Summary

As proposed in the Cloud and AI Development Act (CADA), Article 29 establishes a mandatory risk assessment mechanism for Member States and Union entities. Its sole purpose is to identify which public sector activities contribute to the preservation of public order. The outcome of this assessment is the legal trigger for procurement obligations: if an activity is deemed relevant to public order, the contracting authority must procure cloud services recognised at Union assurance level 2, 3, or 4 under Article 30(3). If not, the minimum requirement is Union assurance level 1 under Article 30(2). This assessment must be completed within one year of the Regulation's entry into force and updated every two years.

Detail

The proposed Cloud and AI Development Act (CADA) fundamentally shifts public procurement from a purely price-and-quality model to a sovereignty-based model. The engine of this shift is the risk assessment mandated by Article 29. Without this assessment, a public buyer cannot legally determine which cloud assurance levels are permissible for their specific use cases.

The Legal Obligation: Identifying Public Order Relevance

Article 29(1) imposes a strict timeline and scope on Member States and Union entities. They must carry out risk assessments within one year of the Regulation's entry into force, and subsequently every two years, or whenever necessary.

The primary objective, as defined in Article 29(1)(a), is to identify public sector activities that use or will use cloud computing services and that "contribute to the preservation of public order." The proposal explicitly defines the scope of these activities to include:

  • Sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive).
  • Specific areas of national importance: national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

This is not a voluntary self-classification. The assessment is a formal administrative act that maps the public sector's critical functions against the risks posed by third-country control or service disruption.

Determining the Required Assurance Level

Once an activity is identified as contributing to public order, the assessment must proceed to the second critical step defined in Article 29(1)(b): determining which of Union assurance levels 2, 3, or 4 is appropriate for that specific activity.

The proposal does not leave this determination to arbitrary discretion. Article 29(2) mandates that the assessment must consider at least three specific risk factors:

  1. Data Sensitivity and Criticality: The assessment must evaluate the sensitivity, criticality, and magnitude of non-personal data, as well as the nature, scope, context, and purpose of processing personal data. It must also assess the risk to the rights and freedoms of data subjects.
  2. Third-Country Access Risks: It must consider the risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
  3. Service Disruption Risks: It must evaluate the risk and impact on public order of possible service disruption.

To ensure consistency across the Union, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. Crucially, this methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, explicitly citing defence as an example.

The Direct Link to Procurement Obligations (Article 30)

The Article 29 risk assessment is the precondition for all subsequent procurement actions under CADA. The results of the assessment directly dictate the legal constraints a contracting authority faces under Article 30.

  • Scenario A: No Public Order Relevance. If the risk assessment determines that a public sector activity does not contribute to the preservation of public order, Article 30(2) applies. In this case, Union entities and public sector bodies must use cloud computing services recognised as having at least Union assurance level 1.

  • Scenario B: Public Order Relevance. If the risk assessment identifies an activity as contributing to the preservation of public order (as defined in Article 29(1)), Article 30(3) applies. Contracting authorities shall only procure cloud computing services that have been recognised as having Union assurance level 2, 3, or 4.

This creates a rigid compliance chain. A contracting authority cannot simply "choose" a higher assurance level for cost reasons, nor can it procure a lower level for convenience. The assurance level is legally bound to the outcome of the Article 29 assessment. If the assessment concludes that a law enforcement database requires Level 4 due to the sensitivity of the data and the risk of third-country access, the authority is legally prohibited from procuring a Level 2 or Level 3 service for that specific activity.

Transition, Migration, and Multi-Cloud Strategies

The proposal acknowledges that these assessments may necessitate significant operational changes. Article 29(6) mandates that if a risk assessment requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months. This period must take into account technical feasibility, continuity of service, and data portability requirements.

Furthermore, Article 29(9) explicitly requires that risk assessments consider whether a multi-vendor or multi-cloud strategy is appropriate. This provision encourages public bodies to avoid single-provider dependencies, aligning with the broader CADA objective of reducing critical dependencies and enhancing resilience.

Commission Oversight and Guidance

The Commission plays a supervisory role to ensure the integrity of the framework. Under Article 29(4), Member States must provide the Commission with the results of their risk assessments within three months of carrying them out, indicating where they depart from the Commission's implementing acts.

If the Commission concludes that a Member State's identified assurance level is not appropriate or does not adequately address public order concerns, Article 29(5) empowers the Commission to adopt implementing acts specifying the Union assurance levels needed for that public sector activity. This ensures that national assessments do not result in a "race to the bottom" regarding sovereignty standards.

What this means for you

For public-sector procurement officers, IT strategists, and legal counsel, the Article 29 risk assessment is the foundational step in the CADA compliance journey. It is not a retrospective audit but a forward-looking strategic exercise.

1. Initiate the Public Order Mapping Immediately: You must categorize every public sector activity under your jurisdiction. Identify which departments or functions fall under national security, justice, defence, or critical infrastructure (NIS2 sectors). These are your "high-assurance" zones. If you cannot definitively prove an activity does not contribute to public order, you risk non-compliance by procuring at Level 1 when Level 2+ is required.

2. Prepare for the One-Year Deadline: The assessment must be completed within one year of CADA's entry into force. This is a hard deadline. You must gather data on your current cloud dependencies, data flows, and third-country exposure immediately. The Commission will issue guidance, but the burden of the initial assessment lies with the Member State or Union entity.

3. Align Procurement Tenders with Assessment Outcomes: Your procurement teams must understand that the Union assurance level is a mandatory technical specification derived from Article 29. If your assessment dictates Level 3, you cannot issue a tender for Level 1 or Level 2 services for that activity. You must verify that potential providers are listed in the central repository (Article 22) with the correct recognition.

4. Plan for the 12-Month Migration Window: If your current cloud provider does not meet the assurance level required by your new risk assessment, you have a maximum of 12 months to migrate. This is a tight window for complex public sector systems. Begin planning for data portability, service continuity, and the technical feasibility of switching providers now to avoid operational disruption.

5. Evaluate Multi-Cloud Architectures: Use the risk assessment to evaluate if a single-provider strategy poses too great a risk to public order. Article 29(9) explicitly encourages multi-vendor strategies. If your assessment identifies high risk, structuring your procurement into lots for different providers may be the only way to meet the resilience requirements of the Act.

Common misconceptions

Misconception 1: The risk assessment is optional for smaller authorities. Incorrect. Article 29(1) applies to all Member States and Union entities. While the Commission will provide guidance, the obligation to assess public-order relevance is universal. Even if an authority determines that none of its activities contribute to public order, it must still document this conclusion to justify procuring at the minimum Union assurance level 1.

Misconception 2: You can choose any assurance level you want for critical services. Incorrect. The assurance level is not a matter of preference or budget. It is a legal requirement derived from the risk assessment. If the assessment determines that an activity requires Level 4 due to the sensitivity of the data or the criticality of the service (e.g., defence), you are legally bound to procure only Level 4 services. You cannot downgrade to Level 2 for cost reasons if the risk assessment dictates higher protection for public order.

Misconception 3: The assessment only looks at cybersecurity. Incorrect. While cybersecurity is a component, the Article 29 assessment is broader. It specifically evaluates risks related to sovereignty and public order, including the risk of unlawful data access by third countries and the risk of service disruption due to geopolitical factors. It is a sovereignty risk assessment, not just a technical security audit.

Misconception 4: Once assessed, the classification is permanent. Incorrect. Article 29(1) requires assessments to be carried out "every two years, or whenever necessary." Changes in geopolitical landscapes, technological capabilities, or the nature of the data processed may require a reassessment, potentially changing the required assurance level for a service.

This is general information about a draft EU regulation, not legal advice.