Summary

As proposed, the Cloud and AI Development Act (CADA) requires Member States and Union entities to conduct risk assessments to determine the appropriate Union assurance level for cloud services. To prevent fragmentation, Article 29(3) mandates that the Commission issue implementing acts specifying the methodology, templates, and elements for these assessments. Recital 62 confirms this guidance is essential for consistent application across the single market. Furthermore, Recital 63 highlights that the Commission will provide centrally coordinated guidance to map data sensitivity categories to specific assurance levels, ensuring that a "Level 3" requirement in one Member State carries the same weight in another. This framework balances national discretion with Union-wide harmonisation.

Detail

The Cloud and AI Development Act (CADA) introduces a Union cloud computing sovereignty framework to mitigate risks stemming from dependence on third-country providers. A cornerstone of this framework is the obligation for Member States and Union entities to conduct risk assessments to determine which Union assurance level (1, 2, 3, or 4) is appropriate for their public sector activities. The Commission's role in this process is not merely supervisory but actively prescriptive, designed to ensure a coherent, risk-based approach across the Union.

The Legal Mandate: Article 29 and Recital 62

The obligation to assess risk is rooted in Article 29(1), which requires Member States and Union entities to identify public sector activities that contribute to the preservation of public order. These activities include sectors falling under Annex I or II of the NIS2 Directive, as well as areas such as national security, internal security, external border management, defence, justice, and law enforcement. The assessment must determine whether Union assurance levels 2, 3, or 4 are appropriate for these activities.

Recital 62 explicitly addresses the need for harmonisation in this process. It states that while Member States and Union entities must carry out these assessments, "To ensure consistent application of this Regulation and preserve the integrity of the digital single market, the Commission will provide guidance to assist Member States in carrying out their risk assessments."

This guidance is operationalised through Article 29(3). This article empowers the Commission to adopt implementing acts that specify:

  • The methodology to be applied.
  • The templates to be used.
  • The elements to be taken into account by Member States and Union entities.

Crucially, the methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, including defence. This ensures that the most sensitive functions are not subject to varying national interpretations of "criticality."

Centrally Coordinated Mapping of Data Categories

One of the primary risks to the single market under a sovereignty framework is the divergence of national approaches to classifying data sensitivity. Recital 63 identifies this as a specific threat: "divergent national approaches to the classification and mapping of data sensitivity and assurance requirements may undermine the consistent application of the sovereignty framework across the Union."

To counter this, the Commission is tasked with providing "centrally coordinated guidance on the mapping between Union assurance levels and categories of information." This mapping is not a rigid, one-size-fits-all list but a structured framework that takes into account three key factors:

  1. The sensitivity, criticality, and magnitude of the data processed: This includes both personal data (within the meaning of the GDPR) and non-personal data, such as operationally critical data or commercially sensitive information.
  2. The systematic importance of the activities: The guidance considers the role of the contracting authority and the potential impact of service disruption on public order.
  3. Applicable obligations arising from Union law: This ensures alignment with existing sector-specific regulations (e.g., NIS2, GDPR).

By establishing this central mapping, the Commission ensures that the criteria for requiring a higher assurance level (e.g., Level 3 or 4) are consistent across Member States. This is particularly vital for Union assurance levels 3 and 4, which are designed to allow for the secure hosting of EU classified information. Without a central mapping, a Member State might classify certain data as requiring Level 4, while another might only require Level 2 for the same data type, creating an uneven playing field for cloud providers and potential security gaps.

Balancing Discretion with Consistency

While the Commission provides the methodology and central mapping, Recital 62 clarifies that the determination of the specific level of sensitivity of information hosted in a cloud service remains within the competence and discretion of the Member States. However, this discretion is not unlimited. It is bounded by the requirement to align with the Union assurance levels and the Commission's guidance.

For instance, while a Member State decides which specific datasets are "sensitive," it must apply the Commission's methodology to determine if that sensitivity warrants Level 2, 3, or 4. The guidance ensures that the process of determination is uniform, even if the outcome (the specific data classification) varies based on national context.

Review and Correction Mechanisms

The Commission retains a robust oversight role to ensure that risk assessments are adequate and consistent. Article 29(5) establishes a corrective mechanism: if the Commission concludes, after reviewing the results of a Member State's risk assessment, that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the Union assurance levels needed for that specific public sector activity.

This power underscores the binding nature of the Commission's guidance. It prevents Member States from underestimating risks or applying assurance levels that are too low for critical activities. Additionally, Article 29(9) requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their risk assessment. The Commission's guidance will likely provide criteria for evaluating how such strategies mitigate concentration risks and enhance resilience.

The Assessment Scope: What Must Be Considered?

Under Article 29(2), the risk assessment must consider at least the following aspects:

  • The sensitivity, criticality, and magnitude of non-personal data processed, including the potential impact on public order.
  • The nature, scope, context, and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.
  • The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
  • The risk and consequent impact on public order of possible service disruption.

The Commission's implementing acts will provide the templates to ensure these specific elements are systematically evaluated and documented.

What this means for you

For public-sector bodies, Union entities, and cloud providers, the Commission's guidance on CADA risk assessments will be the definitive reference for compliance.

  1. Await the Implementing Acts: Do not finalise your internal risk assessment methodologies until the Commission publishes the implementing acts under Article 29(3). These acts will contain the mandatory templates and methodologies. Relying solely on pre-existing national frameworks may lead to non-compliance or inconsistent assurance levels that could be rejected by the Commission.
  2. Adopt the Central Mapping: When classifying your data, you must align with the centrally coordinated guidance on mapping data categories to assurance levels. This ensures that your classification of "sensitive" or "critical" data is recognised across the Union. Misclassification could result in procuring services that do not meet the required sovereignty standards, exposing your organisation to public order risks and potential legal challenges.
  3. Document Rigorously: The guidance will likely require detailed documentation of the risk assessment process. Ensure your procurement records include the rationale for selecting a specific assurance level, explicitly referencing the Commission's methodology and templates. This documentation will be crucial for audits and for demonstrating compliance with Article 29.
  4. Evaluate Multi-Cloud Strategies: As part of your risk assessment, evaluate whether a multi-vendor or multi-cloud approach enhances your resilience against third-country interference or service disruption. The Commission's guidance may offer specific criteria for assessing the benefits and complexities of such strategies, which could influence your assurance level determination.
  5. Engage with National Competent Authorities: Your national competent authority will be responsible for enforcing the framework. Engage with them early to understand how they interpret the Commission's guidance and to ensure your risk assessments align with national implementation plans. Be prepared for the Commission to intervene if your assessment is deemed inadequate under Article 29(5).

Common misconceptions

  • "Risk assessments are purely national matters." While Member States conduct the assessments, the Commission provides binding implementing acts and centrally coordinated guidance to ensure consistency. National discretion is limited by the need to align with Union assurance levels and the Commission's mapping of data categories. The Commission has the power to override national decisions if they are deemed inadequate.

  • "Only personal data matters for risk assessments." Article 29(2) explicitly requires consideration of both personal and non-personal data. The sensitivity, criticality, and magnitude of all data processed, including operationally critical data, commercially sensitive information, and classified information, are relevant factors.

  • "The Commission will do the risk assessment for you." The Commission provides the methodology, templates, and guidance, but the actual assessment must be carried out by the Member State or Union entity. The Commission's role is to standardise the process and, if necessary, correct inadequate assessments through implementing acts.

  • "Assurance Level 1 is sufficient for all public services." While Level 1 is the minimum baseline for public sector procurement (as per Article 30(2)), activities contributing to the preservation of public order require higher assurance levels (2, 3, or 4) based on the risk assessment. The Commission's guidance will help identify which activities fall into these higher-risk categories, ensuring that critical functions are not exposed to third-country control.

This is general information about a draft EU regulation, not legal advice.