Summary
As proposed, operational continuity under the Cloud and AI Development Act (CADA) is about more than technical uptime: it concerns the risk that cloud services could be degraded or cut off because of unilateral decisions or legal pressure from third countries. CADA's explanatory memorandum lists protecting public order by making cloud supply more resilient — particularly in the public sector — among its objectives, and Article 1(1)(c) makes a sovereign cloud and AI offer "to safeguard the Union's public order" part of the Regulation's subject matter. The proposal would address this through a four-level sovereignty framework (Article 16), mandatory risk assessments (Article 29) and corresponding procurement obligations (Article 30).
Detail
The proposed CADA treats operational continuity as a strategic concern, not just a service-level one. Unlike classic cybersecurity, which centres on malicious attacks, operational continuity here addresses service degradation or cessation driven by geopolitical, legal or commercial decisions taken by third-country entities.
The risk of third-country interference
CADA's explanatory memorandum notes that three non-EU hyperscalers control over 70% of the European cloud market, that large incumbents are subject to third-country jurisdictions with extraterritorial laws (including laws mandating data access), and that this dependence "exposes European users to the risks related to operational discontinuity, particularly in scenarios where unilateral decisions by third-country actors could disrupt service provision." In practice this could mean frozen accounts, throttled service, or withdrawal of services driven by sanctions, embargoes or political pressure. For public bodies, such disruption could halt essential services.
Public-order resilience as a core objective
CADA links operational continuity to the protection of public order. Article 1(1)(c) lists, among the Regulation's measures, "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order." The explanatory memorandum likewise lists, as an objective, the aim to "help protect public order by making the supply of cloud computing services more resilient, in particular in the public sector." This framing would elevate continuity from an SLA matter to one of strategic autonomy.
The sovereignty framework as a mitigation tool
To address these risks, CADA would establish a Union cloud computing sovereignty framework of four Union assurance levels, with the criteria set out in Annex II (Article 16). The framework would work through risk assessments under Article 29: Member States and Union entities identify which public-sector activities contribute to the preservation of public order and which assurance level is appropriate. For activities identified as contributing to public order, contracting authorities would have to procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)); other public-sector activities would use at least Union assurance level 1 (Article 30(2)).
The higher levels impose progressively stricter Annex II criteria — for example, that the provider and its relevant subcontractors are established in the Union, that infrastructure, assets and (at higher levels) personnel are located in the Union, that customer data remain exclusively within the Union, and — for the most demanding levels — that the provider is not subject to third-country control that could enable unlawful data access or service disruption. As proposed, CADA also encourages considering multi-cloud or multi-vendor strategies to enhance resilience (Recital 65, operationalised in Article 29(9)).
What this means for you
For public-sector procurement officers, operational continuity would become a primary compliance driver, not a secondary one.
Conduct mandatory risk assessments
Under Article 29, Member States and Union entities must carry out risk assessments to identify public-sector activities that contribute to the preservation of public order and to determine the appropriate assurance level. You would weigh data sensitivity and criticality, the risk of unlawful third-country access, and the risk and impact of service disruption (Article 29(2)).
Align procurement with assurance levels
Your procurement choices would be constrained by Article 30. If your activity has public-order relevance, you must procure services recognised at Union assurance level 2, 3 or 4 — you could not simply pick the cheapest or most feature-rich option that fails to meet the required level.
Evaluate provider resilience
You would look beyond standard SLAs to a provider's resilience against unilateral third-country decisions — its legal independence, the location of its infrastructure, and its ability to resist external pressure. The central repository of recognised services (Article 22) would be the reference point for identifying compliant providers.
Consider multi-cloud strategies
Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of your procurement, based on a context-specific risk assessment (Recital 65).
Common misconceptions
Misconception 1: Operational continuity is only about technical uptime. As proposed, CADA's concept of continuity also covers legal and geopolitical resilience. A service can be technically "up" yet be legally compelled to degrade or become inaccessible.
Misconception 2: GDPR already covers this. The GDPR protects personal data but does not address the risk of service disruption or the extraterritorial reach of foreign laws that could force a provider to cease operations. CADA's sovereignty framework is intended to fill that gap.
Misconception 3: All cloud services must meet the highest assurance level. No. CADA takes a proportionate approach. Under Article 30(2), activities not identified as contributing to public order need only Union assurance level 1; the higher levels (2–4) apply to public-order activities identified through the Article 29 risk assessment.
This is general information about a draft EU regulation, not legal advice.