Summary
As framed by the proposed Cloud and AI Development Act (CADA), operational continuity risk is the threat that a cloud service provider — particularly one subject to third-country control — could have its service disrupted, degraded, or terminated because of external legal or political pressure. It is treated not as ordinary IT reliability but as a strategic risk to public order and economic security. CADA would address it through the Union cloud computing sovereignty framework (Article 16), whose higher assurance levels require demonstrable protection against third-country interference with service continuity.
Detail
Defining operational continuity risk in the CADA context
In the proposed CADA, operational continuity risk is not just about server uptime or maintenance windows. It is a strategic and legal risk: the potential for a provider to cease or degrade service for reasons outside the EU user's control, tied to the provider's jurisdictional exposure and the extraterritorial reach of third-country laws.
The CADA explanatory memorandum identifies this risk, noting that dependence on non-European providers "exposes European users to the risks related to operational discontinuity," particularly where unilateral decisions by third-country actors could disrupt service provision. The core of the risk is the loss of agency: if a provider is subject to a third country's legal system, that country may compel it to cut off data access, suspend the service, or degrade performance for reasons unrelated to the EU user's interests.
The legislative response: Article 16 and the sovereignty framework
To mitigate this, CADA would establish a harmonised Union cloud computing sovereignty framework. Its cornerstone is Article 16, which sets up four Union assurance levels. As Article 16(1) puts it, the Chapter "establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies."
The Annex II criteria address operational continuity directly for the audited levels (2, 3 and 4). For example, at Union assurance level 3 a provider that is subject to third-country control under the Article 18 derogation must demonstrate that the "possibility of disruption of the service continuity and/or the degradation of the service quality by a third country or a legal entity established in a third country is prevented" (Annex II, point 3.1(g)(iii)). The default at level 3, however, is stronger: the provider and its subcontractors must not be subject to third-country control at all, with the Article 18 route available only as a narrow derogation.
At Union assurance level 4, the criteria are stricter still: the audited provider and its subcontractors must "not [be] subject to the control of a third country or a legal entity established in a third-country" (Annex II, point 4.1(g)), with no derogation. That structurally removes the third-country-coercion vector for services operating at the top tier.
Link to CADA's core objectives
This focus reflects CADA's stated aims. Among the proposal's objectives is to "address concerns regarding data sovereignty and operational continuity of cloud and AI." By mandating risk assessments (Article 29) and tying procurement to assurance levels (Article 30), CADA would make public sector bodies evaluate the risk of disruption before contracting. The memorandum frames operational continuity as a matter of public order and economic security — not just IT reliability.
Risk assessments and procurement implications
Under Article 29, Member States and Union entities would conduct risk assessments to identify which public sector activities contribute to the preservation of public order, considering at least the sensitivity and criticality of the data, the risk of unlawful third-country access, and "the risk and consequent impact on public order of possible service disruption" (Article 29(2)(c)).
Based on those assessments, Article 30 would require contracting authorities whose activities are identified as contributing to public order — in NIS2 Annex I/II sectors and in national security, internal security, external border management, defence, justice or law enforcement — to procure only services recognised at Union assurance level 2, 3 or 4. That creates a direct line from the theoretical risk of discontinuity to concrete procurement decisions.
What this means for you
For CTOs, architects, and SMEs evaluating cloud providers, the proposed CADA signals a shift in how reliability is measured. Uptime is no longer the only metric; jurisdictional resilience would become a compliance requirement.
- Re-examine vendor jurisdiction. If you serve the public sector, scrutinise the ultimate control of your infrastructure. EU data centres are not enough: a third-country-controlled provider may fail the level 3 or 4 criteria. Verify not just where the data sits, but who holds the legal power to disrupt it.
- Be ready to evidence sovereignty. Public-sector tenders would increasingly require proof of compliance with Union assurance levels. Prepare documentation showing your service is insulated from third-country legal pressure — contractual guarantees, technical isolation, and EU-based operational control.
- Support your clients' risk assessments. Public sector bodies must perform Article 29 risk assessments. Be ready to share detail on your supply chain, subcontractors, and governance so they can place your service at the right level.
- SME advantage. For Union assurance level 1, an SME's EU statement of conformity is directly and automatically recognised across all Member States without prior recognition by the evaluating national competent authority (Article 17(3)) — lowering the barrier for smaller EU-based providers.
Common misconceptions
- "Operational continuity is only about technical redundancy." Backups and failover matter, but CADA frames continuity risk through a legal and geopolitical lens. A service can be technically robust yet still fail the continuity test if a third country can lawfully compel the provider to cut off access.
- "Data localisation solves continuity risk." Keeping data in the EU is a baseline (level 1), but it does not guarantee continuity. A third-country-controlled provider may still be compelled to disrupt the service remotely, wherever the servers sit. The higher assurance levels address this by restricting third-country control.
- "This only applies to large hyperscalers." The framework applies to any provider seeking to serve the public sector at a given level. SMEs that can demonstrate EU control and operational autonomy may find new opportunities, especially as level 1 recognition is streamlined for them.
This is general information about a draft EU regulation, not legal advice.