Summary

As proposed, the Cloud and AI Development Act (CADA) introduces a mandatory sovereignty framework that sits alongside, rather than replaces, existing GDPR and NIS2 obligations for public-sector buyers. Contracting authorities must conduct risk assessments under Article 29 to determine the appropriate Union assurance level for their cloud services, with a mandatory minimum of Union assurance level 1 applying across all public sector procurement. For activities identified as contributing to the preservation of public order, procurement is restricted to Union assurance levels 2, 3, or 4.

Detail

For public-sector procurement officers, the introduction of CADA represents a significant shift in how cloud and AI services are evaluated. While the General Data Protection Regulation (GDPR) and the Network and Information Security Directive 2 (NIS2) remain the primary legal bases for data protection and cybersecurity compliance, CADA adds a distinct layer focused on technological sovereignty and operational autonomy. It addresses risks that GDPR and NIS2 do not fully cover, such as the extraterritorial reach of third-country laws and the potential for service disruption by non-EU providers.

CADA does not replace GDPR or NIS2

It is crucial to understand that CADA is complementary to existing EU digital law. The proposal explicitly states that it is consistent with existing rules on the processing of personal data, including the GDPR, and complements the cybersecurity risk management improvements introduced by NIS2.

  • GDPR Continues to Apply: GDPR governs the lawfulness, fairness, and transparency of personal data processing. CADA does not provide a new legal basis for data processing. If a cloud service processes personal data, the buyer must still comply with all GDPR requirements, including data protection impact assessments and appropriate technical and organizational measures. CADA's sovereignty criteria may help demonstrate compliance with GDPR's requirements for adequate security, but they do not substitute for GDPR compliance.
  • NIS2 Duties Remain Unchanged: NIS2 focuses on technical cybersecurity risk management for entities in essential and important sectors. CADA goes further by addressing "sovereignty" risks, such as the risk of a third-country government compelling a cloud provider to disrupt service or access data. A cloud service can be NIS2-compliant (secure against hackers) but still fail CADA's sovereignty criteria if it is controlled by a third-country entity with extraterritorial data access laws.

The Mandatory Risk Assessment (Article 29)

The cornerstone of CADA's demand-side measures for the public sector is the obligation to conduct risk assessments. Under Article 29, Member States and Union entities must carry out risk assessments within one year of the Regulation's entry into force, and subsequently every two years, or whenever necessary.

These assessments serve two primary purposes:

  1. Identify Public Order Relevance: They identify public sector activities that contribute to the preservation of public order. This includes sectors listed in Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defense, justice, and law enforcement.
  2. Determine the Assurance Level: The risk assessment determines which Union assurance level (2, 3, or 4) is appropriate for the identified activities. The assessment must consider:
    • The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
    • The risk of unlawful access to data by a third country or a legal entity established in a third country.
    • The risk of possible service disruption.

The Commission will provide guidance and methodology for these assessments to ensure consistency across the Union. If the Commission concludes that a Member State's chosen assurance level is inappropriate, it may adopt implementing acts to specify the correct level.

Procurement Tiers Based on Risk (Article 30)

Once the risk assessment is complete, Article 30 dictates the procurement rules. The proposal establishes a tiered system based on the results of the Article 29 assessment:

  • Minimum Standard (Union Assurance Level 1): For all contracting authorities whose activities have not been identified as contributing to the preservation of public order, the use of cloud computing services recognized as having Union assurance level 1 is mandatory. This creates a baseline of trust and sovereignty for the entire public sector.
  • Higher Assurance Levels (Union Assurance Levels 2, 3, or 4): Contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., defense, law enforcement, critical infrastructure) must procure only cloud computing services recognized as having Union assurance level 2, 3, or 4.

The specific criteria for these levels are detailed in Annex II of the proposal. For instance, Level 1 requires the provider to be established in the Union and data to remain in the Union. Higher levels introduce stricter requirements, such as Union citizenship for personnel, higher cybersecurity certification levels, and stricter controls on third-country influence.

Derogations and Multi-Cloud Strategies

Article 30 includes limited derogations. Contracting authorities may decide not to procure a recognized service if:

  • No adequate or reasonable alternative exists in the central repository of recognized services.
  • A similar procurement process was launched within the previous year without suitable tenders.
  • Applying the requirements would result in disproportionate costs.

Furthermore, Article 29 encourages buyers to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their risk assessment to enhance resilience and limit dependency on a single provider.

What this means for you

For public-sector procurement officers, CADA introduces a new, mandatory step in your procurement lifecycle that runs parallel to your existing GDPR and NIS2 compliance checks.

  1. Update Your Risk Assessment Framework: You must integrate CADA's sovereignty criteria into your existing risk management processes. Your next risk assessment (due within one year of CADA's entry into force) must explicitly evaluate the risk of third-country control and service disruption, not just technical cybersecurity or data privacy.
  2. Map Your Services to Assurance Levels: You need to classify your cloud and AI services based on the Article 29 assessment. If your department handles critical public order functions, you cannot simply buy the cheapest or most feature-rich cloud service; it must be recognized at Level 2, 3, or 4. For all other activities, Level 1 is the new mandatory minimum.
  3. Check the Central Repository: When drafting tender specifications, you must reference the Commission's central repository of recognized cloud services. You will only be able to award contracts to providers listed in this repository with the appropriate assurance level.
  4. Do Not Drop GDPR/NIS2 Compliance: Continue to fulfill all GDPR data protection impact assessments and NIS2 cybersecurity reporting obligations. CADA does not relieve you of these duties. Instead, view CADA's sovereignty certification as an additional layer of assurance that supports your overall security and compliance posture.
  5. Plan for Migration: If your current cloud providers do not meet the required Union assurance levels, Article 29 allows for a reasonable transition period of up to 12 months for migration. Start identifying compliant alternatives early.

Common misconceptions

  • "CADA replaces the GDPR."
    • Correction: CADA and GDPR address different risks. GDPR protects individual privacy rights; CADA protects public order and operational autonomy from third-country influence. You must comply with both.
  • "NIS2 certification is enough for CADA compliance."
    • Correction: NIS2 focuses on technical cybersecurity resilience. CADA's Union assurance levels include NIS2-relevant cybersecurity standards but also add strict sovereignty criteria, such as data localization, personnel citizenship, and freedom from third-country legal control. A service can be NIS2-compliant but fail CADA's sovereignty audit.
  • "I only need to worry about CADA if I am in defense or law enforcement."
    • Correction: While higher assurance levels (2-4) are for critical public order sectors, Union assurance level 1 is mandatory for all public sector bodies. Every public-sector buyer must procure services that meet at least this baseline sovereignty standard.
  • "I can ignore CADA until it is fully adopted."
    • Correction: While CADA is currently a proposal, the Commission is already developing guidance and the central repository. Early preparation, such as mapping your current cloud usage against the proposed criteria, will prevent rushed and costly migrations once the regulation enters into force.

This is general information about a draft EU regulation, not legal advice.