Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector cloud procurement would split into two tiers based on a mandatory risk assessment. As proposed, ordinary public activities must use a service recognised at Union assurance level 1 (Article 30(2)). Where a Member State's risk assessment identifies an activity as contributing to the preservation of public order, procurement is restricted to Union assurance level 2, 3 or 4 (Article 30(3)). The split is driven by the Article 29 risk assessment. Limited derogations exist under Article 30(4). CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

The CADA proposal would distinguish "ordinary" public cloud use from activities relevant to public order, and tie the minimum Union assurance level to that distinction.

The risk-assessment trigger: Article 29

The starting point is the risk assessment in Article 29. Member States and Union entities must carry these out within one year of entry into force, and thereafter every two years, or whenever necessary (Article 29(1)).

Article 29(1) requires the assessment to (a) identify public-sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in the areas of national security, internal security, external border management, defence, justice or law enforcement (including the prevention, investigation, detection and prosecution of criminal offences); and (b) determine which Union assurance level — 2, 3 or 4 — is appropriate for those activities.

Under Article 29(2), the assessment must consider at least: the sensitivity, criticality and magnitude of the non-personal data (and the nature, scope, context and purpose of personal-data processing, with the risks to data subjects); the risk and impact on public order of unlawful access by a third country or an entity established in a third country; and the risk and impact on public order of possible service disruption.

Ordinary procurement: Union assurance level 1

For activities not identified as contributing to public order, Article 30(2) requires Union entities and public-sector bodies to use cloud services recognised under Article 17 as having a Union assurance level 1.

As proposed, level 1 is the entry tier: per the Annex II criteria, it requires (among other things) that the provider is established in the Union and that infrastructure, assets and customer data remain in the Union unless the public-sector body requires otherwise, alongside state-of-the-art cybersecurity and transparency on subcontractors. It is a baseline of sovereignty, without the stricter personnel, supply-chain or control requirements of higher levels.

Public-order-relevant procurement: levels 2-4

Where the Article 29 assessment identifies an activity as contributing to public order in those sectors and areas, Article 30(3) provides that the contracting authority "shall only procure" services recognised at Union assurance level 2, 3 or 4. A level 1-only service would be ineligible. The specific level required follows from the risk assessment, and the Commission's methodology is to specify use of the highest assurance level for the most critical activities, including defence (Article 29(3)). The higher levels add, per Annex II, progressively stricter requirements — for example on subcontractor and personnel location, Union citizenship at the higher tiers, supply-chain controls, and protection against third-country control.

Derogations: Article 30(4)

Article 30(4) allows a contracting authority, on an exceptional basis and where duly justified, to decide not to procure a recognised service where one or more of the following circumstances apply:

  1. The subject matter cannot be supplied by recognised services in the central repository (Article 22), no adequate or reasonable alternative exists, and that absence is not the result of artificially narrowing the procurement parameters.
  2. A similar procurement process launched within the previous year received no suitable tenders or participants.
  3. Applying the requirements would require procurement at disproportionate cost.

These are exceptions requiring due justification, not a general escape from the obligation.

What this means for you

For public-sector procurement officers, CADA would turn cloud buying into a sovereignty exercise as much as a technical one.

1. Map activities to public order. You cannot fix your procurement bar until the Article 29 assessment is done. Identify which functions fall under the NIS2 sectors or the listed public-order areas (defence, justice, law enforcement, etc.). Activities supporting critical infrastructure or sensitive data are likely to trigger the level 2-4 requirement.

2. Specify the assurance level in tenders. State the required Union assurance level explicitly — level 1 for ordinary activities, level 2, 3 or 4 (per your assessment) for public-order activities — and align evaluation criteria accordingly.

3. Check the central repository first. Article 22 establishes a public central repository of recognised services. Consult it before tendering to confirm which providers are recognised at the required level.

4. Plan migration early. Where the assessment requires migration to another service, Article 29(6) sets a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity and data portability. Start exit and portability planning now if incumbents may not reach the required level.

5. Consider multi-cloud. Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of your assessment — useful for resilience, especially for public-order activities.

Common misconceptions

Misconception 1: All public-sector cloud needs level 2 or higher. Incorrect. Only activities identified as contributing to public order are restricted to levels 2-4 (Article 30(3)). Ordinary activities require level 1 (Article 30(2)). Applying the higher bar everywhere would be disproportionate.

Misconception 2: Level 1 is "non-sovereign" or unsafe. Level 1 is the sovereignty baseline: under Annex II it still requires EU establishment, EU data location (subject to the public body's requirements) and state-of-the-art cybersecurity. It is calibrated for lower-risk activities, not a free pass.

Misconception 3: You can pick any level above the minimum. You can choose higher than required, but not lower. If your assessment mandates level 3, a level 2 service does not satisfy it. The assessment sets the minimum.

Misconception 4: Third-country providers can never serve public contracts. Not quite. Under Article 18, the Commission may, by implementing act, identify third countries whose controlled providers may be audited against the Union assurance level 3 criteria, where the country meets cumulative conditions (including a GDPR adequacy decision and no measures enabling conflicting access or service disruption). This is a narrow, Commission-gated route, not a general opening.

This is general information about a draft EU regulation, not legal advice.