Summary
The proposed Cloud and AI Development Act (CADA) does not mandate a single, fixed assurance level for all patient and medical records. Instead, it establishes a risk-based framework where Member States and Union entities must conduct assessments under Article 29 to determine if specific healthcare activities contribute to the preservation of public order. If an activity is deemed critical to public order, procurement must meet Union Assurance Levels 2, 3, or 4 as defined in Article 16 and Annex II. For non-critical healthcare activities, the baseline requirement remains Union Assurance Level 1. Recital 63 explicitly confirms that the "sensitivity, criticality and magnitude" of personal data are the primary factors in this mapping, meaning the level depends on the specific risk profile of the data processing activity, not merely the sector.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a nuanced, risk-based framework for cloud sovereignty rather than a flat, sector-wide mandate. For CTOs, architects, and compliance officers evaluating the impact on patient data systems, understanding the interplay between Article 16 (the sovereignty framework), Article 29 (risk assessments), and Annex II (specific criteria) is critical. The regulation treats healthcare not as a monolith, but as a spectrum of activities ranging from routine administrative processing to critical national health infrastructure.
The Four Union Assurance Levels
Under Article 16, CADA establishes a Union cloud computing sovereignty framework comprising four "Union assurance levels." These levels dictate the strictness of the requirements a cloud computing service provider must meet to be recognized as offering a specific level of trust. The criteria for these levels are detailed in Annex II of the proposal.
- Union Assurance Level 1: This is the baseline for public sector procurement. Providers must be established in the Union, with infrastructure and assets located in the Union (unless the public sector body explicitly requires otherwise). Customer data, including metadata and telemetry, must remain exclusively within the Union. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency around subcontractors. This level relies on a conformity self-assessment by the provider.
- Union Assurance Level 2: This level introduces stricter controls and requires independent third-party auditing. It mandates that the audited provider and its subcontractors be established in the Union, with infrastructure, assets, and personnel located in the Union. Crucially, it requires that data generated by using the audited service are not used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country, and are not transferred outside the Union in any case. It also requires a European cybersecurity certificate of at least assurance level 'substantial' (once established under the Cybersecurity Act) or an equivalent national scheme.
- Union Assurance Level 3: This level adds significant personnel restrictions. It requires that the personnel involved in the provision of the service, including those of subcontractors, are Union citizens. It also requires that technical and operational support be initiated and performed exclusively within the Union by personnel who are Union residents. Like Level 2, it prohibits the use of data for training third-country AI systems.
- Union Assurance Level 4: This is the highest level of assurance, designed for the most critical scenarios. It retains the requirements of Levels 2 and 3 but adds a strict prohibition on third-country control: the audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. It requires a European cybersecurity certificate of at least assurance level 'high'.
The Role of Article 29: Risk Assessments
The specific assurance level applicable to patient and medical records is not automatically assigned by the text of CADA. Instead, Article 29 places the onus on Member States and Union entities to determine the appropriate level through mandatory risk assessments.
Article 29(1) requires Member States and Union entities to carry out risk assessments to:
- Identify public sector activities that use cloud computing services and contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in areas such as national security, internal security, external border management, defence, justice, or law enforcement.
- Determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities.
Article 29(2) specifies that these risk assessments must consider at least the following aspects:
- The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order.
- The nature, scope, context, and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.
- The risk of unlawful access under Union law to such data by a third country or a legal entity established in a third country.
- The risk of possible service disruption.
For healthcare, this means a national epidemiological surveillance system or a critical care registry might be assessed as contributing to public order, triggering the requirement for Levels 2–4. Conversely, a local clinic's appointment scheduling system might not meet this threshold, remaining at Level 1.
Mapping Data Sensitivity to Assurance Levels: Recital 63
While Article 29 provides the mechanism, Recital 63 provides the guiding principle for how data sensitivity should influence the choice of assurance level. It states:
"In their risk assessments, Union entities and Member State shall assess the sensitivity, criticality and magnitude of personal and non-personal data processed in cloud environment. Such processing may include ordinary business information, commercially sensitive information, operationally critical data, personal data within the meaning of Regulation (EU) 2016/679, and data that is subject to sector-specific obligations under Union law..."
Recital 63 further clarifies that the Commission will provide centrally coordinated guidance on the mapping between Union assurance levels and categories of information, taking into account the sensitivity, criticality, and magnitude of the data. This means that while patient records are inherently sensitive under the GDPR, their classification under CADA's sovereignty framework depends on whether their compromise would threaten public order or critical infrastructure resilience. The regulation acknowledges that not all personal data carries the same risk to public order; the assessment must weigh the "magnitude" of the data against the potential impact.
Procurement Obligations Under Article 30
The outcome of the Article 29 risk assessment directly dictates procurement rules under Article 30:
- Article 30(2): Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having Union Assurance Level 1.
- Article 30(3): Contracting authorities whose activities have been identified as contributing to the preservation of public order (which may include certain critical healthcare infrastructure or national health registries) must only procure cloud computing services recognized as having Union Assurance Levels 2, 3, or 4.
This creates a bifurcated market for healthcare providers: those serving critical national functions must meet the highest sovereignty standards, while those serving routine administrative needs face a lower baseline.
What this means for you
For CTOs, architects, and SMEs operating in the healthcare sector, the practical implications are significant but require careful navigation of national risk assessments.
- Do Not Assume a Single Level: You cannot assume that all patient data automatically falls under Level 3 or 4. However, you should prepare for the possibility that national health registries, critical care systems, or health data used for national security purposes (e.g., pandemic response coordination) may be classified as critical. The distinction lies in the "public order" impact defined in Article 29.
- Focus on Level 2 Baseline for Sensitive Data: Given the sensitivity of medical records and the explicit prohibition in Annex II (Levels 2–4) against using customer data to train third-country AI models, any provider aiming to serve the public healthcare sector in the EU should likely target at least Union Assurance Level 2. This ensures compliance with the strict data residency and AI training restrictions that will be expected for sensitive personal data.
- Monitor National Risk Assessments: Since Article 29 requires Member States to conduct these assessments, you must monitor the outcomes in each country where you operate. A hospital system in one Member State might be deemed non-critical (Level 1), while a national health insurance database in another might be deemed critical (Level 3). The regulation allows for national discretion within the EU framework.
- Audit Readiness: If you aim for Levels 2–4, you must be prepared for independent third-party audits (Article 20). This includes demonstrating that your software supply chain is transparent, that you have a complete Software Bill of Materials (SBOM), and that you have controls to prevent remote tampering or disruption by third countries.
- AI Training Restrictions: A key differentiator for Levels 2–4 is the ban on using customer data to train AI models operated by third-country entities. If your cloud service uses customer data for model improvement, you must ensure this training happens exclusively within the Union and does not involve third-country operators. This is a hard constraint in Annex II for Levels 2, 3, and 4.
Common misconceptions
"All patient data requires Level 4." No. Level 4 is reserved for the most critical activities, likely those involving national security or high-level state functions where third-country control is strictly prohibited. Most routine healthcare data processing will likely fall under Level 1 or 2, depending on the national risk assessment. Level 4 requires that the provider not be subject to third-country control, a very high bar that excludes many global providers even if they have EU subsidiaries.
"CADA replaces GDPR for medical records." No. CADA complements, not replaces, the GDPR. Recital 63 explicitly references the GDPR's definition of personal data. You must still comply with GDPR's strict rules on health data (special category data) while also meeting CADA's sovereignty and operational autonomy requirements. CADA addresses the "where" and "who controls" aspects, while GDPR addresses the "how" and "why" of data processing.
"Assurance levels are fixed for the healthcare sector." No. The levels are determined by activity and risk, not just sector. A university hospital's research data might have a different risk profile than a national epidemiological surveillance system. The risk assessment under Article 29 is the deciding factor. The regulation explicitly states that the assessment must consider the "sensitivity, criticality and magnitude" of the data, allowing for a tailored approach.
"Self-certification is enough for all levels." No. Only Union Assurance Level 1 allows for conformity self-assessment (Article 19). Levels 2, 3, and 4 require independent third-party audits by accredited auditing organizations (Article 20). This ensures that higher assurance levels are backed by objective verification of the provider's claims regarding sovereignty and security.
This is general information about a draft EU regulation, not legal advice.