Summary
Under the proposed Cloud and AI Development Act (CADA), public-sector bodies must procure cloud computing services at Union assurance levels 2, 3, or 4 if their activities contribute to the preservation of public order. This obligation specifically targets sectors listed in Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), alongside activities in national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences). A formal risk assessment under Article 29 determines the precise assurance level required for each activity, while Article 30(3) mandates that contracting authorities in these domains "shall only procure" services recognised at the determined level.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a tiered sovereignty framework designed to protect the Union's public order. While the regulation sets a baseline for all public procurement, it imposes stricter, mandatory requirements on specific high-risk sectors. Understanding which sectors trigger these elevated requirements is critical for compliance.
The Baseline: Union Assurance Level 1
As proposed, Article 30(2) establishes a universal minimum standard. Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must procure cloud computing services recognised as offering Union assurance level 1. This level serves as the default for general administrative functions, non-critical digital services, and activities where the risk of third-country interference or service disruption is deemed low.
The Trigger: Article 30(3) and Public Order
The obligation to procure services at Union assurance levels 2, 3, or 4 is triggered when a contracting authority's activities are identified as contributing to the preservation of public order. Article 30(3) explicitly defines the scope of these activities. If a public body operates in any of the following domains, it may no longer rely on services recognised only at Level 1 and must instead procure services recognised at Level 2, 3, or 4:
- Sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2 Directive): This encompasses the critical infrastructure sectors defined in the NIS2 framework. These include, but are not limited to, energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, space, and public administration.
- National Security: Activities directly related to the protection of the state and its core interests against external and internal threats.
- Internal Security: Measures taken to maintain public order and safety within the state, including the protection of critical infrastructure from sabotage or terrorism.
- External Border Management: Operations related to the control, surveillance, and management of the EU's external borders.
- Defence: Military activities, defence procurement, and operations related to national defence capabilities.
- Justice: Judicial processes, the administration of justice, and the functioning of courts and tribunals.
- Law Enforcement: This category is defined broadly in the proposal to include the prevention, investigation, detection, and prosecution of criminal offences. This extends beyond traditional police forces to include agencies with investigative mandates, such as customs authorities, financial intelligence units, and anti-corruption bodies, depending on national legal definitions.
The Determination Mechanism: Article 29 Risk Assessments
While Article 30(3) identifies which sectors trigger the need for higher assurance, it does not automatically assign a specific level (2, 3, or 4) to every activity within those sectors. The specific level is determined through a risk assessment conducted by Member States and Union entities under Article 29.
Under Article 29(1), these bodies must carry out risk assessments to:
- Identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order.
- Determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.
The assessment must consider several factors, including:
- The sensitivity, criticality, and magnitude of the personal and non-personal data processed.
- The potential impact on public order.
- The risk of unlawful access by a third country or a legal entity established in a third country.
- The risk of service disruption.
For instance, a local police department (law enforcement) might determine via its risk assessment that its public-facing website for reporting minor crimes requires Union assurance level 2, while its database for active criminal investigations, witness protection, and sensitive evidence requires Union assurance level 4. The risk assessment provides the proportional justification for these distinctions, ensuring that the regulatory burden matches the actual risk.
Procurement Obligations and Enforcement
Once the risk assessment under Article 29 identifies an activity as requiring a higher assurance level, Article 30(3) imposes a strict procurement mandate: contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This creates a binding barrier to entry. If a cloud provider has not undergone the independent third-party audit and recognition process for the specific level required by the risk assessment, it cannot legally supply that public sector body for that specific use case. Article 29(6) further mandates that if migration to a compliant service is required, it must occur within a reasonable transition period not exceeding 12 months, taking into account technical feasibility, continuity of service, and data portability.
What this means for you
For public-sector procurement officers, legal advisors, and IT directors, the implementation of CADA requires a rigorous, two-step compliance process for all new and existing cloud computing contracts.
1. Map Your Activities to Article 30(3)
First, conduct a comprehensive review of your organisation's core functions.
- Check NIS2 Status: If your body falls within the sectors listed in Annex I or II of the NIS2 Directive (e.g., a regional hospital, a water utility, a transport authority, a digital infrastructure provider), you are automatically subject to the higher assurance requirements. You cannot default to Union assurance level 1 for these core activities.
- Check Functional Mandates: Even if you are not a NIS2 entity, if your mandate involves national security, defence, justice, or law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences), you fall under the Article 30(3) trigger.
2. Conduct or Review Your Article 29 Risk Assessment
You must ensure that a valid, documented risk assessment is in place for every cloud-dependent activity. This assessment is not a one-time exercise; it must be updated every two years or whenever necessary (Article 29(1)).
- Specificity is Key: The assessment must explicitly state which assurance level (2, 3, or 4) is required for each specific activity. A generic "we need high security" statement is insufficient.
- Data Classification: Clearly classify the data processed in your cloud environments. Higher sensitivity (e.g., classified information, sensitive personal data) and criticality (e.g., life-critical systems) will likely push your requirement toward levels 3 or 4.
- Documentation: Keep detailed records of the methodology used. Under Article 29(5), the Commission may review these assessments and, if it concludes that the identified level does not adequately address public order concerns, it may adopt implementing acts specifying the required level.
3. Adjust Procurement Specifications
Update your tender documents to mandate the specific Union assurance level determined by your risk assessment.
- Verification: Only accept bids from providers who hold a valid recognition for the required level. You can verify this status in the central repository of recognised services maintained by the Commission under Article 22.
- Transition Planning: If your current cloud provider does not meet the required level, you must initiate a migration plan immediately. Article 29(6) provides a maximum transition period of 12 months. Failure to migrate within this timeframe could result in non-compliance with the procurement mandate.
Common misconceptions
Misconception 1: All NIS2 sectors automatically require Level 4. Reality: The sector triggers the need for a higher level (2, 3, or 4), but the specific level is determined by the risk assessment. A hospital's patient portal handling sensitive health data may require Level 4, while its general staff scheduling system might only require Level 2. The risk assessment ensures proportionality, preventing unnecessary regulatory burden on lower-risk activities within critical sectors.
Misconception 2: Law enforcement only applies to police forces. Reality: Article 30(3) defines law enforcement broadly to include the "prevention, investigation, detection and prosecution of criminal offences." This can encompass customs authorities, financial intelligence units, tax authorities with investigative powers, and other agencies with law enforcement mandates, depending on national legal definitions.
Misconception 3: Union assurance levels replace cybersecurity certifications. Reality: While levels 2–4 require a European cybersecurity certificate of at least "substantial" assurance (Level 2/3) or "high" assurance (Level 4) under the Cybersecurity Act, the CADA assurance levels include additional sovereignty criteria. These include data localisation, personnel citizenship (conditional at Level 2, mandatory at Levels 3/4), and freedom from third-country control. A service can be cyber-secure but fail the sovereignty criteria for Level 3 or 4.
Misconception 4: Private companies in NIS2 sectors must comply. Reality: Article 30 applies specifically to contracting authorities (public sector bodies). Private entities operating in NIS2 sectors are not directly mandated to procure Level 2–4 services under CADA. However, Article 31 allows them to conduct similar impact assessments, and they may face significant market pressure to comply if their public-sector partners require it.
Official sources
Related
- What sectors count as preserving public order for CADA procurement?
- What is CADA's Union assurance level 1 minimum procurement rule?
- CADA Procurement: Level 1 vs Level 2-4 Obligations Explained
- CADA Procurement Derogations: When can a public buyer avoid assurance-level requirements?
- Will small public bodies be able to afford CADA procurement fees?
This is general information about a draft EU regulation, not legal advice.