Summary
Under the proposed Cloud and AI Development Act (CADA), risk assessments conducted by Member States and Union entities are the primary trigger for binding mitigation measures designed to safeguard the Union's public order. If an assessment identifies that specific public-sector activities contribute to the preservation of public order, the primary mitigation is the mandatory procurement of cloud services with a higher Union assurance level (Level 2, 3, or 4) instead of the baseline Level 1. Secondary mitigations include the adoption of multi-vendor or multi-cloud strategies to limit dependency on single providers. Crucially, if a risk assessment necessitates a change in provider, Article 29(6) mandates migration within a maximum transition period of 12 months. All measures must be selected proportionately, based on the sensitivity, criticality, and magnitude of the data processed, as well as the specific risks of third-country access or service disruption.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous framework to address the EU's strategic dependence on third-country cloud providers and to ensure the resilience of critical public functions. Central to this framework is the obligation for Member States and Union entities to conduct regular, structured risk assessments under Article 29. These assessments are not merely administrative exercises; they function as the diagnostic engine that dictates specific, binding operational and procurement changes.
The Diagnostic Role of Risk Assessments
Article 29(1) requires Member States and Union entities to carry out risk assessments at least every two years, or whenever necessary. The dual purpose of these assessments is to:
- Identify public sector activities that use cloud computing services and contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and areas such as national security, internal security, external border management, defence, justice, and law enforcement.
- Determine the appropriate Union assurance level (2, 3, or 4) required for those identified activities.
Recital 50 contextualizes the necessity of these assessments by highlighting the specific risks posed by dependence on third-country providers. It notes that such dependence can lead to "misuse (i.e. manipulation, remote access and control, sabotage, weaponisation)," "access to information (i.e. access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage)," and "dependency vulnerabilities (i.e. political and/or economic coercion)." The risk assessment serves as the mechanism to diagnose which of these threats are relevant to a specific public function and to prescribe the corresponding mitigation.
Primary Mitigation: Mandatory Higher Assurance Levels
The most direct and binding mitigation measure flowing from a risk assessment that identifies a public-order-relevant activity is the requirement to procure cloud services with a higher Union assurance level.
Article 30(2) establishes the baseline: Union entities and public sector bodies whose activities are not identified as contributing to the preservation of public order must use cloud computing services recognised as having Union assurance level 1.
However, if the risk assessment under Article 29(1) identifies activities as contributing to the preservation of public order, Article 30(3) imposes a strict restriction: contracting authorities must only procure cloud computing services recognised as having Union assurance levels 2, 3, or 4. The specific level required is not arbitrary; it must be determined by the risk assessment itself.
Article 29(2) mandates that the assessment consider specific factors to ensure the selected mitigation is proportionate to the threat:
- The sensitivity, criticality, and magnitude of the non-personal data processed.
- The nature, scope, context, and purpose of processing personal data, including the risk to the rights and freedoms of data subjects.
- The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
This ensures that the mitigation (the assurance level) matches the severity of the risk. For instance, an activity involving classified defence data would likely trigger a requirement for Level 4, while a less critical but still public-order-relevant function might only require Level 2.
Secondary Mitigation: Multi-Vendor and Multi-Cloud Strategies
Beyond the selection of a specific assurance level, CADA explicitly promotes architectural diversification as a critical resilience measure. Recital 65 states that to enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should consider whether a multi-vendor or multi-cloud strategy is appropriate.
This is formalized in Article 29(9), which requires that risk assessments explicitly consider whether a multi-vendor or multi-cloud strategy is appropriate as part of the procurement of cloud computing services. This strategy acts as a mitigation against vendor lock-in and single points of failure. By distributing workloads across multiple providers or architectures, the risk that the disruption of one provider compromises the continuity of essential public services is reduced.
The decision to adopt such an architecture must be context-specific. The assessment must identify relevant operational, regulatory, or resilience-related circumstances that support the adoption of a multi-vendor or multi-cloud strategy. It is not a blanket mandate for all public bodies, but a required consideration for those managing public-order-relevant activities.
Operational Mitigation: Migration and Transition Periods
When a risk assessment determines that current cloud services do not meet the required assurance level, or when a shift in the risk profile necessitates a change in provider, migration becomes the necessary operational mitigation.
Article 29(6) addresses this scenario directly and imposes a strict timeline. It stipulates that where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months.
This 12-month limit is a critical component of the mitigation framework. It balances the urgency of mitigating sovereignty risks with the technical realities of moving complex workloads. The provision explicitly requires that the transition period take into account "technical feasibility, continuity of service and data portability requirements." However, these factors cannot be used to justify indefinite delays; the 12-month cap ensures that public order risks are addressed within a predictable and enforceable timeframe.
Proportionality and Context-Specific Selection
The CADA proposal emphasizes that mitigation measures must be proportionate to the risk identified. Recital 52 notes that "most public services would not require the highest levels of assurance." The risk assessment ensures that the principles of proportionality and subsidiarity are complied with by assessing specific cases where the protection of public order requires the highest level of assurance.
The selection of measures is therefore not a "one-size-fits-all" approach. Article 29(2) ensures that the assessment considers the specific sensitivity and criticality of the data. Furthermore, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account, ensuring a consistent approach across the Union while allowing Member States to tailor the depth of their mitigation strategies to their specific national contexts.
What this means for you
For public-sector procurement officers, IT leaders, and legal counsel, the CADA proposal transforms risk assessment from a theoretical compliance exercise into a binding driver of procurement strategy and operational change. You must prepare to:
- Map Activities to Public Order: Conduct a comprehensive inventory of your organization's activities. Identify which ones fall under the sensitive sectors listed in the NIS2 Directive or relate to national security, defence, justice, or law enforcement. These are the activities that will trigger the requirement for higher assurance levels (2, 3, or 4).
- Audit Current Contracts: Review existing cloud contracts to determine the current assurance level of your providers. If your current provider only holds Level 1 recognition, but your risk assessment deems your activity critical to public order, Article 30(3) would require you to migrate to a provider with Level 2, 3, or 4 recognition.
- Plan for Migration Immediately: If migration is required, initiate the process without delay. The 12-month transition period in Article 29(6) is a hard limit. Begin assessing technical feasibility, data portability, and continuity plans immediately to avoid disruption. Do not assume technical complexity will grant an extension beyond this statutory limit.
- Evaluate Multi-Cloud Options: Do not view mitigation solely as switching to a single "sovereign" provider. Evaluate whether a multi-cloud or multi-vendor architecture reduces your operational risk by eliminating single points of failure. Document this evaluation explicitly in your risk assessment as required by Article 29(9).
- Engage with Competent Authorities: Ensure your national competent authority is involved early. Ask for guidance on the assessment methodology (which the Commission is to specify through implementing acts under Article 29(3)) and on the Union assurance level recognised for candidate providers.
Common misconceptions
"All public sector cloud procurement requires the highest sovereignty level." No. CADA applies a tiered, risk-based approach. Only activities identified as contributing to the preservation of public order via risk assessment require Level 2, 3, or 4. General administrative activities that do not impact public order may only require Level 1, as established in Article 30(2).
"Multi-cloud is mandatory for all critical services." No. Multi-cloud is a recommended mitigation strategy that must be considered in the risk assessment under Article 29(9), but it is not a blanket requirement. The decision depends on the specific operational, regulatory, and resilience risks identified for the specific activity.
"Migration can take as long as technically necessary." No. Article 29(6) sets a strict maximum transition period of 12 months for migrations triggered by risk assessments. While technical feasibility and continuity of service are factors in planning the migration, they do not allow for indefinite delays beyond this statutory cap.
"Risk assessments are one-off events." No. Article 29(1) requires assessments to be carried out every two years, or whenever necessary. As cloud services, threat landscapes, and the sensitivity of data evolve, your mitigation measures must be updated accordingly.
Related
- CADA Risk Assessment: What happens if a Member State departs from the methodology?
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
- When is the first CADA risk assessment due?
- What triggers cloud migration after a CADA risk assessment?
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
This is general information about a draft EU regulation, not legal advice.