Summary

Under the proposed Cloud and AI Development Act (CADA), a 'public sector body' is defined by reference to the Open Data Directive (Directive (EU) 2019/1024), covering state, regional and local authorities, bodies governed by public law, and associations formed by such authorities or bodies. This definition is the gateway to CADA's demand-side measures. Crucially, while the default rule for recognized cloud services is strict data residency within the EU, public sector bodies hold the unique power to explicitly require data placement outside the Union. This exception, embedded in the criteria for Union assurance levels 1, 2, and 3, allows these bodies to override the default residency requirement for legitimate operational needs. Compliance requires conducting risk assessments under Article 29 to identify public-order activities and the assurance level (2, 3 or 4) they require, procuring level 1 services for all other activities, and procuring only from the central repository of recognized services.

Detail

The scope of the proposed Cloud and AI Development Act (CADA) hinges on the precise definition of the entities it regulates. Article 2(6) of the proposal defines a 'public sector body' by importing the definition from Article 2(1) of Directive (EU) 2019/1024 (the Open Data Directive). This legal cross-reference ensures a harmonized understanding across EU digital law, encompassing:

  • The State, regional or local authorities;
  • Bodies governed by public law; or
  • Associations formed by one or more such authorities or bodies.

The middle limb, 'bodies governed by public law', is itself defined in Article 2(2) of the same Directive: bodies established to meet needs in the general interest (not having an industrial or commercial character), with legal personality, that are financed for the most part by the State, regional or local authorities or other such bodies, or are subject to their management supervision, or have a board more than half of whose members they appoint. Associations qualify simply by being formed by one or more such authorities or bodies. This broad scope ensures that CADA's sovereignty framework applies not only to national ministries but also to municipalities, publicly funded agencies, and state-controlled entities.

The Sovereignty Framework and the Public Sector Gatekeeper

The public sector body is the central actor in the Union cloud computing sovereignty framework established by Article 16(1). This article mandates that cloud computing service providers must meet specific criteria to be recognized as offering "Union assurance levels" (1 through 4) when serving these bodies. The public sector body is not merely a passive consumer; it acts as the active gatekeeper of sovereignty, determining the required assurance level through risk assessments and, critically, by exercising its power to authorize data residency exceptions.

The Power to Authorize Non-EU Data Placement

A defining feature of the CADA proposal is the conditional nature of data residency rules. While the default position for Union assurance levels is that customer data must remain exclusively within the EU, the proposal explicitly empowers public sector bodies to override this.

Under Annex II, point 1.1(c) (Union assurance level 1), the criteria state that customer data "remain exclusively within the Union, unless the public sector body explicitly requires otherwise." This exact phrasing is replicated for Union assurance level 2 (Annex II, point 2.1(c)) and Union assurance level 3 (Annex II, point 3.1(c)).

This mechanism creates a targeted exception to strict data residency. It acknowledges that certain operational scenarios, such as cross-border collaboration with partners in third countries that have adequacy decisions, or specific research requirements, may necessitate data leaving the Union. However, this is not a passive right; the public sector body must explicitly require such placement. Without this explicit instruction, the cloud provider must assume the default requirement of intra-EU residency to maintain its recognition at the relevant assurance level.

It is important to note that Union assurance level 4 (Annex II, point 4.1(c)) applies a stricter standard: sensitive data identified following a risk assessment must remain exclusively within the Union. The "unless" exception is not explicitly repeated in the same form for Level 4 in the text of Annex II, reflecting the heightened sensitivity of data handled at this tier, which typically involves classified information or critical public order functions.

Risk Assessments and Procurement Obligations

The obligations of a public sector body are operationalized through Article 29 and Article 30.

  1. Risk Assessments (Article 29): By one year after entry into force, and every two years thereafter, public sector bodies must conduct risk assessments. These assessments identify activities that contribute to the preservation of public order (e.g., national security, justice, law enforcement, defense) and determine the appropriate Union assurance level (2, 3, or 4) for those activities.
  2. Procurement Rules (Article 30):
    • Article 30(2): For activities not identified as contributing to public order, contracting authorities must procure services recognized at Union assurance level 1.
    • Article 30(3): For activities identified as contributing to public order, authorities must procure services recognized at Union assurance levels 2, 3, or 4.

These procurement decisions must be made exclusively from the central repository of recognized services established under Article 22. A public sector body cannot procure a service that has not been formally audited and recognized by a national competent authority.

What this means for you

For public-sector procurement officers, IT managers, and legal counsel, the definition of 'public sector body' triggers a specific compliance lifecycle under the proposed CADA:

  1. Verify Your Status: Confirm whether your organization falls under the Open Data Directive definition. If you are a state, regional or local authority, a body governed by public law, or an association formed by such authorities or bodies, you are subject to CADA's sovereignty rules.
  2. Conduct Mandatory Risk Assessments: You must carry out the risk assessment required by Article 29. This is not optional. The outcome dictates your procurement floor: Level 1 for general administration, or Levels 2–4 for public-order-critical functions.
  3. Exercise Data Residency Powers Explicitly: If your operational needs require data to be processed or stored outside the EU, you must explicitly require this in your procurement specifications or contractual terms. Silence is not consent; under CADA, the default is strict EU residency. Documenting this explicit requirement is essential for the cloud provider to legally justify non-EU data flows while maintaining their assurance level.
  4. Procure from the Repository: You are prohibited from purchasing cloud services that are not listed in the central repository (Article 22) and recognized at the required assurance level. Ensure your tender documents reference the specific Union assurance level mandated by your risk assessment.
  5. Understand the Tier Differences: Recognize that while Levels 1, 2, and 3 allow for the "explicit requirement" exception, Level 4 imposes a stricter regime for sensitive data, likely limiting the scope for such exceptions.

Common misconceptions

Misconception 1: "Public sector body" only refers to government ministries.

  • Reality: The definition is expansive. It includes regional and local authorities, bodies governed by public law (entities serving the general interest that are mainly publicly financed, publicly supervised, or have a majority publicly appointed board), and associations formed by any of them. This captures a wide range of entities, from municipal utilities to state-funded research institutes.

Misconception 2: Data can never leave the EU for public sector clouds.

  • Reality: While the default is strict EU residency, the proposal explicitly allows public sector bodies to authorize non-EU data placement. This is a deliberate design feature to facilitate international cooperation where appropriate, provided the public sector body actively and explicitly opts in.

Misconception 3: All public sector bodies must use the highest sovereignty tier (Level 4).

  • Reality: CADA is proportionate. Only activities identified as contributing to the preservation of public order (via the Article 29 risk assessment) require Levels 2, 3, or 4. Standard administrative tasks, such as internal HR or non-sensitive communications, typically only require Union assurance level 1.

Misconception 4: The "explicit requirement" exception applies to Level 4.

  • Reality: The text of Annex II explicitly includes the "unless the public sector body explicitly requires otherwise" clause for Levels 1, 2, and 3. For Level 4, the criteria for sensitive data (point 4.1(c)) state they must remain exclusively within the Union without this specific exception phrasing, reflecting the higher security threshold for classified or critical public order data.

This is general information about a draft EU regulation, not legal advice.