Summary

Before the Cloud and AI Development Act (CADA) becomes applicable, public-sector bodies must execute a three-step compliance sprint: prepare the risk assessment required under Article 29, map workloads to the correct Union assurance levels based on public-order relevance, and review procurement pipelines to align with the mandatory rules in Article 30. Crucially, buyers must verify that potential suppliers are listed in the central repository established under Article 22, as Article 30(4) explicitly ties derogations to the availability of services within that repository. Failure to prepare risks non-compliance with the binding procurement obligations that take effect on the application date, which is set for one year after entry into force under Article 48.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a fundamental shift in how the EU public sector procures cloud computing services. Unlike previous regulations that focused primarily on data protection or cybersecurity, CADA introduces a sovereignty framework designed to reduce dependencies on third-country providers and safeguard the Union's public order. For public-sector bodies, the transition is not merely a technical upgrade but a legal imperative requiring proactive preparation before the regulation's application date.

The Critical Timeline: Article 48 and the One-Year Window

Understanding the legislative timeline is the first step in compliance. Article 48 of the proposal establishes that the Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. However, the Regulation would apply from a date set as one year after its entry into force.

This one-year interim period is not a grace period for inaction; it is a mandatory preparation window. Article 29(1) explicitly mandates that Member States and Union entities must carry out their first risk assessments "by [date of entry into force plus one year]". Since the application date of the Regulation coincides with this deadline, public-sector bodies must have their risk assessments completed and their procurement strategies aligned before the Regulation becomes legally binding. Waiting until the application date to begin these processes would result in immediate non-compliance.

Step 1: Prepare the Risk Assessment (Article 29)

The cornerstone of CADA's sovereignty framework is the risk assessment. Article 29 requires Member States and Union entities to identify public-sector activities that use or will use cloud computing services and contribute to the preservation of public order. This is not a generic IT audit; it is a specific legal determination.

Scope of the Assessment: The assessment must cover activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as specific areas including national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

Key Actions for Public Bodies:

  1. Identify Critical Activities: Review all current and planned cloud-based services to determine which ones fall within the scope of Article 29(1)(a). This includes not only direct government functions but also services that support essential public order functions.
  2. Evaluate Data Sensitivity and Risk: Under Article 29(2), the assessment must consider the sensitivity, criticality, and magnitude of the data processed. It must also assess the risk of unlawful access by a third country or legal entity established in a third country, as well as the risk of service disruption.
  3. Determine the Assurance Level: Based on the findings, the body must determine which Union assurance level (2, 3, or 4) is appropriate for the identified activities, as per Article 29(1)(b).
  4. Utilize Commission Methodology: While the determination is a national obligation, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. Public bodies should prepare to use these implementing acts once adopted to ensure their assessments align with Union-wide standards.

Step 2: Map Workloads to Assurance Levels

Once the risk assessment is underway or completed, public-sector bodies must map their specific workloads to the four Union assurance levels established by the sovereignty framework. Article 16(1) establishes this framework, noting that the detailed criteria are set out in Annex II.

The Assurance Levels:

  • Level 1: The baseline. Applicable to activities not identified as contributing to the preservation of public order.
  • Levels 2, 3, and 4: Required for activities identified as contributing to the preservation of public order. The specific level depends on the severity of the risk and the nature of the data (e.g., classified information).

Mapping Strategy: Public bodies must inventory their cloud workloads and classify them against the criteria in Annex II. Key differentiators include:

  • Location of Infrastructure: Levels 2, 3, and 4 generally require infrastructure and assets to be located in the Union.
  • Personnel: Levels 3 and 4 impose stricter requirements on personnel, including Union citizenship and, where appropriate, national security clearance.
  • Third-Country Control: A critical distinction exists regarding third-country control. Annex II, Section 3.1(g) and Section 4.1(g) state that providers subject to third-country control are generally excluded from Levels 3 and 4. However, a specific derogation exists: a provider may be audited for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. This mechanism is vital for bodies considering providers with non-EU ownership structures.
  • Cybersecurity Certification: Levels 2 and 3 require a European cybersecurity certificate of at least "substantial" assurance, while Level 4 requires "high" assurance.

Step 3: Review Procurement Pipelines (Article 30)

With the risk assessment and workload mapping complete, public bodies must align their procurement pipelines with the binding rules of Article 30. This article applies to contracting authorities procuring cloud computing services for their exclusive use.

The Binding Rules:

  • Article 30(2): Entities whose activities are not identified as contributing to public order must procure services recognized as offering Union assurance level 1.
  • Article 30(3): Entities whose activities are identified as contributing to public order must only procure services recognized as offering Union assurance levels 2, 3, or 4.

The Central Repository Check: A critical compliance step is verifying the status of potential suppliers in the central repository established under Article 22. Article 30 implicitly requires that the services procured are those "recognised under Article 17," which are registered in this repository.

Understanding Derogations (Article 30(4)): Public bodies often fear that the new rules will lock them out of necessary services. Article 30(4) provides a narrow derogation mechanism for exceptional circumstances. However, the conditions are strict and explicitly tied to the repository:

  1. No Service in Repository: The subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository referred to in Article 22.
  2. No Adequate Alternative: No adequate or reasonable alternative or comparable cloud computing service exists.
  3. No Artificial Narrowing: The absence of a service must not be the result of an artificial narrowing of the tender parameters.
  4. Disproportionate Cost: Applying the requirements would require the authority to procure services at disproportionate cost.

Crucially, a public body cannot simply claim a service is unavailable; it must demonstrate that no recognized service exists in the central repository. Therefore, monitoring the repository is not optional; it is a prerequisite for invoking a derogation.

Additional Preparations: Open Source and EuroCloud

Beyond the core sovereignty framework, public bodies should prepare for the open-source and federation measures. Article 41 encourages the use of open-source solutions. Article 42 and Article 43 establish the EU Open Source Solutions Catalogue, while Article 34 creates the EuroCloud Federation. Public bodies should assess whether open-source alternatives or federation membership could provide a compliant, cost-effective path to meeting their assurance level requirements.

What this means for you

For public-sector procurement officers, IT directors, and legal counsel, the period before CADA's application date is a critical window for action. You must move from awareness to execution.

  1. Initiate the Risk Assessment Immediately: Do not wait for the Commission's implementing acts under Article 29(3). Begin the internal process of identifying activities that contribute to public order under Article 29(1). Document your methodology and data sensitivity analysis now.
  2. Audit Your Cloud Inventory: Create a comprehensive list of all cloud services in use and planned. Map each service to the required assurance level based on your risk assessment. Identify any gaps where current providers cannot meet the criteria in Annex II.
  3. Engage with the Central Repository: As soon as the repository is operational, check it daily. Verify which providers are recognized for the levels you need. If your current provider is not listed, engage them immediately to understand their recognition timeline.
  4. Revise Procurement Templates: Update all tender documents to include the mandatory assurance level requirements. Ensure that the "no service available" derogation clause in Article 30(4) is only invoked after a documented check of the central repository.
  5. Plan for Migration: If your current provider cannot achieve the required level (e.g., due to third-country control issues not covered by an Article 18 decision), start planning your migration strategy now. Consider the Data Act's switching provisions to facilitate this transition.
  6. Explore Open Source and Federation: Evaluate whether the EuroCloud Federation or open-source solutions can fill gaps in your procurement pipeline, potentially offering a more resilient and sovereign alternative.

Common misconceptions

"CADA only applies to high-risk AI systems."

  • Reality: CADA's sovereignty framework applies to all cloud computing services procured by public-sector bodies, regardless of whether AI is involved. The risk assessment under Article 29 determines the assurance level for the cloud service itself, not just the AI running on it.

"The GDPR is enough to protect data sovereignty."

  • Reality: While the GDPR protects personal data, it does not address operational autonomy, third-country control, or the risk of service disruption. CADA's framework, specifically the criteria in Annex II regarding personnel citizenship and infrastructure location, goes beyond data protection to ensure the EU retains control over its digital infrastructure.

"I can continue using my current provider if they sign a GDPR-compliant contract."

  • Reality: A GDPR-compliant contract does not automatically make a provider compliant with CADA. Providers must undergo a formal recognition process, including independent audits for levels 2–4, and be listed in the central repository under Article 22. Without this recognition, a public body cannot procure their services for public-order-relevant activities under Article 30(3).

"The risk assessment is a one-time exercise."

  • Reality: Article 29(1) requires risk assessments to be carried out every two years or whenever necessary. Public-sector bodies must establish a continuous process for reviewing and updating their assessments to reflect changing threats and operational needs.

"Third-country control is an absolute bar for Level 3 and 4."

  • Reality: While generally restrictive, Annex II provides a derogation mechanism. A provider subject to third-country control may be recognized for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. Public bodies should monitor the list of such countries.

This is general information about a draft EU regulation, not legal advice.