Summary
Article 29 of the proposed Cloud and AI Development Act (CADA) establishes a mandatory, coherent, and risk-based approach to cloud sovereignty. As proposed, it requires Member States and Union entities to conduct regular risk assessments to identify public sector activities that contribute to the preservation of public order. Based on these assessments, authorities must determine the appropriate Union assurance level (2, 3, or 4) required for cloud services in those specific areas. This mechanism ensures that procurement decisions are proportionate to the actual risk of third-country interference, operational disruption, or data compromise, rather than applying a blanket "one-size-fits-all" sovereignty rule.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, seeks to address the EU's critical dependence on non-European cloud providers. While the Act establishes a four-tier sovereignty framework (Union assurance levels 1 to 4), it does not mandate that all public sector activities must use the highest level of assurance. Instead, Article 29 serves as the critical filter that determines which activities require which level of protection.
A Coherent, Risk-Based Approach to Autonomy
The primary purpose of Article 29 is to operationalize the principle of proportionality within the EU's cloud sovereignty strategy. Recital 62 of the proposal explicitly states that to ensure a "coherent and risk-based approach to the autonomy of the Union," Member States and Union entities must carry out risk assessments. These assessments are designed to identify public sector activities that concern public order and to determine which Union assurance level is appropriate for them.
This approach acknowledges that not all public sector data carries the same risk profile. While some activities (e.g., general administrative tasks) may only require a baseline level of assurance, others (e.g., defence, law enforcement, or critical infrastructure) face significant risks from third-country control, extraterritorial access, or service disruption. Article 29 ensures that the regulatory burden is aligned with the actual threat to public order.
The Mandate: Identifying Public Order Activities
Under Article 29(1), Member States and Union entities are legally obligated to conduct these risk assessments within one year of the Act's entry into force, and subsequently every two years, or whenever necessary. The assessment must specifically identify public sector activities that:
- Use or will make use of cloud computing services; and
- Contribute to the preservation of public order.
The proposal provides a non-exhaustive list of sectors and areas where public order is presumed to be at stake. These include sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as specific areas such as:
- National security
- Internal security
- External border management
- Defence
- Justice
- Law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences)
Determining the Required Assurance Level
The core output of the Article 29 process is the determination of the minimum Union assurance level required for the identified activities. Article 29(1)(b) mandates that the assessment must determine which of Union assurance levels 2, 3, or 4 is appropriate.
This determination is not arbitrary; it is based on a structured evaluation of specific risk factors outlined in Article 29(2). Authorities must consider:
- Data Sensitivity: The sensitivity, criticality, and magnitude of non-personal and personal data processed, including the potential impact on public order and the risks to the rights and freedoms of data subjects.
- Third-Country Access: The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
- Service Continuity: The risk and consequent impact on public order of possible service disruption.
Methodology, Guidance, and Commission Oversight
To prevent fragmentation and ensure a consistent application of sovereignty standards across the single market, the Commission plays a central role in the Article 29 framework. Article 29(3) empowers the Commission to adopt implementing acts that specify the methodology, templates, and elements to be taken into account. Crucially, this guidance must specify how Member States should apply the highest level of assurance for the most critical public sector activities, such as defence.
Furthermore, Article 29(5) provides a safeguard against under-protection. If the Commission reviews a Member State's risk assessment and concludes that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the required level for that activity. This ensures a Union-wide floor of protection while respecting national discretion where justified.
Linking Assessment to Procurement and Migration
The risk assessment under Article 29 is the direct trigger for procurement obligations under Article 30. Once an activity is identified as contributing to public order and assigned a specific assurance level (2, 3, or 4), contracting authorities are legally bound to procure only services that meet that level.
Additionally, Article 29(6) addresses the practical reality of migration. If a risk assessment requires a Member State or Union entity to migrate to a different cloud service to meet the required assurance level, the migration must occur within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility and continuity of service.
Finally, Article 29(9) encourages resilience by requiring authorities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement, thereby limiting dependency on any single provider.
What this means for you
For public sector bodies, Union entities, and their procurement officers, Article 29 represents a fundamental shift from cost-driven cloud procurement to sovereignty-driven procurement.
- Mandatory Risk Mapping: You must actively participate in the national or Union-level risk assessment process. You cannot assume your cloud needs are generic; you must map your specific activities against the "public order" criteria (e.g., law enforcement, border management, critical infrastructure).
- Assurance Level Determination: Your activities will be assigned a specific Union assurance level (2, 3, or 4) based on the risk assessment. This level dictates your procurement constraints. If your activity is deemed critical to public order, you will be restricted to providers who have passed rigorous third-party audits and meet strict criteria regarding establishment, data localization, and personnel citizenship.
- Migration Planning: If your current provider does not meet the assurance level determined by the risk assessment, you have a maximum of 12 months to migrate. This requires immediate planning for data portability, service continuity, and vendor transition.
- Strategic Diversification: You should evaluate whether a multi-cloud strategy is necessary to mitigate the risk of single-provider failure or coercion, as encouraged by Article 29(9).
Common misconceptions
"All public sector cloud use requires the highest sovereignty level (Level 4)."
- Reality: CADA is explicitly risk-based. Only activities identified as contributing to the preservation of public order under Article 29 require levels 2, 3, or 4. General administrative activities that do not impact public order only require Union assurance level 1, which has significantly lower barriers to entry.
"Risk assessments are optional or purely internal."
- Reality: Article 29 imposes a binding obligation on Member States and Union entities. The results are subject to Commission guidance and potential override (Article 29(5)). Failure to conduct a proper assessment could render subsequent procurement non-compliant with Article 30.
"The assessment only looks at technical cybersecurity."
- Reality: While cybersecurity is a factor, Article 29 focuses on sovereignty risks. It specifically assesses the risk of third-country control, extraterritorial legal access, and service disruption. These are political and operational risks that go beyond traditional technical cybersecurity metrics.
"Article 29 replaces existing cybersecurity laws like NIS2."
- Reality: Article 29 complements NIS2. It explicitly references sectors under the NIS2 Directive but adds a layer of sovereignty assessment that NIS2 does not cover. NIS2 ensures technical resilience; Article 29 ensures that the provider is not subject to third-country control that could undermine public order.
This is general information about a draft EU regulation, not legal advice.