Summary Under Article 29(1) of the proposed Cloud and AI Development Act (CADA), Member States and Union entities (institutions, bodies, offices, and agencies) are legally mandated to carry out risk assessments for their public sector activities. These assessments are the critical gateway to determining the appropriate "Union assurance level" (Levels 2, 3, or 4) required to safeguard the Union's public order. The proposal explicitly acknowledges that where responsibilities for a public sector activity are shared between a Member State and a Union entity, they shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly to ensure coherence and avoid duplication.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a paradigm shift in how the EU manages its digital infrastructure. Moving beyond technical cybersecurity standards, CADA introduces a sovereignty framework designed to mitigate risks arising from third-country control, extraterritorial access, and service disruption. At the heart of this framework lies the risk assessment mechanism established in Article 29. This is not a voluntary best practice; it is a binding legal obligation for specific public actors to determine the sovereignty requirements of their cloud procurement.
The Obligated Actors: Member States and Union Entities
Article 29(1) clearly delineates the scope of entities required to perform these assessments. The obligation falls on two distinct categories of public actors:
- Member States: This encompasses the national governments of the 27 EU Member States and their constituent public sector bodies. This includes central ministries, regional authorities, and local administrations that procure or use cloud computing services.
- Union Entities: Defined in Article 2(7) of the proposal, this category includes the Union institutions, bodies, offices, and agencies established by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU), or the Treaty establishing the European Atomic Energy Community. This covers the European Commission, the European Parliament, the Council, and decentralized agencies such as Europol, Frontex, or the European Medicines Agency.
The timeline for compliance is strict. Article 29(1) mandates that these entities must carry out their first risk assessments by the date one year after the Regulation enters into force. Following this initial assessment, the obligation recurs every two years, or whenever necessary to reflect changes in the threat landscape or operational context.
The Dual Purpose of the Assessment
The risk assessment under CADA serves two specific, interlinked legal functions as outlined in Article 29(1)(a) and (b):
- Identification of Public Order Activities: The entity must identify which of its public sector activities "contribute to the preservation of public order." The proposal provides a non-exhaustive but highly specific list of sectors and areas where this presumption is strong. These include sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as activities in the areas of:
  - National security
  - Internal security
  - External border management
  - Defence
  - Justice
  - Law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences)
- Determination of Assurance Levels: Once an activity is identified as contributing to public order, the entity must determine which Union assurance level (Level 2, 3, or 4) is appropriate. It is crucial to note that Article 30(2) establishes Union assurance level 1 as the baseline for all public sector activities not identified as contributing to public order. Therefore, the Article 29 assessment is the trigger that elevates procurement requirements from the baseline (Level 1) to the higher, more restrictive tiers (Levels 2 to 4).
Joint Assessments for Shared Responsibilities
A significant innovation in Article 29(1) is the provision for collaborative governance. The proposal recognizes that modern public services often involve complex cooperation between national authorities and EU-level bodies. To prevent fragmented or contradictory assessments, the text states:
"Where Union entities and Member States share responsibilities in relation to the public sector activities, they shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly."
This clause imposes a duty to consider joint action. If a specific activity, such as cross-border law enforcement data analysis or joint defence procurement, is managed jointly by a national ministry and a Union agency, they are expected to align their risk methodologies. A joint assessment ensures that the resulting assurance level is consistent across the entire operation, preventing a scenario where one partner procures a Level 2 service while the other procures a Level 3 service for the same shared infrastructure.
Methodology and Commission Oversight
While the obligation lies with the Member States and Union entities, the proposal ensures harmonization through Commission guidance. Article 29(3) empowers the Commission to adopt implementing acts that specify the methodology to be applied, the templates to be used, and the elements to be taken into account. Crucially, this methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, including defence.
The assessment must consider at least the following aspects, as listed in Article 29(2):
- The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order.
- The nature, scope, context, and purpose of processing of personal data, and the risk of varying likelihood and severity for the rights and freedoms of data subjects.
- The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
Transparency and oversight are built into the process. Article 29(4) requires Member States to provide the results of their risk assessments to the Commission within three months of carrying them out, indicating where they depart from the Commission's implementing acts. Furthermore, Article 29(5) grants the Commission the power to intervene: if it concludes that a Member State's identified assurance level is inappropriate or fails to address public order concerns, the Commission may adopt implementing acts to specify the Union assurance levels needed for that specific activity.
What this means for you
For public sector procurement officers, IT directors, and legal counsel within Member States and Union entities, Article 29 represents a fundamental change in the procurement lifecycle.
1. The "Public Order" Test is Mandatory: You can no longer assume that a standard cloud contract is sufficient. You must first conduct a formal risk assessment to determine if your activity contributes to public order. If it does, you are legally barred from procuring a Level 1 service. You must procure a service recognized at Level 2, 3, or 4, depending on your assessment.
2. Joint Projects Require Joint Governance: If your organization collaborates with an EU agency or another Member State, do not conduct your risk assessment in a silo. Article 29(1) explicitly encourages joint assessments. Failing to align with your partner's assessment could lead to a situation where your shared infrastructure is non-compliant because the assurance levels do not match the highest risk profile of the joint activity.
3. Documentation and Reporting are Non-Negotiable: The assessment is not an internal memo. You must document your findings using the Commission's templates (once adopted) and submit the results to the Commission within three months. Be prepared for the Commission to review your assessment and potentially override your chosen assurance level if they deem it insufficient for public order protection.
4. Migration Deadlines are Tight: If your risk assessment determines that your current cloud provider does not meet the required assurance level, Article 29(6) imposes a strict migration timeline. You must migrate to a compliant service within a reasonable transition period that shall not exceed 12 months. This period must account for technical feasibility, continuity of service, and data portability, but the 12-month cap is a hard constraint.
5. Private Sector Impact: While Article 29 applies to the public sector, the ripple effects are significant. Private cloud providers seeking to serve the public sector must now align their offerings with these specific assurance levels. Furthermore, Article 31 allows private entities in high-criticality sectors to conduct similar impact assessments, creating a de facto market standard that may eventually influence private procurement beyond the public sector.
Common misconceptions
Misconception 1: "Only national governments need to worry about this." Correction: Article 29(1) explicitly includes Union entities. This means the European Commission, the European Parliament, and all EU agencies (e.g., Europol, EMA, EASA) are directly obligated to perform these assessments. The definition of "Union entities" in Article 2(7) is broad and covers the entire EU institutional architecture.
Misconception 2: "This is just another cybersecurity audit." Correction: While cybersecurity is a component, the CADA risk assessment is fundamentally about sovereignty and public order. It evaluates the risk of third-country access, extraterritorial legal interference, and service disruption. It determines the level of sovereignty required, which then dictates procurement rules under Article 30. A service can be technically secure (cybersecurity) but fail the sovereignty test (e.g., if controlled by a third country).
Misconception 3: "Private companies must do this assessment." Correction: The mandatory, standardized risk assessment under Article 29 is a public-sector obligation. Private companies are not required to perform this specific assessment. However, Article 31 allows private entities in sectors of high criticality (listed in Annex I of the NIS2 Directive) to carry out similar impact assessments, and the Commission may mandate them for specific high-criticality cases via delegated acts.
Misconception 4: "If I use a major global provider, I am safe." Correction: "Trust" in a brand name is irrelevant under CADA. The regulation replaces subjective trust with objective, audited Union assurance levels. Even if you believe a major provider is safe, you must formally assess whether their recognized assurance level matches the risk profile of your specific public order activity. If the provider is not recognized at the required level (e.g., Level 3 for a law enforcement activity), you are non-compliant regardless of the provider's reputation.
Related
- Can private-sector entities carry out CADA-style risk assessments?
- Can Member States and Union entities carry out joint CADA risk assessments?
- Who sets the methodology for CADA risk assessments?
- What templates must be used for CADA risk assessments?
- CADA Risk Assessments: What Cloud Providers Must Know
This is general information about a draft EU regulation, not legal advice.