Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities are required to conduct sovereignty risk assessments for public sector cloud activities on a recurring basis, every two years. As explicitly set out in Article 29(1), these assessments must be carried out initially within one year of the regulation's entry into force, and thereafter every two years, or whenever necessary to address emerging risks. Crucially, the results of each assessment cycle must be reported to the European Commission within three months of completion, as mandated by Article 29(4). This cycle ensures that the Union assurance levels applied to public order-relevant activities remain appropriate amidst evolving threats and technological changes.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a dynamic framework for cloud sovereignty, moving beyond static compliance to continuous risk management. A central pillar of this framework is the obligation for Member States and Union entities to perform regular risk assessments to determine the appropriate "Union assurance level" (ranging from 1 to 4) for specific public sector activities. These assessments are not a one-off event but a recurring operational cycle designed to safeguard the Union's public order.
The Legal Basis: Article 29(1) and the Two-Year Mandate
The primary legal driver for this recurring obligation is Article 29(1) of the CADA proposal. This provision establishes a clear timeline for risk assessments, ensuring that the sovereignty framework adapts to changing circumstances.
The article mandates that Member States and Union entities shall carry out risk assessments:
- Initial Assessment: By the date of entry into force plus one year.
- Recurring Cycle: Thereafter every two years.
- Ad-Hoc Trigger: Or whenever necessary.
This structure creates a mandatory two-year cycle for reviewing the sensitivity, criticality, and magnitude of data processed in cloud environments. The purpose of this regular review is to ensure that the chosen Union assurance level remains appropriate as the technological landscape, threat environment, and the nature of public sector activities evolve. The "whenever necessary" clause provides critical flexibility, allowing authorities to bypass the standard two-year wait if a significant change in risk profile occurs, such as a new geopolitical threat or a change in a cloud provider's ownership structure.
Scope of the Assessment: Public Order and Assurance Levels
During each two-year cycle, the risk assessment must identify public sector activities that use or will use cloud computing services. The scope is specifically targeted at activities that contribute to the preservation of public order.
As defined in Article 29(1), these activities include sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as specific areas of national importance:
- National security
- Internal security
- External border management
- Defence
- Justice or law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences)
The core output of this assessment is the determination of which Union assurance level (2, 3, or 4) is appropriate for the identified activities. This determination is critical because it directly dictates procurement obligations. Under Article 30(3), contracting authorities whose activities are identified as contributing to public order must procure only cloud services recognised at the specific assurance level determined by the risk assessment. Conversely, for activities not identified as contributing to public order, Article 30(2) mandates a minimum of Union assurance level 1.
The Three-Month Reporting Deadline
The CADA proposal emphasizes transparency and Union-level oversight. It is not sufficient for Member States to simply conduct the assessment internally; they must report their findings to the European Commission.
Article 29(4) sets a strict deadline for this reporting: Member States must provide the Commission with the results of their risk assessments within three months of carrying them out.
This three-month window serves several purposes:
- Consistency: It allows the Commission to monitor the application of the sovereignty framework across the Union.
- Deviation Tracking: The reporting must explicitly indicate where a Member State departs from the implementing acts (methodologies and templates) provided by the Commission under Article 29(3).
- Intervention Mechanism: If the Commission concludes, after reviewing the results, that the Union assurance level identified by a Member State is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the correct Union assurance levels needed for that public sector activity, as per Article 29(5).
This tight reporting cycle ensures that the Commission can act swiftly to correct any misalignments in the Union's sovereignty posture before they result in procurement of inadequate cloud services.
The "Whenever Necessary" Flexibility
While the standard rhythm is a two-year cycle, Article 29(1) includes a vital flexibility clause: assessments must be carried out "whenever necessary."
This provision acknowledges that the risk landscape is not static. A Member State may be required to conduct an assessment outside the standard two-year schedule if:
- There is a significant change in the threat landscape (e.g., new extraterritorial laws in a third country).
- The nature of the public sector activity changes (e.g., a new law enforcement capability is deployed).
- The status of a cloud service provider changes (e.g., a change in ownership or a revocation of their Union assurance level).
This ensures that the protection of public order is not compromised by waiting for the next scheduled two-year review.
What this means for you
For public-sector procurement officers, IT strategists, and compliance teams, the two-year cycle of CADA risk assessments has significant operational implications:
- Calendar Integration: You must integrate the risk assessment process into your organizational calendar. Every two years, you will need to initiate a formal review of cloud services used for activities related to public order. This is a recurring compliance obligation, not a one-time project.
- Documentation and Readiness: Ensure that your risk assessment methodologies are documented and aligned with the Commission's implementing acts. You will need to report the results to the national competent authority and the Commission within the strict three-month window. Maintain clear audit trails explaining why specific Union assurance levels were chosen for specific services.
- Procurement Alignment: Your procurement strategies must be directly driven by the outcomes of these assessments. If a risk assessment determines that a service requires Union assurance level 3, you cannot procure a service that only meets level 1 or 2. The assessment defines your technical specifications and award criteria.
- Trigger Awareness: Monitor for changes that might trigger a "whenever necessary" assessment. If a cloud provider changes its ownership structure, moves infrastructure, or if your use case becomes more critical, you may need to reassess immediately rather than waiting for the two-year mark.
- Multi-Cloud Strategies: Article 29(9) explicitly notes that risk assessments should consider whether a multi-vendor or multi-cloud strategy is appropriate. Use the two-year review to evaluate whether diversifying providers reduces dependency risks and enhances resilience against service disruption.
Common misconceptions
- Misconception: "We only need to do this assessment once when we first adopt CADA."
- Reality: Article 29(1) explicitly states assessments must be carried out "thereafter every two years." It is a continuous, recurring compliance obligation.
- Misconception: "The assessment is only for high-security government bodies like intelligence agencies."
- Reality: While it focuses on activities contributing to public order (e.g., defence, justice, border management), many public sector bodies engage in activities that fall under this definition. Any public sector body using cloud services for these purposes must participate in the risk assessment process.
- Misconception: "If we don't change our cloud provider, we don't need to reassess."
- Reality: The risk assessment evaluates the activity and the data, not just the provider. Changes in data sensitivity, threat landscapes, or the provider's compliance status (e.g., a revoked Union assurance level) can trigger a need for reassessment "whenever necessary," regardless of the two-year cycle.
- Misconception: "The Commission decides the assurance level for every service."
- Reality: Member States and Union entities conduct the risk assessments themselves. The Commission provides guidance and can intervene if an assessment is deemed inappropriate, but the primary responsibility for the assessment lies with the national or Union entity.
This is general information about a draft EU regulation, not legal advice.