Summary

Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must conduct mandatory risk assessments to determine the appropriate level of cloud sovereignty for their operations. As proposed in Article 29, this process requires identifying activities that contribute to the preservation of public order, evaluating specific risk factors (data sensitivity, third-country access, and service disruption), and assigning a specific Union assurance level (2, 3, or 4). Member States must report the results to the European Commission within three months of completion, adhering to methodologies and templates to be defined in Commission implementing acts. This assessment is the critical gateway that determines whether a public body can procure standard cloud services or must restrict procurement to highly sovereign, audited providers.

Detail

The Cloud and AI Development Act (CADA) introduces a rigorous, legally mandated framework for public-sector entities to evaluate the security and sovereignty risks associated with their reliance on cloud computing services. Unlike general cybersecurity assessments, CADA's risk assessment is specifically designed to safeguard the Union's public order by ensuring that the cloud infrastructure underpinning critical functions is resilient against third-country interference.

The core of this obligation is found in Article 29, which outlines a structured, four-step process. This process is not merely a compliance exercise; it is the mechanism that dictates procurement strategy. If an activity is deemed to have "public order relevance," the assessment will mandate the use of cloud services recognised at Union assurance levels 2, 3, or 4, effectively excluding providers that do not meet these stringent sovereignty criteria.

Below is a detailed, step-by-step breakdown of how to conduct a CADA risk assessment, grounded strictly in the provisions of Article 29(1) to (4), including the provision in Article 29(3) on the methodologies and templates the Commission is to adopt.

Step 1: Identify Public-Sector Activities Impacting Public Order

The first and foundational step is to define the scope of the assessment. According to Article 29(1), Member States and Union entities must carry out risk assessments to identify public-sector activities that use or will make use of cloud computing services and that "contribute to the preservation of public order."

The proposal does not leave the definition of "public order" entirely to discretion; it explicitly targets sectors and areas where the failure, compromise, or disruption of cloud services could have severe consequences for the Union or its Member States. Article 29(1)(a) specifies that these activities include those falling under:

  • Sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive): This covers critical entities in energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, and space.
  • National security and internal security: Activities directly related to the protection of the state's integrity and the safety of its citizens.
  • External border management: Operations concerning the control and security of the Union's external borders.
  • Defence: All activities related to national defence capabilities and military operations.
  • Justice and law enforcement: Including the prevention, investigation, detection, and prosecution of criminal offences.

Action for Public Bodies: You must conduct a comprehensive inventory of your cloud-based services. Map each service to its underlying public-sector activity. If an activity supports any of the sectors listed above, it must be included in the risk assessment.

  • Joint Assessments: Article 29(1) explicitly notes that where Union entities and Member States share responsibilities for public-sector activities, they "shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly." This provision encourages cross-border or inter-agency collaboration to avoid duplication and ensure a consistent view of risk.

Step 2: Assess Specific Risk Factors

Once the relevant activities are identified, the assessment must move from identification to evaluation. Article 29(2) mandates that Member States and Union entities consider "at least" three critical aspects during this evaluation. These factors are designed to capture the full spectrum of sovereignty risks, moving beyond simple data privacy to encompass operational autonomy and national security.

The three mandatory factors are:

  1. Data Sensitivity, Criticality, and Magnitude: You must assess the sensitivity, criticality, and magnitude of the non-personal data processed. Crucially, this also includes the "nature, scope, context and purpose of processing of personal data." The assessment must evaluate the "potential impact on public order" and the "risk of varying likelihood and severity for the rights and freedoms of data subjects."
    • Practical Application: Distinguish between ordinary administrative data, commercially sensitive information, operationally critical data, and classified information. The higher the sensitivity and the greater the potential impact on public order, the higher the assurance level required.

  2. Risk of Unlawful Third-Country Access: You must evaluate the "risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country."
    • Practical Application: This factor directly addresses the threat of extraterritorial laws (such as the US CLOUD Act or similar foreign legislation) that could compel a provider to hand over data. The assessment must consider the jurisdiction of the provider, its subcontractors, and the legal environment in which they operate.

  3. Risk of Service Disruption: You must assess the "risk and consequent impact on public order of possible service disruption."
    • Practical Application: This evaluates the resilience of the cloud service. Could a unilateral decision by a third-country actor, a geopolitical sanction, or a technical failure in a non-EU jurisdiction cause the service to stop? The assessment must consider the provider's ability to maintain operational continuity without external interference.

Action for Public Bodies: Develop a scoring or evaluation matrix based on these three factors. For example, if an activity involves defence data (high sensitivity) processed by a provider subject to a third country with extraterritorial data access laws (high access risk), the assessment must reflect a high risk profile. Simultaneously, evaluate the provider's operational resilience to ensure that service disruption risks are minimized.

Step 3: Assign a Union Assurance Level

Based on the factors assessed in Step 2, the risk assessment must determine which Union assurance level is appropriate for the identified public-sector activities. Article 29(1)(b) specifies that the assessment must determine the appropriate level among Union assurance levels 2, 3, or 4 as set out in Annex II of the Regulation.

It is vital to understand the distinction between the baseline and the risk-based levels:

  • Union Assurance Level 1: This is the minimum baseline for all public procurement under Article 30(2). It requires a self-assessment and basic criteria (e.g., provider established in the Union, data stays in the Union). It does not require the detailed risk assessment of Article 29 unless the activity is deemed to have public order relevance.
  • Union Assurance Levels 2, 3, and 4: These higher levels require independent third-party audits and significantly stricter criteria. These include requirements for Union citizenship for personnel (conditional at L2, mandatory at L3/L4), prohibition of third-country control (with specific derogations), and higher cybersecurity certification standards (e.g., "substantial" for L2/L3, "high" for L4).

The risk assessment is the mechanism that justifies moving beyond Level 1. If the activity is deemed to have "public order relevance," the assessment must mandate a higher assurance level.

  • Level 2: Suitable for activities with moderate public order relevance.
  • Level 3: Suitable for activities with higher sensitivity, potentially allowing for third-country control only if the Commission has adopted a specific implementing act for that country (Article 18).
  • Level 4: The highest level, reserved for the most critical activities (e.g., defence, classified information), requiring no third-country control and "high" cybersecurity certification.

Action for Public Bodies: Use the Commission's guidance (to be provided via implementing acts) to map your risk findings to an assurance level. For instance, if an activity involves defence data with a high risk of third-country access, the assessment should likely point toward Level 3 or 4.

  • Multi-Cloud Strategy: Article 29(9) also requires that in their risk assessments, Member States and Union entities "consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services." This is a strategic consideration to avoid single points of failure and enhance resilience.

Step 4: Report Results to the Commission

The final step in the initial process is reporting. Article 29(4) stipulates that "within three months of carrying out the risk assessments," Member States must provide the Commission with the results.

This report must indicate:

  • The outcomes of the risk assessments (i.e., the assigned assurance levels for specific activities).
  • Any departures from the implementing acts (methodologies and templates) referred to in Article 29(3).

The Commission retains significant oversight. Under Article 29(5), if the Commission concludes that the Union assurance level identified in a Member State's risk assessment is "not appropriate or does not adequately address the public order concerns," it may adopt implementing acts specifying the Union assurance levels needed for that public sector activity. This ensures a harmonised approach across the Union and prevents Member States from underestimating risks.

Action for Public Bodies: Ensure your internal assessment process allows for timely aggregation and submission of results to the national competent authority, which will then report to the Commission. Maintain detailed documentation of your risk analysis and any deviations from the standard methodology to justify your assurance level assignments.

The Role of Commission Methodology and Templates

It is crucial to note that the risk assessment is not an entirely free-form exercise. Article 29(3) empowers the Commission to adopt implementing acts that specify:

  • The methodology to be applied: How the risk factors should be weighted and calculated.
  • The templates to be used: Standardised formats for recording the assessment.
  • The elements to be taken into account: Ensuring all relevant aspects are covered.

These implementing acts will provide the standardised framework for conducting the assessments, ensuring consistency across the Union. In particular, the methodology will specify "how Member States use the highest level of assurance for the most critical public sector activities including, but not limited to, defence."

Until these secondary legislative acts are adopted, entities should prepare by aligning their internal risk management practices with the criteria outlined in Article 29(2). The Commission is also empowered to request information from cloud computing service providers to assist in this guidance (Article 29(8)).

What this means for you

For public-sector procurement officers, IT strategists, and legal counsel, the introduction of CADA's risk assessment framework represents a fundamental shift from ad-hoc security evaluations to a standardized, legally mandated process.

  1. Proactive Mapping is Mandatory: You must proactively map your cloud services to public-sector activities. Simply continuing to use cloud services in critical sectors without an explicit risk assessment will no longer be sufficient; the assessment is required to justify procurement decisions.
  2. Documentation is Key: The requirement to report to the Commission within three months means your assessments must be documented, defensible, and aligned with upcoming Commission templates. Keep detailed records of your data sensitivity analyses, third-country risk evaluations, and service disruption assessments.
  3. Collaboration is Encouraged: If your organisation shares responsibilities with other entities (e.g., cross-border EU projects or joint national initiatives), explore joint risk assessments as permitted by Article 29(1) to reduce administrative burden and ensure consistency.
  4. Preparation for Secondary Legislation: While the exact templates are not yet finalised, begin drafting internal methodologies that address the three core factors in Article 29(2): data sensitivity, third-country access risk, and service disruption risk. This will streamline compliance once the Commission's implementing acts are published.
  5. Procurement Strategy Implications: The outcome of your risk assessment will directly dictate your procurement requirements. A high-risk assessment result will limit your tender pool to providers recognised at higher Union assurance levels (2, 3, or 4), which may impact cost and availability. Plan for potential migration timelines, noting that Article 29(6) allows for a reasonable transition period (not exceeding 12 months) if migration to a new cloud service is required.

Common misconceptions

  • Misconception: Risk assessments are optional for non-critical services.
    • Correction: While Article 29 focuses on activities contributing to public order, Article 30(2) mandates that all public sector bodies use cloud services recognised at Union Assurance Level 1 as a minimum. Therefore, a baseline assessment is effectively required for all cloud procurement to ensure Level 1 compliance, even if the detailed Article 29 risk assessment is only triggered for higher-risk activities.
  • Misconception: Member States have complete discretion in assigning assurance levels.
    • Correction: While Member States conduct the assessments, the Commission retains oversight. Under Article 29(5), the Commission can override a Member State's assessment if it deems the chosen assurance level inadequate for public order. Additionally, the Commission will provide specific methodologies and templates to ensure harmonisation.
  • Misconception: The risk assessment only looks at data privacy.
    • Correction: The assessment is broader than GDPR compliance. Article 29(2) explicitly requires assessing the risk of service disruption and the impact of third-country access on public order, not just the rights and freedoms of data subjects. It encompasses operational resilience and national security dimensions.
  • Misconception: Once an assessment is done, it is valid indefinitely.
    • Correction: Article 29(1) states that risk assessments must be carried out "thereafter every two years, or whenever necessary." This means assessments are periodic and must be updated if circumstances change (e.g., new threats, changes in data sensitivity, or changes in the cloud provider's sovereignty status).

This is general information about a draft EU regulation, not legal advice.