Summary

The proposed Cloud and AI Development Act (CADA) does not replace the European Health Data Space (EHDS) Regulation but adds a mandatory sovereignty layer for public sector cloud procurement. Hospitals and health data holders must continue to comply with EHDS rules for primary and secondary health data use, but when procuring or migrating cloud infrastructure, they must now conduct risk assessments under Article 29 of CADA. Given the inherent sensitivity of health data, these assessments will likely trigger higher sovereignty assurance levels, potentially requiring providers to meet Union assurance levels 3 or 4. This creates a dual-compliance landscape where EHDS data governance intersects with CADA's strategic autonomy requirements.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a harmonized framework for cloud sovereignty across the EU. For hospitals and health data holders, the critical interaction is between CADA's public procurement rules and the existing obligations under the European Health Data Space (EHDS) Regulation. CADA does not repeal or supersede EHDS; rather, it operates alongside it. While EHDS governs how health data is accessed, shared, and used, CADA governs where the infrastructure hosting that data is located, who controls it, and the resilience of the supply chain.

The Dual Compliance Landscape: EHDS and CADA

Under the EHDS Regulation, health data holders (such as hospitals) and health data processors have specific duties regarding the primary use of health data (for care purposes) and secondary use (for research, public health, etc.). These duties include strict consent management, data minimization, and cybersecurity standards. CADA does not alter these primary and secondary use obligations. Hospitals must still adhere to EHDS protocols for data access, patient rights, and cross-border data exchange.

However, CADA introduces a new constraint on how the underlying cloud infrastructure is procured and managed. Title IV of CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. Article 30 of CADA mandates that public sector bodies, including hospitals acting as contracting authorities, must procure cloud computing services that have been recognized as offering at least Union assurance level 1.

Article 29 Risk Assessments for Health Sectors

The pivotal provision for hospitals is Article 29 of CADA, which requires Member States and Union entities to carry out risk assessments to determine the appropriate sovereignty level for their activities.

Article 29(1) states that by one year after CADA's entry into force, Member States and Union entities shall carry out risk assessments that:

"(a) identify the public sector activities that use or will make use of cloud computing services, that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence; (b) determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."

While health care is not explicitly listed in Article 29(1)(a) alongside defense or law enforcement, the risk assessment methodology in Article 29(2) requires assessing:

"(a) the sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects;"

Health data is inherently highly sensitive and critical. The recitals of CADA (Recital 63) emphasize that risk assessments must consider the "sensitivity, criticality and magnitude of personal and non-personal data processed." Consequently, national risk assessments conducted by Member States are likely to classify health sector activities as contributing to public order due to the critical nature of healthcare infrastructure and the sensitivity of patient data.

Implications for Assurance Levels 3 and 4

If a hospital's cloud activities are deemed to contribute to public order under Article 29, Article 30(3) mandates stricter procurement rules:

"Contracting authorities... whose activities have been identified as contributing to the preservation of public order... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

For sensitive health workloads, such as those involving genomic data, mental health records, or critical care infrastructure, the risk assessment will likely point toward Union assurance levels 3 or 4.

  • Level 3 Criteria (Annex II, Section 3.1): Requires that the provider and subcontractors are established in the Union, infrastructure and personnel are located in the Union, and customer data remains exclusively within the Union. Crucially, Annex II, Section 3.1(d) mandates that "the personnel... are Union citizens and where appropriate, the personnel must also have the necessary national security clearance." It also mandates that the provider is not subject to the control of a third country, unless specific derogations apply under Article 18 (Associated third countries), which requires a Commission implementing act.
  • Level 4 Criteria (Annex II, Section 4.1): Imposes even stricter requirements, including that sensitive data identified via risk assessment remains exclusively within the Union, and that the provider and subcontractors are not subject to third-country control. It also requires a European cybersecurity certificate of at least assurance level 'high' (Annex II, Section 4.1(e)), whereas Level 3 requires a 'substantial' certificate (Annex II, Section 3.1(e)).

This means hospitals may be legally barred from using cloud services controlled by non-EU entities for their most sensitive workloads, even if those services are currently compliant with EHDS cybersecurity standards.

What this means for you

For public-sector procurement officers and hospital IT directors, the overlap between CADA and EHDS requires a strategic shift in cloud infrastructure planning.

  1. Conduct Dual Assessments: You must continue to perform EHDS-compliant data protection impact assessments for health data use. Simultaneously, you must participate in or conduct the national risk assessments mandated by Article 29 of CADA. Document the sensitivity and criticality of your health data workloads explicitly, as this documentation will determine your required assurance level.
  2. Review Current Contracts: Audit existing cloud contracts. If your current provider is controlled by a third-country entity, you may need to migrate sensitive health workloads to a provider recognized under Union assurance level 3 or 4. Article 29(6) provides a transition period, stating that if a risk assessment requires migration, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months.
  3. Procurement Criteria: Update your tender documents for cloud services. Under Article 32, you must include non-price award criteria that evaluate the tenderer's contribution to the European cloud and AI ecosystem. This includes evaluating the extent to which hardware and software are designed or manufactured in the Union.
  4. Multi-Cloud Strategies: Consider a multi-cloud approach as suggested in Article 29(9). By distributing workloads across different providers, you can mitigate the risk of vendor lock-in and ensure that critical health data is hosted on sovereign infrastructure while less sensitive administrative data might remain on lower-assurance platforms.

Common misconceptions

Misconception 1: CADA replaces EHDS cybersecurity rules. This is incorrect. CADA focuses on sovereignty, supply chain resilience, and public order. EHDS focuses on data access, patient rights, and technical cybersecurity. A cloud provider can be EHDS-compliant but fail to meet CADA's Union assurance level 3 or 4 criteria if it is controlled by a third-country entity. You must comply with both.

Misconception 2: All hospital cloud services must meet Level 4. Not necessarily. CADA employs a risk-based approach. Only activities identified as contributing to public order under Article 29 require levels 2, 3, or 4. Administrative or non-sensitive health data might only require Level 1. However, given the nature of health data, expect most clinical workloads to be classified as high-sensitivity, pushing them toward Levels 3 or 4.

Misconception 3: The transition period is unlimited. It is not. Article 29(6) sets a maximum transition period of 12 months for migration once a risk assessment determines a need to move to a different assurance level. Hospitals must plan migrations proactively to avoid service disruption.

Misconception 4: Level 3 and Level 4 have the same cybersecurity requirements. They do not. While both require a European cybersecurity certificate, Annex II, Section 3.1(e) requires Level 3 to have a certificate of at least assurance level 'substantial', whereas Annex II, Section 4.1(e) requires Level 4 to have a certificate of at least assurance level 'high'.

This is general information about a draft EU regulation, not legal advice.