Summary
Under the proposed Cloud and AI Development Act (CADA), the default baseline for public sector cloud procurement is Union assurance level 1. However, a distinct, mandatory tier applies to activities identified as contributing to the preservation of public order. These activities (spanning sectors listed in the NIS2 Directive and critical sovereign functions such as defence, justice, and law enforcement) must procure cloud services recognised at Union assurance level 2, 3, or 4. The specific tier required is not arbitrary; it is determined by a mandatory risk assessment conducted by Member States and Union entities under Article 29(1), which then triggers the procurement obligations in Article 30(3).
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" designed to mitigate risks arising from third-country dependencies. While the framework includes four assurance levels, the regulatory burden is tiered based on the sensitivity of the public sector activity. The pivotal mechanism separating general public sector use from critical public-order functions is the risk assessment process.
The Trigger: Risk Assessments under Article 29(1)
The determination of whether an activity requires the heightened scrutiny of levels 2, 3, or 4 is governed by Article 29(1) of the proposal. This article imposes a proactive duty on Member States and Union entities to carry out risk assessments. These assessments must be conducted within one year of the Regulation's entry into force and repeated every two years, or whenever necessary.
The scope of these assessments is explicitly defined. Member States and Union entities must identify public sector activities that:
- Use or will make use of cloud computing services; and
- Contribute to the preservation of public order.
The proposal defines "public order" activities through two specific lenses:
- Sectors under the NIS2 Directive: Activities falling within sectors listed in Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive). This includes essential and important entities in energy, transport, banking, health, digital infrastructure, and public administration.
- Core Sovereign Functions: Activities in the areas of national security, internal security, external border management, defence, justice, or law enforcement. This explicitly covers the prevention, investigation, detection, and prosecution of criminal offences.
Once an activity is identified within these categories, the risk assessment must determine which specific Union assurance level (2, 3, or 4) is appropriate. The assessment must consider the sensitivity, criticality, and magnitude of the data processed, the risk of unlawful access by a third country, and the potential impact on public order should service continuity be disrupted.
The Consequence: Procurement Obligations under Article 30(3)
The outcome of the Article 29 risk assessment directly dictates the procurement rules under Article 30. The proposal creates a binary distinction in procurement obligations based on the risk assessment findings:
- The Baseline (Article 30(2)): For Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order, the requirement is to use cloud computing services recognised as having Union assurance level 1.
- The Public Order Mandate (Article 30(3)): For contracting authorities whose activities have been identified as contributing to the preservation of public order under Article 29(1), the rule is strict: they shall only procure cloud computing services that have been recognised as having Union assurance level 2, 3, or 4.
This sets a hard floor for critical activities. A public body cannot simply procure a Level 1 service for a law enforcement database or a defence logistics system, even if that service is commercially available and GDPR-compliant. The procurement specification must explicitly demand a service recognised at Level 2, 3, or 4.
The proposal does provide for derogations on an exceptional basis (Article 30(4)), such as when no recognised service exists in the central repository, when previous similar procurements failed to yield suitable tenders, or where compliance would impose disproportionate costs. However, these exceptions are narrowly construed and require rigorous justification.
Specific Activities Requiring Higher Tiers
The intersection of Article 29(1) and Article 30(3) means that a wide array of public sector functions will be subject to the higher assurance tiers. These can be categorised as follows:
1. NIS2 Directive Sectors
Any public sector activity within the sectors defined in Annex I or II of the NIS2 Directive that contributes to public order will trigger the higher tier requirement. Key sectors include:
- Energy: Electricity, hydrogen, gas, and oil supply and distribution.
- Transport: Air, rail, water, and road transport management and infrastructure.
- Banking and Financial Market Infrastructure: Critical payment systems and market infrastructures.
- Health: Hospitals, clinics, research institutes, and manufacturers of critical medical devices.
- Drinking Water and Waste Water: Supply and distribution networks.
- Digital Infrastructure: Internet Exchange Points (IXPs), DNS service providers, cloud computing service providers, data centre service providers, and top-level domain (TLD) name registries.
- Public Administration: Central and regional government services.
- Space: Satellite operations and space-based services.
- Postal and Courier Services: Essential delivery networks.
2. Core Sovereign Functions
Beyond the sectoral list, CADA explicitly identifies functional areas where public order is inherently at stake. Activities in these domains will almost invariably require assurance levels 2, 3, or 4, with the specific level depending on the sensitivity of the data and the criticality of the function:
- National Security: Intelligence gathering, strategic planning, and the protection of state secrets.
- Internal Security: Police operations, counter-terrorism, and crisis management coordination.
- External Border Management: Asylum processing systems, visa databases, and border control technologies.
- Defence: Military operations, defence research and development, and defence procurement.
- Justice: Court case management systems, prison management, and legal databases.
- Law Enforcement: Criminal investigation, prosecution support, and crime prevention activities.
Distinguishing Between Levels 2, 3, and 4
While Article 30(3) mandates that public-order activities must use levels 2, 3, or 4, the specific tier is determined by the outcome of the Article 29 risk assessment, measured against the criteria set out in Annex II. The requirements escalate significantly with each level:
- Union Assurance Level 2: This is the entry tier for public-order activities. It requires the provider and subcontractors to be established in the Union, with infrastructure, assets, and personnel located within the Union. Data must remain exclusively within the Union. Crucially, it requires a European cybersecurity certificate of at least assurance level 'substantial'. It also imposes strict controls to prevent third-country control from restricting service delivery or accessing data.
- Union Assurance Level 3: This tier adds a critical personnel requirement: personnel involved in the provision of the service must be Union citizens, and where appropriate, hold necessary national security clearances. It also introduces a specific derogation mechanism under Article 18: a provider subject to third-country control may still qualify for Level 3 if the Commission has adopted an implementing act identifying that third country as providing sufficient safeguards (e.g., via an adequacy decision and specific legal guarantees).
- Union Assurance Level 4: This is the highest tier, reserved for the most sensitive activities, such as those handling classified information. It requires that the provider and subcontractors are not subject to the control of a third country (with no derogation for third-country control). It mandates a European cybersecurity certificate of at least assurance level 'high'. It also requires strict separation from any third-country subsidiaries and ensures that technical support is performed exclusively within the Union by Union residents.
What this means for you
For public sector procurement officers, IT directors, and legal counsel, CADA represents a fundamental shift from a "compliance-by-contract" approach to a "sovereignty-by-design" approach. You can no longer rely solely on standard data processing agreements or general cybersecurity certifications to manage third-country risks for critical services.
Actionable Steps for Public Sector Bodies:
- Map Your Activities: Conduct an immediate inventory of all current and planned cloud computing engagements. Cross-reference these against the sectors in the NIS2 Directive and the functional areas listed in Article 29(1) (defence, justice, law enforcement, etc.).
- Prepare for Risk Assessments: The mandatory risk assessment under Article 29 is not optional. Begin documenting the sensitivity, criticality, and magnitude of the data processed in each activity. Assess the specific risks of third-country access and service disruption.
- Update Procurement Specifications: Revise your tender documents and procurement strategies. For any activity identified as contributing to public order, explicitly require cloud services that hold recognition for Union assurance level 2, 3, or 4. Do not accept Level 1 services for these critical use cases.
- Verify via the Central Repository: Once the framework is operational, use the central repository of recognised services (established under Article 22) to verify that potential providers hold the necessary assurance levels before awarding contracts.
- Plan for Migration: If your current critical services do not meet the required assurance levels, initiate migration planning immediately. Article 29(6) stipulates that where migration is required, it must occur within a reasonable transition period not exceeding 12 months, taking into account technical feasibility and data portability.
Common misconceptions
Misconception 1: All public sector cloud use requires Level 2, 3, or 4. This is incorrect. CADA establishes a tiered approach. General administrative tasks, internal HR systems, or non-critical public information portals that do not contribute to the preservation of public order only require Union assurance level 1. The higher levels are reserved strictly for activities with a direct impact on national security, critical infrastructure, or justice.
Misconception 2: GDPR compliance is sufficient for public-order activities. While the GDPR protects personal data, it does not address operational autonomy, service continuity, or the extraterritorial reach of third-country laws that could compel data access or disrupt services. CADA's sovereignty framework addresses these broader security risks. A service may be fully GDPR-compliant but fail to meet the infrastructure location, personnel citizenship, or third-country control requirements of Union assurance level 2, 3, or 4.
Misconception 3: Private companies are excluded from these rules. The mandatory procurement rules in Article 30 apply specifically to contracting authorities and public sector bodies. However, Article 31 encourages private sector entities operating in sectors of high criticality (as defined in NIS2) to conduct similar impact assessments. Furthermore, the market signal created by public procurement will likely drive private sector adoption of higher assurance levels, especially for suppliers seeking to work with the public sector.
Misconception 4: Assurance levels are static. Assurance levels are dynamic. The Commission is empowered to review and update the criteria in Annex II every 18 months (Article 16(3)), and risk assessments must be repeated every two years (Article 29(1)). An activity that requires Level 2 today might require Level 3 in the future if the threat landscape evolves or if the sensitivity of the data increases.
Official sources
Related
- How does a CADA risk assessment determine the required Union assurance level?
- Does the CADA methodology require the highest assurance level for defence?
- Can a contracting authority skip the assurance level required by a CADA risk assessment?
- Can a CADA risk assessment require a higher assurance level over time?
- Can a CADA risk assessment lower the assurance level for an activity?
This is general information about a draft EU regulation, not legal advice.