Summary

As proposed in the Cloud and AI Development Act (CADA), a risk assessment under Article 29 is a mandatory strategic evaluation that Member States and Union entities must conduct to identify public sector activities critical to the preservation of public order. This assessment is the decisive trigger for procurement rules: it determines whether cloud computing services supporting these activities must meet higher sovereignty standards (Union assurance levels 2, 3 or 4) rather than the baseline level 1. The goal is to safeguard essential services from third-country dependencies, unlawful access, and service disruptions.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a structured framework for cloud sovereignty that moves beyond general cybersecurity to address strategic autonomy and operational resilience. Central to this framework is the CADA risk assessment under Article 29, which serves as the gatekeeper for applying stricter procurement rules for cloud services in the public sector. Unlike a standard IT security audit, this is a sovereign risk evaluation designed to map the dependency of critical public functions on cloud infrastructure and determine the necessary level of protection against external interference.

The Mandate: Article 29(1)

Under Article 29(1) of the CADA proposal, Member States and Union entities are legally obligated to carry out risk assessments. The primary objective is to identify public sector activities that "contribute to the preservation of public order." This is not a voluntary exercise; it is a statutory requirement that must be completed within one year of the Regulation's entry into force and repeated every two years thereafter, or whenever necessary due to changing circumstances.

The assessment specifically targets two distinct categories of activities:

  1. Sectors under NIS2: Activities falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive). This encompasses essential and important entities in sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, and space.
  2. Sensitive Public Order Areas: Activities in the areas of national security, internal security, external border management, defence, justice, or law enforcement. This explicitly includes the prevention, investigation, detection, and prosecution of criminal offences.

Determining the Union Assurance Level

The primary output of the risk assessment is the determination of the appropriate Union assurance level for the cloud computing services supporting these identified activities. CADA establishes a four-tier sovereignty framework (Article 16), but Article 29 dictates which tier applies to which activity:

  • Union Assurance Level 1 (Baseline): This level applies to public sector bodies whose activities have not been identified as contributing to the preservation of public order. Services at this level must be established in the Union, with infrastructure and data remaining in the Union, unless explicitly required otherwise by the public sector body.
  • Union Assurance Levels 2, 3, and 4 (Enhanced Sovereignty): These higher levels are required for activities identified as critical to public order. The risk assessment must determine which of these higher levels (2, 3, or 4) is appropriate based on the specific sensitivity, criticality, and magnitude of the data processed.

If the risk assessment concludes that an activity contributes to the preservation of public order, the contracting authority must only procure cloud computing services that have been formally recognized as offering Union assurance level 2, 3, or 4. This creates a mandatory, legally binding link between the risk assessment outcome and the procurement process under Article 30.

What Must Be Assessed?

According to Article 29(2), the risk assessment must consider specific, non-exhaustive aspects to ensure a consistent and thorough evaluation across the Union. These aspects focus on the nature of the data and the geopolitical risks associated with third-country control:

  1. Data Sensitivity and Criticality: The assessment must evaluate the sensitivity, criticality, and magnitude of non-personal data processed. Crucially, it must also consider the nature, scope, context, and purpose of processing personal data, including the risk of varying likelihood and severity for the rights and freedoms of data subjects.
  2. Risk of Unlawful Access: The assessment must analyze the risk, and the consequent impact on public order, of access to such data that is unlawful under Union law by a third country or by a legal entity established in a third country. This addresses the risk of foreign governments compelling access to data through extraterritorial laws.
  3. Risk of Service Disruption: The assessment must evaluate the risk and consequent impact on public order of possible service disruption. This addresses the risk that a third-country provider could degrade, suspend, or stop services, potentially undermining public order or national security.

Methodology, Guidance, and Commission Oversight

To ensure harmonized implementation across the EU and prevent a fragmentation of standards, the Commission plays a central role in defining the methodology. Under Article 29(3), the Commission will adopt implementing acts to specify the methodology, templates, and elements to be taken into account. These guidelines will detail how Member States should use the highest level of assurance for the most critical public sector activities, such as defence.

Furthermore, the proposal includes a "safety valve" mechanism. Under Article 29(5), if the Commission reviews the results of a Member State's risk assessment and concludes that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the required Union assurance levels for that specific public sector activity. This ensures that national assessments do not fall below the Union's minimum standards for security and sovereignty.

Migration and Transition

If a risk assessment determines that a Member State or Union entity must migrate to a different cloud computing service (e.g., moving from a non-compliant provider to one with a higher assurance level), the proposal mandates a transition plan. Under Article 29(6), the migration must occur within a reasonable transition period that shall not exceed 12 months. This period must take into account technical feasibility, continuity of service, and data portability requirements applicable to such migration.

Additionally, Article 29(9) explicitly requires that in their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate. This is a key resilience measure to avoid over-dependency on a single provider, ensuring that the failure or compromise of one provider does not disrupt critical public order functions.

What this means for you

For public-sector procurement officers, IT strategists, and legal counsel, the CADA risk assessment under Article 29 is a foundational step that dictates your future cloud procurement strategy. It shifts the focus from "best price" or "best features" to "sovereign compliance" and "public order protection."

1. Map Your Critical Activities Early: Identify now which of your organization's activities fall under Annex I or II of the NIS2 Directive or involve national security, internal security, external border management, defence, justice, or law enforcement. These are the activities that will trigger the requirement for higher assurance levels (2-4). Build a comprehensive inventory of these functions and of the specific cloud services currently supporting them. If you are a Union entity, the same applies to the cloud services you procure for your exclusive use.

2. Prepare for Higher Assurance Requirements: If your risk assessment identifies an activity as contributing to the preservation of public order, you will be legally required to procure only cloud services recognized at Union assurance level 2, 3, or 4. A global provider with a local presence does not automatically qualify; look for providers that have undergone independent third-party audits and have been formally recognized at the required level. Baseline level 1 will no longer be sufficient for these use cases.

3. Engage with National Competent Authorities: The risk assessment is not done in a vacuum. Align with your national competent authority early so that your assessment follows the Commission's methodology and templates under Article 29(3), and build those relationships now to understand their expectations. Remember that under Article 29(5) the Commission can specify the required assurance level by implementing act if it finds a national assessment inadequate.

4. Plan for Migration Within 12 Months: If you currently use cloud services that do not meet the required assurance level for your critical activities, start planning the migration immediately. Article 29(6) allows a reasonable transition period, but it is capped at 12 months from the point at which the risk assessment requires the change. Begin evaluating alternative providers recognized at the required Union assurance level and develop a migration plan that accounts for technical feasibility, continuity of service, and data portability.

5. Consider Multi-Cloud Strategies: Article 29(9) requires Member States and Union entities to consider, as part of the risk assessment, whether a multi-vendor or multi-cloud strategy is appropriate. Evaluate whether splitting workloads across several recognized providers reduces your dependency on any single provider and improves operational continuity if one provider fails or is compromised.

Common misconceptions

Misconception 1: The risk assessment is a one-time event. Reality: Article 29(1) states that risk assessments must be carried out "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." It is an ongoing, cyclical process that must adapt to changes in technology, threat landscapes, and public sector activities.

Misconception 2: All public sector cloud procurement requires Level 2-4 assurance. Reality: Only activities identified as contributing to the preservation of public order require levels 2-4. Other public sector bodies whose activities do not fall into these critical categories must use services recognized at Union assurance level 1. The risk assessment is the specific tool that distinguishes between these two categories.

Misconception 3: The risk assessment is purely a technical cybersecurity audit. Reality: While technical security is a component, the CADA risk assessment is broader. It assesses "sovereignty risks," including the risk of third-country access to data under foreign laws (extraterritoriality) and the risk of service disruption due to geopolitical factors. It is about strategic autonomy and public order, not just firewalls and encryption.

Misconception 4: Member States can set their own arbitrary standards. Reality: The Commission will provide centrally coordinated guidance and methodology to ensure harmonized implementation across the Union. If the Commission finds a national assessment inadequate or inconsistent with public order protection, it can override it with implementing acts to specify the required assurance levels.

This is general information about a draft EU regulation, not legal advice.