Summary
Under the proposed Cloud and AI Development Act (CADA), systemic digital infrastructure risk is the threat posed by the EU's critical dependence on a limited pool of third-country cloud providers, which jeopardises economic security, operational continuity and public order. As proposed, CADA would require Member States and Union entities to conduct risk assessments (Article 29) to identify which public sector activities need higher Union assurance levels (Article 16, with criteria in Annex II), and would also boost domestic capacity to reduce the underlying dependency.
Detail
The proposed CADA frames the EU's reliance on non-European cloud and AI infrastructure not merely as a competition issue but as a systemic risk to the Union's digital resilience. The explanatory memorandum states that the initiative supports the Preparedness Union Strategy, "which identifies dependence on critical digital infrastructure as a systemic risk and calls for a whole-of-government approach to ensuring the continuity of essential services in crisis scenarios."
This systemic risk manifests through several interconnected vulnerabilities:
- Concentration and external control. As the memorandum notes, three non-EU hyperscalers control over 70% of the European cloud market. This concentration creates dependence on entities subject to third-country jurisdictions with extraterritorial laws (such as the US CLOUD Act) that may compel data access or service disruption in ways that conflict with EU operational autonomy.
- Operational discontinuity. The proposal highlights "potential disruptions affecting the continuity, quality and resilience of cloud computing services" (Recital 46). For public sector bodies, unilateral decisions by third-country actors could mean loss of control over critical services, undermining public order.
- Reduced oversight of data. Dependence on third-country-controlled providers means "reduced control and oversight over personal and non-personal data and infrastructure" (Recital 46). CADA would respond with a harmonised "Union cloud computing sovereignty framework" of four assurance levels.
To address these systemic risks, CADA would introduce mandatory risk assessments for the public sector. Under Article 29, Member States and Union entities would (by one year after entry into force, then every two years) carry out risk assessments to:
- identify public sector activities that contribute to the preservation of public order, in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal/external security, defence, justice or law enforcement; and
- determine which Union assurance level (2, 3 or 4) is appropriate for those activities.
The assessments must consider the sensitivity, criticality and magnitude of the data processed (and the impact on public order), the risk of access by a third country that would be unlawful under Union law, and the risk of possible service disruption (Article 29(2)). Based on the results, Article 30 would bind contracting authorities: activities not contributing to public order use Level 1 (Article 30(2)); those that do must procure only Levels 2, 3 or 4 (Article 30(3)).
The proposal also addresses the private sector. While Article 29 applies to public entities, Article 31 would allow NIS2 entities that are not public sector bodies to carry out similar impact assessments. The Commission may issue guidance (Article 31(2)) and, in duly justified cases, adopt delegated acts requiring such assessments for entities in sectors of high criticality (Article 31(3)) — recognising that systemic risk extends into critical economic infrastructure.
CADA would also aim to reduce systemic risk by boosting domestic capacity: it would establish Cloud and AI Leadership Initiatives to support sovereign cloud capacity and AI, and it would oblige Member States to designate data centre acceleration zones to simplify data-centre deployment. Increasing the supply of sovereign, secure computing capacity within the EU is intended to attack the structural dependency at the root of the systemic risk.
What this means for you
For CTOs, architects and SMEs, treating systemic digital infrastructure risk as a regulatory concept has practical implications:
- For public sector suppliers: To compete for contracts in critical sectors (defence, justice, health), you would need recognition at Union assurance levels 2, 3 or 4, requiring independent audits (Article 20) demonstrating controls over data location, personnel, and absence of third-country control.
- For SMEs in critical sectors: If your SME operates in a NIS2 Annex I sector (e.g. energy, transport, health, digital infrastructure), you may carry out impact assessments similar to Article 29 under Article 31(1). These are not mandatory for all private entities under the proposal, but the Commission retains power to require them for high-criticality sectors. Prepare to evaluate your cloud dependencies and document mitigation.
- For cloud architects: Designing for sovereignty is no longer optional for public sector work. Architect for data residency within the Union, limited third-country access, and full transparency into subcontractors and software supply chains. Multi-cloud or multi-vendor strategies (considered under Article 29(9)) can reduce concentration risk.
- For investors and providers: The proposal would create a new market for sovereign cloud services. Providers that can demonstrate the higher assurance levels would gain an edge in public procurement; those unable to decouple from third-country control may be excluded from critical tenders.
Common misconceptions
- "CADA only applies to the public sector." Reality: The mandatory risk assessments (Article 29) and procurement rules (Article 30) target public authorities, but the framework affects the whole market. NIS2 private entities are encouraged to assess similarly (Article 31), the Commission can mandate it, and public-sector demand would drive market-wide changes (see Recital 66 on spillover effects).
- "Systemic risk only means cybersecurity threats." Reality: CADA distinguishes cybersecurity from sovereignty. While cybersecurity is addressed by the Cybersecurity Act and EUCS, systemic digital infrastructure risk also covers operational autonomy, third-country access laws and supply-chain dependencies. A service can be secure but still pose systemic risk if controlled by a third country that can disrupt it or access data.
- "All cloud services must be sovereign." Reality: CADA takes a proportionate approach. Only activities identified as contributing to public order require higher levels (2, 3 or 4); other public sector activities may use Level 1. The goal is to protect critical functions, not to mandate sovereignty for everything.
- "EU providers are automatically sovereign." Reality: Being EU-established is not enough. Providers must meet specific criteria for each level — controls over subcontractors, data location, personnel, and software supply chains. An EU provider controlled by a third-country entity could still fail the higher levels unless the Article 18 derogation and safeguards apply.
Official sources
- Cybersecurity Act (Regulation (EU) 2019/881)
- Digital Decade Policy Programme (Decision (EU) 2022/2481)
Related
- Why is cloud sovereignty important for critical infrastructure? CADA
- Why is EU dependence on foreign cloud providers seen as a risk under CADA?
- Vendor Lock-In and Cloud Sovereignty: Why CADA Treats It as a Risk
- Cloud Sovereignty & Digital Decade 2030: How CADA Links Capacity to Autonomy
- What is operational continuity risk in cloud services under CADA?
This is general information about a draft EU regulation, not legal advice.