Summary
Under the proposed Cloud and AI Development Act (CADA), public-sector activities that contribute to preserving public order are strictly defined in Article 30(3). These activities fall into two categories: those in sectors listed in Annex I or Annex II of the NIS2 Directive (Directive (EU) 2022/2555), and those in specific areas of national security, internal security, external border management, defence, justice, or law enforcement. Crucially, merely operating in these sectors does not automatically mandate the highest assurance level. Instead, Article 29(1) requires Member States and Union entities to conduct a specific risk assessment to determine which activities within these sectors actually contribute to public order. Only for those identified activities must contracting authorities procure cloud services recognised at Union assurance level 2, 3, or 4, as mandated by Article 30(3). All other public sector activities remain subject to the baseline Level 1 requirement under Article 30(2).
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sovereign cloud framework designed to mitigate risks associated with third-country control over critical digital infrastructure. A central pillar of this framework is the "public order" procurement mandate, which creates a tiered obligation for public buyers. This mandate is not a blanket requirement for all public sector cloud usage but is triggered specifically by the nature of the activity and the sector in which it operates.
The Legal Trigger: Article 30(3) and Defined Sectors
Article 30(3) of the proposal sets the mandatory procurement floor for activities deemed critical to the Union's stability. It states that contracting authorities, including entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order, "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
The proposal explicitly defines the scope of these activities in two distinct groups:
- NIS2 Directive Sectors: Activities falling within the sectors listed in Annex I (essential entities) or Annex II (important entities) of Directive (EU) 2022/2555 (the NIS2 Directive). This encompasses critical infrastructure such as energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, and public administration.
- Security and Justice Areas: Specific functional areas regardless of the sector, including:
  - National security
  - Internal security
  - External border management
  - Defence
  - Justice
  - Law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.
It is vital to note that the text of Article 30(3) ties the procurement obligation to activities "identified as contributing to the preservation of public order" under the risk assessment mechanism. The sector listing provides the universe of potential candidates, but the identification is the trigger.
The Determination Mechanism: Article 29 Risk Assessments
The specific assurance level (2, 3, or 4) required for a given activity is not fixed by the sector alone. Instead, Article 29(1) establishes a mandatory risk assessment process. Within one year of the regulation's entry into force, and every two years thereafter, Member States and Union entities must carry out risk assessments to:
- Identify the public sector activities that use cloud computing services and contribute to the preservation of public order in the sectors listed above.
- Determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.
Article 29(2) outlines the factors these assessments must consider, ensuring a proportionate approach:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
This risk-based approach ensures that not every cloud service used by a hospital (a NIS2 Annex I sector) requires the highest assurance level. A system handling non-sensitive administrative scheduling might be assessed differently than a system managing real-time critical patient data or national security intelligence. The assessment determines the level (2, 3, or 4) required, and Article 30(3) then mandates that procurement for that specific activity must be limited to services recognised at that determined level.
The Baseline: Article 30(2)
For public sector activities that are not identified as contributing to the preservation of public order under the Article 29(1) risk assessment, the strict Level 2-4 requirement does not apply. Instead, Article 30(2) applies, requiring Union entities and public sector bodies to use cloud computing services recognised as having at least Union assurance level 1. This serves as the baseline minimum for all public procurement under CADA, ensuring a consistent level of sovereignty and security even for non-critical activities.
Commission Oversight and Harmonisation
To prevent fragmentation and ensure consistent application across the Union, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements for these risk assessments. Furthermore, Article 29(5) grants the Commission the authority to intervene if a Member State's risk assessment concludes that a specific assurance level is inappropriate or fails to adequately address public order concerns. In such cases, the Commission may adopt implementing acts to specify the required Union assurance levels for the public sector activity in question.
What this means for you
For public-sector procurement officers, legal advisors, and IT directors, the implementation of CADA requires a shift from generic cloud procurement to a risk-based, sovereignty-aware strategy.
1. Initiate the Article 29 Risk Assessment Immediately
Do not wait for the Commission's implementing acts before starting. Article 29(1) mandates that Member States and Union entities conduct these assessments within one year of the regulation's entry into force. You must map your current and planned cloud activities against the sectors listed in Article 30(3) (NIS2 Annex I/II, defence, justice, etc.). For each activity, you must evaluate the data sensitivity and the risk of third-country access or service disruption to determine whether it "contributes to the preservation of public order."
2. Define Your Procurement Specifications Based on the Assessment
Once your risk assessment identifies an activity as contributing to public order, you must determine the appropriate assurance level (2, 3, or 4). Your tender documents must explicitly require suppliers to hold recognition at that specific level.
- Do not simply ask for "sovereign cloud."
- Do require "Union assurance level [X] as recognised under Article 17."
- Ensure your evaluation criteria exclude any provider that has not undergone the independent third-party audit required for Levels 2-4.
3. Plan for Migration and Transition
If your current cloud provider does not meet the required assurance level for your identified public-order activities, you must plan a migration. Article 29(6) provides a transition period for migration to another cloud computing service, which "shall not exceed 12 months," taking into account technical feasibility, continuity of service, and data portability. Start engaging with providers recognised at the required levels now to avoid service gaps.
4. Leverage Union Added Value Criteria
While the assurance level is a mandatory requirement, Article 32 allows contracting authorities to include non-price award criteria evaluating the tenderer's contribution to the European cloud and AI ecosystem. You can use this to further strengthen your supply chain resilience, provided these criteria are ancillary and not decisive for the award of the contract.
5. Monitor Commission Guidance
The Commission will issue implementing acts detailing the risk assessment methodology. These will provide the templates and specific elements you must use. Staying aligned with these guidance documents is essential to ensure your risk assessments are compliant and defensible against potential challenges or Commission review under Article 29(5).
Common misconceptions
"All NIS2 sectors automatically require Level 4 cloud services." This is incorrect. Being in a sector listed in Annex I or II of the NIS2 Directive only places your activities within the scope of the public order assessment. The required assurance level (2, 3, or 4) is determined by the specific Article 29(1) risk assessment of the activity, not the sector itself. A low-sensitivity administrative task in a healthcare provider may only require Level 2, while a system handling critical, real-time patient data or national security intelligence may require Level 4.
"National security and defence are excluded from CADA." This is incorrect. While national security remains a primary competence of Member States, Article 30(3) explicitly includes "national security" and "defence" as areas where activities contributing to public order must use Level 2-4 services. CADA aims to ensure a harmonised EU framework for cloud sovereignty in these sensitive areas, complementing rather than replacing national security protocols.
"Only the public sector needs to worry about these levels." While CADA's mandatory procurement rules apply to public authorities, Article 31 allows private sector entities operating in sectors listed in NIS2 Annex I to conduct similar impact assessments. Furthermore, the market signal from public procurement will likely drive private sector demand for higher assurance levels, making Level 2-4 compliance a competitive advantage for cloud providers serving critical infrastructure.
"A provider can be Level 1 for one activity and Level 3 for another within the same organisation." Recognition is granted per cloud computing service, not per provider. A provider may offer multiple services, each recognised at different levels. However, a specific service cannot be "partially" Level 3. If your activity requires Level 3, you must procure a service that has been fully recognised as offering Level 3 assurance across all its components relevant to that service.
Related
- Will small public bodies be able to afford CADA procurement fees?
- CADA Procurement Compliance: Who is Responsible in a Public Body?
- Which sectors trigger Level 2, 3 or 4 cloud procurement under CADA?
- What records must a public buyer keep for CADA innovation procurement?
- CADA Article 32: What is the EU hardware criterion for public procurement?
This is general information about a draft EU regulation, not legal advice.