Summary

Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must submit the results of their public sector cloud risk assessments to the European Commission within three months of completing the assessment, as mandated by Article 29(4). This report is not merely a notification; it must explicitly detail the identified Union assurance levels for public order activities and, crucially, indicate where the assessment departs from the Commission's implementing acts on methodology. The Commission retains the power to review these submissions and, if necessary, adopt binding implementing acts to specify the required assurance levels if the national assessment is deemed insufficient to protect public order.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework to safeguard the Union's public order by reducing dependencies on third-country cloud providers. A cornerstone of this framework is the risk assessment mechanism detailed in Title IV, Chapter II, Section 1. Unlike voluntary compliance exercises, these assessments are legally binding prerequisites for public procurement and are subject to direct EU-level oversight to ensure a consistent baseline of sovereignty protection across all Member States.

The Reporting Obligation: Article 29(4)

The core reporting requirement is found in Article 29(4) of the proposal. This provision creates a strict procedural timeline and a specific content requirement for the submission to the Commission.

The text of Article 29(4) states:

"Within three months of carrying out the risk assessments referred to in paragraph 1, Member States shall provide the Commission with the results of those risk assessments, indicating where they depart from the implementing acts referred to in paragraph 3."

This clause establishes three critical facts for compliance:

  1. The Deadline: The submission window is exactly three months from the date the risk assessment is "carried out." This is not a rolling annual deadline but a trigger-based obligation. Once the assessment process is concluded, the clock starts immediately.
  2. The Recipient: The results must be provided directly to the European Commission, not just to national archives or internal bodies.
  3. The Content Requirement: The report must do more than list results; it must explicitly indicate where they depart from the implementing acts. This is a transparency mechanism designed to highlight national deviations from the EU-wide methodology.

The Context: Risk Assessment Cycles and Scope

To understand the report, one must understand the assessment it summarises. Under Article 29(1), Member States and Union entities must conduct these risk assessments:

  • Initial Deadline: By one year after the regulation enters into force.
  • Frequency: Thereafter, every two years, or whenever necessary.

The assessment must identify public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and specific areas such as national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

For each identified activity, the assessment must determine which Union assurance level (Level 2, 3, or 4) is appropriate. This determination relies on assessing the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries or service disruption.

Methodology and the Requirement to Report Departures

The Commission is empowered under Article 29(3) to adopt implementing acts that specify the methodology, templates, and elements to be used for these risk assessments. This ensures that a "high risk" in one Member State is calculated using the same criteria as in another.

However, the proposal acknowledges that national circumstances may vary. Article 29(4) specifically addresses this by requiring Member States to report any departures from the Commission's methodology.

What constitutes a "departure"? A departure occurs when a Member State or Union entity:

  • Uses a different risk calculation model than the one prescribed in the implementing acts.
  • Applies a different template for documenting the assessment.
  • Considers elements not specified in the Commission's guidance, or omits elements that are required.
  • Determines an assurance level based on criteria that diverge from the standard methodology.

Why is this critical? If a Member State fails to report a departure, the Commission may assume the assessment was conducted in full compliance with the EU methodology. If the Commission later reviews the results and finds that the assurance level assigned is inappropriate (e.g., assigning Level 2 to a defence activity that should be Level 4), the lack of a reported departure could complicate the legal basis for the Commission's intervention. Conversely, a clearly reported departure allows the Commission to evaluate the justification for the deviation.

The Commission's Review and Intervention Powers

The submission of the report triggers the Commission's supervisory role under Article 29(5). This article grants the Commission the authority to intervene if the national assessment is found lacking.

The text of Article 29(5) provides:

"If the Commission concludes, after reviewing the results of the risk assessment or assessments of a Member State, that the Union assurance level identified for the public sector activity in a risk assessment is not appropriate or does not adequately address the public order concerns, the Commission may adopt implementing acts in accordance with Article 46(2) specifying the Union assurance levels needed for the public sector activity."

This creates a "safety net" for public order. Even if a Member State follows its own methodology (and reports the departure), the Commission retains the final say on whether the resulting assurance level is sufficient. If the Commission deems the level too low, it can issue a binding implementing act to override the national decision and mandate a higher assurance level.

What this means for you

For public sector bodies, national competent authorities, and procurement officers, the requirements of Article 29(4) transform risk assessment from an internal administrative task into a high-stakes compliance exercise with direct EU oversight.

1. Strict Adherence to the Three-Month Window

The three-month submission window is non-negotiable. It begins the moment the risk assessment is "carried out" (i.e., when the final determination of assurance levels is made).

  • Action: Establish an internal trigger mechanism. As soon as the risk assessment committee signs off on the final report, the clock starts. Do not wait for the end of the fiscal year or a scheduled reporting cycle.
  • Risk: Missing this deadline could be viewed as a failure to cooperate with the Commission's monitoring obligations, potentially delaying the validation of your procurement requirements.

2. The "Departure" Declaration is Mandatory

You cannot simply submit the results; you must actively identify and document any deviations from the Commission's methodology.

  • Action: Before submission, conduct a gap analysis between your assessment process and the Commission's implementing acts (once adopted). If you used a different risk matrix, a different template, or excluded a specific data category, you must explicitly state this in the report.
  • Strategy: If you have a valid reason for a departure (e.g., specific national security constraints not covered by the EU template), document the justification clearly. This prepares the ground for the Commission's review and reduces the likelihood of a corrective implementing act.

3. Prepare for Commission Intervention

Under Article 29(5), the Commission can override your assessment.

  • Action: Ensure your assessment is robust and evidence-based. If you assign a lower assurance level (e.g., Level 2) to a critical activity, be prepared to defend it with data on mitigating controls. If the Commission disagrees, it can legally mandate a higher level (e.g., Level 3 or 4), which would immediately alter your procurement strategy under Article 30.
  • Impact: A Commission-imposed assurance level change could invalidate existing tenders or require immediate migration to a higher-assurance provider.

4. Link to Procurement Strategy

The risk assessment report is the legal foundation for your procurement obligations.

  • Action: Align your procurement teams with the assessment timeline. Under Article 30(3), if an activity is identified as contributing to public order, you must procure only services recognised at Union assurance levels 2, 3, or 4. If the Commission reviews your report and changes the required level, your procurement specifications must be updated immediately to reflect the new binding requirement.

Common misconceptions

Misconception 1: "The report is just a formality; the Commission won't change our assessment." Reality: Article 29(5) explicitly grants the Commission the power to adopt implementing acts to specify assurance levels if it finds the national assessment "not appropriate." The Commission can override national decisions to ensure public order is adequately protected.

Misconception 2: "We can wait until the end of the year to submit all our assessments." Reality: Article 29(4) mandates submission "within three months of carrying out the risk assessments." The deadline is triggered by the completion of the assessment, not by a calendar date. If you complete an assessment in March, you must submit by June, regardless of the annual cycle.

Misconception 3: "If we follow our own national methodology, we don't need to report it." Reality: Article 29(4) specifically requires Member States to indicate "where they depart from the implementing acts." Failing to report a departure is a failure to comply with the reporting obligation. The Commission needs to know if you deviated to properly evaluate the results.

Misconception 4: "Only national security activities need to be assessed." Reality: The scope is broader. Article 29(1) includes sectors under the NIS2 Directive (energy, transport, health, etc.) and areas like internal security, border management, and law enforcement. Any public sector activity in these domains that uses cloud services and contributes to public order must be assessed and reported.

This is general information about a draft EU regulation, not legal advice.