Summary

In the proposed Cloud and AI Development Act (CADA), "public order" is the decisive threshold that determines whether public sector bodies must procure sovereign cloud services at Union assurance levels 2, 3, or 4. As proposed in Article 29(1)(a), Member States and Union entities must conduct risk assessments to identify activities that "contribute to the preservation of public order." Recital 50 clarifies that this concept specifically covers three categories of risk arising from dependence on third-country providers: misuse (e.g., sabotage, weaponisation), access to information (e.g., espionage, exfiltration), and dependency vulnerabilities (e.g., economic coercion, embargoes). If an activity is deemed to impact public order, the body is legally required to procure only cloud services meeting higher assurance levels, rather than the baseline level 1.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework designed to mitigate strategic dependencies on non-European providers. Central to this framework is the concept of "public order," which acts as the operational trigger for stricter procurement obligations. Unlike general data protection concerns, "public order" in CADA is defined by the potential for external interference to undermine the Union's security, autonomy, and essential functions.

The Definition of Public Order Risks

The proposal explicitly defines the scope of "public order" through the risks it seeks to mitigate. Recital 50 states that the Union's critical dependence on a limited number of cloud providers subject to third-country control exposes it to specific risks that threaten public order. These risks are categorized into three distinct pillars:

  1. Misuse: This encompasses the potential for "manipulation, remote access and control, sabotage, weaponisation" of cloud services. It addresses scenarios where a third country could actively disrupt or hijack critical infrastructure.
  2. Access to Information: This covers risks of "unauthorised access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage." It focuses on the confidentiality and integrity of data held by public bodies.
  3. Dependency Vulnerabilities: This involves "political and/or economic coercion," including "vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States." It addresses the risk of service discontinuity or financial harm due to external political pressure.

Therefore, "public order" under CADA is not an abstract legal concept but a practical assessment of whether a cloud service's failure, compromise, or external control could undermine the functioning of essential state functions or critical infrastructure.

The Role of Risk Assessments (Article 29)

Article 29 of the CADA proposal mandates that Member States and Union entities carry out risk assessments to determine which of their public sector activities require higher levels of assurance. This is the mechanism through which "public order" is operationalized.

Article 29(1)(a) specifies that these risk assessments must identify public sector activities that use or will use cloud computing services and that "contribute to the preservation of public order." The article explicitly lists the sectors and areas where this preservation is paramount:

  • Sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), which covers essential and important entities such as energy, transport, banking, digital infrastructure, and health.
  • National security.
  • Internal security.
  • External border management.
  • Defence.
  • Justice or law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

Article 29(1)(b) further requires that these assessments determine which Union assurance level (2, 3, or 4) is appropriate for the identified activities. The assessment must consider the "sensitivity, criticality, and magnitude" of the data processed, as well as the risk of unlawful access by a third country or service disruption (Article 29(2)).

Linking Public Order to Procurement Obligations

The outcome of the Article 29 risk assessment directly dictates procurement behavior under Article 30. The regulation creates a binary compliance requirement based on the public order classification:

  • Non-public order activities: If an activity is not identified as contributing to the preservation of public order, the contracting authority must use cloud services recognized as having at least Union assurance level 1 (Article 30(2)).
  • Public order activities: If an activity is identified as contributing to the preservation of public order (per the list in Article 29(1)), the contracting authority must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4 (Article 30(3)).

Recital 52 reinforces this by stating that the framework provides a proportionate approach. It notes that while "most public services would not require the highest levels of assurance," specific cases involving public order concerns necessitate levels 3 or 4 to ensure operational autonomy and data confidentiality. The risk assessment ensures that the principles of proportionality and subsidiarity are complied with by assessing specific cases where protection of public order requires the highest level of assurance.

Methodology and Commission Oversight

To ensure consistency across the Union, the Commission plays a supervisory role. Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account for these risk assessments. The methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, including defence.

Member States must provide the results of their risk assessments to the Commission within three months of carrying them out (Article 29(4)). Crucially, Article 29(5) grants the Commission the power to intervene: if it concludes that the Union assurance level identified by a Member State is "not appropriate or does not adequately address the public order concerns," it may adopt implementing acts specifying the required Union assurance levels for that specific activity. This ensures a harmonized baseline, preventing Member States from under-classifying critical activities to avoid stricter procurement rules.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the CADA proposal introduces a mandatory, two-step compliance workflow. You cannot simply choose a cloud provider based on cost or technical features; you must first categorize your organization's activities against the public order criteria defined in Article 29.

1. Conduct and Document Risk Assessments

You must establish a process to identify which of your cloud-dependent activities fall under the NIS2 directive or other public order categories (defence, justice, etc.). This is not a one-time exercise; Article 29(1) requires assessments to be carried out "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." You must document the sensitivity, criticality, and magnitude of the data processed, as well as the risks of unlawful access by third countries (Article 29(2)).

2. Align Procurement with Assurance Levels

Once your activities are classified:

  • Non-public order activities: Ensure your vendors hold at least Union assurance level 1 recognition.
  • Public order activities: You are prohibited from using level 1 services. You must procure services with level 2, 3, or 4 recognition. You must verify this recognition in the central repository maintained by the Commission (Article 22).

3. Prepare for Transition Periods

If a risk assessment reveals that a current cloud service does not meet the required assurance level, Article 29(6) mandates migration within a "reasonable transition period that shall not exceed 12 months." Compliance officers must begin planning data portability and service migration strategies now to avoid service disruption when the regulation applies.

4. Monitor for Commission Guidance

The Commission will issue detailed methodologies and templates for these risk assessments. Stay alert for these implementing acts, as they will provide the specific criteria for mapping data sensitivity to assurance levels. Failure to align with these standards could result in the Commission overriding national assessments under Article 29(5).

Common misconceptions

Misconception 1: "Public order" applies to all government data. Incorrect. CADA distinguishes between general public sector activities and those contributing to the preservation of public order. General administrative tasks may only require Union assurance level 1. Only activities explicitly linked to national security, defence, justice, or NIS2-critical sectors trigger the mandatory requirement for levels 2, 3, or 4.

Misconception 2: GDPR compliance is sufficient for public order. Incorrect. While CADA is consistent with GDPR, Recital 5 explicitly states that the EU-US Data Privacy Framework and GDPR "do not remove sovereignty concerns about dependence on third-country providers." Public order under CADA includes operational autonomy and protection against service disruption or coercion, which are not covered by data protection law alone.

Misconception 3: Private companies are exempt from these assessments. Partially incorrect. While Article 29 mandates risk assessments for Member States and Union entities, Article 31 allows private sector entities listed in Annex I of the NIS2 Directive (critical infrastructure) to carry out similar impact assessments. Furthermore, the Commission may adopt delegated acts requiring impact assessments for private entities in sectors of high criticality if specific circumstances justify it.

Misconception 4: You can choose any level above 1 for public order activities. While you can choose levels 2, 3, or 4, the choice is not arbitrary. The risk assessment must determine which level is appropriate based on the sensitivity and criticality of the data. Using level 2 for a high-sensitivity defence application might be deemed insufficient by the Commission under Article 29(5).

This is general information about a draft EU regulation, not legal advice.