Summary

Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must conduct periodic risk assessments to identify public sector activities that contribute to the preservation of public order. As explicitly mandated by Article 29(1)(a), this scope covers activities in sectors listed in Annex I or Annex II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as activities in the specific areas of national security, internal security, external border management, defence, justice, or law enforcement. Correctly identifying these activities is critical: they trigger a mandatory procurement shift from the baseline Union Assurance Level 1 to the stricter Union Assurance Levels 2, 3, or 4 under Article 30(3).

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a sovereignty-driven framework where procurement decisions are directly linked to a risk-based assessment of public order. Unlike previous digital regulations that focused primarily on technical cybersecurity or data protection, CADA targets the structural resilience of the cloud ecosystem against third-country interference. The mechanism for this is the risk assessment obligation found in Article 29.

The Legal Obligation: Article 29(1)(a)

The core requirement is established in Article 29(1) of the proposal. It mandates that Member States and Union entities carry out risk assessments within one year of the Regulation's entry into force, and subsequently every two years, or whenever necessary.

Article 29(1)(a) specifically requires these assessments to:

  1. Identify public sector activities that use or will make use of cloud computing services.
  2. Determine which of these activities contribute to the preservation of public order.

The proposal does not leave "public order" as an open-ended political concept. Instead, Article 29(1)(a) provides a precise, two-pronged definition of the scope:

  • Sectors falling under Annex I or Annex II of Directive (EU) 2022/2555 (NIS2): This leverages the existing EU classification of essential and important entities.
  • Specific High-Sensitivity Areas: The text explicitly lists "the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."

This dual scope ensures that the assessment captures both the systemic economic infrastructure defined by NIS2 and the core sovereign functions of the state.

The NIS2 Connection: Annex I and Annex II

The reference to the NIS2 Directive is a deliberate legislative choice to align CADA with the EU's existing cybersecurity risk taxonomy. By referencing Annex I and Annex II of Directive (EU) 2022/2555, CADA automatically incorporates the following sectors into the public order assessment scope:

  • Annex I (Essential Entities): This includes sectors of critical systemic importance such as energy (electricity, district heating, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health (healthcare providers, labs, pharmacies), drinking water, digital infrastructure (IXPs, DNS, cloud, data centres), ICT management services, public administration, and space.
  • Annex II (Important Entities): This covers sectors with significant societal impact, including postal and courier services, waste management, chemical production, food production, manufacturing (medical devices, computers, electronics), and digital providers (search engines, marketplaces).

For a public sector body, if an activity falls within these sectors and relies on cloud computing, it is presumed to have a potential impact on public order. The risk assessment must then scrutinize the specific nature of the activity to determine the appropriate level of assurance required.

Sovereign Functions: National Security, Defence, and Justice

Beyond the economic sectors defined by NIS2, Article 29(1)(a) explicitly carves out the core functions of the state. These areas are considered inherently sensitive due to their direct link to the state's monopoly on force, justice, and security. The proposal lists:

  • National and Internal Security: Activities related to counter-terrorism, intelligence gathering, and domestic safety operations.
  • External Border Management: Systems managing the EU's external borders, visa processing, migration control, and asylum procedures.
  • Defence: Military operations, defence procurement, strategic planning, and the protection of defence-related data.
  • Justice and Law Enforcement: This encompasses court systems, prison management, police operations, and the entire criminal justice chain, specifically including "the prevention, investigation, detection and prosecution of criminal offence."

The inclusion of "law enforcement" and "justice" is particularly significant. It means that cloud services used for criminal databases, evidence management, or judicial case files are subject to the highest scrutiny. The proposal recognizes that unauthorized access to these systems could undermine the rule of law, compromise ongoing investigations, or endanger public safety.

The Consequence: Triggering Higher Assurance Levels

The identification of an activity as contributing to public order is not merely an administrative exercise; it has immediate and binding procurement consequences.

  • Baseline Rule (Article 30(2)): For public sector activities not identified as contributing to public order, the requirement is to use cloud services recognized at Union Assurance Level 1. This level relies on self-assessment and basic establishment criteria.
  • Public Order Rule (Article 30(3)): For activities identified under Article 29(1)(a) as contributing to public order, contracting authorities must only procure cloud computing services recognized as offering Union Assurance Levels 2, 3, or 4.

This creates a "sovereignty floor" for critical functions. The risk assessment effectively acts as a gatekeeper:

  1. If the activity is in NIS2 Annex I/II or involves defence/justice, it is flagged.
  2. The flag triggers the requirement for Level 2, 3, or 4 services.
  3. These higher levels impose strict criteria, such as:
    • Level 2: Infrastructure and personnel located in the Union; data not used to train third-country AI models.
    • Level 3: Personnel must be Union citizens (if required by the public body); no third-country control (unless a specific derogation under Article 18 applies).
    • Level 4: The highest tier, typically for classified information, requiring "high" cybersecurity certification and strict separation from third-country influence.

Methodology and Commission Guidance

While Article 29(1) sets the scope, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be considered. These acts will detail how Member States should assess:

  • The sensitivity, criticality, and magnitude of the data processed (both personal and non-personal).
  • The risk of unlawful access by a third country or legal entity established in a third country.
  • The risk of service disruption and its impact on public order.

Crucially, Article 29(3) notes that the methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, "including, but not limited to, defence." However, the proposal maintains that the determination of the specific sensitivity of information lies within the competence of the Member States, subject to the Commission's guidance. If the Commission concludes that a Member State's assessment is inappropriate, it may adopt implementing acts to specify the required assurance level (Article 29(5)).

What this means for you

For public sector procurement officers, IT directors, and legal counsel, the CADA risk assessment represents a fundamental shift in how cloud services are selected for critical functions.

1. Conduct a Comprehensive Activity Inventory

You must map every cloud computing service currently in use or planned for the future to the specific public sector activity it supports. Do not rely on generic service descriptions; drill down to the functional level (e.g., "cloud storage for criminal investigation files" rather than just "IT storage").

2. Apply the Article 29(1)(a) Filter

Cross-reference your inventory against the two criteria in Article 29(1)(a):

  • Is the activity in a NIS2 Annex I or II sector? (e.g., energy grid management, hospital patient records, public administration databases).
  • Does the activity fall under national security, internal security, border management, defence, justice, or law enforcement? (e.g., police case management, border control systems, military logistics).

If the answer is "yes" to either, the activity is identified as contributing to the preservation of public order.

3. Trigger the Higher Assurance Requirement

Once an activity is identified, you are legally bound by Article 30(3) to procure only services recognized at Union Assurance Level 2, 3, or 4. You cannot procure Level 1 services for these activities. This will likely require a significant shift in your vendor landscape, potentially excluding non-EU hyperscalers unless they have established a fully sovereign EU subsidiary meeting the strict criteria of Annex II.

4. Plan for Migration and Transition

If your current providers do not meet the required assurance levels for these identified activities, you must plan for migration. Article 29(6) provides a transition period of up to 12 months to migrate to a compliant service, taking into account technical feasibility, continuity of service, and data portability. This is not an indefinite grace period; it is a strict deadline.

5. Document and Report

The risk assessment must be documented and submitted to the Commission within three months of its completion (Article 29(4)). Your documentation must clearly justify why an activity was classified as contributing to public order and why a specific assurance level (2, 3, or 4) was chosen. Be prepared for the Commission to review these assessments and potentially intervene if the chosen level is deemed insufficient (Article 29(5)).

6. Consider Multi-Cloud Strategies

Article 29(9) explicitly encourages Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate. For high-assurance activities, relying on a single provider may introduce unacceptable risks of service disruption. A diversified approach can enhance resilience and ensure continuity of critical public order functions.

Common misconceptions

"All public sector cloud usage requires Assurance Level 2 or higher." This is incorrect. Article 30(2) clearly states that public sector bodies whose activities have not been identified as contributing to the preservation of public order only need to use services recognized at Union Assurance Level 1. The risk assessment is the specific filter that determines which activities trigger the higher levels. Routine administrative tasks (e.g., internal email for non-critical staff) may remain at Level 1.

"Being in a NIS2 sector automatically means Assurance Level 4." Not necessarily. While NIS2 sectors are in scope for the public order assessment, the specific assurance level (2, 3, or 4) depends on the risk assessment's findings regarding the sensitivity of the data and the criticality of the service. Level 4 is reserved for the most critical use cases, often involving classified information or the highest levels of operational risk. A hospital's administrative scheduling system (NIS2 sector) might only require Level 2, while its patient diagnostic AI system might require Level 3 or 4.

"The Commission will dictate exactly which level to use for every activity." The Commission will provide guidance and methodologies (Article 29(3)), but the primary responsibility for conducting the risk assessment lies with the Member State or Union entity. The Commission retains a supervisory role and can intervene only if it concludes that the identified assurance level is inappropriate or does not adequately address public order concerns (Article 29(5)).

"This only applies to new contracts." No. Article 29(1)(a) refers to activities that "use or will make use of cloud computing services." This explicitly includes existing contracts. If an existing provider does not meet the required assurance level for an activity newly identified as contributing to public order, the public body must migrate to a compliant provider within the 12-month transition period.

This is general information about a draft EU regulation, not legal advice.