraph 1, Member States shall provide the Commission with the results of those risk assessments, indicating where they depart from the implementing acts referred to in paragraph 3."
This provision imposes two distinct duties on Member States:
- Submission of Results: The full results of the risk assessment must be transmitted to the Commission.
- Declaration of Departures: The submission must explicitly flag any instances where the Member State did not follow the methodology, templates, or elements specified in the Commission's implementing acts.
The Three-Month Deadline
The regulation imposes a strict, non-negotiable timeline for this reporting. The phrase "within three months of carrying out the risk assessments" creates a clear window for compliance. This deadline is designed to ensure that the Commission receives timely data to monitor the implementation of the sovereignty framework across the Union.
The timeline applies to the initial assessment carried out by the deadline set in Article 29(1) (one year after entry into force) and to subsequent assessments carried out "every two years, or whenever necessary." Failure to report within this window would constitute a breach of the proposed regulation, potentially triggering enforcement mechanisms under national law as transposed by Member States.
The Requirement to Indicate Departures
A critical nuance in Article 29(4) is the requirement to "indicate where they depart." This acknowledges that while the Commission will provide a standardized methodology via implementing acts (under Article 29(3)), Member States retain a degree of discretion in applying it to their specific national contexts.
However, this discretion is not absolute. The proposal requires transparency:
- Standard Methodology: Under Article 29(3), the Commission is empowered to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. These acts will also specify how Member States must use the highest level of assurance for the most critical public sector activities, including defense.
- The Duty to Flag: If a Member State decides to apply a different methodology, use a different template, or weigh certain risk factors differently than the Commission's implementing acts prescribe, they must explicitly state this in their report.
- Purpose: This requirement prevents "silent divergence." It ensures the Commission can immediately identify cases where national authorities may have underestimated risks or applied assurance levels that are lower than the EU-wide standard intended to protect public order.
Commission Review and Power to Intervene
The reporting obligation is not merely an administrative formality; it is the trigger for the Commission's supervisory powers. Article 29(5) outlines the consequences of the review process:
"If the Commission concludes, after reviewing the results of the risk assessment or assessments of a Member State, that the Union assurance level identified for the public sector activity in a risk assessment is not appropriate or does not adequately address the public order concerns, the Commission may adopt implementing acts in accordance with Article 46(2) specifying the Union assurance levels needed for the public sector activity."
This creates a "safety valve" for the Union. If the Commission determines that a Member State's reported assurance level is too low to protect public order, or if the departure from the methodology was unjustified, the Commission can override the national decision. It can then adopt binding implementing acts to specify the exact Union assurance level that must be applied for that specific activity. This ensures that the protection of public order remains a Union-level priority, even if national assessments vary.
What this means for you
For public-sector bodies, national competent authorities, and legal teams involved in cloud procurement, the reporting requirements of Article 29 have significant operational implications:
- Internal Timelines Must Be Aggressive: The three-month reporting deadline is external. To meet it, internal processes for conducting risk assessments, validating results, and preparing the report must be completed well in advance. Delays in national decision-making could lead to missed reporting deadlines.
- Documentation of Methodology is Critical: If your national authority intends to deviate from the Commission's implementing acts, you must document the rationale before submission. The report must clearly "indicate where they depart." Vague or missing explanations could lead to a finding that the assessment is non-compliant, triggering a Commission intervention.
- Preparation for Commission Scrutiny: Be aware that the Commission will actively review these reports. If a departure is flagged, the Commission may request further information or, in the worst case, issue a binding implementing act to correct the assurance level. This could force a re-tendering of cloud contracts if the originally selected assurance level is deemed insufficient.
- Alignment with Procurement: The results of the risk assessment directly dictate procurement obligations under Article 30. If the assessment (and subsequent Commission review) determines that an activity requires Union assurance Level 3, the contracting authority must procure only services recognized at Level 3 or 4. Reporting errors or delays could therefore stall critical public sector digital projects.
Common misconceptions
"Risk assessments are purely internal national documents." Incorrect. While the assessment is conducted by national authorities, Article 29(4) explicitly mandates that the results be provided to the European Commission. The process is subject to EU-level oversight and potential intervention.
"Member States can ignore the Commission's methodology without consequence." Incorrect. While Member States have the right to depart from the methodology, Article 29(4) requires them to explicitly indicate these departures. Furthermore, Article 29(5) grants the Commission the power to override national decisions if the resulting assurance level is deemed inadequate for public order protection.
"The three-month deadline is a suggestion." Incorrect. The text uses the mandatory "shall," establishing a strict legal obligation. Missing this deadline would be a failure to comply with the proposed regulation.
"Only the most critical sectors (like defense) need to report." Incorrect. Article 29(1) requires risk assessments for all public sector activities that contribute to the preservation of public order. This includes a broad range of sectors beyond just defense, such as internal security, border management, and justice. All such assessments must be reported.
Related
- CADA Risk Assessment Frequency: How Often Must Member States Assess?
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
- CADA Risk Assessment Consistency: How Member States Cooperate
- How does the Commission review CADA risk assessment results?
- Can the Commission override a Member State's CADA risk assessment conclusion?
This is general information about a draft EU regulation, not legal advice.