Summary

The proposed Cloud and AI Development Act (CADA) creates significant sovereignty pressure on the healthcare sector by mandating that public hospitals and health authorities procure cloud services meeting strict "Union assurance levels." As proposed, public bodies processing health data must conduct risk assessments to determine if their activities affect public order, often requiring them to switch to sovereign cloud providers recognized under the new framework. This creates a direct procurement constraint, limiting the use of non-compliant third-country providers for critical health infrastructure while simultaneously signaling to private healthcare entities that similar standards will likely follow.

Detail

CADA aims to reduce the EU's dependence on non-European cloud providers by establishing a harmonized sovereignty framework. For the healthcare sector, this introduces specific legal obligations and market pressures designed to ensure that sensitive health data and critical operational infrastructure remain under EU control.

Healthcare as a Strategic Sector

The proposal explicitly identifies healthcare as a domain involving critical data. Recital 24 states that the Cloud and AI Leadership Initiatives should ensure the uptake of cloud services provided by European providers, "particularly in sectors such as healthcare and education which involve the processing of critical data." This recognition elevates healthcare from a general public service to a strategic priority for technological sovereignty, implying that the data processed in this sector is too sensitive for unverified external dependencies. The proposal further notes in Recital 22 that AI models and systems should be used to support better decision-making in "critical public domains such as healthcare," reinforcing the sector's centrality to the Act's objectives.

The Sovereignty Framework and Assurance Levels

At the core of CADA's pressure on healthcare is the "Union cloud computing sovereignty framework" established in Article 16. This framework defines four "Union assurance levels" (1 through 4) with cumulative criteria for cloud providers. These criteria include requirements for infrastructure location, data residency, personnel citizenship, and cybersecurity certification. Providers must be recognized by national competent authorities as meeting these levels before they can serve certain public sector contracts.

Crucially, the cybersecurity certification requirements differ by level. Under Annex II, Union assurance levels 2 and 3 require a European cybersecurity certificate of at least assurance level "substantial," while level 4 requires a certificate of at least assurance level "high" (the assurance levels are those of the European cybersecurity certification framework under the Cybersecurity Act, Regulation (EU) 2019/881). This distinction matters for healthcare providers handling highly sensitive or classified information, as the "high" assurance level imposes stricter cybersecurity requirements on the certified service and its evaluation.

Procurement Obligations for Public Hospitals

Article 30 imposes direct procurement obligations on contracting authorities, including public hospitals and health agencies. The requirements are tiered based on a mandatory risk assessment:

  1. Baseline Requirement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognized as having at least Union assurance level 1 (Article 30(2)).
  2. Enhanced Requirement: Contracting authorities whose activities have been identified as contributing to the preservation of public order (specifically in sectors falling under Annex I or II of the NIS2 Directive, which includes healthcare) must procure services recognized as having Union assurance level 2, 3, or 4 (Article 30(3)).

Because healthcare is listed as a sector of high criticality under Annex I of NIS2, public health providers are highly likely to fall into the second category. This means they cannot simply choose the cheapest or most convenient global cloud provider; they must select from a pool of providers that have undergone independent audits and met strict sovereignty criteria, such as ensuring that no third-country legal entity can access the data or disrupt service continuity.

Risk Assessments and Migration

To determine which assurance level applies, Member States and Union entities must carry out risk assessments (Article 29). These assessments evaluate the sensitivity of data, the risk of unlawful access by third countries, and the impact of potential service disruptions on public order. If a risk assessment determines that a public hospital's current cloud provider does not meet the required assurance level, the authority must migrate to a compliant service within a reasonable transition period, not exceeding 12 months (Article 29(6)).

The risk assessment must consider the "sensitivity, criticality, and magnitude of the non-personal data processed" and the "risk and consequent impact on public order of unlawful access under Union law to such data by a third country" (Article 29(2)). For healthcare, where data breaches and outages can directly affect patient safety and public trust, the "public order" threshold is likely to be met readily, making the higher assurance levels (2, 3, or 4) the probable default.

Spillover to Private Healthcare

While Article 30 primarily binds public contracting authorities, CADA anticipates a broader market shift. Recital 66 notes that "requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

Consequently, private healthcare providers operating in high-criticality sectors (as defined in Annex I of the NIS2 Directive) may be subject to impact assessments and risk mitigation measures (Article 31). This creates a de facto pressure for private hospitals and health-tech companies to adopt sovereign cloud solutions to maintain interoperability with public systems and meet emerging regulatory expectations. The Commission may even adopt delegated acts to specify the need for such impact assessments for private entities in sectors of high criticality (Article 31(3)).

What this means for you

For public-sector procurement officers in the healthcare sector, CADA introduces a fundamental shift in vendor selection criteria. You can no longer treat cloud computing as a purely technical or commercial decision; it is now a sovereignty and security compliance issue.

  • Conduct Early Risk Assessments: You must prepare for the mandatory risk assessments under Article 29. Identify which of your cloud workloads process sensitive health data or support critical hospital operations. Determine if these activities fall under the "preservation of public order" threshold. If they do, you are legally required to procure only from providers with Union assurance levels 2, 3, or 4.
  • Audit Your Current Providers: Review your existing cloud contracts. Do your current providers have recognition under the proposed CADA framework? If they are third-country providers without an associated adequacy decision or specific Commission recognition (Article 18), they may not qualify for the higher assurance levels. Begin planning for migration if necessary, keeping the 12-month transition window in mind.
  • Prioritize Sovereign Options: In your tender documents, include the new "Union added value" criteria (Article 32). You can now evaluate tenders based on the provider's contribution to the European cloud ecosystem, including the use of EU-designed hardware and software. This allows you to favor European providers without violating competition law, as long as technical and financial criteria remain primary.
  • Monitor the Central Repository: The Commission will maintain a central repository of recognized services (Article 22). Use this list to identify compliant vendors. Do not assume a provider is compliant based on marketing claims; verify their recognition status in the official repository.
  • Prepare for Private Sector Alignment: Even if you are a private healthcare provider, be aware that public partners may require interoperability with sovereign clouds. Adopting a multi-cloud strategy that includes a sovereign EU provider may be necessary to maintain partnerships with public health agencies.

Common misconceptions

"CADA bans all non-European cloud providers." This is incorrect. CADA does not ban third-country providers outright. However, for public sector entities dealing with critical data like healthcare, the sovereignty criteria (such as data residency and absence of third-country control) are so strict that most non-EU hyperscalers will struggle to qualify for the higher assurance levels (2, 3, or 4). Furthermore, third-country providers can only be considered for Union assurance level 3 if the Commission has specifically recognized their country as providing sufficient safeguards (Article 18), which is a high bar.

"Only the most sensitive military or defense data needs sovereign clouds." CADA extends sovereignty requirements to a broader range of public services. Because healthcare is explicitly named as a sector involving critical data (Recital 24) and is covered by NIS2, public health infrastructure is subject to the same rigorous procurement rules as other critical sectors. The risk assessment determines the level, but the baseline for healthcare is high.

"GDPR compliance is enough for healthcare clouds." GDPR focuses on data protection and privacy rights. CADA focuses on sovereignty and operational autonomy. A provider can be GDPR-compliant but still fail CADA's sovereignty criteria if, for example, their infrastructure is subject to the extraterritorial laws of a third country that could allow unauthorized data access or service disruption. CADA addresses these non-technical, geopolitical risks that GDPR does not cover.

"Private hospitals are exempt from CADA." While Article 30's direct procurement mandates apply to public bodies, Recital 66 and Article 31 indicate that private entities in critical sectors will face similar pressures. The EU expects private healthcare providers to conduct impact assessments and adopt mitigation measures, effectively creating a market standard for sovereign cloud usage across the entire health sector.

This is general information about a draft EU regulation, not legal advice.