Summary

As proposed in the Cloud and AI Development Act (CADA), Member States and Union entities must complete their first sovereignty risk assessments within one year of the Regulation entering into force. Article 29(1) mandates that these assessments be repeated every two years thereafter, or whenever necessary. Under Article 29(4), the results of these assessments must be submitted to the European Commission within three months of completion. These deadlines are binding for all public sector bodies and Union entities procuring cloud services.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a rigorous timeline for public authorities to evaluate the sovereignty risks of their cloud computing services. This process is not merely a technical exercise but a legal prerequisite for determining which "Union assurance level" (1, 2, 3, or 4) must be procured. The specific deadlines and recurrence intervals are strictly codified in Article 29 of the proposal.

The Initial Deadline: One Year After Entry Into Force

The clock for CADA compliance begins the moment the Regulation enters into force. Article 29(1) explicitly states that Member States and Union entities shall carry out risk assessments "by [date of entry into force plus 1 year]."

This one-year window is the critical first milestone for public sector bodies. During this period, authorities must:

  1. Identify Activities: Map all public sector activities that use or will use cloud computing services.
  2. Determine Public Order Relevance: Assess whether these activities contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas of national security, internal security, external border management, defence, justice, or law enforcement.
  3. Assign Assurance Levels: For each identified activity, determine whether Union assurance level 2, 3, or 4 is appropriate.

This initial assessment is foundational. It dictates the minimum assurance level required for all subsequent procurement under Article 30. If an activity is not identified as contributing to public order, the default minimum is Union assurance level 1. If it is identified as critical, the authority must procure services at level 2, 3, or 4.

Recurrence: Every Two Years and "Whenever Necessary"

CADA treats sovereignty risk as a dynamic variable, not a static compliance checkbox. Article 29(1) mandates that after the initial assessment, Member States and Union entities must carry out these assessments "thereafter every two years."

This biennial cycle ensures that the classification of public sector activities remains aligned with the evolving technological landscape, emerging threats, and changes in the nature of public services. The two-year interval is designed to balance the need for up-to-date risk management with the administrative burden on public authorities.

However, the Regulation includes a crucial flexibility clause: "or whenever necessary." This provision empowers Member States and Union entities to conduct ad-hoc risk assessments outside the standard two-year cycle if significant changes occur. While the text does not provide an exhaustive list of triggers, the context of the proposal suggests that the following scenarios would necessitate an immediate reassessment:

  • Data Sensitivity Shifts: A change in the nature of data being processed (e.g., moving from administrative data to classified or highly sensitive personal data).
  • Threat Landscape Evolution: New evidence of third-country interference, extraterritorial legal threats, or operational discontinuity risks.
  • Service Migration: The introduction of new cloud services, migration to new providers, or significant architectural changes (e.g., moving to a multi-cloud strategy).
  • Legal Framework Changes: Updates to national or Union laws affecting data sovereignty or public order definitions.

Reporting Results to the Commission

Completing the assessment is only half of the obligation; transparency and oversight are central to the CADA framework. Article 29(4) imposes a strict reporting deadline: "within three months of carrying out the risk assessments referred to in paragraph 1, Member States shall provide the Commission with the results of those risk assessments."

This three-month window is non-negotiable. The report must include the results of the assessment and, critically, must indicate "where they depart from the implementing acts referred to in paragraph 3."

The Commission's role in this process is supervisory but potent:

  1. Consistency Check: The Commission reviews whether Member States are applying the risk assessment methodology consistently across the Union.
  2. Deviation Justification: If a Member State chooses a different assurance level than what the Commission's methodology (to be issued under Article 29(3)) suggests, they must explicitly justify this deviation in their report.
  3. Intervention Power: Under Article 29(5), if the Commission concludes that the assurance level identified by a Member State is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the correct Union assurance levels for that specific activity. This effectively overrides the national decision.

Scope of the Assessment

To meet these deadlines, authorities must understand the depth of the analysis required. Article 29(2) lists the specific aspects that must be considered in every assessment:

  • The sensitivity, criticality, and magnitude of non-personal data processed.
  • The nature, scope, context, and purpose of processing personal data, including the risk to the rights and freedoms of data subjects.
  • The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
  • The risk and consequent impact on public order of possible service disruption.

Furthermore, Article 29(9) requires authorities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement planning. This ensures that risk mitigation includes architectural resilience, not just provider selection.

What this means for you

For public-sector procurement officers, IT strategists, and legal counsel, the CADA risk assessment deadlines impose a strict project management timeline. The "one-year" rule means that the clock starts ticking immediately upon the Regulation's entry into force, not its application date.

Immediate Actions Required:

  1. Inventory Cloud Usage: Begin mapping all current and planned cloud computing services immediately. Identify which services support activities related to national security, defence, justice, or critical infrastructure (NIS2 sectors).
  2. Monitor Methodology Guidelines: The Commission will issue implementing acts under Article 29(3) specifying the methodology, templates, and elements for the risk assessment. These will be the blueprint for your compliance. Monitor for their publication closely.
  3. Plan for Biennial Reviews: Integrate a two-year review cycle into your strategic planning. Ensure that your procurement cycles align with these assessments so that tender documents reflect the correct Union assurance levels at the time of procurement.
  4. Build Reporting Capacity: Establish an internal process to compile and submit results to the national competent authority (which will forward them to the Commission) within the three-month window. Delays in reporting could trigger Commission intervention under Article 29(5).

Migration Planning: If a risk assessment determines that a current cloud service does not meet the required assurance level, Article 29(6) provides a migration window. Member States or Union entities must migrate to a compliant service within a "reasonable transition period that shall not exceed 12 months." This means your risk assessment must also trigger a migration plan if gaps are identified.

Common misconceptions

Misconception 1: The risk assessment is only for high-security agencies. While Article 29(1) highlights sectors like defence and justice, the obligation applies to all Member States and Union entities. Even if an activity is not deemed "critical," it still requires an assessment to determine if it falls under Union assurance level 1 (the minimum for all public procurement under Article 30). You cannot skip the assessment; you must formally classify the activity.

Misconception 2: The assessment is a one-off compliance checkbox. CADA explicitly requires a repeat every two years. Assuming that a classification made in year one remains valid indefinitely is a compliance risk. The "whenever necessary" clause further underscores that dynamic changes in your IT environment may trigger an immediate need for reassessment.

Misconception 3: The Commission conducts the assessment for you. No. Article 29(1) places the obligation squarely on Member States and Union entities. The Commission's role is to provide the methodology (Article 29(3)), receive the results (Article 29(4)), and intervene only if the Member State's assessment is deemed inappropriate (Article 29(5)). You are responsible for the analysis and the conclusion.

Misconception 4: Private companies must follow these exact deadlines. Article 29 applies strictly to public sector bodies. Private sector entities in critical sectors (listed in Annex I of NIS2) are addressed under Article 31, which allows them to carry out "similar assessments." However, Article 31 does not impose the same mandatory biennial deadline or reporting obligation to the Commission as Article 29 does for the public sector. Private entities may be required to conduct impact assessments if the Commission adopts delegated acts under Article 31(3), but this is a separate legal track with different timelines.

This is general information about a draft EU regulation, not legal advice.