Summary

Under the proposed Cloud and AI Development Act (CADA), healthcare bodies in the EU would face stricter cloud procurement rules. Most public health services would require a minimum Union Assurance Level 1, while critical health activities deemed to impact public order would likely mandate Union Assurance Levels 2, 3, or 4. Additionally, innovative health-cloud purchases must include "Union added value" criteria, and private healthcare entities in high-criticality sectors can voluntarily conduct impact assessments to mitigate dependency risks.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonised framework for cloud sovereignty and procurement across the European Union. For healthcare bodies, this represents a significant shift from general data protection compliance to explicit sovereignty and operational resilience requirements. The regulation distinguishes between public sector bodies (such as public hospitals and national health services) and private sector entities, applying different obligations to each.

Public Sector Healthcare: Mandatory Assurance Levels

For public healthcare bodies, CADA establishes a baseline requirement for all cloud computing service procurement. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must procure cloud computing services that have been recognised as offering at least Union Assurance Level 1. This ensures a fundamental baseline of trust, including data residency within the Union and basic cybersecurity standards.

However, healthcare is frequently classified as a critical sector. Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must consider sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), which explicitly includes healthcare. If a risk assessment determines that a healthcare activity is critical to public order, Article 30(3) mandates that contracting authorities must only procure cloud computing services recognised as offering Union Assurance Levels 2, 3, or 4.

These higher assurance levels impose stricter criteria, as detailed in Annex II:

  • Level 2: Requires independent audits, EU-based infrastructure and personnel, and restrictions on third-country control. Crucially, it requires a European cybersecurity certificate of at least assurance level "substantial".
  • Level 3: Adds requirements for Union citizenship for personnel (conditional on public body requirements) and stricter software supply chain controls. It also requires a "substantial" cybersecurity certificate.
  • Level 4: The highest level, requiring no third-country control over the provider or subcontractors, strict data localisation for sensitive information, and a European cybersecurity certificate of at least assurance level "high".

Therefore, a public hospital processing critical patient data or managing essential emergency services would likely be required to procure Level 2, 3, or 4 services, depending on the outcome of its national risk assessment.

Private Sector Healthcare: Voluntary Impact Assessments

Private healthcare entities are not subject to the mandatory procurement rules of Article 30. However, CADA recognises their strategic importance. Article 31 allows entities referred to in Annex I of Directive (EU) 2022/2555 (which includes healthcare) that are not public sector bodies to carry out similar assessments to those conducted by public authorities.

These voluntary impact assessments allow private hospitals and health-tech providers to evaluate their exposure to third-country dependencies and service disruption risks. While not mandatory, conducting these assessments helps private entities align with the security expectations of public partners and demonstrates due diligence in protecting sensitive health data. The Commission may also issue guidance on mitigation measures for these private entities operating in high-criticality sectors.

Union Added Value in Innovative Procurement

Beyond sovereignty levels, CADA introduces economic and strategic criteria for procurement. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

For healthcare bodies procuring innovative cloud solutions (e.g., AI-driven diagnostic tools hosted on cloud infrastructure), this means evaluating:

  • The use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union.
  • The contribution to strengthening the security of supply and the European cloud ecosystem.

Under Article 32(2), these criteria must be ancillary and not decisive in the award of the contract, but they provide a structured way for public health bodies to favour European providers and reduce strategic dependencies.

What this means for you

For procurement officers in public healthcare bodies, CADA requires a proactive approach to cloud strategy:

  1. Conduct Risk Assessments: Work with your national competent authority to determine which of your cloud-based health services are considered critical to public order. This will dictate whether you need Level 1 (minimum) or Levels 2–4 (critical) services.
  2. Verify Assurance Levels: Only procure cloud services that are formally recognised in the central repository established by the Commission under Article 22. Ensure providers have the necessary audit reports or statements of conformity.
  3. Update Procurement Documents: Include "Union added value" criteria in your tender documents for innovative cloud and AI projects, as required by Article 32. This supports European suppliers and enhances supply chain resilience.
  4. Plan for Migration: If your current cloud provider does not meet the required assurance level, you must plan a migration within a reasonable transition period. Article 29(6) stipulates that this period shall not exceed 12 months, taking into account technical feasibility and continuity of service.

For private healthcare entities, consider conducting voluntary impact assessments under Article 31 to identify vulnerabilities and prepare for potential future regulatory alignment or partnership requirements with public health systems.

Common misconceptions

  • "All healthcare cloud services must be Level 4."
    • Correction: Level 4 is reserved for the most sensitive data and activities, where the highest degree of autonomy and security is required. Most public health services will likely require Level 1 or Level 2, depending on the specific risk assessment outcome.
  • "CADA replaces GDPR for healthcare data."
    • Correction: CADA complements existing data protection laws. It focuses on sovereignty, operational continuity, and supply chain security, while GDPR remains the primary framework for personal data privacy. Both must be complied with simultaneously.
  • "Private hospitals are exempt from all CADA rules."
    • Correction: While private hospitals are not bound by the mandatory procurement rules of Article 30, they are encouraged to conduct impact assessments under Article 31. Furthermore, if they partner with public health bodies, they may need to align with the same assurance levels to ensure interoperability and trust.
  • "Level 2 and Level 3 require 'high' cybersecurity certification."
    • Correction: Under Annex II, both Level 2 and Level 3 require a cybersecurity certificate of at least assurance level "substantial". Only Level 4 requires the "high" assurance level.

This is general information about a draft EU regulation, not legal advice.