Summary

Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must conduct risk assessments to determine the appropriate Union assurance level for cloud services supporting public order-critical activities. To prevent market fragmentation, Article 29(7) mandates that these entities cooperate through "established consistency mechanisms" and promote the "effective exchange of information and best practices." This framework, supported by centrally coordinated Commission guidance on mapping assurance levels to data sensitivity (Recital 63), aims to ensure the "consistent application of this Regulation" and preserve the integrity of the digital single market (Recital 62). While Member States retain discretion over data sensitivity, they must report any departures from Commission methodology, and the Commission retains the power to intervene if national assessments fail to adequately address public order concerns.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. A critical component of this framework is the obligation for Member States and Union entities to perform risk assessments to identify which public sector activities contribute to the preservation of public order. These assessments dictate whether cloud services must meet Union assurance levels 2, 3, or 4. However, without a mechanism to align these national determinations, the EU risks a fragmented landscape where divergent standards undermine the single market and strategic autonomy.

The Obligation to Assess and the Risk of Fragmentation

Article 29(1) requires Member States and Union entities to carry out risk assessments within one year of the Regulation's entry into force, and subsequently every two years or whenever necessary. These assessments must identify activities in sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement. The assessment must consider the sensitivity, criticality, and magnitude of data processed, alongside the risk of unlawful third-country access or service disruption.

The challenge lies in the fact that, as Recital 62 notes, "the determination of the level of sensitivity of information that may be hosted in a cloud computing service... lies within the competence and discretion of the Member States." While this discretion is necessary to respect national security competencies, Recital 63 warns that "divergent national approaches to the classification and mapping of data sensitivity and assurance requirements may undermine the consistent application of the sovereignty framework across the Union."

The Consistency Mechanism: Article 29(7)

To mitigate this risk, Article 29(7) establishes a binding consistency mechanism. It explicitly states: "Member States shall cooperate with each other and with the Commission through established consistency mechanisms and promote cooperation and effective exchange of information and best practices."

This provision is not merely a suggestion for voluntary dialogue; it is a structural requirement designed to harmonise the application of the sovereignty framework. The mechanism operates on three levels:

  1. Cooperation with the Commission: Member States must engage with the Commission, which acts as the central coordinator. This ensures that national risk assessments are not developed in isolation but are aligned with Union-wide objectives.
  2. Inter-Member State Cooperation: Member States must cooperate with each other. This facilitates the sharing of experiences, particularly regarding complex cross-border public order activities, ensuring that a risk assessment in one Member State does not create an unintended barrier to the single market.
  3. Exchange of Information and Best Practices: The mechanism mandates the active flow of data. This includes sharing the results of risk assessments, the methodologies applied, and effective strategies for mapping assurance levels to specific public sector use cases.

The Role of Commission Guidance and Methodology

The consistency mechanism is operationalised through centrally coordinated guidance. Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account for these risk assessments. Crucially, Recital 63 clarifies that the Commission, in cooperation with relevant authorities, will provide "centrally coordinated guidance on the mapping between Union assurance levels and categories of information."

This guidance is designed to take into account:

  • The sensitivity, criticality, and magnitude of the data processed.
  • The systematic importance of the activities of the contracting authorities.
  • The applicable obligations arising from Union law.

The goal is to ensure that while Member States determine the specific sensitivity of their data, the methodology for doing so remains harmonised. This prevents a scenario where identical data types are classified differently across borders, leading to inconsistent procurement requirements for cloud providers.

Reporting, Departures, and Commission Intervention

The consistency mechanism includes a robust reporting and correction loop. Article 29(4) requires Member States to provide the Commission with the results of their risk assessments within three months of completion. Crucially, they must indicate "where they depart from the implementing acts" referred to in Article 29(3).

This reporting obligation is the trigger for potential Commission intervention. Article 29(5) grants the Commission the power to act if it concludes that a Member State's identified assurance level is "not appropriate or does not adequately address the public order concerns." In such cases, the Commission may adopt implementing acts "specifying the Union assurance levels needed for the public sector activity."

This corrective power ensures that national discretion does not lead to systemic vulnerabilities. It reinforces the principle that while Member States manage their own security, the Union retains the ultimate authority to ensure the sovereignty framework functions effectively across the single market.

Multi-Cloud Strategies as a Consistency Tool

The consistency mechanism also extends to risk mitigation strategies. Article 29(9) requires Member States and Union entities to consider whether a "multi-vendor or multi-cloud strategy is appropriate" as part of their procurement. This requirement, integrated into the risk assessment process, encourages a harmonised approach to resilience. By promoting multi-cloud strategies across the Union, the mechanism helps limit dependency on single providers, a key objective of the sovereignty framework.

What this means for you

For legal counsel, compliance officers, and public sector bodies, the consistency mechanism under CADA introduces specific operational and strategic obligations:

  1. Mandatory Alignment with Commission Methodology: You cannot develop your risk assessment methodology in a vacuum. You must adhere to the templates and methodologies specified in the Commission's implementing acts under Article 29(3). Any deviation must be rigorously documented and justified.
  2. Active Reporting of Departures: If your national assessment requires a different assurance level than the Commission's guidance suggests, you are legally obligated to report this departure to the Commission within three months of your assessment (Article 29(4)). Failure to report could be viewed as non-compliance.
  3. Preparation for Commission Intervention: Be aware that the Commission has the power to override national decisions if they are deemed inadequate for public order protection (Article 29(5)). Your internal risk assessments must be robust enough to withstand this scrutiny, particularly for high-sensitivity sectors like defence and law enforcement.
  4. Engagement in Information Exchange: Compliance involves active participation. You should expect to engage in the exchange of information and best practices with other Member States and the Commission. This may involve participating in working groups or sharing anonymised data to help refine the centrally coordinated guidance.
  5. Multi-Cloud Documentation: As part of your risk assessment, you must explicitly evaluate and document whether a multi-cloud strategy is appropriate for your organisation. This is not optional; it is a specific requirement under Article 29(9) designed to enhance resilience.

Common misconceptions

  • "Member States have total discretion over risk assessments." While Member States determine the sensitivity of their own data, this discretion is bounded by the consistency mechanism. Recital 63 explicitly warns that divergent approaches undermine the framework, and Article 29(5) gives the Commission the power to specify assurance levels if national assessments are inadequate.

  • "The consistency mechanism is just a forum for discussion." It is a binding legal requirement. Article 29(7) mandates cooperation and the exchange of information. Furthermore, the reporting of departures (Article 29(4)) and the potential for Commission intervention (Article 29(5)) create an enforceable compliance structure.

  • "Risk assessments are static documents." Article 29(1) requires assessments to be conducted every two years or whenever necessary. The consistency mechanism ensures that these updates are aligned across the Union, preventing a "race to the bottom" or inconsistent standards over time.

  • "Private sector entities are excluded from consistency mechanisms." While Article 29 directly binds public entities, the consistency mechanism sets the standard for the entire market. Private sector entities in high-criticality sectors (Annex I of NIS2) may conduct similar impact assessments under Article 31, and the Commission may issue guidance or require impact assessments for them if justified. The public sector's harmonised approach effectively sets the baseline for the broader market.

This is general information about a draft EU regulation, not legal advice.