Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector entities would be obliged to carry out risk assessments to determine the appropriate Union assurance level for their cloud services (Article 29), while certain private-sector entities may carry out similar impact assessments voluntarily (Article 31). Article 29 ties the public-sector assessment to procurement and public order; Article 31 starts as permissive but lets the Commission make impact assessments mandatory, by delegated act, for high-criticality sectors. CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

The CADA proposal would treat the public and private sectors differently on assessing cloud-sovereignty risk: a mandatory risk assessment for public authorities, and an optional (but conditionally mandatory) impact assessment for some private entities.

The public-sector obligation: Article 29

Article 29, as proposed, imposes a mandatory duty on Member States and Union entities to carry out risk assessments — a foundational step before public procurement of cloud services.

Who must act? Member States and Union entities (institutions, bodies, offices and agencies), assessing the activities they perform, or intend to perform, using cloud services. Where responsibilities are shared, they should, where appropriate, consider carrying out the assessment jointly (Article 29(1)).

Purpose. The assessment must (Article 29(1)):

  1. Identify public-order relevance — which activities contribute to the preservation of public order in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, external border management, defence, justice or law enforcement (including the prevention, investigation, detection and prosecution of criminal offences); and
  2. Determine the assurance level — which Union assurance level (2, 3 or 4) is appropriate. Activities not identified as contributing to public order must use at least Union assurance level 1 (Article 30(2)); those that are must procure level 2, 3 or 4 (Article 30(3)).

Timing. By one year after entry into force, thereafter every two years, or whenever necessary (Article 29(1)).

Content. Article 29(2) requires considering at least: the sensitivity, criticality and magnitude of the non-personal data (and the nature, scope, context and purpose of personal-data processing, with risks to data subjects' rights and freedoms); the risk and impact on public order of unlawful access by a third country or an entity established in a third country; and the risk and impact on public order of possible service disruption.

Commission oversight. The Commission will, by implementing act, specify the methodology, templates and elements for these assessments, including how Member States use the highest assurance level for the most critical activities such as defence (Article 29(3)). Member States must report results to the Commission within three months, flagging departures from the methodology (Article 29(4)). If the Commission concludes a Member State's identified level is inappropriate or does not adequately address public-order concerns, it may adopt implementing acts specifying the levels needed (Article 29(5)).

The private-sector option: Article 31

Article 31 takes a lighter-touch approach. It applies to entities referred to in Annex I of the NIS2 Directive that are not public-sector bodies.

Voluntary by default. Article 31(1) provides that such entities "may carry out similar assessments as those set out in Article 29." The permissive "may" signals encouragement, not initial compulsion.

Guidance and potential mandates. Article 31(2) allows the Commission to issue guidance on methodology and possible mitigation measures for private entities in sectors of high criticality. More significantly, Article 31(3) empowers the Commission, where duly justified because of specific circumstances, and in consultation with Member States, to adopt delegated acts supplementing the Regulation that require impact assessments (and risk-mitigation measures) for non-public-sector entities operating in sectors of high criticality.

Obligation vs option.

  • Public sector (Art 29): Mandatory. Without the assessment, a contracting authority cannot determine the correct assurance level for its procurement.
  • Private sector (Art 31): Voluntary by default, but exposed to a future Commission mandate for high-criticality sectors.

What this means for you

For in-house counsel and compliance officers, the Article 29/31 split drives both immediate action and longer-term monitoring.

If you work for a public-sector body:

  • Act on the deadline. Stand up a process to run the assessment within one year of entry into force, then on the two-year cycle.
  • Wait for, then follow, the methodology. Align with the Article 29(3) implementing acts (methodology, templates) rather than designing a framework in isolation, and be ready to justify any departures (Article 29(4)).
  • Drive procurement from the assessment. If activities preserve public order, you are restricted to levels 2-4 (Article 30(3)); build the assessment into procurement planning to avoid invalid tenders.
  • Address multi-cloud. Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate.

If you work for a private NIS2 Annex I entity:

  • Treat the impact assessment as best practice. Although Article 31(1) is permissive, a parallel assessment demonstrates diligence, maps third-country exposure and prepares you for a possible Article 31(3) mandate.
  • Monitor Commission action. Watch for guidance under Article 31(2) and delegated acts under Article 31(3); a "high criticality" designation for your sector could make assessments mandatory.
  • Map cloud dependencies. Expect to map providers and their assurance levels, consistent with CADA's aim of reducing reliance on non-EU providers.

Penalties and enforcement. Article 24 sets penalties for cloud computing service providers that infringe the sovereignty Chapter. For public bodies, the consequence of not assessing is largely procedural and procurement-related — non-compliant procurement may be challenged, and the Commission may intervene on inappropriate levels (Article 29(5)). The current text does not set out a dedicated penalty regime for private entities' impact assessments comparable to the provider penalties.

Common misconceptions

Misconception 1: Private companies are exempt from sovereignty considerations. Article 31 is voluntary by default, not an exemption. Public procurement bars (Article 30, driven by Article 29) set a market standard that pulls in suppliers and critical-infrastructure operators, and the Commission can mandate assessments for high-criticality entities (Article 31(3)).

Misconception 2: The assessment is a one-time event. Article 29 requires assessments every two years and "whenever necessary." A single static assessment quickly goes stale.

Misconception 3: All public-sector activities require high assurance levels. Only activities contributing to public order need levels 2-4 (Article 30(3)); others use at least level 1 (Article 30(2)). The Article 29 assessment is the tool that makes the distinction.

Misconception 4: Private impact assessments are identical to public risk assessments. Article 31(1) allows "similar" assessments. The methodology may align, but the legal context differs: public assessments are tied to procurement and public order; private ones focus on operational resilience and risk mitigation, while potentially informing future mandates.

This is general information about a draft EU regulation, not legal advice.