Summary

Under the proposed Cloud and AI Development Act (CADA), the relationship between a risk assessment and the four sovereignty tiers is one of determination and mandate. Member States and Union entities must conduct risk assessments to identify which public sector activities concern public order, as required by Article 29(1)(b). This assessment then dictates which of the four "Union assurance levels" (the sovereignty tiers) defined in Annex II must be applied to the procurement of cloud computing services. Essentially, the risk assessment acts as the diagnostic tool that selects the appropriate level of sovereignty assurance from the framework established in Article 16. Without a valid assessment, public bodies cannot legally determine whether they are permitted to use baseline services or must procure higher-tier sovereign solutions.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a structured, risk-based approach to reducing the European Union's dependence on non-European cloud providers while safeguarding public order. Central to this approach is the interplay between two distinct but inextricably connected mechanisms: the Union cloud computing sovereignty framework (comprising four assurance levels) and the mandatory risk assessments that public bodies must conduct.

The Four Sovereignty Tiers (Union Assurance Levels)

As proposed in Article 16, CADA establishes a Union cloud computing sovereignty framework comprising four "Union assurance levels." These levels are not arbitrary; they represent a graduated scale of trust, control, and autonomy. The specific technical, legal, and operational criteria for each level are detailed in Annex II of the regulation.

  • Union Assurance Level 1: The baseline level. It requires the cloud computing service provider to be established in the Union, with infrastructure and assets located in the Union. Customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. It mandates compliance with state-of-the-art cybersecurity standards and transparency regarding subcontractors. Crucially, Level 1 relies on a conformity self-assessment by the provider (Article 19), rather than an independent audit.
  • Union Assurance Levels 2, 3, and 4: These higher tiers introduce progressively stricter requirements. They typically involve independent third-party audits (Article 20), stricter rules on personnel, prohibitions on third-country control, and requirements that technical and operational support be performed exclusively within the Union.
    • Level 2: Union-citizen personnel must be made available where a public body imposes a Union citizenship requirement (the citizenship requirement is therefore conditional). It requires a European cybersecurity certificate of at least assurance level 'substantial'.
    • Level 3: Requires personnel to be Union citizens (mandatory) and, where appropriate, hold national security clearance. It also requires a European cybersecurity certificate of at least assurance level 'substantial'.
    • Level 4: The highest tier, reserved for the most sensitive classified information. It requires personnel to be Union citizens with necessary security clearance and a European cybersecurity certificate of at least assurance level 'high'. It also ensures that no third country holds effective control over the software supply chain.

These tiers provide a standardized, auditable set of criteria. However, CADA does not mandate that every public sector activity use the highest tier. Instead, it requires a proportionate approach based on risk.

The Role of the Risk Assessment (Article 29)

This is where Article 29 becomes the critical link. CADA obliges Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must be completed within one year of the date of entry into force, and thereafter every two years, or whenever necessary.

The core function of this risk assessment is explicitly defined in Article 29(1)(b). It requires the assessing body to:

"(b) determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."

In other words, the risk assessment is the decision-making mechanism that maps specific public sector use cases to the appropriate sovereignty tier. It answers the question: "Given the sensitivity of this data and the criticality of this service, how much sovereignty assurance do we need?"

What the Risk Assessment Considers

To make this determination, Article 29(2) outlines the specific aspects that Member States and Union entities must consider:

  1. Data Sensitivity and Criticality: The assessment must evaluate the sensitivity, criticality, and magnitude of both non-personal and personal data processed. This includes analyzing the potential impact on public order and the risks to the rights and freedoms of data subjects.
  2. Third-Country Access Risks: It must assess the risk of access to data by a third country, or by a legal entity established in a third country, that would be unlawful under Union law.
  3. Service Disruption Risks: It must evaluate the risk and consequent impact on public order of possible service disruption.

By analyzing these factors, the risk assessment ensures that the sovereignty requirements are proportionate. Not all public sector activities require the stringent controls of Assurance Level 4. For example, a local library's digital catalog might only require Level 1, whereas a national defense database handling classified intelligence would likely require Level 4.

Linking Assessment to Procurement

The outcome of the Article 29 risk assessment directly dictates procurement rules under Article 30.

  • Default Rule: Public sector bodies whose activities have not been identified as contributing to the preservation of public order in the risk assessment must use cloud computing services recognized as having Union Assurance Level 1.
  • Public Order Relevance: Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, defense, justice, etc.) must only procure services recognized as having Union Assurance Level 2, 3, or 4. The specific level (2, 3, or 4) is determined by the outcome of the Article 29(1)(b) assessment.

This creates a clear chain of determination: Risk Assessment (Article 29) → Determines Appropriate Assurance Level (Article 29(1)(b)) → Mandates Procurement Criteria (Article 30) → Based on Defined Criteria (Annex II via Article 16).

Commission Oversight and Guidance

The CADA proposal recognizes that divergent national approaches could undermine the single market. Therefore, the Commission plays a supervisory role. Under Article 29(3), the Commission will issue implementing acts specifying the methodology and templates for these risk assessments. Furthermore, Article 29(5) allows the Commission to intervene if it concludes that a Member State's identified assurance level is not appropriate or does not adequately address public order concerns. The Commission can adopt implementing acts to specify the Union assurance levels needed for specific public sector activities, ensuring a harmonized application across the Union.

If a risk assessment requires migration to another cloud computing service, Article 29(6) mandates that the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility and data portability.

What this means for you

For public-sector procurement officers, IT directors, and legal counsel, understanding this relationship is operational, not just theoretical. Here is how it translates to your daily work:

  1. You Cannot Procure Blindly: You can no longer simply choose a cloud provider based on cost or features alone. Before launching a tender for cloud services, your organization must have a valid risk assessment in place. If your activities are deemed to concern public order, you are legally prohibited from procuring services that do not meet the specific Union Assurance Level (2, 3, or 4) determined by that assessment.
  2. Documentation is Key: Ensure your risk assessment explicitly documents why a specific assurance level was chosen. Did you consider the sensitivity of the data? The risk of third-country access? The impact of service disruption? This documentation will be subject to review by national competent authorities and potentially the Commission.
  3. Check the Repository: When issuing tenders, you must look for services that have been formally recognized under Article 17 and listed in the central repository maintained by the Commission (Article 22). You need to verify that the provider's recognized level matches the level mandated by your risk assessment.
  4. Plan for Migration: If your current cloud provider does not meet the assurance level required by your new risk assessment, Article 29(6) requires you to migrate within a reasonable transition period, not exceeding 12 months. Start planning your exit strategies and data portability measures now.
  5. Stay Updated on Methodologies: The Commission will provide specific templates and methodologies for risk assessments via implementing acts. Align your internal processes with these upcoming guidelines to ensure compliance and avoid having your assessment challenged.

Common misconceptions

Misconception 1: The risk assessment is a one-time event. Reality: Article 29 requires risk assessments to be carried out every two years, or whenever necessary. As data sensitivity changes, new threats emerge, or services evolve, your assessment must be updated. A static assessment will quickly become non-compliant.

Misconception 2: All public sector data requires the highest sovereignty tier. Reality: CADA promotes a proportionate approach. Article 29(1)(b) allows for the selection of Level 2, 3, or 4 based on the specific risk. Most public services will likely operate at Level 1 or 2. Only highly critical use cases (e.g., defense, high-level national security) will typically require Level 3 or 4. Applying the highest tier unnecessarily can limit the market and increase costs without adding meaningful security.

Misconception 3: The risk assessment replaces cybersecurity certifications. Reality: The risk assessment determines which tier you need, but it does not replace the technical requirements of that tier. For example, if your assessment mandates Level 3, the provider must still obtain a European cybersecurity certificate of at least assurance level 'substantial' (as per Annex II). The assessment is the strategic decision; the certification is the technical proof.

Misconception 4: Private sector entities are exempt from similar considerations. Reality: While Article 29 mandates assessments for public bodies, Article 31 allows private sector entities (specifically those in Annex I of the NIS2 Directive) to carry out similar impact assessments. The Commission may also issue guidance or require impact assessments for private entities in high-criticality sectors. While not strictly mandatory in the same way, the market signal is clear: sovereignty assurance is becoming a standard requirement across critical infrastructure.

This is general information about a draft EU regulation, not legal advice.