Summary Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must submit the results of their cloud computing sovereignty risk assessments to the European Commission within three months of completing them. This obligation, set out in Article 29(4), applies to the initial assessment (due one year after the Regulation enters into force) and to all subsequent assessments conducted at least every two years. If a Member State's assessment deviates from the Commission's methodological guidance, this must be explicitly stated in the report. This creates a recurring, biennial reporting cycle that ensures continuous oversight of public-order risks in the cloud sector.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a sovereign cloud framework designed to protect the Union's public order by ensuring that public-sector bodies procure cloud services at an appropriate "Union assurance level." A cornerstone of this framework is the mandatory risk assessment process, which determines the assurance level (2, 3, or 4) required for each public-sector activity. The Act does not leave these assessments as internal administrative exercises; it imposes a strict external reporting timeline to ensure consistency and allow for Commission oversight.

The Three-Month Reporting Window

The core of the reporting timeline is found in Article 29(4) of the CADA proposal. This provision establishes a non-negotiable deadline for the transmission of assessment results. The text states:

"Within three months of carrying out the risk assessments referred to in paragraph 1, Member States shall provide the Commission with the results of those risk assessments, indicating where they depart from the implementing acts referred to in paragraph 3."

This clause creates a three-month window that begins as soon as the risk assessment is "carried out." It is not a deadline calculated from the entry into force of the Regulation, but a rolling deadline triggered by the completion of each specific assessment. The provision quoted above does not define when an assessment counts as carried out, so a Member State should record a formal completion date (for example, the date the assessment is signed off) from which the three months are counted.

The requirement to report "where they depart from the implementing acts" is critical. Under Article 29(3), the Commission is empowered to adopt implementing acts specifying the methodology, templates, and elements to be considered in these assessments. These acts will likely define how to map specific public-sector activities (e.g., law enforcement, defence, justice) to specific assurance levels. If a Member State concludes that a certain activity requires a lower or higher assurance level than the Commission's baseline guidance suggests, it must explicitly document this deviation in its submission. This transparency mechanism allows the Commission to identify inconsistencies across the single market and intervene if necessary.

The Biennial Cadence and Recurring Cycle

The reporting timeline is inextricably linked to the frequency of the assessments themselves. Article 29(1) mandates a recurring schedule:

"By [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary, Member States and Union entities shall carry out risk assessments..."

This creates a biennial cadence for the standard reporting cycle. The timeline operates as follows:

  1. Initial Cycle: Member States must conduct their first assessment within one year of the Regulation's entry into force. The three-month reporting window opens immediately upon completion of this first assessment.
  2. Recurring Cycle: Thereafter, assessments must be repeated every two years. Consequently, the three-month reporting window will open every two years, creating a predictable, recurring rhythm for compliance.
  3. Ad-Hoc Triggers: The phrase "or whenever necessary" introduces flexibility for dynamic risk environments. If a Member State identifies a new threat, a significant change in data sensitivity, or a shift in the geopolitical landscape affecting third-country control, it may need to conduct an ad-hoc assessment. In such cases, the three-month reporting clock resets, and the results must be submitted within three months of that specific ad-hoc assessment.

This structure ensures that the Commission receives up-to-date information on the Union's cloud sovereignty posture at least every two years, while retaining the ability to react to urgent changes in the threat landscape.

Commission Oversight and Corrective Powers

The reporting timeline is not merely a formality; it is the trigger for the Commission's supervisory powers. Once the results are submitted within the three-month window, the Commission reviews them. Article 29(5) grants the Commission the authority to intervene if the submitted assessment is deemed insufficient:

"If the Commission concludes, after reviewing the results of the risk assessment or assessments of a Member State, that the Union assurance level identified for the public sector activity in a risk assessment is not appropriate or does not adequately address the public order concerns, the Commission may adopt implementing acts in accordance with Article 46(2) specifying the Union assurance levels needed for the public sector activity."

Thus, the three-month reporting deadline is the starting point for a potential regulatory correction. Note that the corrective power quoted above is triggered by the Commission's review of submitted results; the provision as quoted does not spell out a separate consequence for a late or missing submission, although failing to report within three months is in itself a breach of the Article 29(4) obligation. Where the report reveals a misalignment with public-order requirements, the Commission can adopt implementing acts specifying the assurance levels required for the activity concerned, which take precedence over the national assessment.

What this means for you

For public-sector bodies, national competent authorities, and procurement officers, the CADA reporting timeline imposes a structured operational rhythm that must be integrated into national cloud strategies.

1. Calendar Management for the Biennial Cycle You must align your internal planning with the two-year assessment cycle. If your Member State schedules its primary risk assessment for Q1 of Year 1, your team must have the final report compiled and ready for submission by Q2 of Year 1 (within three months). This rhythm repeats every two years. Failure to meet the three-month deadline could be viewed as a failure to comply with the Regulation's procedural obligations, potentially triggering Commission scrutiny.

2. Preparing for "Departure" Documentation The requirement to report departures from Commission implementing acts means that your risk assessment process must be robust enough to support deviations in either direction. Article 29(4) itself only requires you to indicate where the results depart from the implementing acts, but because a departure is what invites review under Article 29(5), you should be ready to explain why the specific public-order risks in your jurisdiction are adequately mitigated at a lower level, or why a higher level is warranted. This documentation must be ready within the three-month window.

3. Monitoring for "Whenever Necessary" Triggers Do not rely solely on the biennial schedule. Significant events—such as a major data breach, a change in third-country legislation affecting data access, or a shift in the criticality of a public service—may trigger an ad-hoc assessment. Your internal governance frameworks must include mechanisms to detect these triggers and immediately initiate a new assessment, resetting the three-month reporting clock.

4. Coordination with National Competent Authorities While the Commission receives the report, the assessment is a national responsibility. Ensure that the body responsible for the risk assessment (often the national competent authority designated under Article 25) has a clear workflow to compile the results and transmit them to the Commission within the three-month limit. Delays in internal coordination can jeopardize compliance.

Common misconceptions

Misconception 1: The three-month deadline applies only to the first assessment. Reality: The deadline applies to every risk assessment carried out under Article 29(1). This includes the initial assessment, every subsequent biennial review, and any ad-hoc assessments triggered by "whenever necessary" circumstances.

Misconception 2: The report only needs to state the final assurance level. Reality: The report must include the results of the assessment and, crucially, indicate where they depart from the implementing acts referred to in Article 29(3). A simple statement of the assurance level without context or justification for deviations is insufficient and may lead to Commission intervention.

Misconception 3: Private sector entities must report to the Commission. Reality: Article 29 applies specifically to Member States and Union entities. While private sector entities operating in sectors listed in Annex I of the NIS2 Directive may carry out similar impact assessments under Article 31, they are not subject to the mandatory three-month reporting timeline to the Commission under Article 29(4).

This is general information about a draft EU regulation, not legal advice.