Summary

Under the proposed Cloud and AI Development Act (CADA), the "public-order test" is a mandatory risk assessment that Member States and Union entities must conduct to determine whether specific public sector activities contribute to the preservation of public order. As defined in Article 29(1)(a), this test evaluates activities in sectors listed in the NIS2 Directive (Annex I or II) and specific areas including national security, defence, justice, and law enforcement. If an activity is judged to contribute to public order, it triggers a strict procurement gate: the contracting authority must procure cloud services recognised at Union assurance levels 2, 3, or 4, rather than the baseline level 1. This mechanism, grounded in Recital 50, is designed to mitigate risks of third-country interference, sabotage, and data exfiltration.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a sovereignty framework that distinguishes between general public sector cloud usage and activities critical to the Union's stability. This distinction is not merely theoretical; it is the operational hinge upon which the entire procurement regime turns. The "public-order test" is the formal mechanism used to make this distinction, acting as a gatekeeper that determines the minimum Union assurance level required for cloud services.

The Legal Basis: Recital 50 and Article 29(1)(a)

The rationale for the public-order test is explicitly articulated in Recital 50 of the proposal. The Commission identifies that critical dependence on a limited number of third-country cloud providers exposes the Union to severe strategic risks. These risks include "misuse (i.e. manipulation, remote access and control, sabotage, weaponisation), access to information (i.e. access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage) and dependency vulnerabilities (i.e. political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States)."

To address these specific threats, Article 29 mandates a structured risk assessment process. Article 29(1) requires Member States and Union entities to carry out these assessments "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary."

The core of the public-order test is found in Article 29(1)(a), which defines the scope of activities to be identified:

"identify the public sector activities that use or will make use of cloud computing services, that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."

This provision creates a two-pronged scope for the test:

  1. Sectoral Scope: Activities falling within the sectors listed in Annex I ("sectors of high criticality") or Annex II ("other critical sectors") of Directive (EU) 2022/2555 (the NIS2 Directive). This covers critical infrastructure such as energy, transport, banking, health, and digital infrastructure, as well as the other critical sectors of Annex II.
  2. Functional Scope: Activities specifically in the areas of national security, internal security, external border management, defence, justice, or law enforcement. This includes the prevention, investigation, detection, and prosecution of criminal offences.

How an Activity is Judged to Contribute to Public Order

The determination of whether an activity "contributes to the preservation of public order" is not a blanket classification of an entire public body. Instead, Article 29 requires an activity-based assessment. A single ministry or agency may conduct multiple activities, some of which contribute to public order and others which do not.

When conducting the assessment, Article 29(2) mandates that authorities consider at least the following aspects to judge the contribution to public order:

  • Data Sensitivity and Criticality: The "sensitivity, criticality, and magnitude of the non-personal data processed," as well as the "nature, scope, context and purpose of processing of personal data." This includes assessing the risk of varying likelihood and severity for the rights and freedoms of data subjects.
  • Third-Country Access Risks: The "risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country."
  • Service Continuity Risks: The "risk and consequent impact on public order of possible service disruption."

This assessment is not static. Article 29(1) requires that assessments be repeated every two years or "whenever necessary," acknowledging that the threat landscape and the nature of public sector activities evolve.

Furthermore, Article 29(3) empowers the Commission to specify the methodology for these assessments through implementing acts. This methodology will "specify how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence." This ensures that while Member States conduct the initial assessment, the criteria for what constitutes a "contribution to public order" are harmonised to prevent under-assessment.

If the Commission reviews a Member State's risk assessment and concludes that the identified assurance level is not appropriate or does not adequately address public order concerns, Article 29(5) allows the Commission to adopt implementing acts specifying the required Union assurance levels. This acts as a safeguard against national discretion that might undermine the Union's strategic autonomy.

The Consequence: Gating Assurance Levels 2–4

The outcome of the public-order test is the decisive factor in procurement obligations under Article 30. The test acts as a binary gate:

  • If the activity does NOT contribute to public order: The contracting authority must procure cloud computing services recognised at Union assurance level 1 (Article 30(2)). Level 1 is the baseline, requiring Union establishment and data localisation but allowing for some third-country control and less stringent personnel requirements.
  • If the activity DOES contribute to public order: The contracting authority must procure only cloud computing services recognised as having Union assurance level 2, 3, or 4 (Article 30(3)).

This gating mechanism is critical because the assurance levels impose progressively stricter sovereignty requirements:

  • Level 2: Requires Union establishment, data localisation, and a "substantial" cybersecurity certificate. It restricts third-country control and requires that technical support be performed exclusively within the Union.
  • Level 3: Builds on Level 2 (same "substantial" cybersecurity certificate) but additionally mandates that personnel involved in the service are Union citizens, where the contracting public body so requires. It also introduces a derogation mechanism under Article 18 for third-country control if specific safeguards are met.
  • Level 4: The highest level, requiring a "high" cybersecurity certificate, mandatory Union citizenship for personnel, and strict prohibitions on third-country control without derogation.

Therefore, the public-order test effectively determines whether a public body can use a standard EU cloud provider (Level 1) or must seek a provider with deep sovereignty guarantees (Levels 2–4).

Deadlines and Methodology

The timeline for compliance is strict. Article 29(1) sets the deadline for the initial risk assessment at one year after the Regulation's entry into force. Subsequent assessments must occur every two years.

The methodology for conducting these assessments will be detailed in Commission implementing acts under Article 29(3). These acts will provide templates and specify the elements to be taken into account. This secondary legislation is crucial for legal teams, as it will define the evidentiary standards required to prove that an activity contributes to public order.

Additionally, Article 29(6) addresses the transition. If a risk assessment requires migration to a higher assurance level, the Member State or Union entity must migrate within a "reasonable transition period that shall not exceed 12 months," taking into account technical feasibility and continuity of service.

What this means for you

For in-house counsel, compliance officers, and public procurement specialists, the public-order test is the primary compliance milestone under CADA. It shifts the burden from a generic "EU cloud" requirement to a specific, risk-based determination.

Immediate Actions for Legal and Compliance Teams

  1. Map Activities, Not Just Entities: Do not classify your entire organisation as "public order" or "non-public order." Instead, map every cloud-dependent activity. For example, a Ministry of Health's activity of managing patient records may contribute to public order, while its activity of managing internal cafeteria catering contracts may not.
  2. Prepare for the Article 29 Assessment: Begin gathering evidence on the sensitivity, criticality, and magnitude of data processed by each activity. Document the potential impact of service disruption. This preparation will be essential when the Commission's implementing acts under Article 29(3) are published.
  3. Monitor the Commission's Methodology: The definition of "contribution to public order" will be refined by the Commission. Your internal assessment framework must be flexible enough to align with these upcoming rules.
  4. Verify Provider Recognition: If your activity is deemed to contribute to public order, you cannot simply procure from any EU-based provider. You must verify that the provider has been formally recognised at Union assurance level 2, 3, or 4 by a national competent authority. This recognition is recorded in the central repository established under Article 22. Procuring a Level 1 service for a public-order activity would be a direct violation of Article 30(3).

Strategic Implications

The public-order test effectively creates a two-tier market for public sector cloud procurement.

  • Tier 1 (Non-Public Order): Open to Level 1 providers. This includes many administrative and non-critical functions.
  • Tier 2 (Public Order): Restricted to Level 2, 3, or 4 providers. This tier will likely see a consolidation of providers who can meet the stringent personnel, establishment, and cybersecurity criteria.

For cloud providers, this means that to serve the public sector in critical areas, they must undergo the rigorous audit and recognition process defined in Articles 17–21. For public bodies, it means that procurement strategies must be aligned with the outcome of the risk assessment. Failure to procure the correct assurance level could lead to political scrutiny and potential legal challenges, especially if the Commission invokes Article 29(5) to override a national assessment.

Common misconceptions

Misconception 1: All public sector cloud use requires Assurance Levels 2, 3, or 4. Correction: No. The public-order test is designed to be proportionate. Only activities that contribute to the preservation of public order (as defined in Article 29(1)(a)) require the higher assurance levels. General administrative tasks, such as HR management for non-critical staff or internal communications, may only require the baseline Union assurance level 1.

Misconception 2: The public-order test is solely about data secrecy or classification. Correction: While data sensitivity is a factor, the test also explicitly considers operational continuity and the risk of disruption (Article 29(2)). Recital 50 highlights risks like "sabotage" and "dependency vulnerabilities." Therefore, even if data is not classified, the critical nature of the service (e.g., emergency response coordination, power grid management) can lead an activity to be judged as contributing to public order because of the impact a service interruption would have.

Misconception 3: Member States have unlimited discretion to define what is "public order." Correction: While Member States conduct the assessment, the scope is legally defined in Article 29(1)(a) to specific sectors (NIS2 Annex I/II) and areas (national security, defence, etc.). Furthermore, the Commission has the power to override a Member State's assessment if it deems the chosen assurance level inadequate under Article 29(5), ensuring a harmonised minimum standard across the EU.

Misconception 4: The test is a one-time exercise. Correction: Article 29(1) mandates that risk assessments be carried out "every two years, or whenever necessary." The public-order status of an activity can change as technology evolves or the threat landscape shifts.

This is general information about a draft EU regulation, not legal advice.