Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities are legally required to conduct risk assessments to determine the appropriate Union assurance level for public sector cloud activities. Article 29(2) mandates that these assessments consider three minimum factors: (a) the sensitivity, criticality, and magnitude of the data processed; (b) the risk of unlawful third-country access to that data; and (c) the risk of service disruption. These assessments are the gateway to procurement compliance: if an activity is deemed to contribute to public order, authorities must procure cloud services recognised at Union assurance levels 2, 3, or 4.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a sovereign cloud framework designed to reduce dependencies on third-country providers and ensure operational autonomy for the Union. Central to this framework is the obligation for public sector bodies to conduct structured, recurring risk assessments. These assessments are not merely administrative formalities; they are the decisive mechanism that triggers specific procurement mandates under Article 30.
The Legal Basis: Article 29 Obligations
Article 29, titled "Risk assessments," places the primary burden on Member States and Union entities (including EU institutions, bodies, offices, and agencies). As proposed, these entities must carry out risk assessments within one year of the regulation's entry into force, and subsequently every two years, or whenever necessary.
The purpose of these assessments is twofold:
- To identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement.
- To determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.
While the scope of activities subject to these assessments is broad, the specific factors that must be considered during the assessment are explicitly defined in Article 29(2). The provision states that Member States and Union entities "shall consider at least" the following aspects. This phrasing is critical: it establishes a floor, not a ceiling. Authorities may consider additional factors based on their specific national contexts or sectoral risks, but they cannot ignore these three core elements.
Factor 1: Sensitivity, Criticality, and Magnitude of Data
The first mandatory consideration is the nature of the data being processed. Article 29(2)(a) requires assessors to evaluate:
"the sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects."
This factor moves beyond simple data classification (e.g., "public" vs. "confidential"). It requires a holistic, multi-dimensional view of the data ecosystem:
- Sensitivity: This assesses the potential damage resulting from data exposure. It encompasses commercially sensitive information, operationally critical data, and personal data protected under the GDPR. The assessment must determine how damaging a breach would be to the public interest.
- Criticality: This evaluates the essentiality of the data to the functioning of the public service. If the data is lost, corrupted, or rendered inaccessible, can the service continue to operate? High criticality implies that the data is a linchpin for essential functions.
- Magnitude: This considers the volume and breadth of the data. Large-scale datasets, even if individually low-risk, may present systemic risks when aggregated.
- Impact on Public Order: Crucially, the assessment must explicitly link the data processing to the potential impact on public order. This connects directly to CADA's overarching goal of protecting the Union's sovereignty and stability.
- Rights and Freedoms: For personal data, the assessment must align with GDPR principles, specifically considering the "risk of varying likelihood and severity for the rights and freedoms of data subjects." This ensures that CADA risk assessments do not conflict with existing data protection obligations but rather reinforce them in the context of sovereignty.
Factor 2: Risk of Unlawful Third-Country Access
The second factor addresses the core sovereignty concern driving the CADA proposal. Article 29(2)(b) requires the consideration of:
"the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country."
This provision directly responds to the extraterritorial reach of laws from non-EU jurisdictions, such as the US CLOUD Act, which can compel cloud providers to hand over data stored in their custody, regardless of where the data is physically located. The risk assessment must evaluate:
- Legal Exposure: Is the cloud provider subject to the jurisdiction of a third country that has laws allowing access to data? The assessment must consider whether such access would be "unlawful under Union law," meaning it conflicts with EU fundamental rights or data protection frameworks.
- Unlawful Access: What is the likelihood that a third-country authority could access the data in a manner that violates Union law? This involves analyzing the provider's corporate structure, the laws of the country of establishment, and any existing international agreements.
- Impact on Public Order: If such access were to occur, how would it undermine public order? Potential impacts include espionage, economic coercion, the compromise of national security secrets, or the manipulation of public services.
This factor is the primary determinant for distinguishing between Union assurance levels. For instance, Union assurance levels 3 and 4 impose strict requirements on the absence of third-country control and the prevention of third-country access to customer data. If the risk assessment identifies a significant risk of unlawful access, a lower assurance level (such as Level 1 or 2) may be deemed insufficient to protect public order.
Factor 3: Risk of Service Disruption
The third mandatory factor focuses on operational resilience and continuity. Article 29(2)(c) requires the assessment of:
"the risk and consequent impact on public order of possible service disruption."
In an increasingly tense geopolitical landscape, service disruption is not merely a technical failure but a potential tool of coercion. A third-country provider could theoretically degrade or interrupt service continuity as a form of political or economic pressure. The risk assessment must therefore consider:
- Dependence Vulnerabilities: How dependent is the public sector activity on this specific cloud service? Is there a single point of failure? The assessment must evaluate the risk of vendor lock-in and the availability of alternatives.
- Disruption Scenarios: What are the potential impacts if the service is degraded, slowed, or completely shut down? This includes analyzing the provider's ability to maintain service continuity in the face of unilateral decisions by third-country actors.
- Impact on Public Order: Would such a disruption hinder the delivery of essential public services, such as healthcare, emergency response, or justice administration? The assessment must quantify the societal impact of a service outage.
This factor reinforces the need for multi-cloud strategies or services with high operational autonomy, which are features of the higher Union assurance levels. Article 29(9) explicitly encourages Member States and Union entities to consider whether a "multi-vendor or multi-cloud strategy is appropriate" as part of their procurement of cloud computing services to mitigate this risk.
The Role of Commission Guidance and Oversight
While Article 29(2) sets the minimum factors, the Commission is empowered to adopt implementing acts that specify the methodology, templates, and elements to be taken into account for these risk assessments (Article 29(3)). This guidance will help harmonize the application of the assessment across the Union, ensuring that a "sensitive" activity in one Member State is treated consistently in another. The methodology will specify how Member States use the highest level of assurance for the most critical public sector activities, including defence.
Furthermore, the Commission retains oversight powers. If the Commission concludes, after reviewing the results of a Member State's risk assessment, that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required Union assurance levels (Article 29(5)). This creates a feedback loop where national assessments are subject to EU-level oversight to ensure consistent protection of public order.
Consequences of the Assessment: Procurement Obligations
The outcome of the risk assessment directly dictates procurement obligations under Article 30.
- If an activity is identified as contributing to the preservation of public order, the contracting authority must procure cloud computing services recognised as having a Union assurance level 2, 3, or 4 (Article 30(3)).
- For activities not identified as contributing to public order, a minimum of Union assurance level 1 is required (Article 30(2)).
This linkage makes the risk assessment a critical compliance step. A flawed or incomplete assessment could lead to the procurement of non-compliant services, exposing the public sector to sovereignty risks and potential penalties. Article 29(6) further mandates that where the risk assessment requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the CADA risk assessment is a high-stakes compliance obligation that requires immediate attention.
1. Document Your Methodology Rigorously
Ensure that your risk assessment process explicitly documents the consideration of the three factors in Article 29(2). You must be able to demonstrate that you evaluated:
- The sensitivity, criticality, and magnitude of both non-personal and personal data.
- The specific risk of unlawful third-country access under Union law.
- The risk and impact of service disruption on public order.
If challenged later, the absence of evidence for any of these three factors could render the assessment invalid.
2. Align Risks with Union Assurance Levels
Understand the criteria for Union assurance levels 1–4 (set out in Annex II of CADA). Your risk assessment must map your identified risks to the appropriate assurance level.
- High Risk of Third-Country Access: Likely requires Level 3 or 4, which prohibit third-country control or require specific safeguards.
- High Risk of Disruption: May require Level 2 or higher, which mandate operational support exclusively within the Union.
- Low Risk: May suffice with Level 1, which relies on self-assessment and basic data localisation.
3. Prepare for Commission Oversight
Be aware that the Commission may review your risk assessment results. If your assessment is deemed insufficient, the Commission can mandate a higher assurance level via implementing acts. Ensure your assessments are robust, defensible, and based on the "at least" criteria of Article 29(2).
4. Plan for Migration Early
If your risk assessment determines that you must migrate to a higher assurance level, Article 29(6) allows for a reasonable transition period not exceeding 12 months. Start planning your migration strategies, including vendor selection and data portability, immediately to ensure continuity of service.
5. Monitor for Commission Guidance
The Commission will issue implementing acts with detailed methodologies and templates under Article 29(3). Stay alert for these documents, as they will provide the specific framework for conducting compliant assessments and may refine how "public order" is interpreted in specific sectors.
Common misconceptions
Misconception 1: The risk assessment is a one-time exercise. Correction: Article 29(1) requires assessments to be carried out every two years, or whenever necessary. This is an ongoing compliance obligation, not a one-off project. Public order risks evolve, and so must the assessments.
Misconception 2: Only personal data matters. Correction: Article 29(2)(a) explicitly includes "non-personal data." The sensitivity, criticality, and magnitude of non-personal data (e.g., industrial data, infrastructure logs) must also be assessed, especially if their compromise could impact public order.
Misconception 3: The three factors in Article 29(2) are the only considerations. Correction: The provision states that assessors "shall consider at least" these aspects. Authorities may and should consider additional relevant factors, such as specific sectoral risks or geopolitical developments, but these three are mandatory minimums that cannot be omitted.
Misconception 4: Risk assessments only apply to the public sector. Correction: While Article 29 applies to Member States and Union entities, Article 31 allows private sector entities (as defined in Annex I of the NIS2 Directive) to conduct similar impact assessments. Furthermore, the procurement requirements in Article 30 create a de facto requirement for private providers to understand these assessments to win public contracts, as they must prove they meet the required assurance level.
This is general information about a draft EU regulation, not legal advice.