Summary

Under the proposed Cloud and AI Development Act (CADA), risk assessments are the mandatory mechanism that translates the abstract concept of digital sovereignty into concrete public procurement rules. Article 29 requires Member States and Union entities to conduct these assessments to identify which public-sector activities contribute to the preservation of "public order." The outcome of this assessment dictates the specific "Union assurance level" (ranging from 1 to 4) that must be procured. This process is explicitly designed to reduce strategic dependencies on non-European providers and ensure operational autonomy for critical state functions, as highlighted in Recitals 46–48.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, addresses a critical vulnerability in the European digital ecosystem: the Union's heavy reliance on cloud computing services controlled by third countries. The explanatory memorandum notes that three non-EU hyperscalers currently control over 70% of the European cloud market. This concentration exposes the Union to risks of operational discontinuity, extraterritorial data access, and potential political coercion.

To mitigate these risks, CADA establishes a "Union cloud computing sovereignty framework" with four distinct assurance levels. However, the proposal does not impose a "one-size-fits-all" mandate requiring the highest level of sovereignty for every public service. Instead, it employs a proportionate, risk-based approach where risk assessments serve as the essential bridge between the technical sovereignty criteria and actual procurement decisions.

The Legal Basis: Article 29 and Recitals 46–48

The role of the risk assessment is explicitly defined in Article 29 of the proposal. This article imposes a mandatory obligation on Member States and Union entities to carry out risk assessments. These assessments must be conducted within one year of the Regulation's entry into force, and thereafter every two years, or whenever necessary.

The primary objectives of these assessments, as outlined in Article 29(1), are twofold:

  1. To identify public-sector activities that use or will use cloud computing services and that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
  2. To determine which specific Union assurance level (2, 3, or 4) is appropriate for those identified activities.

Recitals 46–48 provide the strategic context for why this mechanism is necessary. Recital 46 states that the Union remains critically dependent on a limited number of providers subject to third-country control, exposing the Union to "critical strategic dependencies and concentration risks," including vulnerabilities arising from the extraterritorial application of third-country laws. Recital 47 notes that while existing EU law addresses cybersecurity and data protection, there is no cross-cutting framework for "trusted" cloud services that mitigates these broader sovereignty risks. Recital 48 emphasizes that current market offerings do not adequately address core sovereignty issues, such as the extraterritorial reach of third-country laws and the potential degradation of service continuity. Therefore, the risk assessment is the tool that allows public authorities to map their specific vulnerabilities against the four-tier sovereignty framework.

Operationalising the Sovereignty Framework

The risk assessment operationalises the sovereignty framework by ensuring proportionality. Not all public data carries the same weight, and not all services require the highest level of assurance. Article 29(2) requires assessors to consider several specific factors when determining the appropriate assurance level:

  • The sensitivity, criticality, and magnitude of the non-personal data processed.
  • The potential impact on public order and the nature, scope, context, and purpose of processing personal data.
  • The risk of unlawful access to such data by a third country or a legal entity established in a third country.
  • The risk of possible service disruption.

By evaluating these factors, a public authority can determine whether a standard service (Union Assurance Level 1) is sufficient, or if a higher level of protection (Levels 2, 3, or 4) is required to preserve public order. For instance, a municipality managing library bookings might only require Level 1, whereas a defence ministry handling classified strategic plans would likely require Level 4.

The Commission is empowered to specify the methodology, templates, and elements to be taken into account for these assessments via implementing acts (Article 29(3)). This ensures a consistent approach across the Union while allowing Member States the discretion to determine the specific sensitivity of their data.

Reducing Strategic Dependencies

A core objective of CADA is to reduce strategic dependencies. The risk assessment mechanism drives this by creating a clear, legally binding demand signal for sovereign cloud services. When a risk assessment determines that a high assurance level is necessary, the subsequent procurement is restricted to providers recognized as meeting those specific criteria.

Article 30 links directly to the outcome of the Article 29 assessment. It states that contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services that have been recognized as having the appropriate Union assurance level (2, 3, or 4). This creates a closed loop: the risk assessment identifies the risk, the sovereignty framework defines the mitigation, and the procurement rules enforce the mitigation.

Furthermore, Article 29(9) explicitly requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. This is a direct measure to avoid single-point-of-failure dependencies, reinforcing the resilience of the public sector's digital infrastructure against the concentration risks highlighted in the proposal's preamble.

What this means for you

For public-sector procurement officers, IT directors, and legal counsel, the introduction of mandatory risk assessments under CADA represents a significant shift in how cloud services are evaluated and purchased.

1. Mandatory Documentation and Timelines: You must establish a process to conduct risk assessments for your entity's cloud usage. The first assessment must be completed within one year of the Regulation's entry into force. This is not a one-time exercise; it must be repeated every two years or whenever significant changes occur in your cloud usage or the threat landscape. Failure to conduct these assessments could render subsequent procurement procedures non-compliant.

2. Mapping Activities to Assurance Levels: You will need to inventory your public-sector activities and categorise them based on their contribution to public order. For each activity, you must determine the sensitivity of the data involved. This mapping will dictate the minimum Union assurance level you can legally procure. If your risk assessment identifies a high risk to public order, you cannot simply choose the cheapest or most feature-rich provider; you must choose one that holds the recognised certification for the required assurance level.

3. Procurement Restrictions: Your tender documents must reflect the outcome of the risk assessment. If your assessment requires Union assurance level 3, your procurement notice must specify this as a mandatory requirement. You will be sourcing from the central repository of recognised services maintained by the Commission. This may limit the pool of eligible bidders, potentially increasing costs in the short term, but it ensures compliance with the new sovereignty standards.

4. Multi-Cloud Strategies: Consider your dependency on single vendors. The regulation encourages multi-cloud strategies to mitigate concentration risk. Your risk assessment should include an evaluation of whether relying on a single provider for critical services poses an unacceptable operational risk, and if so, plan for diversification.

5. Coordination with National Authorities: The Commission will provide guidance and methodologies for these assessments. You should monitor communications from your national competent authority and the Commission to ensure your assessment methodology aligns with the implementing acts that will specify the templates and elements to be taken into account.

Common misconceptions

Misconception 1: All public sector cloud use requires the highest level of sovereignty. Reality: CADA adopts a proportionate approach. Article 29 only requires higher assurance levels (2, 3, or 4) for activities that contribute to the preservation of public order and have been identified as such through the risk assessment. Standard administrative tasks may only require Union Assurance Level 1, which has a simpler conformity self-assessment process.

Misconception 2: The risk assessment is purely a cybersecurity exercise. Reality: While cybersecurity is a component, the CADA risk assessment is broader. It focuses on sovereignty and public order. It evaluates risks related to third-country control, extraterritorial legal reach, and operational autonomy, not just technical vulnerabilities. It is designed to address strategic dependencies, not just IT security flaws.

Misconception 3: Private sector entities are required to conduct these specific risk assessments. Reality: Article 29 mandates risk assessments for Member States and Union entities. Article 31 allows private sector entities (specifically those listed in Annex I of the NIS2 Directive) to carry out similar impact assessments, but it is not a strict obligation for all private companies. However, the Commission may adopt delegated acts requiring impact assessments for private entities in sectors of high criticality if specific circumstances justify it.

Misconception 4: The risk assessment is a static document. Reality: The assessment must be reviewed every two years and updated whenever necessary. It must also account for changes in the cloud service provider's status, as providers must report material changes that could affect their assurance level.

This is general information about a draft EU regulation, not legal advice.