Summary

As proposed, Article 30(3) of the Cloud and AI Development Act (CADA) would require public buyers to procure cloud computing services recognised at Union assurance level 2, 3 or 4 — and only those — when their activities have been identified as contributing to the preservation of public order. That trigger is set by the Article 29(1) risk assessment, and it bites for activities in NIS2 sectors (Annex I or II of Directive (EU) 2022/2555) and in national security, internal security, external border management, defence, justice or law enforcement. Activities not so identified fall under the level-1 baseline in Article 30(2). The risk assessment also fixes which of levels 2, 3 or 4 is appropriate.

Detail

CADA would replace fragmented national approaches with a single "Union assurance level" system (Article 16, criteria in Annex II). For public procurement, the rule has a baseline and a heightened tier.

The baseline: level 1

As a default, Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must procure services recognised at level 1 (Article 30(2)). This covers general administration and other non-critical activities.

The trigger for levels 2, 3 or 4 (Article 30(3))

The higher obligation is not automatic for all public bodies — it is tied to the risk assessment. Article 30(3) provides that contracting authorities (including entities acting on their behalf) whose activities have been identified under Article 29(1) as contributing to the preservation of public order shall only procure services recognised at level 2, 3 or 4.

Which sectors and activities

Article 30(3) (mirroring Article 29(1)(a)) names two groups:

  • sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2); and
  • the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.

If a buyer's cloud use supports activities in these domains and the risk assessment identifies them as contributing to public order, level 1 is insufficient and the buyer must look to its risk assessment to determine whether level 2, 3 or 4 applies.

How the risk assessment fixes the level (Article 29)

Under Article 29(1), Member States and Union entities must, by entry into force plus one year and every two years thereafter (or whenever necessary): (a) identify the public-order activities; and (b) determine which of levels 2, 3 or 4 set out in Annex II is appropriate. In doing so, Article 29(2) requires them to consider at least:

  • the sensitivity, criticality and magnitude of the non-personal data processed, including the potential impact on public order, and the nature, scope, context and purpose of any personal-data processing and the risk to data subjects' rights;
  • the risk and impact on public order of unlawful access (under Union law) to that data by a third country or an entity established in one; and
  • the risk and impact on public order of possible service disruption.

The Commission specifies the methodology and templates by implementing act, and that methodology must specify how Member States use the highest level of assurance for the most critical activities, "including, but not limited to, defence" (Article 29(3)). If the Commission concludes a Member State's chosen level is inappropriate, it may specify the required level by implementing act (Article 29(5)).

Transition and migration

Where a risk assessment requires migrating to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period that "shall not exceed 12 months," taking account of technical feasibility, continuity of service and data portability (Article 29(6)).

Derogations (Article 30(4))

On an exceptional, duly justified basis, an authority may depart from the level requirement where: the subject matter cannot be supplied by recognised services in the central repository and no adequate alternative exists (and that gap is not from artificial narrowing of the tender); a similar procurement in the previous year drew no suitable tenders or participants; or compliance would mean disproportionate cost.

What this means for you

For public-sector procurement teams handling sensitive activities, this is the part of CADA most likely to reshape supplier shortlists.

  1. Check your risk-assessment status first. Before tendering, confirm whether your activity has been identified under Article 29 as contributing to public order. If you handle defence, justice, border, law-enforcement or NIS2-sector data, you are a strong candidate for the level 2/3/4 rule.
  2. Procure recognised services, not labels. You must buy services recognised under Article 17 and listed in the central repository (Article 22). A vendor's "EU-only" claim is not the same as a recognised assurance level.
  3. Match the level to the assessment. You cannot pick an arbitrary level — the appropriate level (2, 3 or 4) is the one the risk assessment determines for that activity; the methodology pushes the highest level for the most critical activities.
  4. Plan migration on the 12-month clock. If your current provider does not meet the required level, Article 29(6) caps the transition period at 12 months. Begin feasibility and portability planning early.
  5. Re-assess at least every two years, or sooner if your processing activities change materially.

Common misconceptions

"All public-sector cloud must be level 3 or 4." No. Only activities identified as contributing to public order require levels 2, 3 or 4; ordinary activities require level 1.

"Sovereign just means EU-hosted." EU hosting features in level 1, but the higher levels add stricter conditions, including on third-country control of the provider and the audited service. A service can be EU-hosted yet fail a higher level.

"I can freely pick level 4 for anything (or level 2 for a critical defence system)." No. The level must match the risk profile the Article 29 assessment assigns; the most critical activities, including defence, attract the highest level.

This is general information about a draft EU regulation, not legal advice.