Summary

Under the proposed Cloud and AI Development Act (CADA), the European Commission, not individual Member States, sets the specific methodology for public sector risk assessments. As proposed in Article 29(3), the Commission is empowered to adopt implementing acts to define the precise methodology, standardized templates, and mandatory elements that Member States and Union entities must use. These acts are adopted via the committee procedure in Article 46(2), ensuring a harmonized approach across the EU. Crucially, the methodology must explicitly specify how the highest Union assurance levels are applied to the most critical public sector activities, including defence, to safeguard public order.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive sovereignty framework to mitigate risks associated with dependence on third-country cloud providers. A pivotal mechanism within this framework is the obligation for Member States and Union entities to conduct risk assessments to determine the appropriate "Union assurance level" required for their cloud computing services. While the obligation to assess lies with national authorities, the methodology governing these assessments is centrally defined to prevent fragmentation of the single market.

The Central Role of Article 29(3)

Although Article 29(1) mandates that Member States and Union entities carry out risk assessments to identify public sector activities contributing to the preservation of public order, it does not leave the question of how those assessments are carried out to national discretion. To ensure consistency, legal certainty, and the integrity of the digital single market, Article 29(3) explicitly delegates the power to define the technical and procedural framework to the European Commission.

The text of Article 29(3) states:

"The Commission shall, by means of implementing acts in accordance with Article 46(2), specify the methodology to be applied, the templates to be used and the elements to be taken into account by the Member States and Union entities for the purpose of carrying out the risk assessments referred to in paragraph 1."

This provision creates a binding hierarchy:

  1. The Obligation: Member States must assess risks (Article 29(1)).
  2. The Framework: The Commission defines the methodology, templates, and elements (Article 29(3)).
  3. The Procedure: The Commission adopts these specifications via implementing acts under the committee procedure (Article 46(2)).

The methodology will not be a suggestion but a mandatory standard. It will detail the step-by-step process for evaluating risks related to data sensitivity, criticality, and magnitude. Furthermore, it will provide standardized templates to ensure that risk assessment results are comparable across all Member States, facilitating cross-border cooperation and enforcement.

The Procedural Gatekeeper: Article 46(2)

The reference to Article 46(2) is procedurally critical. Article 46 establishes the committee procedure for the adoption of implementing acts. Specifically, Article 46(2) states that where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. This refers to the "examination procedure."

Under this procedure:

  • The Commission drafts the implementing acts specifying the risk assessment methodology.
  • A committee composed of representatives from all Member States reviews the draft.
  • The committee votes on the draft. If the committee delivers a positive opinion, the Commission adopts the act. If the committee delivers a negative opinion, the Commission cannot adopt the act. If no opinion is delivered, the Commission may generally adopt the act but must notify the European Parliament and Council.

This mechanism ensures that the methodology is not unilaterally imposed by the Commission but is subject to scrutiny and approval by Member State representatives. It balances the need for EU-wide harmonization with the practical realities of national administrative systems.

Mandating the Highest Assurance for Critical Sectors

The most significant aspect of the Commission's mandated methodology is its treatment of critical sectors. Article 29(3) explicitly requires that the methodology specify "how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence."

This clause serves two purposes:

  1. Clarity for Critical Infrastructure: It removes ambiguity for sectors like defence, law enforcement, and national security. The Commission's implementing acts will likely include a mapping or guidance that automatically triggers the highest Union assurance levels (Levels 3 or 4, as defined in Annex II) for activities deemed vital to public order.
  2. Proportionality: While the framework is risk-based, the methodology ensures that the highest risks receive the highest protection. For example, activities involving the processing of classified information or those essential for national security will be required to procure services recognized at Union assurance levels 3 or 4, which mandate strict criteria such as Union-only personnel, no third-country control, and exclusive data localization.

The Lifecycle of the Risk Assessment

The proposal outlines a rigorous timeline and feedback loop for these assessments:

  • Frequency: Member States and Union entities must conduct risk assessments within one year of the Regulation's entry into force, and thereafter every two years or whenever necessary (Article 29(1)).
  • Reporting: Within three months of carrying out the assessments, Member States must provide the results to the Commission, indicating where they depart from the implementing acts (Article 29(4)).
  • Commission Intervention: If the Commission concludes that a Member State's identified assurance level is inappropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the correct level (Article 29(5)).
  • Migration: If a risk assessment requires migration to a higher assurance level, the Member State or Union entity must migrate within a reasonable transition period not exceeding 12 months (Article 29(6)).

What this means for you

For in-house counsel, compliance officers, and public sector procurement teams, the centralization of methodology-setting under Article 29(3) has profound practical implications:

  1. Do Not Prematurely Finalize Protocols: You cannot finalize your internal risk assessment protocols yet. While the obligation exists in the proposal, the specific templates, scoring mechanisms, and methodological steps are "to be defined in secondary legislation." Designing a framework now without alignment to the eventual Commission template risks non-compliance or costly rework once the implementing acts are published.
  2. Prepare for Strict Defence Requirements: If your organization operates in defence, law enforcement, or critical infrastructure, anticipate that the Commission's methodology will mandate the highest assurance levels. Begin auditing your current cloud providers against the stringent criteria for Union Assurance Levels 3 and 4 (e.g., no third-country control, Union-only personnel, exclusive data localization) to identify gaps early.
  3. Engage in the Article 46(2) Process: As the Commission drafts the implementing acts under Article 46(2), there will be opportunities for stakeholder feedback through the committee procedure. Engaging during this phase is crucial to ensure the methodology is practical for your specific operational context while meeting the Commission's harmonization goals.
  4. Document Departures Rigorously: If your Member State's risk assessment departs from the Commission's implementing acts, you must be prepared to justify this to the Commission (Article 29(4)). Ensure your compliance team maintains robust documentation for any such deviations, as the Commission has the power to override national decisions if they are deemed inappropriate (Article 29(5)).
  5. Plan for Rapid Migration: If a risk assessment determines that you must migrate to a higher assurance level, you have a maximum of 12 months to complete the migration (Article 29(6)). Start planning vendor transitions and data portability strategies now to avoid service disruption, as the transition window is tight.

Common misconceptions

Misconception 1: Member States can design their own risk assessment methodologies. Reality: While Member States conduct the assessments, they cannot invent their own methodology. Article 29(3) requires them to use the methodology, templates, and elements specified by the Commission's implementing acts. National discretion is limited to the application of the method to specific national contexts, not the design of the method itself.

Misconception 2: The methodology is already fixed in the CADA text. Reality: The CADA proposal sets the obligation to assess, but how the assessment is carried out is delegated. The specific steps, templates, and criteria are not in the main text of the Regulation but will be introduced later via implementing acts. Compliance officers must monitor for these secondary measures, which are the actual operational rules.

Misconception 3: All public sector activities require the highest assurance levels. Reality: The framework is proportionate. Only activities identified as contributing to the preservation of public order in critical sectors (like defence) are mandated to use the highest levels. Most public services will likely require Union Assurance Level 1 or 2, depending on the risk assessment outcome. However, the Commission's methodology will explicitly guide the use of the highest levels for the most critical activities, ensuring no ambiguity for sensitive sectors.

This is general information about a draft EU regulation, not legal advice.