Summary

Under the proposed Cloud and AI Development Act (CADA), a sovereignty risk assessment is a mandatory process for Member States and Union entities to determine which cloud assurance level a public-sector activity requires. As proposed in Article 29, these assessments identify use cases that contribute to the preservation of public order, such as national security, defence or critical infrastructure, and map them to Union assurance level 2, 3 or 4 (with level 1 as the default baseline). The mechanism keeps procurement proportionate, avoiding unnecessary burdens for low-risk services while mandating strong safeguards for critical functions.

Detail

CADA would introduce a risk-based approach to cloud sovereignty rather than blanket bans or uniform standards. The sovereignty risk assessment is the bridge between abstract sovereignty criteria and concrete procurement decisions.

The legal basis and obligation

As proposed in Article 29(1), Member States and Union entities must carry out risk assessments within one year of the date of entry into force, and thereafter every two years, or whenever necessary. The assessments must:

  1. Identify public-order activities: Determine which public-sector activities using or planning to use cloud services contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), and in the areas of national security, internal security, external border management, defence, justice or law enforcement (Article 29(1)(a)).
  2. Determine assurance levels: Decide which Union assurance level (2, 3 or 4) is appropriate for those identified activities (Article 29(1)(b)).

Union assurance level 1 is the default baseline for activities not identified as contributing to public order (Article 30(2)). The risk assessment specifically targets activities that may require the higher levels (2, 3 or 4).

What the assessment must consider

Article 29(2) requires considering at least:

  • Data sensitivity and criticality: The sensitivity, criticality and magnitude of the non-personal data processed, including the potential impact on public order, and the nature, scope, context and purpose of any personal-data processing, as well as the risk to the rights and freedoms of data subjects.
  • Third-country access risks: The risk, and consequent impact on public order, of unlawful access under Union law to such data by a third country or a legal entity established in a third country.
  • Service-disruption risks: The risk, and consequent impact on public order, of possible service disruption.

Ensuring proportionality and subsidiarity

CADA links these assessments to proportionality and subsidiarity. Recital 52 states that the Union assurance levels provide "a proportionate framework to ensure that public order is preserved," that "Most public services would not require the highest levels of assurance," and that the risk assessment "ensures that the principles of proportionality and subsidiarity are complied with, by assessing the specific cases in which protection of public order requires the highest level of assurance."

The explanatory memorandum reinforces this, stating that the proposal obliges Member States to undertake sovereignty risk assessments to determine which sub-sectors and use cases should be served by services aligned with the respective sovereignty levels.

Methodology and Commission guidance

To ensure consistency, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates and elements to be taken into account, including how Member States use the highest level of assurance for the most critical activities, "including, but not limited to, defence."

Member States must provide the results to the Commission within three months of carrying out an assessment, indicating where they depart from the implementing acts (Article 29(4)). If the Commission concludes that an identified level is not appropriate or does not adequately address public-order concerns, it may adopt implementing acts specifying the required levels (Article 29(5)). This creates a feedback loop validating national assessments against EU-wide standards.

Migration and transition

Where an assessment requires migration to a different cloud service, the migration must occur within a reasonable transition period not exceeding 12 months, taking into account technical feasibility, continuity of service and data portability (Article 29(6)).

What this means for you

For procurement officers and IT directors, the risk assessment is the foundational document justifying your procurement strategy.

  1. Map your assets: Inventory all current and planned cloud services and, for each, determine the nature of the data and the criticality of the underlying public service.
  2. Apply the NIS2 lens: Check whether you operate in a sector listed in Annex I or II of the NIS2 Directive; if so, your services likely face higher scrutiny.
  3. Justify your assurance level: You cannot choose a provider on price or features alone. Under Article 30(3), an activity contributing to public order (e.g., border management) must use a service recognised at Union assurance level 2, 3 or 4.
  4. Plan for migration: If a current provider would not meet the required level, you have at most 12 months to migrate (Article 29(6)). Plan exit strategies and data-portability measures now.
  5. Document your process: Keep detailed records linking data sensitivity and service criticality to the chosen level; these are subject to Commission and national review.

Common misconceptions

  • "All public-sector cloud services need the highest security level." Incorrect. Recital 52 states that "Most public services would not require the highest levels of assurance." Only activities contributing to public order require levels 2, 3 or 4; standard administrative services will likely require only level 1.
  • "The risk assessment is a one-time event." No. Article 29(1) requires assessments at least every two years, or whenever necessary, as technologies, threats and needs evolve.
  • "Only national governments need to do this." No. Article 29(1) applies to both Member States and Union entities, so EU institutions, agencies, offices and bodies must also assess their own activities.
  • "I can choose any provider as long as they are EU-based." EU establishment is required for level 1 (Annex II, point 1.1(a)) but is not sufficient for higher levels. Providers must be formally recognised at the level your assessment requires; an EU-based provider may still fail level 3 or 4 (e.g., on third-country control or personnel requirements).

This is general information about a draft EU regulation, not legal advice.