Summary

Under the proposed Cloud and AI Development Act (CADA), public authorities must conduct risk assessments not only on a fixed two-year cycle but also "whenever necessary" to ensure the continued protection of public order. This event-driven trigger mandates immediate reassessment when material changes occur, such as the emergence of new third-country threats, a change in cloud provider or subcontractor structure, or the reclassification of a public sector activity. Waiting for the next biennial review in the face of such changes would constitute non-compliance with Article 29(1) of the proposal.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous framework for the procurement of cloud computing services by public authorities. Central to this framework is the obligation for Member States and Union entities to perform risk assessments to determine the appropriate Union assurance level (1, 2, 3, or 4) required for their specific activities.

Article 29(1) of the proposal explicitly sets the timeline for these assessments:

"By [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary, Member States and Union entities shall carry out risk assessments..."

While the "every two years" provision establishes a regular baseline for compliance, the phrase "whenever necessary" introduces a critical, event-driven obligation. This clause ensures that the validity of a risk assessment is not fixed by time alone. If the circumstances underpinning the original risk profile change materially, the assessment is no longer accurate. Consequently, a new assessment must be conducted immediately to maintain compliance with the regulation's public-order protections.

What constitutes "whenever necessary"?

The proposal does not provide an exhaustive, closed list of triggers within Article 29 itself. However, the context of the sovereignty framework (Title IV), the specific criteria for Union assurance levels in Annex II, and the risk factors listed in Article 29(2) clarify what constitutes a material change requiring immediate action. A new assessment is triggered when any factor influencing the required Union assurance level is altered.

Key scenarios that would likely trigger a "whenever necessary" reassessment include:

1. Emergence of New Threats or Intelligence

Article 29(2)(b) requires authorities to consider "the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country." The risk landscape shifts, and the clause is activated, when new intelligence shows that a specific third country has enacted laws allowing broader access to data (for example, legislation similar to the US CLOUD Act that compels data disclosure), when a specific cloud architecture is found to be vulnerable to new types of cyber-attack, or when a geopolitical event increases the risk of service disruption. Authorities must update their assessments to reflect these new threats immediately, rather than waiting for the biennial cycle.

2. Changes in the Cloud Provider or Service Architecture

The sovereignty of a cloud service depends heavily on the provider's legal structure, infrastructure location, and subcontractor network. If a provider changes its infrastructure, subcontractors, or legal structure, the sovereignty guarantees may be affected.

  • Subcontractor and Ownership Changes: If a provider previously recognized for Union assurance level 2 begins using a subcontractor located outside the Union without adequate safeguards, or if the provider is acquired by a third-country entity, the operational autonomy and data confidentiality criteria in Annex II may no longer be met.
  • Failure to Meet Assurance Criteria: If a provider fails to maintain the "state-of-the-art cybersecurity standards" required for its assurance level, or is found to be in breach of the criteria (e.g., allowing data to be used for training third-country AI models), the authority must reassess. In such cases, the authority cannot rely on the previous assessment; a new one is necessary to verify whether the service still meets the required assurance level.

3. Reclassification of the Public Sector Activity

Article 29(1)(a) requires authorities to identify activities that "contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement." If a specific public sector activity is reclassified as having a higher impact on public order, the required assurance level may increase. For instance, if a national directive reclassifies a specific health data processing activity as critical infrastructure, or if a local authority takes on new responsibilities in border management, the associated cloud services must be reassessed. The shift from a low-risk category to a high-risk category (such as defence or justice) necessitates a new assessment to ensure the services meet the higher sovereignty standards (potentially Level 3 or 4).

4. Changes in the Nature of the Data or Service

Article 29(2)(a) mandates that authorities consider the "sensitivity, criticality, and magnitude of the non-personal data processed... as well as the risk... for the rights and freedoms of data subjects." If a public authority begins processing more sensitive data than originally anticipated, the risk profile changes. For example, if a local government initially uses a cloud service for general administrative tasks (potentially requiring only Union assurance level 1) but later decides to store health records, law enforcement data, or classified information, the sensitivity and criticality have increased. This shift necessitates a new assessment to determine if a higher assurance level is now required.

5. Migration or Significant Technical Changes

If an authority plans to migrate to a new cloud environment or significantly alters the current service configuration (e.g., changing data residency rules or introducing new AI tools), a new assessment is necessary. This ensures that the new environment meets the specific assurance levels determined for the authority's activities. Article 29(6) further reinforces this by requiring migration within a "reasonable transition period" (not exceeding 12 months) if a risk assessment requires a change in service.

The Role of the Commission and Guidance

To ensure consistency across the Union, Article 29(3) empowers the Commission to specify the methodology, templates, and elements to be taken into account for these risk assessments. This guidance will help authorities determine what constitutes a "necessary" reassessment. Furthermore, Article 29(5) allows the Commission to intervene if it concludes that an authority's identified assurance level is inappropriate or does not adequately address public order concerns, potentially specifying the required levels through implementing acts. This top-down oversight reinforces the need for authorities to be proactive in updating their assessments when conditions change.

What this means for you

For public-sector procurement officers, IT managers, and legal counsel, the "whenever necessary" clause transforms risk assessment from a static compliance exercise into a dynamic, ongoing governance process.

  • Establish Continuous Monitoring: You must monitor your cloud contracts and the services you use for material changes. This includes tracking provider news, geopolitical developments affecting data sovereignty, and internal changes in data usage. Do not rely solely on the biennial calendar.
  • Document Triggers Rigorously: Keep a detailed record of why and when you conduct an ad-hoc assessment. If auditors question why a new assessment was done outside the two-year cycle, you must be able to demonstrate the specific material change (e.g., "New third-country law enacted on [Date]" or "Provider acquired by non-EU entity on [Date]") that triggered it.
  • Plan for Migration: If an assessment reveals that your current provider no longer meets the required assurance level, Article 29(6) requires you to migrate to a compliant service within a "reasonable transition period" that shall not exceed 12 months. Early detection via timely assessments is crucial to avoid rushed, costly migrations or service interruptions.
  • Cross-Functional Engagement: Determining "necessity" often requires input from legal counsel (regarding data protection and third-country laws) and cybersecurity experts (regarding threat landscapes). Do not rely solely on IT procurement teams to identify these triggers.

Common misconceptions

Misconception 1: "I only need to assess every two years." This is incorrect. The two-year cycle is the maximum interval for routine reviews. If a significant change occurs in month three, you must assess immediately. Waiting for the next biennial review could leave your organization non-compliant and vulnerable to public order risks.

Misconception 2: "Minor updates to the software don't require a new assessment." While minor bug fixes or routine patches may not trigger a reassessment, changes that affect the sovereignty criteria (such as data storage location, access controls, subcontractor involvement, or the introduction of third-country AI training) do. You must evaluate whether the change impacts the criteria in Annex II.

Misconception 3: "The provider's certification is enough." A provider's recognition for a Union assurance level is a prerequisite, but it does not replace the authority's risk assessment. The authority must still determine which level is appropriate for its specific activities. If the authority's needs change, the assessment must change, even if the provider's certification remains valid.

Misconception 4: "Only high-risk sectors need to worry about this." All public sector bodies must conduct risk assessments. Even if your activities are not classified as high-risk, you must still determine the appropriate assurance level (minimum Level 1) and reassess if your data or services change. The "whenever necessary" clause applies to all contracting authorities.

This is general information about a draft EU regulation, not legal advice.