Summary
Under the proposed Cloud and AI Development Act (CADA), public-sector procurement obligations are tiered according to the sensitivity of the activity being supported. Article 30(2) requires public bodies procuring cloud services for activities not identified as contributing to the preservation of public order to use services recognized at Union assurance level 1. Article 30(3), by contrast, requires that activities identified as contributing to the preservation of public order (a determination made through the mandatory risk assessments under Article 29(1)) be served only by services recognized at Union assurance level 2, 3 or 4. The distinction applies the higher sovereignty and security requirements only where critical public interests are at stake, while keeping a common baseline of trust for general administrative functions.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonized framework for cloud computing sovereignty in the EU. A core component of this framework is the "Union cloud computing sovereignty framework," which categorizes cloud services into four assurance levels (Level 1 through Level 4). The procurement rules for public sector bodies are not one-size-fits-all; instead, they are risk-based and tiered. The primary difference between Level 1 and Levels 2 to 4 procurement obligations lies in the nature of the public sector activity being supported and the results of a mandatory risk assessment.
The Baseline: Level 1 for General Public Activities
Article 30(2) establishes the default procurement rule for the majority of public sector cloud usage. It states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) must use cloud computing services that have been recognized under Article 17 as having a Union assurance level 1.
Level 1 is designed as a baseline of trust. As defined in Annex II, it requires that the cloud computing service provider is established in the Union, that infrastructure and assets are located in the Union (unless the public sector body explicitly requires otherwise), and that customer data remains exclusively within the Union. It also demands compliance with state-of-the-art cybersecurity standards and transparency regarding subcontractors. For general administrative tasks, such as internal email systems, basic document storage, or non-sensitive citizen portals, Level 1 provides sufficient safeguards against unauthorized access and ensures data residency within the EU without imposing the heavy administrative and technical burdens of higher assurance levels.
The Enhanced Tier: Levels 2, 3, and 4 for Public Order Activities
Article 30(3) creates a stricter obligation for high-stakes activities. It mandates that contracting authorities, including entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) must only procure cloud computing services that have been recognized as having a Union assurance level 2, 3, or 4.
The determination of which activities fall under this category is not arbitrary; it is driven by the risk assessments that Member States and Union entities must carry out under Article 29. These assessments identify public sector activities that use or will use cloud services and contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
When an activity is deemed to involve public order, the procurement obligation escalates. Levels 2, 3, and 4 introduce cumulative, stricter criteria than Level 1, as detailed in Annex II:
- Level 2 requires that the audited provider and its subcontractors are established in the Union, that personnel and infrastructure are located in the Union, and that data generated by the service is not used to train AI systems operated by third countries. It also requires a European cybersecurity certificate of at least "substantial" assurance.
- Level 3 adds requirements such as Union citizenship for personnel and, where appropriate, national security clearance. It generally prohibits third-country control over the provider, with limited exceptions for associated third countries that meet strict criteria under Article 18.
- Level 4 is the highest level, requiring that sensitive data identified in the risk assessment remains exclusively in the Union, and imposing the strictest controls on third-country influence, including the requirement for a European cybersecurity certificate of at least "high" assurance.
By linking the procurement obligation to the Article 29 risk assessment, CADA ensures that the most sensitive government functions (police databases, border control systems or national security communications, for example) are protected by the highest available sovereignty standards, while less sensitive functions are not over-regulated.
The Role of the Risk Assessment (Article 29)
The bridge between Level 1 and Levels 2 to 4 is Article 29. Member States and Union entities must carry out risk assessments within one year of the regulation entering into force, and thereafter every two years or whenever necessary. These assessments must:
- Identify public sector activities using cloud services that contribute to the preservation of public order.
- Determine which Union assurance level (2, 3, or 4) is appropriate for those activities.
The risk assessment considers the sensitivity, criticality and magnitude of the data processed, the risk of unlawful access by third countries, and the risk of service disruption. The assessment is what places an activity under Article 30(2) or Article 30(3): without a completed Article 29 assessment, a public body has no basis for procuring a Level 1 service for an activity that may in fact require Level 2, 3 or 4, and no basis for deciding which of those higher levels applies. The Commission is empowered to provide guidance on the methodology for these assessments to ensure consistency across the Union.
Derogations
While the distinction between Level 1 and Levels 2 to 4 is clear, Article 30(4) provides derogations. On an exceptional basis and where duly justified, contracting authorities may decide not to procure services with a recognized assurance level if:
- No recognized service exists that can supply the subject matter of the tender, and no adequate alternative exists.
- A similar procurement process was launched within the previous year but yielded no suitable tenders.
- Applying the requirements would result in disproportionate costs.
These derogations apply to both the Level 1 minimum and the Levels 2 to 4 requirements, ensuring that public bodies are not paralyzed by market gaps during the transition to the new framework.
What this means for you
For public-sector procurement officers, the distinction between Level 1 and Levels 2 to 4 procurement obligations dictates your entire sourcing strategy.
- Map Your Activities: Start from the Article 29 risk assessment carried out by your Member State (or, for Union entities, by your institution) and map every cloud-dependent activity against it. Does the activity fall in a NIS2 sector or in national security, internal security, border management, defence, justice or law enforcement, and does it contribute to the preservation of public order? If the assessment says yes, Article 30(3) applies (Levels 2 to 4, at the level the assessment assigns). If it is general administration, Article 30(2) applies (Level 1).
- Check the Central Repository: Before issuing a tender, check the central repository of recognized services (established under Article 22). For general tasks, restrict the tender to providers recognized at Level 1 (the minimum). For public-order activities, filter for providers recognized at Level 2, 3 or 4, as determined by the risk assessment.
- Budget for Higher Assurance: Procuring Levels 2 to 4 services may be more expensive and limited in vendor choice compared to Level 1. Ensure your budget accounts for the potential premium of sovereign cloud services for critical activities.
- Document Your Risk Assessment: Keep thorough records of your Article 29 risk assessment. If you procure a Level 1 service for an activity that could be perceived as sensitive, you must be able to demonstrate that your risk assessment did not flag it as contributing to public order.
Common misconceptions
- "Level 1 is only for small companies." False. Level 1 is a sovereignty level, not a company-size indicator. Large EU-based providers can offer Level 1 services. It is the minimum baseline for all public sector cloud procurement, regardless of the provider's size.
- "All public sector cloud must be Level 4." False. This would be disproportionate and inefficient. CADA explicitly distinguishes between general public activities (Level 1) and those contributing to public order (Levels 2 to 4). Only the most critical activities, as defined by the risk assessment, require the highest assurance levels.
- "I can choose Level 1 even for sensitive data if I want." False. If the Article 29 risk assessment identifies an activity as contributing to public order, you are legally obligated under Article 30(3) to procure at Level 2, 3 or 4, whichever level the assessment assigns. You cannot voluntarily opt down to Level 1 for these activities.
- "The risk assessment is a one-time task." False. Article 29(1) requires risk assessments to be carried out every two years, or whenever necessary. As cloud usage and threat landscapes evolve, your classification of activities may change, shifting your procurement obligations from Level 1 to Levels 2 to 4 or vice versa.
Related
- Who pays for CADA procurement fees? Article 40 explained
- Which sectors trigger Level 2, 3 or 4 cloud procurement under CADA?
- What is CADA's Union assurance level 1 minimum procurement rule?
- CADA and US Hyperscalers: Public Procurement Rules Explained
- CADA Procurement Fees Explained: Article 40 Rules & Costs
This is general information about a draft EU regulation, not legal advice.