Summary

As proposed, the Cloud and AI Development Act (CADA) supports the Preparedness Union Strategy by treating dependence on critical digital infrastructure as a systemic risk. The explanatory memorandum states that the sovereignty framework, and in particular the risk-assessment mechanism in Article 29, contributes directly to the digital preparedness dimension of that Strategy by ensuring that cloud and AI services underpinning emergency management, civil protection and disaster response are provided at the appropriate Union assurance level. This supports a whole-of-government approach to the continuity of essential services in a crisis. CADA is a proposal and not yet in force.

Detail

The Preparedness Union Strategy identifies dependence on critical digital infrastructure as a systemic risk to the Union and calls for a whole-of-government approach to ensuring the continuity of essential services in crisis scenarios. CADA is designed to complement this strategy by providing specific regulatory mechanisms to mitigate those digital dependencies. The explanatory memorandum states that the proposal "supports the objectives of the Preparedness Union Strategy, which identifies dependence on critical digital infrastructure as a systemic risk."

The primary mechanism linking the two is the sovereignty framework and its risk-assessment obligations. Under Article 29 of the proposed Regulation, Member States and Union entities would carry out risk assessments to identify public-sector activities that contribute to the preservation of public order. As proposed, these activities include those in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), as well as national security, internal security, external border management, defence, justice and law enforcement.

The memorandum states that the sovereignty framework "and in particular the risk assessment mechanism in Article 29, contributes directly to the digital preparedness dimension of that Strategy" by ensuring that the cloud and AI services underpinning emergency management, civil protection coordination and disaster response operations are provided at the appropriate Union assurance level. This is intended to ensure data confidentiality and operational autonomy and to prevent harm that could undermine public order.

As proposed, Article 29 requires Member States and Union entities to carry out these risk assessments by a date one year after the Regulation's entry into force, and thereafter every two years or whenever necessary. Each assessment must identify the public-sector activities using cloud computing services that contribute to preserving public order, and determine which Union assurance level (2, 3 or 4) is appropriate. The Commission would specify, by implementing acts, the methodology, templates and elements to be used — including how Member States use the highest level of assurance for the most critical activities, including but not limited to defence.

The risk assessment must consider at least the sensitivity, criticality and magnitude of the non-personal data processed (and the nature, scope, context and purpose of any personal-data processing), the risk and impact on public order of unlawful access to such data by a third country or an entity established in a third country, and the risk and impact of possible service disruption. Where the assessment requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability (Article 29(6)).

By tying these assessments to specific assurance levels, CADA as proposed aims to ensure critical infrastructure is not left vulnerable to third-country interference or service disruption — directly supporting the Preparedness Union Strategy's goal of maintaining continuity of essential services and keeping control with public-sector bodies rather than third-country actors.

What this means for you

For in-house counsel and compliance officers in the public sector, the intersection of CADA and the Preparedness Union Strategy would impose obligations on cloud procurement and risk management. You would need to prepare for the mandatory risk assessments under Article 29; as proposed, these are not optional and are required to determine the appropriate Union assurance level for your cloud computing services.

The initial risk assessment deadline would fall one year after the Regulation's entry into force, with subsequent assessments every two years or whenever necessary. Failure to conduct the assessments or to procure services at the required assurance level could result in non-compliance. As proposed, Member States would lay down rules on penalties for infringements, which must be effective, proportionate and dissuasive; while specific amounts are not set in the proposal, the criteria for penalties include the nature, gravity, scale and duration of the infringement, and any financial benefit gained or loss avoided (see Article 24 on penalties for providers).

Compliance officers would need to ensure their cloud services meet the assurance level determined by the risk assessment — which may require migrating to a different provider, with a maximum transition period of 12 months (Article 29(6)). You would also have to consider whether a multi-vendor or multi-cloud strategy is appropriate, which Article 29(9) explicitly requires you to weigh.

For private-sector entities operating in sectors of high criticality, such as those listed in Annex I of the NIS2 Directive, CADA as proposed allows similar impact assessments (Article 31). These are not mandatory for all private entities, but the Commission may issue guidance and, in specific, duly justified circumstances and in consultation with Member States, may require such impact assessments and risk-mitigation measures through delegated acts. Monitor these developments closely.

Common misconceptions

A common misconception is that CADA's sovereignty framework is solely about data protection or cybersecurity. While it complements laws such as the GDPR and NIS2, CADA as proposed addresses broader sovereignty concerns, including operational autonomy and protection against third-country interference. The memorandum is explicit that the EU-US Data Privacy Framework does not remove sovereignty concerns about dependence on third-country providers, because sovereignty goes beyond data transfers to operational autonomy.

Another misconception is that the Article 29 risk assessments are purely administrative. In reality they are substantive evaluations that directly drive procurement: the assessment determines the Union assurance level required, which in turn dictates which recognised providers a public body may use. It is not a box-ticking exercise but a component of the Union's digital preparedness.

Some believe CADA applies only to the public sector. While the mandatory risk assessments and procurement requirements primarily target Union entities and public sector bodies, the proposal has implications for the private sector: private entities in critical sectors may carry out similar impact assessments (Article 31), and the overall market shift towards sovereign cloud services would affect all providers and users.

Finally, there is a misconception that CADA replaces the Preparedness Union Strategy. In fact CADA is a complementary legislative instrument: the strategy identifies the risks and sets the policy goals, while CADA as proposed establishes the specific rules, assurance levels and enforcement mechanisms to mitigate those risks.

This is general information about a draft EU regulation, not legal advice.