Summary
As proposed, Article 29 of the Cloud and AI Development Act (CADA) would require Member States and Union entities to carry out mandatory sovereignty risk assessments to decide which Union assurance level applies to their cloud use. The assessment identifies which public-sector activities contribute to the preservation of public order and determines whether a service must meet the stricter Union assurance levels 2, 3 or 4 rather than the baseline level 1. The first assessments would be due by entry into force plus one year, then every two years (or whenever necessary).
Detail
Under the proposed CADA, the sovereignty framework is risk-based rather than one-size-fits-all. Article 29 sets up the mechanism, requiring public-sector bodies to assess their dependencies and sensitivities instead of applying a blanket rule to all cloud use.
Who must conduct the assessment?
Article 29(1) places the obligation on Member States and Union entities (the EU institutions, bodies, offices and agencies). They must carry out risk assessments by entry into force plus one year, and thereafter every two years, or whenever necessary. Where Member States and Union entities share responsibility for an activity, they may consider doing the assessment jointly.
What is the purpose?
Under Article 29(1), the assessment is twofold:
- Identify public-order activities: determine which public-sector activities using cloud services contribute to the preservation of public order, in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in national security, internal security, external border management, defence, justice or law enforcement.
- Determine assurance levels: decide which Union assurance level (2, 3 or 4) is appropriate for those identified activities.
How is risk evaluated?
Article 29(2) requires consideration of at least:
- the sensitivity, criticality and magnitude of the non-personal data processed — including the potential impact on public order and the nature, scope, context and purpose of processing personal data, and the risk to the rights and freedoms of data subjects;
- the risk and consequent public-order impact of unlawful access (under Union law) to such data by a third country or a third-country-established legal entity; and
- the risk and consequent public-order impact of possible service disruption.
The link to public procurement
The outcome of the Article 29 assessment drives the procurement obligations in Article 30:
- If an activity is not identified as contributing to the preservation of public order, the entity uses services recognised at Union assurance level 1 (Article 30(2)).
- If an activity is so identified (e.g. in defence or law enforcement), the entity must only procure services recognised at Union assurance levels 2, 3 or 4 (Article 30(3)).
Commission methodology and oversight
Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates and elements for the assessments, including how Member States apply the highest assurance level to the most critical activities (including, but not limited to, defence). Member States must give the Commission the results within three months, indicating any departures from that methodology (Article 29(4)). If the Commission concludes that a Member State's identified assurance level is not appropriate or does not adequately address public-order concerns, it may adopt implementing acts specifying the required levels (Article 29(5)).
Migration and multi-cloud strategies
Where a risk assessment requires migration to another service, the Member State or Union entity must migrate within a reasonable transition period not exceeding 12 months, taking into account technical feasibility, continuity of service and data portability (Article 29(6)). And under Article 29(9), they must consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement.
What this means for you
For public-sector procurement officers and IT leaders, Article 29 would shift you from passive compliance to active risk management — you would categorise the activity before buying any service.
1. Map activities to public order. Review your functions: do you handle data tied to national security, law enforcement or NIS2-sector critical infrastructure? If so, the activity likely contributes to public order — the trigger for stricter procurement rules.
2. Prepare for the two-year cycle. Assessments are not one-off; you must update them every two years, or sooner if circumstances change, which means ongoing monitoring of data flows and third-country exposure.
3. Align with Commission guidance. Watch for the implementing acts under Article 29(3) for the methodology and templates — using the correct approach matters, because the Commission may specify a different level if it finds yours inadequate (Article 29(5)).
4. Plan for migration. If your provider does not meet the required level for a high-risk activity, you would have at most 12 months to migrate once the assessment requires the change (Article 29(6)). Plan exit and data-portability now.
5. Consider multi-cloud architectures. Article 29(9) requires you to consider a multi-vendor or multi-cloud strategy — a regulatory nudge to reduce single-provider dependency.
Common misconceptions
Misconception: All public-sector cloud use requires Level 3 or 4. As proposed, no. Under Article 30(2), activities not identified as contributing to public order need only Union assurance level 1. Levels 2–4 are reserved for public-order activities identified through the Article 29 assessment.
Misconception: The Commission sets the level for every entity. The primary responsibility lies with the Member State or Union entity to assess and determine the appropriate level (Article 29(1)). The Commission provides the methodology and may intervene if it finds an assessment inadequate (Article 29(5)), but the initial determination is national or entity-led.
Misconception: Risk assessments are optional for non-critical departments. Article 29(1) makes the assessment mandatory for Member States and Union entities. The outcome may be that only Level 1 is needed, but the process of assessing is required to reach that conclusion.
Misconception: Migration timelines can be ignored. Article 29(6) sets a cap of 12 months for migration where the assessment requires a change of service.
Related
- Why can't existing EU laws already solve cloud sovereignty? (CADA)
- When will CADA be reviewed? Article 47 review clause explained
- What problem drivers does CADA's impact assessment identify?
- What is the EU Tech Sovereignty package and how does CADA fit in?
- CADA vs SecNumCloud: what is the difference between CADA and a national sovereignty label?
This is general information about a draft EU regulation, not legal advice.