Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers (CSPs) face a critical new dynamic: while public sector bodies and Union entities are legally required to conduct risk assessments to determine sovereignty levels, providers may be directly compelled to supply the data underpinning those decisions. Crucially, if a public sector activity is deemed to concern "public order," providers must hold a specific Union assurance level (2, 3, or 4) and be formally recognised under Article 17 to be eligible for those contracts. Failure to align with the outcome of these assessments could result in immediate exclusion from public procurement.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sovereignty framework designed to reduce the EU's dependence on non-European cloud providers and safeguard public order. A central mechanism for achieving this is the mandatory risk assessment process outlined in Title IV. For cloud service providers and data centre operators, understanding the interplay between these assessments, the Commission's information powers, and the resulting procurement obligations is essential for market access.
The Obligation to Assess Risk
As proposed, Article 29 places the primary obligation for risk assessments on Member States and Union entities, not on the cloud providers themselves. However, the outcome of these assessments acts as a gatekeeper for market access.
By one year after the regulation's entry into force, and thereafter every two years or whenever necessary, Member States and Union entities must carry out risk assessments. These assessments serve two primary purposes:
- Identifying public sector activities that use or will use cloud computing services and contribute to preserving public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as in areas such as national security, internal security, external border management, defence, justice, and law enforcement.
- Determining which Union assurance level (2, 3, or 4) is appropriate for those identified activities.
When conducting these assessments, Member States and Union entities must consider specific aspects, including:
- The sensitivity, criticality, and magnitude of the non-personal data processed.
- The nature, scope, context, and purpose of processing personal data, including risks to the rights and freedoms of data subjects.
- The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
The Commission will provide implementing acts specifying the methodology, templates, and elements to be taken into account for these risk assessments. Member States must provide the results of these assessments to the Commission within three months of carrying them out. If the Commission concludes that the assurance level identified in a Member State's risk assessment is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the required Union assurance levels.
Provider Involvement and Information Requests
Although CSPs do not conduct the risk assessments, they are not passive observers. The proposal explicitly empowers the Commission to engage directly with providers to ensure the assessments are accurate and comprehensive.
Article 29(9) states: "For the purpose of paragraph 3, the Commission shall be empowered to request cloud computing service providers to provide all the necessary information."
This provision is critical for providers. It means that to support the guidance and methodology for risk assessments, the Commission may ask CSPs for specific details about their services, infrastructure, data residency, or security measures. Providers should be prepared to respond to such requests, as the information provided may directly influence the determination of assurance levels for various public sector activities. This power ensures that the Commission can verify the facts underpinning national risk assessments and adjust requirements if necessary.
Furthermore, if a risk assessment determines that a current service no longer meets the required assurance level, the Member State or Union entity must migrate to a compliant service within a reasonable transition period that shall not exceed 12 months, as specified in Article 29(6). This migration obligation takes into account technical feasibility, continuity of service, and data portability requirements. For providers, this creates a defined window for clients to transition away from non-compliant services, necessitating proactive communication and migration support strategies.
Link to Public Procurement
The results of the risk assessments directly trigger procurement obligations under Article 30. This article establishes a mandatory baseline for cloud procurement in the public sector, creating a direct link between the risk assessment outcome and market eligibility.
For public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment, the minimum requirement is to use cloud computing services that have been recognised as having a Union assurance level 1.
However, for contracting authorities whose activities have been identified as contributing to the preservation of public order, the requirements are significantly stricter. Article 30(3) mandates: "Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This creates a binary market reality. If a CSP does not hold the required assurance level and formal recognition, it is legally excluded from bidding for these critical public sector contracts. The assessment effectively segments the public market into "general" (Level 1) and "public order" (Levels 2–4) categories.
The Role of Recognition
To be eligible for procurement under Article 30, a cloud service must be "recognised" as offering a specific Union assurance level. This recognition process is governed by Article 17. CSPs must submit an application for recognition to the national competent authority of their establishment.
- For Union assurance level 1, providers carry out a conformity self-assessment and issue an EU statement of conformity. Notably, for SMEs, the EU statement of conformity issued under Article 19(2) shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority, as per the derogation in Article 17(3).
- For Union assurance levels 2, 3, and 4, providers must undergo independent third-party audits and obtain a "positive" audit opinion from an auditing organisation.
Once recognised, the service is registered in a central repository maintained by the Commission. This recognition is valid across the entire Union, meaning a service recognised in one Member State is accepted in all others. However, providers must promptly report any material changes in circumstances that may affect their recognition status, as outlined in Article 23, to avoid the revocation of their status.
What this means for you
For cloud service providers and data centre operators targeting the EU public sector, the proposed CADA framework introduces several actionable requirements and strategic imperatives:
- Prepare for Information Requests: Be ready to provide detailed information to the Commission if requested under Article 29(9). This may include data on your infrastructure location, data residency practices, security measures, and supply chain details. Establishing internal processes to gather and verify this information quickly will be beneficial, as delays could impact the accuracy of risk assessments and your market positioning.
- Achieve and Maintain Recognition: If you wish to bid for public sector contracts, especially those involving public order, you must secure recognition for the relevant Union assurance level(s) under Article 17. This involves either self-assessment (for level 1) or independent audits (for levels 2–4). Ensure your compliance documentation is robust and up-to-date. For SMEs, leverage the automatic recognition derogation for Level 1 to accelerate market entry.
- Monitor Risk Assessment Outcomes: Keep track of the risk assessments conducted by Member States and Union entities. Understanding which sectors and use cases are classified as "public order" will help you target your marketing and compliance efforts effectively. If a sector you serve is reclassified to require a higher assurance level, you must be prepared to meet the new criteria or lose access to those contracts.
- Plan for Migration Scenarios: If you are currently serving public sector clients and a new risk assessment determines that your service no longer meets the required assurance level, be aware that clients will have up to 12 months (per Article 29(6)) to migrate. Use this period to demonstrate the value of upgrading your service to a higher assurance level or to assist clients in transitioning to compliant alternatives. Proactive migration planning can turn a compliance risk into a retention opportunity.
Common misconceptions
- Misconception: Cloud providers must conduct their own risk assessments for public order.
- Reality: The obligation to conduct risk assessments lies with Member States and Union entities (Article 29). Providers may be asked for information to support these assessments under Article 29(9), but they do not perform the assessment themselves.
- Misconception: Union assurance level 1 is sufficient for all public sector contracts.
- Reality: While level 1 is the minimum for general public sector use, any activity identified as contributing to public order requires Union assurance level 2, 3, or 4, i.e. at least level 2 (Article 30(3)). Many critical infrastructure and security-related services will fall into this category, rendering Level 1 insufficient.
- Misconception: Recognition in one Member State is not valid in others.
- Reality: Recognition under Article 17 is valid throughout the entire Union. Once a service is recognised by the competent authority of the provider's establishment, it is accepted across all Member States, facilitating cross-border sales without the need for duplicate national procedures.
- Misconception: The Commission cannot ask providers for data during the risk assessment process.
- Reality: The Commission is explicitly empowered to request all necessary information from cloud computing service providers to support the risk assessment methodology and guidance (Article 29(9)).
Related
- Who must carry out risk assessments under Article 29 of CADA?
- What templates must be used for CADA risk assessments?
- Can the Commission request information from cloud providers for CADA risk assessments?
- Why does CADA treat dependence on non-EU providers as a strategic risk?
- Who sets the methodology for CADA risk assessments?
This is general information about a draft EU regulation, not legal advice.