Summary
Under the proposed Cloud and AI Development Act (CADA), a mandatory cloud migration is triggered when a Member State's or Union entity's risk assessment determines that current cloud services do not meet the required Union assurance level necessary to preserve public order. Article 29(6) explicitly mandates that where such a migration is required, the Member State or Union entity must complete the transition within a reasonable period that shall not exceed 12 months. This deadline accounts for technical feasibility, service continuity, and data portability, creating a strict compliance window for public-sector bodies to switch to sovereign providers.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen the EU's cloud and AI ecosystem, with a specific focus on reducing dependencies on third-country providers and safeguarding public order. At the heart of this framework lies the risk assessment mechanism detailed in Article 29. This mechanism is not merely a compliance exercise; it is the primary trigger for operational change. When a risk assessment concludes that a current cloud service poses a risk to public order due to insufficient sovereignty guarantees, it legally compels the public body to migrate to a compliant service.
The Trigger: Misalignment Between Risk and Assurance
The obligation to conduct risk assessments is established in Article 29(1). Member States and Union entities must carry out these assessments within one year of the Regulation's entry into force, and subsequently every two years, or "whenever necessary." The purpose of these assessments is twofold:
- To identify public sector activities that contribute to the preservation of public order, particularly in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement.
- To determine the appropriate Union assurance level (Level 2, 3, or 4) required for those specific activities.
A migration is triggered when a gap is identified between the current state of the cloud service and the required state determined by the assessment. For instance, if a public body currently utilizes a cloud service recognised only at Union assurance level 1 (the baseline), but the risk assessment determines that the activity involves critical public order functions requiring Level 2, 3, or 4, a migration becomes mandatory. Similarly, if a provider is subject to third-country control that cannot be mitigated under the criteria for any assurance level, the assessment will necessitate a switch to a provider that can meet the required criteria.
The Legal Mandate: Article 29(6) and the 12-Month Deadline
The specific provision that converts a risk finding into a binding migration order is Article 29(6). This paragraph addresses the operational reality of moving from a non-compliant or lower-assurance service to a compliant one.
The text of Article 29(6) states:
"Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."
This provision establishes a clear, non-negotiable timeline. The phrase "shall migrate" creates a mandatory obligation. The "reasonable transition period" offers a degree of flexibility to account for the complexity of moving large-scale public infrastructure, but the clause "shall not exceed 12 months" sets an absolute upper limit. This means that regardless of the complexity of the migration, the public body must complete the switch within one year of the assessment requiring it.
Factors Influencing the Migration Timeline
While the 12-month cap is strict, Article 29(6) requires entities to balance this deadline against three critical operational factors:
- Technical Feasibility: The migration must be technically possible within the timeframe. This includes the ability to move workloads, applications, and data architectures to the new sovereign environment without requiring a complete rebuild of the IT stack that would exceed the 12-month window.
- Continuity of Service: Public services, particularly in critical sectors like healthcare, justice, and emergency response, cannot be interrupted. The migration plan must ensure that service delivery remains uninterrupted during the transition.
- Data Portability Requirements: The migration must adhere to data portability standards. This aligns with the broader EU data governance framework, including the Data Act, which aims to reduce vendor lock-in. The entity must ensure that data can be securely and completely transferred to the new provider without loss or corruption.
Interaction with Procurement Rules (Article 30)
The migration triggered by the risk assessment is inextricably linked to the procurement obligations set out in Article 30. Once the risk assessment determines the required assurance level, Article 30 dictates the procurement constraints:
- Article 30(2) mandates that Union entities and public sector bodies whose activities are not identified as contributing to public order preservation must use services recognised at Union assurance level 1.
- Article 30(3) mandates that contracting authorities whose activities are identified as contributing to public order preservation must only procure services recognised as having Union assurance level 2, 3, or 4.
Therefore, the risk assessment does not just suggest a migration; it legally restricts the procurement options. If a public body's current provider cannot be recognised at the required level (e.g., due to third-country control issues that cannot be mitigated), the body is legally barred from renewing its contract and must migrate to a compliant provider.
The Commission's Oversight Role
To ensure consistency across the Union, the Commission plays a supervisory role. Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements for risk assessments. Furthermore, Article 29(5) grants the Commission the power to intervene if it concludes that a Member State's risk assessment has identified an inappropriate assurance level. If the Commission determines that the level identified by a Member State does not adequately address public order concerns, it can adopt implementing acts specifying the required Union assurance levels. This could indirectly trigger a migration if a Member State had previously assessed a lower risk than the Commission deems necessary, forcing a re-evaluation and subsequent migration.
What this means for you
For public-sector IT directors, procurement officers, and legal counsel, the CADA proposal introduces a rigorous, time-bound compliance regime. The era of indefinite contract renewals with non-compliant providers is ending.
Actionable Steps for Compliance:
- Immediate Audit of Current Services: Map your existing cloud services against the proposed Union assurance levels defined in Annex II. Determine if your current provider can realistically achieve the necessary certification (Level 2, 3, or 4) within a reasonable timeframe. If they cannot, a migration is inevitable.
- Prepare Migration Plans Early: Do not wait for the risk assessment to be completed. If your activity is likely to be classified as "public order" relevant, start planning your migration immediately. The 12-month clock starts the moment the assessment requires the migration, not when the Regulation enters into force. Delaying the assessment could compress your transition window dangerously.
- Evaluate Data Portability and Technical Debt: Assess the technical debt and data lock-in risks with your current provider. Ensure that data export mechanisms are robust and that you have a clear strategy for data transfer that meets security and integrity standards, as required by Article 29(6).
- Align Procurement Cycles: Coordinate your IT migration strategy with your procurement cycles. Ensure that upcoming tenders explicitly require the Union assurance level determined by your risk assessment, as mandated by Article 30.
- Engage with National Competent Authorities: Designate your national competent authority early, as they will oversee the recognition process for cloud providers. Understanding their procedures for auditing and recognizing providers will help you select a compliant vendor faster.
Common misconceptions
Misconception 1: The 12-month period is a guarantee of success. Reality: The 12-month period is a maximum deadline, not a promise that migration will be easy. Article 29(6) requires the period to be "reasonable," considering technical feasibility. If a migration is technically impossible within 12 months, the entity must still complete it within that timeframe, implying that preparation must begin well in advance. The law does not provide an extension for technical difficulty; it places the burden of preparation on the public body.
Misconception 2: Only critical sectors need to migrate. Reality: While the highest assurance levels (2-4) apply to activities preserving public order, Article 30(2) mandates that all Union entities and public sector bodies use at least Union assurance level 1. If your current provider cannot meet even Level 1 criteria (e.g., due to third-country control issues that cannot be mitigated), a migration is still triggered. No public body is exempt from the baseline sovereignty requirement.
Misconception 3: Risk assessments are one-time events. Reality: Article 29(1) requires assessments every two years, or "whenever necessary." This means your cloud strategy must be dynamic. A change in the threat landscape, the nature of your data processing, or the emergence of new third-country laws could trigger a new assessment and a subsequent migration requirement at any time.
Misconception 4: Data portability is handled automatically by providers. Reality: While the Data Act facilitates switching, Article 29(6) places the onus on the Member State or Union entity to manage the migration. You are responsible for ensuring that data portability requirements are met during the transition, not your cloud provider. The "reasonable transition period" is your responsibility to manage.
This is general information about a draft EU regulation, not legal advice.