Summary
Under the proposed Cloud and AI Development Act (CADA), safeguarding public order is a core objective driving the sovereign-cloud framework. As proposed, public-sector bodies would conduct risk assessments to identify which cloud-supported activities contribute to public order, which in turn mandates higher Union assurance levels (2, 3, or 4). The aim is to keep essential services resilient against third-country interference and disruption. CADA is a proposal and not yet in force.
Detail
CADA proposes a framework to strengthen Europe's cloud and AI ecosystem, reducing dependencies on non-European providers and protecting critical infrastructure. Protecting public order is explicitly one of its objectives.
Public order as a core objective
Article 1(1)(c) states that the regulation establishes a framework for "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order." This treats cloud computing as a strategic asset vital to societal stability, not merely an IT utility. The explanatory memorandum says the proposal would "help protect public order by making the supply of cloud computing services more resilient." By enabling sovereign cloud options, the EU seeks to mitigate the risk that the extraterritorial reach of third-country laws lets foreign governments access EU data or disrupt services.
The role of risk assessments
To operationalise this, Article 29 requires Member States and Union entities to carry out risk assessments. These identify public-sector activities that use, or will use, cloud computing services and that contribute to the preservation of public order, in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), and in the areas of national security, internal security, external border management, defence, justice, or law enforcement.
The risk assessment bridges abstract sovereignty goals and concrete procurement. It determines which Union assurance level applies. The assessment must consider at least: the sensitivity, criticality, and magnitude of the data; the risk and impact of unlawful access by a third country or an entity established there; and the risk and impact of service disruption (Article 29(2)).
Linking risk to assurance levels
Article 29(1) requires risk assessments to identify public-order-relevant activities and determine which Union assurance level (2, 3, or 4) is appropriate. The Annex II criteria become progressively stricter:
- Union assurance level 1 is the baseline for activities not identified as contributing to public order. It requires the provider to be established in the Union and data to remain within the Union unless the public-sector body requires otherwise.
- Union assurance levels 2, 3, and 4 apply to public-order activities, with stricter requirements such as exclusion of third-country control, independent audits, and — at higher levels — personnel and classified-information handling requirements.
Article 30(3) reinforces this: contracting authorities whose activities are identified as contributing to public order "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." Procurement decisions must therefore track national risk-assessment outcomes.
Resilience and operational continuity
Public order is tied to operational continuity. The proposal recognises that dependence on a few third-country providers creates vulnerabilities, including disruption from political or economic coercion. Article 29(9) requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate.
What this means for you
For public-sector and procurement officers, CADA's public-order mechanism would change how cloud is evaluated and bought:
- Conduct mandatory risk assessments: Under Article 29, the first assessment must be carried out within one year of entry into force and repeated every two years thereafter (or whenever necessary). It must evaluate whether your cloud usage contributes to public order.
- Map activities to assurance levels: Activities involving sensitive data or critical functions (e.g. health, justice, defence) would likely require level 2, 3, or 4.
- Adjust procurement specifications: Price or generic features alone would no longer suffice; specify the required Union assurance level and procure only from recognised services.
- Plan for migration: Where the assessment requires a switch, Article 29(6) provides a reasonable transition period not exceeding 12 months, accounting for technical feasibility, continuity, and data portability.
- Engage competent authorities: Work with your national competent authority on recognition and align with the Commission's methodology and templates (Article 29(3)).
Common misconceptions
- "All public-sector cloud usage requires the highest sovereignty level." Incorrect. CADA is proportionate: only activities identified as contributing to public order require levels 2, 3, or 4. Other activities may require only level 1.
- "Public order only applies to defence and police." Defence, justice, and law enforcement are named, but the scope is broader — it includes NIS2 sectors (such as energy, transport, and health) and other activities where disruption could undermine public order.
- "Sovereignty means all data must stay in one Member State." No. CADA promotes free flow of data within the Union. Level 1 requires data to remain within the Union, not within a single Member State, unless the public-sector body requires otherwise.
- "Third-country providers are completely banned." Not entirely. Article 18 allows recognising third countries as eligible for level 3 if they meet strict cumulative criteria, including an adequacy decision under GDPR. Level 4, however, generally prohibits third-country control.
This is general information about a draft EU regulation, not legal advice.