Summary
Under the proposed Cloud and AI Development Act (CADA), Article 29 imposes a mandatory obligation on Member States and Union entities to conduct periodic risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine the required Union assurance level (2, 3, or 4) for cloud services supporting those activities. Whereas Level 1 is the baseline requirement for public sector cloud procurement generally, activities flagged as having public order relevance (spanning sectors such as defence, justice, law enforcement, and critical infrastructure under the NIS2 Directive) must procure only cloud services recognised at the higher assurance tiers. This mechanism ensures that critical public functions are shielded from third-country interference, operational disruption, and unlawful data access.
Detail
The Article 29 risk assessment serves as the critical demand-side trigger within the CADA sovereignty framework. While the supply-side measures (defined in Annex II) establish the technical and legal criteria for what constitutes a "sovereign" cloud service, Article 29 determines when and for which activities public authorities are legally required to utilise those higher-tier services. It acts as the bridge between abstract sovereignty criteria and concrete public procurement obligations, ensuring that the level of protection matches the sensitivity of the public function being performed.
The Legal Basis and Scope of Application
Article 29, titled "Risk assessments," creates a direct, recurring obligation for Member States and Union entities (such as EU institutions, bodies, offices, and agencies). The provision is designed to safeguard the Union's public order by ensuring that cloud computing services underpinning critical public functions are resilient against risks stemming from dependence on third-country providers.
As proposed, the regulation mandates that these entities carry out risk assessments according to a strict timeline:
- Initial Deadline: Within one year of the Regulation's entry into force.
- Periodic Review: Thereafter, every two years.
- Ad Hoc Triggers: "Whenever necessary," such as following significant shifts in the geopolitical threat landscape, changes in the nature of the public activity, or the emergence of new third-country legal risks.
The scope of the assessment is explicitly defined in Article 29(1)(a). It requires entities to identify public sector activities that use or will use cloud computing services and that contribute to the preservation of public order. The definition of "public order" is broad and encompasses:
- Sectors falling under Annex I or Annex II of Directive (EU) 2022/2555 (the NIS2 Directive), which covers critical sectors such as energy, transport, banking, health, drinking water, wastewater, digital infrastructure, and public administration.
- Specific areas of national security, internal security, external border management, defence, justice, and law enforcement.
- Activities related to the prevention, investigation, detection, and prosecution of criminal offences.
This scope ensures that the assessment is not limited to traditional "state secrets" but extends to the operational continuity of essential societal functions.
Determining the Required Assurance Level
The primary output of an Article 29 risk assessment is the determination of the appropriate Union assurance level for the identified activities. CADA establishes four assurance levels (Level 1 through Level 4). While Article 30(2) sets Level 1 as the mandatory baseline for all public sector procurement, Article 29(1)(b) specifically empowers the risk assessment to mandate higher tiers.
The assessment must determine which Union assurance level (2, 3, or 4) is appropriate for the identified public sector activities. This determination is not discretionary; it must be grounded in a rigorous evaluation of the specific risks associated with the data and services involved. The higher the risk identified, the higher the assurance level required.
Factors to Consider in the Assessment
To ensure that the chosen assurance level is proportionate to the actual risk, Article 29(2) outlines specific aspects that Member States and Union entities must consider. These factors prevent arbitrary classification and ensure a consistent, risk-based approach across the Union:
- Data Sensitivity, Criticality, and Magnitude: Entities must assess the nature of the data processed, distinguishing between ordinary business information, commercially sensitive data, operationally critical data, and personal data. The assessment must evaluate the potential impact on public order and the nature, scope, context, and purpose of processing personal data, including the risk to the rights and freedoms of data subjects.
- Risk of Unlawful Third-Country Access: A critical factor is the risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country. This directly addresses concerns regarding extraterritorial data access laws (such as the US CLOUD Act) that may conflict with EU fundamental rights and data protection frameworks.
- Risk of Service Disruption: Entities must assess the risk and impact on public order of possible service disruption. This covers scenarios where a third-country provider might degrade, halt, or manipulate services due to geopolitical pressures, sanctions, embargoes, or unilateral decisions by a third-country government.
The Role of the Commission and Methodology
To prevent fragmentation and ensure a harmonised application of the sovereignty framework, the Commission plays a central supervisory and guiding role. Under Article 29(3), the Commission is empowered to adopt implementing acts that specify:
- The methodology to be applied for the risk assessments.
- The templates to be used by Member States and Union entities.
- The specific elements to be taken into account.
Crucially, these implementing acts will specify how Member States must use the highest level of assurance for the most critical public sector activities, explicitly including defence. This ensures that the most sensitive functions receive the maximum level of protection available under CADA.
Furthermore, Article 29(4) imposes a transparency obligation: Member States must provide the Commission with the results of their risk assessments within three months of carrying them out. They must also indicate any departures from the Commission's implementing acts. If the Commission concludes that a Member State's identified assurance level is inappropriate or fails to adequately address public order concerns, it may adopt implementing acts specifying the required Union assurance levels for that specific activity (Article 29(5)). This creates a "backstop" mechanism to ensure minimum standards are met across the Union.
Link to Procurement Obligations
The outcome of the Article 29 risk assessment is the direct trigger for the procurement rules set out in Article 30. The relationship is binary and mandatory:
- Default Rule (Non-Critical): Public sector activities not identified as contributing to the preservation of public order under the Article 29 assessment must use cloud computing services recognised as having at least Union assurance level 1 (as per Article 30(2)).
- Public Order Rule (Critical): Contracting authorities whose activities are identified as contributing to the preservation of public order under Article 29(1) must only procure and use cloud computing services that have been recognised as having Union assurance levels 2, 3, or 4 (as per Article 30(3)).
This creates a mandatory "sovereign-only" procurement lane for critical sectors. Additionally, Article 29(9) encourages entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement, based on the risk assessment, to enhance resilience and limit dependency on a single provider.
Migration and Transition
Recognising that transitioning to higher assurance levels may require significant operational changes, Article 29(6) provides a specific migration framework. If a risk assessment determines that a public sector activity must migrate to a cloud service with a higher assurance level (e.g., moving from a Level 1 provider to a Level 3 provider), the Member State or Union entity must migrate within a "reasonable transition period that shall not exceed 12 months."
This timeline is not absolute; it must account for technical feasibility, continuity of service, and data portability requirements applicable to such migration. However, the 12-month cap ensures that critical activities are not left in a state of non-compliance indefinitely.
What this means for you
For in-house counsel, compliance officers, and procurement managers in the public sector, Article 29 introduces a structured, recurring obligation to audit cloud dependencies and align procurement strategies with sovereignty requirements.
1. Immediate Action: Inventory and Classification
You must immediately map all public sector activities that currently use or plan to use cloud computing services. For each activity, you must determine if it contributes to the preservation of public order in the sectors listed in Article 29(1)(a). This includes not only traditional security sectors but also critical infrastructure under NIS2 (energy, health, transport, etc.). If an activity falls within these sectors and uses cloud services, it is subject to the enhanced risk assessment.
2. Conduct the Risk Assessment
Once the Commission adopts the implementing acts (methodology and templates), you must conduct the assessment using those tools. You must evaluate the sensitivity of the data processed and the specific risks of third-country access or service disruption. This is not a one-time exercise; it must be repeated every two years or whenever circumstances change significantly.
3. Determine the Assurance Level
Based on the assessment, you must assign a required Union assurance level (2, 3, or 4) to each critical activity. This determination will dictate your procurement specifications. You cannot procure from providers who have not been formally recognised at the required level. Note that the assessment must be rigorous; if the Commission deems your chosen level insufficient, it can override your decision.
4. Procurement Alignment
Ensure that all tender documents for cloud services in critical sectors explicitly require Union assurance levels 2, 3, or 4, as determined by your risk assessment. Failure to do so would constitute a breach of Article 30, which is directly linked to the Article 29 assessment. You must also consider multi-cloud strategies to mitigate single-point-of-failure risks.
5. Migration Planning
If your current cloud provider does not meet the required assurance level, you must plan a migration within 12 months. This requires early engagement with alternative sovereign providers and careful management of data portability and service continuity to avoid operational disruption.
6. Reporting Obligations
You must report the results of your risk assessments to the national competent authority and, subsequently, to the Commission within three months of completion. Ensure your records are robust and defensible, as the Commission may challenge your chosen assurance levels if they deem them insufficient to protect public order.
Common misconceptions
Misconception 1: Only the highest-security sectors (like defence) need risk assessments. Reality: Article 29 covers a broad range of sectors, including those listed in Annex I and II of the NIS2 Directive. This includes energy, transport, banking, health, and digital infrastructure. Any public sector activity in these areas that uses cloud services and contributes to public order requires an assessment.
Misconception 2: The risk assessment is a one-time compliance checkbox. Reality: The assessment must be repeated every two years and whenever necessary. The dynamic nature of geopolitical risks and technological change means that the required assurance level for a specific activity may change over time.
Misconception 3: Assurance Level 1 is sufficient for all public sector cloud use. Reality: While Level 1 is the baseline for non-critical activities, Article 29 identifies activities with public order relevance that must use Levels 2, 3, or 4. Using a Level 1 service for a critical activity identified in the risk assessment would be non-compliant.
Misconception 4: Private companies are subject to Article 29 risk assessments. Reality: Article 29 applies specifically to Member States and Union entities. Private sector entities (particularly those in high-criticality sectors under NIS2) are addressed under Article 31, which allows them to conduct similar impact assessments but does not mandate them in the same binding way as Article 29 for public bodies.
This is general information about a draft EU regulation, not legal advice.