Summary
Under the proposed Cloud and AI Development Act (CADA), a "high-risk cloud dependency" is not defined by a single technical metric but is a strategic vulnerability identified through mandatory risk assessments. It arises when public sector activities rely on cloud services that expose the Union to critical strategic dependencies, market concentration risks, or the extraterritorial application of third-country laws. As proposed in Recital 46 and operationalized by Article 29, these dependencies threaten the Union's operational autonomy and public order. Public procurement officers must identify these risks to determine if a service requires higher "Union assurance levels" (2, 3, or 4) rather than the baseline Level 1.
Detail
To understand what constitutes a high-risk cloud dependency under CADA, one must look beyond simple vendor lock-in or technical performance. The proposal defines the problem through the lens of strategic autonomy, operational continuity, and public order.
The Core Definition: Strategic Dependence and Public Order
The cornerstone of CADA's approach to dependency is found in Recital 46. It explicitly states that the Union remains "critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries."
This dependence is not merely a market share issue; it is a security vulnerability. A high-risk dependency exists when this reliance exposes the Union to four specific categories of threat:
- Critical Strategic Dependencies: Over-reliance on a limited pool of non-EU providers creates a single point of failure for the Union's digital infrastructure.
- Concentration Risks: The market dominance of non-European incumbents reduces the Union's ability to act autonomously and increases vulnerability to market manipulation.
- Vulnerabilities from Extraterritorial Laws: The risk that third-country laws (such as the US CLOUD Act) may compel providers to grant access to EU data or disrupt services, regardless of where the data is physically stored.
- Operational Discontinuity: The risk that unilateral decisions by third-country actors could halt service provision, causing "operational discontinuity" for essential public services.
How Dependencies Are Identified: Article 29 Risk Assessments
CADA does not provide a static list of "high-risk" providers. Instead, it mandates a dynamic, context-specific process. Article 29 requires Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order.
According to Article 29(1), these assessments must identify activities that use cloud services in sectors falling under Annex I or II of the NIS2 Directive, as well as in the areas of "national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."
Article 29(2) specifies the precise criteria authorities must consider when evaluating these dependencies. In their assessments, Member States and Union entities must consider at least:
- Data Sensitivity: The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature of personal data processing.
- Unlawful Access Risks: The risk and consequent impact on public order of "unlawful access under Union law to such data by a third country or a legal entity established in a third country."
- Service Disruption Risks: The risk and consequent impact on public order of "possible service disruption."
If a risk assessment determines that a cloud dependency poses a threat to public order due to these factors, the activity is classified as high-risk. This classification triggers mandatory procurement rules under Article 30, requiring the use of cloud services recognized as offering Union assurance levels 2, 3, or 4 (rather than the baseline Level 1).
The Role of Third-Country Control
A key element of a high-risk dependency is control. CADA distinguishes sharply between providers established in the Union and those controlled by third countries.
- Union Assurance Level 1: Requires the provider to be established in the Union. It allows for some subcontracting outside the EU but requires strict legal, technical, and organizational measures to ensure traceability and security.
- Union Assurance Levels 2, 3, and 4: These higher levels increasingly restrict third-country control. For example, Annex II generally prohibits providers and subcontractors from being subject to the control of a third country for Levels 3 and 4. Limited exceptions exist for "associated third countries" that meet strict criteria under Article 18, but these are the exception, not the rule.
Therefore, a high-risk dependency is often characterized by a reliance on a provider that is either:
- Not established in the EU.
- Controlled by a third-country entity that does not meet the strict sovereignty criteria of Levels 2–4.
Extraterritorial Law and Disruption Vulnerabilities
CADA explicitly addresses the threat of extraterritorial laws. Recital 46 highlights the "extraterritorial application of third-country laws" as a primary driver of dependency risk. This refers to laws like the US CLOUD Act, which can require US-based cloud providers to hand over data stored anywhere in the world if they are subject to US jurisdiction.
Additionally, Recital 50 outlines specific risks that define a high-risk dependency in the context of public order:
- Misuse: Manipulation, remote access, sabotage, or weaponization of services.
- Access to Information: Unauthorised communication, technology leakage, data manipulation, or espionage.
- Dependency Vulnerabilities: Political or economic coercion, vendor lock-in, embargoes, sanctions, or monopoly pricing damaging the financial interest of the Union and Member States.
If a cloud service exposes the public sector to these risks, it is considered a high-risk dependency that must be mitigated through the sovereignty framework.
What this means for you
As a public-sector procurement officer or IT strategist, you are no longer just buying compute power; you are managing strategic risk. Here is how the proposed CADA changes your workflow:
- Conduct Mandatory Risk Assessments: You must participate in or conduct risk assessments as per Article 29. You cannot assume all cloud services are equal. You must evaluate whether your specific use case (e.g., healthcare data, border control, tax administration) falls under the "public order" criteria.
- Map Your Dependencies: Identify all current and planned cloud providers. Determine if they are established in the EU and if they are controlled by third countries. If a provider is controlled by a non-EU entity, assess whether they meet the criteria for Union Assurance Levels 2–4.
- Apply Assurance Levels in Procurement:
  - If your risk assessment shows no public order relevance, you must procure services with at least Union Assurance Level 1.
  - If your risk assessment shows public order relevance, you must only procure services recognized as offering Union Assurance Levels 2, 3, or 4.
- Plan for Migration: If you currently use a non-compliant provider for a high-risk activity, Article 29(6) requires migration within a reasonable transition period, not exceeding 12 months. Start planning this now.
- Leverage Common Procurement: Consider using the EuroCloud Federation or Commission-led joint procurement (Articles 34–40) to access sovereign services. These mechanisms are designed to pool buying power and reduce dependency on single vendors.
Common misconceptions
Misconception 1: "High-risk" means the cloud provider is technically insecure.
- Reality: A provider can be technically secure (cyber-resilient) but still pose a high-risk dependency due to jurisdictional control. CADA's sovereignty framework addresses legal and operational risks (extraterritorial access, disruption) that traditional cybersecurity certifications do not cover.
Misconception 2: Only EU-based companies can provide compliant services.
- Reality: While Level 1 requires EU establishment, Levels 2–4 are primarily about control. A provider established in the EU but controlled by a non-EU parent may still qualify for higher assurance levels if it meets strict separation and compliance criteria (e.g., under Article 18 for associated third countries). Conversely, a purely EU-owned company may fail if it lacks the necessary technical or operational safeguards.
Misconception 3: I can ignore this if I'm a small local authority.
- Reality: Article 29 applies to all Member States and Union entities. Even local authorities processing data relevant to public order (e.g., local law enforcement, social services) must conduct risk assessments. The scale of the authority does not exempt it from the sovereignty framework.
Misconception 4: GDPR compliance is enough.
- Reality: The GDPR protects personal data, but it does not address operational autonomy or strategic dependency. Recital 46 explicitly states that the EU-US Data Privacy Framework does not remove sovereignty concerns about dependence on third-country providers. CADA fills this gap by focusing on control and continuity.
This is general information about a draft EU regulation, not legal advice.