Summary

Under the proposed Cloud and AI Development Act (CADA), public bodies must conduct mandatory risk assessments to identify "high-risk" cloud dependencies that threaten public order, specifically in sectors like national security, defence, and critical infrastructure. These assessments determine whether a cloud service must meet higher "Union assurance levels" (2, 3, or 4) rather than the baseline level 1. Failure to align procurement with these risk-driven assurance requirements exposes authorities to non-compliance, as CADA mandates that activities contributing to public order preservation use only recognised sovereign-aligned services.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission in June 2026, introduces a structured framework to mitigate the Union's dependence on non-European cloud providers. A core component of this framework is the requirement for Member States and Union entities to perform rigorous risk assessments to identify high-risk dependencies. These dependencies are not defined by a static list of banned vendors, but rather by the sensitivity of the public sector activities and the potential impact of third-country access or service disruption on public order.

Identifying High-Risk Dependencies via Article 29

The primary mechanism for identifying high-risk cloud dependencies is Article 29 of the CADA proposal. This article mandates that Member States and Union entities carry out risk assessments to determine which public sector activities contribute to the preservation of public order.

Article 29(1) specifies that these assessments must identify public sector activities using cloud computing services that contribute to public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as in areas of:

  • National security;
  • Internal security;
  • External border management;
  • Defence;
  • Justice or law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

The risk assessment must determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities. This creates a direct link between the nature of the public service and the technical/legal sovereignty requirements of the cloud provider.

Criteria for Assessing Risk

Article 29(2) outlines the specific aspects Member States and Union entities must consider when conducting these risk assessments. High-risk dependencies are characterised by:

  1. Data Sensitivity and Criticality: The assessment must evaluate the sensitivity, criticality, and magnitude of both non-personal and personal data processed. This includes considering the potential impact on public order and the nature, scope, context, and purpose of processing personal data, as well as the risk to the rights and freedoms of data subjects.
  2. Third-Country Access Risks: Authorities must assess the risk, and the consequent impact on public order, of access to data by a third country or by a legal entity established in a third country where that access is unlawful under Union law. This directly addresses the "extraterritorial access" problem highlighted in the explanatory memorandum, where laws like the US CLOUD Act may compel providers to hand over data to foreign governments.
  3. Service Disruption Risks: The assessment must consider the risk and impact of possible service disruption. This includes scenarios where a third-country actor could degrade, disrupt, or terminate services, thereby undermining operational autonomy and public order.

Linking Risk to Assurance Levels

The outcome of the Article 29 risk assessment dictates the procurement requirements under Article 30.

  • Baseline Requirement: Public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognised as having Union assurance level 1 (Article 30(2)).
  • High-Risk Requirement: Contracting authorities whose activities have been identified as contributing to the preservation of public order (as defined in Article 29(1)) must only procure cloud computing services recognised as having Union assurance levels 2, 3, or 4 (Article 30(3)).

This creates a tiered system where "high-risk dependencies" effectively bar the use of non-sovereign or low-assurance cloud services for critical functions. The higher assurance levels (2–4) impose stricter criteria, such as requirements for Union-based infrastructure, personnel, and data localisation, and prohibitions on third-country control over the provider.

Deadlines and Methodology

Article 29(1) sets a clear deadline: risk assessments must be carried out by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary.

To ensure consistency, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements for these risk assessments. The methodology will specify how Member States use the highest levels of assurance for the most critical public sector activities, including defence.

Article 29(4) requires Member States to provide the Commission with the results of these risk assessments within three months of carrying them out, indicating any departures from the Commission's implementing acts.

Penalties and Enforcement

While CADA primarily targets cloud service providers for penalties under Article 24, the obligations on public bodies are enforced through procurement rules and oversight. Article 24 stipulates that Member States must lay down rules on penalties for infringements by cloud providers, ensuring they are effective, proportionate, and dissuasive. For public bodies, non-compliance manifests as the inability to legally procure certain services for high-risk activities. If a public body procures a level 1 service for a high-risk activity identified under Article 29, it violates the procurement mandates of Article 30.

Furthermore, Article 29(5) allows the Commission to adopt implementing acts specifying the required Union assurance levels if it concludes that a Member State's risk assessment does not adequately address public order concerns. This creates a top-down enforcement mechanism where the Commission can override national risk assessments if they are deemed insufficient.

Critical Dependencies on Non-EU Providers

The explanatory memorandum highlights that the EU's dependence on a limited number of non-EU hyperscalers exposes the Union to critical strategic dependencies. These include vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting service continuity, and reduced control over data and infrastructure.

CADA's sovereignty framework, particularly the higher assurance levels triggered by Article 29 risk assessments, is designed to mitigate these risks. For instance, Union assurance level 3 and level 4 (detailed in Annex II of the proposal) require that the provider and subcontractors are not subject to the control of a third country, except under specific derogations for associated third countries meeting strict criteria (Article 18). This effectively excludes most non-EU hyperscalers from providing services for high-risk public sector activities unless they can demonstrate complete operational and legal separation from their third-country parent entities and jurisdictions.

What this means for you

For in-house counsel and compliance officers in the public sector, CADA introduces a proactive, evidence-based compliance obligation rather than a simple vendor blacklist.

  1. Conduct Immediate Gap Analyses: You must review all current and planned cloud computing services used by your organisation. Map these services against the sectors listed in Article 29(1) (NIS2 sectors, defence, justice, etc.). Identify which services support activities contributing to public order.
  2. Prepare for Risk Assessments: Begin drafting internal risk assessment methodologies aligned with the forthcoming Commission implementing acts. Document the sensitivity of data, the criticality of operations, and the specific risks of third-country access or service disruption.
  3. Audit Vendor Assurance Levels: Verify the "Union assurance level" status of your current cloud providers. Check the central repository established under Article 22. If your organisation is identified as high-risk under Article 29, and your provider only holds Level 1 recognition, you will need to migrate.
  4. Plan for Migration: Article 29(6) states that if a risk assessment requires migration to another cloud service, the migration must occur within a reasonable transition period not exceeding 12 months. Start planning exit strategies and data portability measures now to avoid disruption.
  5. Engage with National Competent Authorities: As the national competent authority of establishment oversees the recognition process (Article 25), maintain open lines of communication. They will be responsible for enforcing the assurance level requirements and may provide guidance on risk assessment methodologies.

Common misconceptions

  • "CADA bans all non-EU cloud providers." Incorrect. CADA does not ban non-EU providers outright. However, for high-risk activities identified under Article 29, providers must meet Union assurance levels 2, 3, or 4. Levels 3 and 4 generally prohibit third-country control, making it very difficult for non-EU hyperscalers to qualify unless they establish legally and operationally independent EU entities that meet strict sovereignty criteria (Article 18 and Annex II).
  • "Only national security agencies need to worry about Article 29." Incorrect. Article 29 applies to all public sector bodies whose activities contribute to the preservation of public order. This includes sectors covered by NIS2 (e.g., energy, transport, health) as well as justice, law enforcement, and border management. A municipal health service or transport authority could easily fall under this scope.
  • "Risk assessments are a one-time exercise." Incorrect. Article 29(1) mandates assessments every two years, or whenever necessary. The dynamic nature of cloud services and geopolitical risks means this is an ongoing compliance obligation.
  • "We can ignore this if we use a provider with a GDPR adequacy decision." Incorrect. The explanatory memorandum explicitly states that the EU-US Data Privacy Framework does not remove sovereignty concerns about dependence on third-country providers. CADA's sovereignty framework goes beyond data transfer rules to address operational autonomy and the risk of service disruption or extraterritorial data access.

This is general information about a draft EU regulation, not legal advice.