Summary
Under the proposed Cloud and AI Development Act (CADA), Member States retain the discretion to depart from the Commission's prescribed risk assessment methodology, but this is not a silent exemption. Article 29(4) mandates that any such departure must be explicitly indicated when submitting risk assessment results to the Commission within three months. Crucially, Article 29(5) grants the Commission the authority to review these submissions and, if it concludes that the identified Union assurance level is inappropriate or fails to adequately address public order concerns, to adopt implementing acts that override the Member State's decision and specify the required assurance levels. This mechanism ensures that national flexibility does not compromise the Union's strategic autonomy or public order.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty. Central to this framework is the requirement for Member States and Union entities to conduct risk assessments to determine the appropriate "Union assurance level" (Levels 2, 3, or 4) for public sector activities that contribute to the preservation of public order. While the proposal aims for consistency, it acknowledges the diversity of national security contexts. However, this flexibility is strictly bounded by transparency and supervisory mechanisms.
The Commission's Methodology and the Right to Depart
The foundation of the risk assessment process is the methodology established by the Commission. Under Article 29(3), the Commission is empowered to adopt implementing acts that specify:
- The methodology to be applied;
- The templates to be used; and
- The elements to be taken into account by Member States and Union entities.
This methodology is designed to ensure that the highest level of assurance is applied consistently to the most critical public sector activities, including defence, national security, and law enforcement; the proposal requires the methodology to specify how Member States apply that highest level to these sectors.
However, the proposal does not impose a rigid, one-size-fits-all mandate that precludes national adaptation. Member States are required to take "utmost account" of the Commission's guidance, but the legislative text expressly anticipates departures: Article 29(4) requires Member States to indicate where their assessments depart from the implementing acts, which presupposes that such departures can occur where national circumstances or specific risk profiles dictate a different approach. The critical question is not whether a Member State can depart, but how such a departure is managed to prevent fragmentation of the single market or erosion of public order protections.
The Reporting Obligation: Article 29(4)
The mechanism for managing departures is explicitly defined in Article 29(4). This provision imposes a strict transparency obligation on Member States. It states:
"Within three months of carrying out the risk assessments referred to in paragraph 1, Member States shall provide the Commission with the results of those risk assessments, indicating where they depart from the implementing acts referred to in paragraph 3."
This clause establishes two key requirements for any Member State choosing to deviate from the Commission's methodology:
- Timing: The submission of results must occur within three months of completing the risk assessment.
- Explicit Indication: The submission must not merely present the final assurance levels; it must specifically identify and indicate the points of departure from the Commission's implementing acts.
This "indication of departure" is a procedural safeguard. It prevents Member States from silently applying lower standards or different risk weighting without the Commission's knowledge. By forcing the Member State to articulate where and how it has diverged, the Commission is placed in a position to evaluate the justification for the deviation. The departure is not a veto; it is a notification that triggers a review.
The Commission's Override Power: Article 29(5)
The most significant aspect of the CADA risk assessment framework is the Commission's power to intervene if a national departure is deemed insufficient to protect public order. Article 29(5) provides the legal basis for this override:
"If the Commission concludes, after reviewing the results of the risk assessment or assessments of a Member State, that the Union assurance level identified for the public sector activity in a risk assessment is not appropriate or does not adequately address the public order concerns, the Commission may adopt implementing acts in accordance with Article 46(2) specifying the Union assurance levels needed for the public sector activity."
This provision creates a corrective mechanism with binding force. The process operates as follows:
- Review: The Commission reviews the submitted risk assessment results, paying specific attention to any indicated departures from the methodology.
- Conclusion: If the Commission determines that the assurance level chosen by the Member State (potentially due to a departure) is "not appropriate" or fails to "adequately address the public order concerns," it may act.
- Action: The Commission may adopt implementing acts to specify the Union assurance levels needed. These acts are binding and effectively override the Member State's initial determination.
This power ensures that the "public order" objective of CADA is not diluted by national discretion. It prevents a scenario where a Member State might, for reasons of cost or administrative convenience, assign a lower assurance level to a critical activity (e.g., law enforcement or defence) that the Commission deems requires a higher level of sovereignty. The Commission's implementing acts would then mandate the higher level, and the Member State would be legally required to procure services at that level.
The Broader Context of Article 29
To fully understand the weight of these provisions, one must consider the broader obligations under Article 29(1) and Article 29(2).
- Frequency: Risk assessments must be carried out within one year of the Regulation's entry into force, and thereafter every two years or whenever necessary. This means the potential for Commission override is a recurring event, not a one-off occurrence.
- Scope: The assessments must identify activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in areas of national security, internal security, external border management, defence, justice, or law enforcement.
- Risk Factors: Under Article 29(2), the assessment must consider the sensitivity, criticality, and magnitude of data; the risk of unlawful third-country access; and the risk of service disruption.
The methodology under Article 29(3) is designed to translate these risk factors into a specific assurance level. A departure from this methodology essentially alters the translation of risk into assurance. Article 29(5) is the Commission's tool to ensure that this translation remains robust enough to safeguard the Union's public order.
What this means for you
For legal counsel, compliance officers, and public procurement authorities within Member States, the interplay between Article 29(4) and Article 29(5) creates a dynamic compliance environment.
1. Rigorous Documentation of Deviations
If your national competent authority decides to depart from the Commission's methodology, the burden of justification is on you. You must prepare a detailed rationale for the departure. When submitting the results under Article 29(4), the "indication of departure" must be precise. Vague statements such as "national specificities" are unlikely to satisfy the requirement. You must explicitly map the deviation: Which part of the methodology was not applied? What national risk factor justified this? How does the resulting assurance level still meet the public order threshold? Failing to indicate a departure clearly is a procedural breach of Article 29(4) in its own right, and it leaves the Commission to review the resulting assurance level under Article 29(5) without the justification that might have supported it.
2. Anticipate and Prepare for Override
The power under Article 29(5) is not theoretical. If your national assessment results in a lower assurance level than the Commission's methodology suggests for a critical sector (e.g., assigning Level 2 to a defence-related activity for which the methodology calls for the highest assurance level), you must anticipate a Commission implementing act.
- Migration Planning: Be aware that Article 29(6) requires migration to a new cloud service within a reasonable transition period not exceeding 12 months if the risk assessment requires a change. If the Commission overrides your assessment, plan on that transition period running from the adoption of the implementing act.
- Procurement Flexibility: Your procurement strategies must be adaptable. Do not lock into long-term contracts for a specific assurance level until the Commission's review period has passed or the risk assessment is confirmed as appropriate.
3. Strategic Engagement with the Commission
The most effective way to manage the risk of override is proactive engagement. Before finalising a risk assessment that departs from the methodology, consider engaging with the Commission during the consultation phases or via the consistency mechanisms mentioned in Article 29(7). If you can demonstrate that your national context genuinely requires a different approach and that public order is still adequately protected, you may be able to secure the Commission's tacit approval or influence the methodology itself before the formal submission.
4. Monitoring the "Public Order" Threshold
The trigger for the Commission's override is the adequacy of "public order" protection. This is a broad and politically sensitive concept. Legal teams must ensure that their risk assessments do not just focus on technical cybersecurity (which is covered by other instruments like NIS2) but also on strategic autonomy, third-country control, and operational continuity. A departure that weakens these specific dimensions is highly likely to trigger Article 29(5).
Common misconceptions
Misconception 1: Member States can ignore the methodology if they report it. Reporting a departure under Article 29(4) does not grant immunity. It merely triggers the Commission's review. If the Commission finds the departure leads to an inadequate assurance level, it will override the decision under Article 29(5). The report is a notification, not a waiver.
Misconception 2: The Commission can only override if the methodology was not followed at all. The Commission's power under Article 29(5) is triggered if the result (the identified assurance level) is inappropriate, regardless of whether a departure was formally indicated. However, a failure to indicate a departure under Article 29(4) would be a procedural infringement in itself, compounding the issue.
Misconception 3: Once a risk assessment is submitted, the assurance level is fixed for two years. While assessments are required every two years, Article 29(5) allows the Commission to intervene at any time after reviewing the results. Furthermore, Article 29(1) states assessments must be carried out "whenever necessary," meaning a significant change in the geopolitical landscape or threat environment could trigger an immediate review and potential override before the two-year cycle ends.
Misconception 4: The Commission's override is a suggestion. Implementing acts adopted under Article 29(5) are legally binding. They specify the Union assurance levels "needed" for the activity. Member States and contracting authorities must comply with these specified levels when procuring cloud services, as per Article 30(3).
Related
- Can the Commission override a Member State's CADA risk assessment conclusion?
- What mitigation measures follow from a CADA risk assessment?
- CADA Risk Assessment Consistency: How Member States Cooperate
- Must Member States report CADA risk assessment results to the Commission?
- CADA Risk Assessment Frequency: How Often Must Member States Assess?
This is general information about a draft EU regulation, not legal advice.