Summary
As proposed, Article 30(2) of the Cloud and AI Development Act (CADA) would set a floor for public cloud procurement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised under Article 17 as having a Union assurance level 1. Level 1 is the mandatory minimum for those activities — but it is the floor, not the ceiling. Where the Article 29(1) risk assessment identifies an activity as contributing to public order, the higher rule in Article 30(3) (levels 2, 3 or 4) applies instead.
Detail
CADA would establish a "Union cloud computing sovereignty framework" of four assurance levels (Article 16), with the criteria set out in Annex II. Level 1 is the entry tier and, for public procurement of ordinary activities, the mandatory baseline.
The baseline rule (Article 30(2))
Article 30(2) provides that "Union entities and public sector bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1." So a body buying cloud for standard administration, general IT or other non-public-order activities cannot simply pick the cheapest or most familiar offering: the specific service must hold a level-1 recognition.
What level 1 requires (Annex II)
Annex II sets the level-1 criteria as cumulative requirements on the provider and its service. They include:
- the provider is established in the Union;
- the provider's infrastructure and assets, including those of subcontractors involved in the service, are located in the Union unless the public sector body explicitly requires otherwise;
- customer data — including metadata and telemetry — that the provider and its subcontractors process, store or transfer remains exclusively within the Union, unless the public sector body explicitly requires otherwise, at any time before, during or after use of the service;
- where support is outsourced to providers outside the Union, legal, technical and organisational measures ensure traceability, security and governance and preserve the provider's operational autonomy;
- the service complies with state-of-the-art cybersecurity standards;
- the provider gives full transparency about subcontractors and subjects them to due diligence, contractual obligations and ongoing oversight; and
- where the provider is controlled by a third country (or an entity established in one), it guarantees — demonstrated by independent sources — that no third-country law or practice requires it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited.
Note what level 1 does not do: it does not bar third-country control as such. That is what distinguishes it from the higher levels, where third-country control is progressively constrained.
Recognition under Article 17
A provider cannot simply assert level 1; it must be recognised. Under Article 17, a provider applies to the national competent authority of establishment. For level 1, it submits the EU statement of conformity referred to in Article 19(2) plus the necessary evidence (Article 17(3)). For SMEs, that EU statement of conformity is directly and automatically recognised across all Member States without prior recognition by the evaluating authority. Recognised services are entered in the central repository maintained by the Commission (Article 22), which is publicly available, so buyers can identify compliant providers.
The link to the risk assessment (Article 29)
The level-1 floor is conditional on the Article 29 risk assessment. Member States and Union entities must, within one year of entry into force and every two years thereafter, identify activities that contribute to the preservation of public order — in NIS2 Annex I or II sectors and in national security, internal security, external border management, defence, justice or law enforcement — and determine the appropriate level (2, 3 or 4) for them. So:
- activity not identified as public-order → at least level 1 (Article 30(2));
- activity identified as public-order → level 2, 3 or 4 (Article 30(3)).
Exceptions (Article 30(4))
Article 30(4) allows narrow, duly justified derogations: where the subject matter cannot be supplied by recognised services in the central repository and no reasonable alternative exists (and that gap is not the result of artificial narrowing of the tender parameters); where a similar procurement in the previous year drew no suitable tenders or participants; or where compliance would mean disproportionate cost.
What this means for you
For public-sector procurement teams, the level-1 floor changes how cloud is sourced.
1. Update tender specifications. Require proof of level-1 recognition and reference the central repository (Article 22). Disqualify bidders that are not recognised (or, for SMEs, cannot provide a valid EU statement of conformity).
2. Verify the risk-assessment outcome. If your activity has not been classified as public-order under Article 29, level 1 is your obligation; if your assessment is out of date, update it, because it may push you into levels 2–4.
3. Verify status, not marketing. "Sovereign cloud" and "EU data residency" are not CADA-defined labels. Confirm the specific service is recognised under Article 17.
4. Plan transitions. Where a risk assessment requires migrating to another service, Article 29(6) allows a transition period of up to 12 months, considering technical feasibility, continuity and portability.
5. Engage your national competent authority early if recognised providers are scarce or you think an Article 30(4) derogation may apply.
Common misconceptions
"Level 1 means 100% EU ownership." No. A provider established in the Union can be under third-country control and still qualify at level 1 if it meets the Annex II criteria, including the vulnerability-reporting guarantee. The higher levels constrain third-country control much more tightly.
"Any EU-based provider qualifies for level 1." No. EU establishment is necessary but not sufficient; the service must be recognised under Article 17 and meet all level-1 criteria.
"Level 1 is only for unimportant data." No. Level 1 is the minimum for activities not classified as public-order; it still mandates EU establishment and EU data residency.
"The risk assessment is one-off." No. Article 29(1) requires it within one year of entry into force and every two years thereafter, or whenever necessary.
This is general information about a draft EU regulation, not legal advice.