Summary
Under the proposed Cloud and AI Development Act (CADA), the first mandatory risk assessment for Member States and Union entities is due one year after the Regulation enters into force. Following this initial deadline, these assessments must be repeated every two years, or sooner if circumstances require it, to determine the appropriate Union assurance level for cloud computing services that safeguard public order.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous framework to ensure that public sector cloud procurement aligns with the Union's strategic autonomy and public order requirements. Central to this framework is the obligation for public authorities to assess the risks associated with their cloud computing services. This mechanism is not a static compliance checkbox but a dynamic process designed to adapt to evolving geopolitical threats, technological shifts, and the sensitivity of data processed.
The Initial Deadline: Entry into Force Plus One Year
The timing of the first risk assessment is strictly defined in Article 29(1) of the proposal. The text mandates that Member States and Union entities shall carry out risk assessments "By [date of entry into force plus 1 year]".
This phrasing is critical for legal planning. Unlike regulations that set fixed calendar dates (e.g., "by 1 January 2027"), CADA ties the deadline to the legislative lifecycle of the act itself. According to Article 48, the Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union.
Consequently, the clock for the first risk assessment starts on that twentieth day. For example, if the Regulation were published in the Official Journal on 5 June 2026, it would enter into force on 25 June 2026, and the first risk assessment would be due by 25 June 2027. Because the deadline floats with the publication date, public authorities should monitor the Official Journal closely and have their assessment frameworks ready well before the actual entry into force date.
The Biennial Cadence and "Whenever Necessary" Clause
The obligation to assess risk is continuous, not a one-off event. Article 29(1) explicitly states that after the initial assessment, authorities must conduct these reviews "thereafter every two years, or whenever necessary".
This biennial cadence ensures that the classification of public sector activities remains current. The geopolitical landscape, the threat of third-country interference, and the criticality of specific data sets can change rapidly. A static assessment would quickly become obsolete.
The "whenever necessary" clause introduces a crucial layer of flexibility and urgency. It empowers (and obliges) authorities to trigger an immediate reassessment outside the two-year cycle if specific triggers occur, such as:
- The emergence of a new, significant threat to public order or national security.
- A material change in the nature, sensitivity, or criticality of the data being processed.
- A shift in the status of a cloud service provider, such as a change in ownership by a third-country entity or the imposition of new extraterritorial laws in a provider's home country.
- A change in the operational context of the public sector activity itself.
What the Risk Assessment Must Determine
The core purpose of these assessments, as detailed in Article 29(1)(a) and (b), is to bridge the gap between public sector activities and the required level of cloud sovereignty. The assessment must achieve two specific outcomes:
- Identify Public Order Activities: Authorities must pinpoint which public sector activities use or will use cloud computing services and contribute to the "preservation of public order." The proposal explicitly lists sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and specific areas including national security, internal security, external border management, defence, justice, or law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
- Determine the Appropriate Union Assurance Level: Once activities are identified, the authority must determine which Union assurance level (Level 2, 3, or 4) is appropriate for those activities. This determination dictates the minimum sovereignty requirements the cloud provider must meet.
It is vital to distinguish this from the baseline requirement. Article 30(2) stipulates that public sector bodies whose activities are not identified as contributing to the preservation of public order must still procure cloud services recognised at Union assurance level 1. However, the formal, detailed risk assessment mandated by Article 29 is specifically the mechanism used to justify the move to the higher assurance tiers (2, 3, or 4) required for critical functions.
Methodology, Reporting, and Commission Oversight
To prevent fragmentation and ensure a consistent Union-wide approach, Article 29(3) empowers the Commission to adopt implementing acts that specify the methodology, templates, and elements to be taken into account. This guidance will be essential for authorities, particularly in defining how to apply the highest levels of assurance to the most critical activities, such as those in the defence sector.
The proposal also establishes a robust reporting loop. Under Article 29(4), Member States must provide the Commission with the results of their risk assessments within three months of carrying them out. In this submission, they must indicate any departures from the Commission's implementing acts.
This reporting mechanism allows the Commission to exercise oversight. If the Commission concludes that a Member State's identified assurance level is inappropriate or fails to adequately address public order concerns, Article 29(5) grants the Commission the power to adopt implementing acts to specify the Union assurance levels needed for that specific public sector activity, effectively overriding the national assessment if necessary.
What this means for you
For public-sector procurement officers, IT strategists, and legal counsel, the "entry into force plus one year" deadline represents a critical project milestone that requires immediate preparation.
- Monitor the Official Journal: Do not wait for a fixed calendar date. The deadline is dynamic. As soon as the Regulation is published, the one-year countdown begins.
- Inventory and Map Services: Begin mapping your current and planned cloud computing services against the definitions in CADA. Identify which services support activities related to national security, justice, defence, or critical infrastructure (NIS2 sectors). This mapping is the prerequisite for the Article 29 assessment.
- Prepare for the Methodology: The Commission will issue detailed guidance on the risk assessment methodology. Your teams should be ready to apply this methodology immediately upon its publication to ensure you can meet the one-year deadline from entry into force.
- Plan for Migration: If your risk assessment determines that a current service does not meet the required Union assurance level (2, 3, or 4), Article 29(6) provides a safety net: a reasonable transition period for migration, which shall not exceed 12 months. Counted from the assessment deadline, that gives a maximum of roughly two years from entry into force to fully migrate critical workloads to compliant providers (one year to complete the assessment, then up to 12 months to migrate), and no more than 12 months from the date of the assessment itself.
- Establish Triggers for "Whenever Necessary": Do not rely solely on the two-year cycle. Establish internal governance processes to trigger immediate reassessments if a geopolitical event occurs, a provider changes ownership, or your data sensitivity profile changes.
Common misconceptions
- "The deadline is a fixed calendar date like January 1st." Incorrect. The deadline is dynamically calculated as one year from the Regulation's entry into force. While the Regulation will likely apply one year after entry into force (per Article 48), the specific risk assessment deadline is tied to the entry into force date itself.
- "Only high-risk AI systems need this assessment." Incorrect. While CADA overlaps with the AI Act, the risk assessment in Article 29 applies to cloud computing services used in public order-relevant activities, regardless of whether an AI system is involved. It is a sovereignty and security assessment for cloud infrastructure and services.
- "If we aren't in defence, we don't need to assess." Incorrect. The scope includes national security, internal security, external border management, justice, law enforcement, and sectors under the NIS2 Directive. Many public sector bodies fall into these categories even if they are not strictly "defence."
- "We can outsource the assessment entirely to the cloud provider." Incorrect. Article 29(1) places the obligation squarely on Member States and Union entities. While providers must demonstrate compliance with assurance levels, the public authority is responsible for determining which level is appropriate for its specific activities based on the sensitivity and criticality of its data and functions.
- "The assessment is a one-time event." Incorrect. The requirement is ongoing. Article 29(1) mandates a biennial review (every two years) and an immediate review "whenever necessary."
Official sources
Related
- How does a CADA risk assessment determine when to migrate cloud services?
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
- What triggers cloud migration after a CADA risk assessment?
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
- What public sector activities must be identified in a CADA risk assessment?
This is general information about a draft EU regulation, not legal advice.