Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector cloud buyers face a mandatory, risk-driven procurement framework. As proposed in Article 29, Member States and Union entities must conduct risk assessments to identify which activities contribute to the "preservation of public order." The outcome of this assessment dictates the minimum Union assurance level (1, 2, 3, or 4) that must be procured under Article 30. If a current service fails to meet the required level, Article 29(6) imposes a strict obligation to migrate to a compliant provider within a transition period that shall not exceed 12 months.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally shifts public-sector cloud procurement from a market-driven choice to a sovereignty-driven obligation. The mechanism linking the two is the risk assessment. This process ensures that the level of cloud sovereignty matches the sensitivity of the public function being performed.

The Mandatory Risk Assessment (Article 29)

Article 29 establishes the legal requirement for Member States and Union entities to carry out risk assessments. These are not optional strategic reviews but binding compliance steps. The Regulation mandates that these assessments be conducted:

  • Within one year of the Regulation's entry into force;
  • Every two years thereafter;
  • Whenever necessary due to changing circumstances.

The primary objective, as defined in Article 29(1), is twofold:

  1. Identify Public Order Activities: Determine which public-sector activities use or will use cloud computing services that "contribute to the preservation of public order." This explicitly includes sectors listed in Annex I or II of Directive (EU) 2022/2555 (NIS2) and specific areas such as "national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."
  2. Determine the Required Assurance Level: Based on the findings, the authority must determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.

Article 29(2) specifies the factors buyers must consider during this assessment. These include:

  • The "sensitivity, criticality, and magnitude" of both personal and non-personal data processed.
  • The "risk and consequent impact on public order of unlawful access" to such data by a third country or a legal entity established in a third country.
  • The "risk and consequent impact on public order of possible service disruption."

While the Commission will provide implementing acts to specify the methodology and templates, the ultimate responsibility for the assessment lies with the Member State or Union entity. However, Article 29(5) grants the Commission the power to intervene: if the Commission concludes that a Member State's identified assurance level is "not appropriate or does not adequately address the public order concerns," it may adopt implementing acts to specify the required level.

Procurement Obligations Linked to Assessment Results (Article 30)

The results of the Article 29 risk assessment directly trigger the procurement rules in Article 30. This article creates a binary procurement regime based on whether an activity has been flagged as contributing to public order.

1. The Baseline: Union Assurance Level 1

For all public-sector bodies and Union entities whose activities have not been identified as contributing to the preservation of public order, Article 30(2) mandates a minimum requirement. These entities "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1." This establishes a Union-wide baseline of sovereignty for all public cloud usage, ensuring that even non-critical administrative functions are not served by providers with no Union assurance recognition.

2. The Enhanced Requirement: Levels 2, 3, or 4

For contracting authorities whose activities have been identified as contributing to the preservation of public order under the Article 29 risk assessment, the rules are stricter. Article 30(3) states that these authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4."

The specific level (2, 3, or 4) is determined by the risk assessment outcome. For example, a law enforcement agency might determine that its case management system requires Level 3 or 4 due to the sensitivity of classified data, whereas a public health data repository might require Level 2. The procurement documents must explicitly reflect this minimum requirement.

3. Limited Derogations

Article 30(4) provides narrow, exceptional derogations where a contracting authority may decide not to procure a recognized service. These apply only if:

  • The subject matter cannot be supplied by recognized services available in the central repository, and no adequate alternative exists (provided this is not the result of artificially narrowing parameters);
  • A similar procurement process was launched within the previous year but received no suitable tenders; or
  • Applying the requirements would result in "disproportionate cost."

These exceptions are strictly construed and require due justification.

The Migration Obligation: A 12-Month Clock

Perhaps the most immediate operational impact for buyers with existing contracts is the migration obligation found in Article 29(6).

If a risk assessment determines that a current cloud service does not meet the required Union assurance level, the Member State or Union entity is legally bound to migrate. The Regulation states: "Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months."

This 12-month cap is not a suggestion; it is a hard deadline. The period must take into account "technical feasibility, continuity of service and data portability requirements applicable to such migration." This provision effectively prevents the indefinite extension of legacy contracts with non-compliant third-country providers. Once the risk assessment is finalized and the required level is set, the clock starts ticking.

What this means for you

For public-sector procurement officers, IT directors, and legal counsel, CADA transforms cloud strategy into a compliance exercise. The following steps are essential preparation:

1. Map Your Activities to Public Order Criteria

Before the Regulation enters into force, begin mapping your current cloud usage against the criteria in Article 29(1). Identify which services support activities in "national security, internal security, external border management, defence, justice or law enforcement." If your organization handles data in these sectors, you are likely in the "public order" category, triggering the need for Level 2, 3, or 4 assurance.

2. Prepare for the Article 29 Assessment

Once the Regulation is active, you must conduct the formal risk assessment. This is not a generic IT risk review; it is a specific sovereignty assessment. You must evaluate:

  • The sensitivity and magnitude of your data.
  • The specific risk of third-country access or service disruption.
  • The impact of such risks on public order.

Use the Commission's forthcoming templates to ensure your assessment aligns with the required methodology.

3. Align Procurement Specifications with Article 30

Your tender documents must explicitly state the minimum Union assurance level required.

  • Non-public order activities: Specify "Union assurance level 1" as a mandatory minimum.
  • Public order activities: Specify the exact level (2, 3, or 4) determined by your risk assessment.

Failure to include these mandatory minimums in your procurement documents would constitute a breach of Article 30.

4. Execute the Migration Plan Immediately

If your current provider does not hold the necessary recognition, you must initiate a migration plan. Article 29(6) gives you a maximum of 12 months to complete this transition. Do not wait for the deadline to approach. Assess data portability, technical dependencies, and continuity risks now. The 12-month period is designed to be "reasonable," but it is a hard cap; failure to migrate within this timeframe would leave the authority in violation of the Regulation.

5. Monitor the Central Repository

Under Article 30, only services recognised and listed in the central repository established under Article 22 may be procured. Regularly check this repository to identify eligible providers for your required assurance level. If no providers exist for a specific level, you may need to invoke the derogation in Article 30(4), but this requires strong justification that the absence is not due to artificial narrowing of parameters.

Common misconceptions

"All public sector cloud usage requires the highest assurance level (Level 4)."

  • Reality: No. CADA is proportionate. Article 30(2) explicitly sets Union assurance level 1 as the baseline for activities not contributing to public order. Only activities identified under Article 29 as contributing to the preservation of public order require the higher tiers (2, 3, or 4), and the specific tier is set by the risk assessment, not automatically the highest.

"We can keep our current non-EU provider if we sign a strong contract."

  • Reality: Not if the risk assessment mandates a higher assurance level. Article 30 requires the procurement of services recognized as meeting specific Union assurance levels. Contractual safeguards alone do not grant this recognition. If your current provider is not recognized at the required level, you must migrate within the 12-month transition period.

"The risk assessment is a one-time event."

  • Reality: Article 29(1) requires assessments to be repeated every two years, or whenever necessary. As your data sensitivity, threat landscape, or operational needs change, your required assurance level may change, potentially triggering new procurement or migration obligations.

"The 12-month migration period is flexible."

  • Reality: Article 29(6) states the transition period "shall not exceed 12 months." While it must be "reasonable" regarding technical feasibility, the 12-month cap is a statutory limit. Authorities cannot extend this period indefinitely to avoid migration.

This is general information about a draft EU regulation, not legal advice.