Summary
Under the proposed Cloud and AI Development Act (CADA), the absolute minimum requirement for public-sector procurement is Union assurance level 1. Article 30(2) mandates this baseline for all public sector activities that have not been identified as contributing to the preservation of public order. However, for activities deemed critical to public order, such as those in national security, defence, justice, or law enforcement, Article 30(3) requires contracting authorities to procure only services recognised at Union assurance levels 2, 3, or 4. The specific level required depends on the outcome of a mandatory risk assessment under Article 29. As Recital 64 clarifies, this tiered approach establishes a "consistent baseline of safeguards" across the Union while allowing for stricter controls where public order is at stake.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally reshapes how public authorities in the EU procure cloud computing services. Moving away from fragmented national approaches, the proposal establishes a harmonised "Union cloud computing sovereignty framework" comprising four distinct assurance levels. Article 30 serves as the operational engine of this framework, dictating exactly which level a contracting authority must procure based on the sensitivity of the activity being supported.
The Universal Baseline: Union Assurance Level 1
The cornerstone of the CADA procurement regime is the establishment of a mandatory floor. Article 30(2) explicitly states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
This baseline is not optional. It applies to the vast majority of standard administrative functions, such as internal HR systems, non-sensitive email services, or general public information portals. To qualify for Union assurance level 1, a provider must meet the cumulative criteria set out in Annex II, Section 1, which include:
- Establishment: The provider must be established in the Union.
- Infrastructure Location: Infrastructure and assets (including those of subcontractors) must be located in the Union, unless the public sector body explicitly requires otherwise.
- Data Localisation: Customer data, including metadata and telemetry, must remain exclusively within the Union, unless explicitly authorised otherwise by the public sector body.
- Cybersecurity: The service must comply with state-of-the-art cybersecurity standards.
- Transparency: Full transparency regarding the use of subcontractors is required.
The rationale for this baseline is rooted in the need for a unified internal market. Recital 64 of the proposal explains that "a minimum assurance level, by mandating Union assurance level 1 across the Union, is necessary to establish a consistent baseline of safeguards for the public sector, thereby reducing vulnerabilities in the public sector to third country access to Union data and disruption of services." This ensures that even for non-critical services, the EU public sector is not exposed to uncontrolled third-country access or operational discontinuity.
The Public Order Threshold: Levels 2, 3, and 4
For activities where the stakes are higher, the baseline is insufficient. Article 30(3) introduces a stricter regime: "Contracting authorities... whose activities have been identified as contributing to the preservation of public order... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
The determination of whether an activity contributes to public order is not left to the discretion of individual procurement officers. It is the result of the risk assessment process required by Article 29. Member States and Union entities must carry out these assessments to identify activities in sectors falling under Annex I or II of the NIS2 Directive, as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
Once an activity is flagged as public-order-relevant, the contracting authority must procure at level 2, 3, or 4. The distinction between these levels lies in the stringency of the sovereignty criteria:
- Union Assurance Level 2: This level tightens the requirements on personnel and data usage. Under Annex II, Section 2, the provider and subcontractors must be established in the Union, and their infrastructure, assets, and personnel must be located in the Union. Crucially, it prohibits the use of customer data to train or fine-tune AI systems operated by third countries. It also mandates specific software supply chain measures, including a complete Software Bill of Materials (SBOM) and controls against remote tampering.
- Union Assurance Level 3: This level introduces a significant personnel constraint. Annex II, Section 3 requires that the personnel involved in the service provision (including subcontractors) are Union citizens. Where appropriate, they must also hold national security clearances. Furthermore, the provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country. A limited derogation exists under Article 18 for "associated third countries" that meet specific adequacy and sovereignty criteria, but the default rule is a ban on third-country control.
- Union Assurance Level 4: The highest tier, reserved for the most sensitive operations (e.g., handling classified information). Annex II, Section 4 requires that sensitive data identified via risk assessment remains exclusively within the Union. It mandates Union citizenship for personnel and strict separation from third-country control. Additionally, it requires that the provider retains effective control over software components, ensuring that no third country holds effective control over the design, development, maintenance, or evolution of critical software.
The Role of Risk Assessment (Article 29)
The link between the activity and the required assurance level is forged by Article 29. This article obliges Member States and Union entities to conduct risk assessments to determine which assurance level is appropriate. The assessment must consider the sensitivity, criticality, and magnitude of the data processed, the risk of unlawful access by third countries, and the risk of service disruption.
The outcome of this assessment dictates the procurement floor. If the risk assessment determines that an activity contributes to public order, the authority is legally barred from procuring a Level 1 service under Article 30(3). Instead, it must procure at Level 2, 3, or 4, as specified by the assessment. Article 29(3) empowers the Commission to specify the methodology for these assessments, ensuring consistency across Member States.
Derogations: When the Rules Can Be Waived
Recognising that market readiness may lag behind regulatory ambition, Article 30(4) provides for derogations on an exceptional and duly justified basis. A contracting authority may decide not to procure a recognised service if:
- The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists (provided this is not due to an artificial narrowing of the tender).
- A similar procurement process was launched within the previous year but received no suitable tenders.
- Applying the requirements would result in disproportionate costs.
These derogations are designed to prevent market failure from paralysing public services while incentivising the growth of the sovereign cloud ecosystem.
What this means for you
For public-sector procurement officers, IT directors, and legal counsel, the implementation of CADA represents a paradigm shift from "best value" to "sovereign value" as a primary constraint.
1. The Risk Assessment is the First Step
You cannot issue a tender for cloud services without first determining the assurance level. If your activity has not yet been assessed under Article 29, you must engage with your national competent authority. If the activity is deemed to contribute to public order, you are legally prohibited from accepting a Level 1 bid. The risk assessment is not a formality; it is the legal trigger that elevates your procurement requirements.
2. Verification is Mandatory
When evaluating tenders, you must verify the provider's status in the central repository established under Article 22. A provider claiming to be "sovereign" or "EU-based" is insufficient. They must hold a formal recognition decision from a national competent authority for the specific assurance level required by your risk assessment. Article 30(3) is explicit: you shall only procure services recognised at the required level.
3. Migration Deadlines are Tight
If your current cloud provider does not meet the required assurance level, you face a migration obligation. Article 29(6) stipulates that if a risk assessment requires migration, it must occur within a reasonable transition period that shall not exceed 12 months. This timeline accounts for technical feasibility and data portability but leaves little room for delay. Procurement strategies must now include immediate migration planning for non-compliant services.
4. Multi-Cloud as a Risk Mitigation Strategy
Article 29(9) explicitly encourages Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate. Relying on a single provider, even one with a high assurance level, may not satisfy the resilience requirements of a robust risk assessment. Diversifying your cloud footprint can be a strategic response to the "public order" mandate.
5. Union Added Value Criteria
Beyond the mandatory assurance levels, Article 32 requires contracting authorities to include non-price award criteria evaluating the "European added value" of the tender. This includes the use of hardware or software designed or manufactured in the Union. While these criteria are ancillary and not decisive for the award, they provide a mechanism to further strengthen the EU supply chain in line with CADA's objectives.
Common misconceptions
"All public sector cloud must be Level 4." This is a dangerous overestimation. Level 4 is reserved for the most critical activities involving classified information or extreme sensitivity. The vast majority of public sector activities (e.g., general administration, non-sensitive citizen services) will only require the baseline Level 1. Even many security-sensitive activities may only require Level 2 or 3, depending entirely on the outcome of the Article 29 risk assessment.
"CADA overrides the GDPR." CADA does not replace the GDPR; it complements it. A cloud service must still comply with the GDPR's data protection rules. However, CADA adds a layer of sovereignty requirements (such as data localisation, provider establishment, and freedom from third-country control) that go beyond standard data protection. A service can be GDPR-compliant but fail CADA's Level 1 criteria if, for example, its infrastructure is located outside the Union.
"Private companies must follow these rules." Article 30 applies specifically to Union entities and public sector bodies. Private sector entities, even those in critical sectors defined by the NIS2 Directive, are not legally bound by the same mandatory procurement assurance levels. However, Article 31 encourages private entities to conduct similar impact assessments, and the public sector's massive demand for sovereign services is expected to drive market-wide alignment.
"A 'sovereign' label is enough." CADA avoids the ambiguous marketing term "sovereign" in its operational definitions. A service is not compliant simply because it is marketed as such. It must undergo a formal recognition process by a national competent authority, pass an audit (for levels 2-4) or self-assessment (for level 1), and be listed in the central repository. Without this formal recognition, the service cannot be procured under CADA.