Summary
Under the proposed Cloud and AI Development Act (CADA), a national government Chief Information Officer (CIO) faces a new statutory duty: leading mandatory risk assessments to determine the appropriate cloud sovereignty level for public sector activities. Article 29(1) requires Member States to inventory activities contributing to the preservation of "public order" and assign them Union assurance levels 2, 3, or 4. Article 29(4) mandates that the results of these assessments be reported to the European Commission within three months of completion. This process transforms cloud procurement from a technical decision into a strategic, legally binding exercise in preserving public order, requiring cross-agency coordination and strict adherence to Commission methodology.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a rigorous framework for cloud sovereignty. For a national government CIO, the centerpiece of this obligation is the risk assessment mechanism detailed in Article 29. This provision is not merely a compliance checkbox; it is the foundational step that dictates which cloud providers can be legally procured for sensitive government functions. Failure to correctly classify an activity could result in the procurement of non-compliant services, exposing the state to legal and operational risks.
The Mandate to Assess and Classify
Article 29(1) establishes the core obligation for Member States and Union entities. It requires that risk assessments be carried out within one year of the Regulation's entry into force, and thereafter every two years, or whenever necessary. These assessments serve two primary goals:
- Identify Public Order Activities: The CIO must map out which public sector activities use or will use cloud computing services that contribute to the preservation of public order. The text explicitly identifies sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as specific areas including national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
- Determine Assurance Levels: For each identified activity, the assessment must determine which Union assurance level (Level 2, 3, or 4) is appropriate. These levels correspond to increasing degrees of sovereignty, with Level 4 offering the highest protection against third-country control and data access.
This classification is critical because it directly drives procurement rules under Article 30. Contracting authorities whose activities are identified as contributing to public order must only procure cloud services recognized as offering the specific Union assurance level determined by the risk assessment (Levels 2, 3, or 4). Conversely, activities not identified as contributing to public order must, as a minimum requirement, use services recognized at Union assurance level 1.
Methodology and Reporting Obligations
The assessment is not left to arbitrary national interpretation. Article 29(3) specifies that the Commission will issue implementing acts detailing the methodology, templates, and elements to be taken into account. This ensures a harmonized approach across the EU, preventing fragmentation. The methodology will specify how Member States must use the highest level of assurance for the most critical public sector activities, including defence.
Once the assessment is complete, transparency and oversight are enforced through Article 29(4). Member States must provide the Commission with the results of their risk assessments within three months of carrying them out. Crucially, this report must indicate where the Member State departs from the Commission's implementing acts. This creates a direct line of accountability between national CIOs and the European Commission, ensuring that national strategies align with the Union's broader sovereignty goals.
Coordination and Joint Assessments
The legislation acknowledges that public sector activities often span multiple agencies or levels of government. Article 29(1) explicitly states that where Union entities and Member States share responsibilities in relation to public sector activities, they shall, where appropriate, consider carrying out the relevant risk assessments jointly.
For a national CIO, this implies a need for robust cross-agency coordination. Siloed IT departments cannot independently assess risks if data flows or services are shared across ministries (e.g., between Justice and Interior, or Defence and Health). The CIO must facilitate a whole-of-government approach to ensure consistent classification of data sensitivity and cloud requirements. This coordination is essential to avoid conflicting assurance levels for the same data or service across different parts of the government.
Consequences of Assessment: Migration and Multi-Cloud
The outcome of the risk assessment has immediate operational consequences. Article 29(6) addresses the scenario where an assessment reveals that a current cloud provider does not meet the required assurance level. In such cases, the Member State or Union entity must migrate to a compliant provider. This migration must occur within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service, and data portability requirements.
Furthermore, Article 29(9) requires that risk assessments consider whether a multi-vendor or multi-cloud strategy is appropriate as part of the procurement of cloud computing services. This is a direct response to the risks of vendor lock-in and single points of failure. The CIO must evaluate whether diversifying cloud providers enhances resilience and aligns with the sovereignty objectives of the assessment.
Commission Oversight and Correction
The Commission retains oversight powers to ensure the integrity of the sovereignty framework. Article 29(5) allows the Commission to review the results of a Member State's risk assessment. If the Commission concludes that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the correct Union assurance levels for the public sector activity. This provision acts as a safeguard against under-assessment of risks by national authorities, ensuring that critical infrastructure is protected to the Union's standard.
What this means for you
For a national government CIO, Article 29 transforms your role from IT manager to strategic risk officer. You are no longer just selecting the most cost-effective or technically capable cloud provider; you are legally responsible for mapping the entire digital landscape of your government to identify what constitutes "public order" and ensuring the correct sovereignty level is applied.
Immediate Actions Required:
- Inventory Your Assets: You must conduct a comprehensive inventory of all cloud computing services currently in use and planned for future use. Categorize them by the data they process and the public services they support.
- Map to NIS2 and Security Domains: Identify which services fall under the NIS2 Directive's critical sectors, as well as national security, defence, justice, and law enforcement. These are the high-risk areas requiring Levels 2–4 assurance.
- Establish a Cross-Agency Task Force: Given the requirement for joint assessments where responsibilities are shared, you must coordinate with heads of security, defence, and justice departments. Siloed assessments will lead to compliance failures.
- Prepare for Reporting: Build internal processes to document your risk assessment methodology and results. You must be ready to submit this to the Commission within three months of completion, including any justifications for deviating from Commission guidelines.
- Plan for Migration: If your current cloud providers do not hold the required Union assurance level for your critical activities, begin planning a migration strategy immediately. You have a maximum of 12 months to transition, so early engagement with sovereign cloud providers is essential.
Common misconceptions
Misconception 1: "This is just another cybersecurity audit." While cybersecurity is a component, CADA risk assessments are fundamentally about sovereignty and public order. A service can be highly secure (cyber-resilient) but still fail a CADA risk assessment if it is controlled by a third country that could potentially access data or disrupt service. The assessment focuses on legal and operational autonomy, not just technical security controls.
Misconception 2: "Only the Ministry of Defence needs to worry about this." While defence and national security are explicitly mentioned, the scope is much broader. Any public sector activity that contributes to public order, including healthcare, critical infrastructure management (under NIS2), and law enforcement, requires a risk assessment. Even non-critical activities must use at least Level 1 assurance, meaning no public body is exempt from the framework.
Misconception 3: "We can keep our current providers if they are EU-based." Being EU-based is not sufficient for Levels 2–4. Providers must be formally recognized as offering the specific Union assurance level. This requires independent audits (for Levels 2–4) and compliance with strict criteria regarding data location, personnel citizenship, and absence of third-country control. An EU-based provider without formal recognition cannot be used for activities requiring higher assurance levels.
Related
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
- When is the first CADA risk assessment due?
- What triggers cloud migration after a CADA risk assessment?
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
- What public sector activities must be identified in a CADA risk assessment?
This is general information about a draft EU regulation, not legal advice.