Summary
As proposed, the Cloud and AI Development Act (CADA) encourages multi-cloud and multi-vendor architectures to mitigate strategic risks associated with dependence on a single cloud computing service provider. Recital 65 explicitly states that to "enhance resilience and limit dependency on a single cloud computing service provider," Union entities and Member States should consider whether a multi-vendor or multi-cloud strategy is appropriate. This is not a blanket mandate for all use cases, but a requirement embedded in the Article 29 risk assessment process. Public bodies must evaluate context-specific operational, regulatory, and resilience-related circumstances to determine if diversification is necessary to safeguard public order, prevent vendor lock-in, and ensure continuity of critical services against technical failures or geopolitical pressures.
Detail
The European Commission's proposal for the Cloud and AI Development Act (CADA) addresses a critical vulnerability in the EU's digital infrastructure: the heavy reliance on a limited number of non-European cloud providers. The proposal notes that the Union remains "critically dependent on a limited number of cloud computing service providers subject to the control of third countries," exposing the Union to "critical strategic dependencies and concentration risks." These risks include vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting the continuity, quality, and resilience of cloud computing services, and reduced control over data and infrastructure.
CADA seeks to rebalance this dynamic not by banning specific providers, but by structuring procurement and risk management frameworks that inherently favor diversification and resilience. The legislative intent is clear: reducing the concentration of power in the hands of a few non-EU incumbents is essential for the Union's strategic autonomy.
The Strategic Rationale: Limiting Single-Provider Dependency
The core driver behind CADA's encouragement of multi-cloud architectures is the need to limit dependency on any single cloud computing service provider. The proposal identifies that reliance on a single provider creates a "single point of failure" that could be exploited through technical outages, commercial decisions, or geopolitical coercion.
Recital 65 of the CADA proposal explicitly states: "To enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate."
This recital establishes the legislative intent: diversification is a key tool for enhancing resilience. By distributing workloads across multiple providers, public authorities can reduce the impact of any single point of failure. The recital further clarifies that the decision to adopt such a strategy "should be based on a context-specific risk assessment." This assessment must identify "any relevant operational, regulatory or resilience-related circumstances that would support the adoption of a multi-vendor or multi-cloud strategy."
Article 29: Risk Assessments as the Mechanism for Change
While Recital 65 sets the policy direction, Article 29 provides the operational mechanism. This article mandates that Member States and Union entities conduct risk assessments to determine the appropriate level of conformity against the Union assurance levels (2, 3, or 4) for different public sector activities.
Article 29(9) specifically requires that: "In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services."
This provision integrates multi-cloud considerations directly into the risk assessment process. It does not mandate a multi-cloud architecture for every use case; rather, it requires a context-specific evaluation. The risk assessment must identify any relevant operational, regulatory, or resilience-related circumstances that would support the adoption of a multi-vendor or multi-cloud strategy. This ensures that the decision to adopt a multi-cloud approach is driven by a rigorous analysis of the specific risks faced by the public sector body, rather than a blanket requirement.
The risk assessment under Article 29 is designed to identify public sector activities that contribute to the preservation of public order. These include sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement. For these critical activities, the assessment determines the appropriate Union assurance level. If the assessment identifies significant risks associated with single-provider dependency, such as potential service disruption or unauthorized data access, a multi-cloud strategy may be recommended as a mitigation measure.
Operational, Regulatory, and Resilience Circumstances
The decision to adopt a multi-cloud architecture under CADA is not arbitrary. It is grounded in a comprehensive assessment of various factors, as outlined in the proposal's recitals and Article 29:
- Operational Resilience and Continuity: Multi-cloud strategies can provide redundancy and failover capabilities. If one provider experiences a significant outage, workloads can be shifted to another provider, ensuring continuity of service. This is particularly important for critical public services that require high availability. The proposal highlights that dependence on non-EU providers exposes the EU to risks related to "operational discontinuity, particularly in scenarios where unilateral decisions by third-country actors could disrupt service provision." A multi-cloud approach mitigates this by ensuring that no single provider holds a monopoly on critical infrastructure.
- Regulatory Compliance and Sovereignty: Different cloud providers may have varying levels of compliance with the Union assurance levels. A multi-cloud strategy allows public authorities to allocate sensitive workloads to providers with higher assurance levels (e.g., Union assurance level 3 or 4) while using other providers for less critical tasks. This enables a nuanced approach to compliance that balances security requirements with cost and performance considerations. Furthermore, it helps address the risk of "unlawful access under Union law to such data by a third country or a legal entity established in a third country," as identified in Article 29(2)(b).
- Geopolitical and Legal Risks: As highlighted in the proposal, dependence on non-EU providers exposes the EU to risks related to extraterritorial data access laws, such as the US CLOUD Act. By diversifying across multiple providers, including EU-based ones, public authorities can mitigate the risk of unilateral actions by third-country actors that could disrupt service provision or compromise data sovereignty. The proposal notes that "large market incumbents are subject to third-country jurisdictions where laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks."
The Role of Risk Assessments in Procurement
The risk assessments mandated by Article 29 are central to this framework. As described above, they identify the public sector activities that contribute to the preservation of public order, determine the appropriate Union assurance level for each, and, where they find significant risks associated with single-provider dependency (such as potential service disruption or unauthorized data access), may recommend a multi-cloud strategy as a mitigation measure.
This ensures that the procurement of cloud computing services is aligned with the specific security and resilience needs of the public sector body. The assessment is not a one-time exercise; Article 29(1) requires that these assessments be carried out "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." This ensures that the multi-cloud strategy remains relevant and responsive to evolving threats and market conditions.
What this means for you
For CTOs, architects, and SMEs evaluating the practical impact of CADA, the emphasis on multi-cloud architectures presents both challenges and opportunities.
For CTOs and Architects
- Design for Portability: Your cloud architectures must be designed with portability in mind. Avoid deep integration with proprietary services that lock you into a single provider. Use open standards, containerization, and abstraction layers to facilitate migration between providers. This aligns with the proposal's goal of "reducing dependencies on critical technologies."
- Risk-Based Approach: Work closely with your legal and compliance teams to conduct thorough risk assessments. Understand which workloads are critical to public order and require higher assurance levels. Design your multi-cloud strategy to address the specific risks identified in these assessments, particularly those related to "service disruption" and "unlawful access."
- Operational Complexity: Multi-cloud environments are inherently more complex to manage. Invest in tools and skills for multi-cloud management, monitoring, and security. Ensure that your team has the expertise to handle the operational challenges of managing multiple providers, as the proposal notes that "operational, regulatory or resilience-related circumstances" must be considered.
For SMEs and Cloud Providers
- Competitive Opportunity: CADA's push for diversification creates opportunities for EU-based cloud providers and smaller players. Public authorities are increasingly looking for alternative providers to reduce their dependence on hyperscalers. SMEs that can offer compliant, secure, and innovative cloud services may find new markets in the public sector.
- Compliance is Key: To compete in this landscape, you must demonstrate compliance with the Union assurance levels. Invest in the necessary certifications and audits to meet the requirements of Annex II. Be prepared to provide the evidence required by auditing organizations to prove your compliance, as this is a prerequisite for being considered in a multi-cloud strategy.
- Interoperability: Ensure that your services are interoperable with other cloud providers. This will make it easier for public authorities to adopt multi-cloud strategies and integrate your services into their existing environments, supporting the proposal's aim to "enhance the functioning of the single market."
Practical Steps
- Conduct a Dependency Audit: Identify your current dependencies on single providers. Assess the risks associated with these dependencies, including technical, operational, and geopolitical risks, as required by Article 29(2).
- Develop a Multi-Cloud Strategy: Based on your risk assessment, develop a strategy for diversifying your cloud providers. This may involve migrating certain workloads to alternative providers, adopting a multi-cloud architecture for new projects, or negotiating contracts that include portability and exit clauses.
- Invest in Skills and Tools: Ensure that your team has the skills and tools necessary to manage a multi-cloud environment. This may involve training, hiring, or investing in new technologies to handle the "operational, regulatory or resilience-related circumstances" identified in the risk assessment.
- Engage with Public Authorities: If you are a cloud provider, engage with public authorities to understand their specific needs and risk profiles. Demonstrate how your services can help them meet their compliance and resilience requirements, particularly in the context of "limiting dependency on a single cloud computing service provider."
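The dependency audit and risk-based strategy steps above can be started from a plain workload inventory. The following is an added example (not part of the CADA proposal, and not an official or vendor tool) that flags single-provider critical workloads, assurance-level gaps between what the risk assessment requires and what a provider claims, third-country jurisdiction exposure with no EU-established alternative, and portfolio-level provider concentration. The provider names, their EU establishment and assurance levels, the workloads, their required levels and the 50% concentration threshold are all constructed assumptions for illustration; an assessment under Article 29 would substitute its own findings.

```python
"""Cloud dependency audit over a workload inventory (added example).

Not from the CADA proposal or any official tooling. Every provider,
workload, assurance level and the concentration threshold below is a
constructed assumption for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Provider:
    name: str
    eu_established: bool   # constructed: provider established in the EU or not
    assurance_level: int   # constructed: Union assurance level claimed (2, 3 or 4)


@dataclass(frozen=True)
class Workload:
    name: str
    critical: bool         # assumption: contributes to the preservation of public order
    required_level: int    # assumption: assurance level the risk assessment requires
    primary: str           # provider currently running the workload
    failover: Optional[str] = None  # alternative provider, if any


@dataclass(frozen=True)
class Finding:
    workload: str          # "*" marks a portfolio-wide finding
    issue: str             # stable issue code
    detail: str


# Constructed sample inventory.
PROVIDERS: Dict[str, Provider] = {
    "hyperscaler-a": Provider("hyperscaler-a", eu_established=False, assurance_level=3),
    "eu-provider-b": Provider("eu-provider-b", eu_established=True, assurance_level=4),
    "eu-provider-c": Provider("eu-provider-c", eu_established=True, assurance_level=2),
}

WORKLOADS: List[Workload] = [
    Workload("citizen-id-registry", True, 4, "hyperscaler-a"),
    Workload("border-case-management", True, 3, "hyperscaler-a", "eu-provider-b"),
    Workload("court-filing-portal", True, 3, "eu-provider-b", "eu-provider-c"),
    Workload("public-website", False, 2, "hyperscaler-a"),
]


def audit(workloads: List[Workload], providers: Dict[str, Provider],
          concentration_threshold: float = 0.5) -> Tuple[List[Finding], Dict[str, float]]:
    """Return per-workload findings plus the share of critical workloads per primary provider."""
    findings: List[Finding] = []
    for w in workloads:
        primary = providers[w.primary]
        failover = providers[w.failover] if w.failover else None

        # Primary provider claims a lower assurance level than the assessment requires.
        if primary.assurance_level < w.required_level:
            findings.append(Finding(w.name, "assurance_gap",
                f"{w.primary} claims level {primary.assurance_level}, "
                f"workload requires level {w.required_level}"))

        if w.critical:
            # Single point of failure: a critical workload with no alternative provider,
            # or an alternative that does not actually diversify or meet the required level.
            if failover is None:
                findings.append(Finding(w.name, "no_failover",
                    f"critical workload depends solely on {w.primary}"))
            elif failover.name == primary.name:
                findings.append(Finding(w.name, "failover_same_provider",
                    "failover does not diversify away from the primary provider"))
            elif failover.assurance_level < w.required_level:
                findings.append(Finding(w.name, "failover_assurance_gap",
                    f"{failover.name} claims level {failover.assurance_level}, "
                    f"workload requires level {w.required_level}"))

            # Extraterritorial exposure: no EU-established provider in the chain.
            if not primary.eu_established and (failover is None or not failover.eu_established):
                findings.append(Finding(w.name, "third_country_exposure",
                    "no EU-established provider available for this critical workload"))

    # Portfolio view: how much of the critical estate rests on each primary provider.
    critical = [w for w in workloads if w.critical]
    counts = Counter(w.primary for w in critical)
    concentration = {n: c / len(critical) for n, c in counts.items()} if critical else {}
    for name, share in sorted(concentration.items()):
        if share > concentration_threshold:
            findings.append(Finding("*", "provider_concentration",
                f"{share:.0%} of critical workloads run primarily on {name}"))
    return findings, concentration


if __name__ == "__main__":
    results, shares = audit(WORKLOADS, PROVIDERS)
    for f in results:
        print(f"{f.workload:24} {f.issue:24} {f.detail}")
    print("concentration:", {k: round(v, 2) for k, v in shares.items()})
```

The issue codes map directly onto the circumstances the text names (operational continuity, assurance-level compliance, third-country jurisdiction), so each finding can be carried into the Article 29 risk assessment as a candidate justification for, or against, diversifying a given workload; the concentration threshold is a policy choice for the assessing body, not a figure from the proposal.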
Common misconceptions
- "CADA mandates multi-cloud for all public sector bodies." This is incorrect. CADA requires public sector bodies to consider a multi-cloud strategy as part of their risk assessments under Article 29(9). The decision to adopt a multi-cloud architecture is based on the specific risks and circumstances of each public sector activity, as determined by the risk assessment.
- "Multi-cloud is only about cost savings." While cost savings can be a benefit, the primary driver for multi-cloud under CADA is resilience and security. The focus is on reducing dependency on single providers and mitigating risks related to "service disruption" and "data sovereignty," as highlighted in Recital 65.
- "Only large enterprises can implement multi-cloud." While multi-cloud architectures can be complex, advancements in cloud management tools and services are making it more accessible to SMEs. Additionally, public authorities may provide support and guidance to help smaller providers comply with the requirements, fostering a "competitive single market for cloud computing services."
- "Multi-cloud eliminates all risks." Multi-cloud strategies can mitigate certain risks, but they also introduce new challenges, such as increased complexity and potential interoperability issues. A well-designed multi-cloud strategy should address these challenges and ensure that the benefits outweigh the costs, in line with the "context-specific risk assessment" requirement.
Related
- Must a CADA risk assessment consider a multi-vendor or multi-cloud strategy?
- CADA risk assessment: How to handle multi-cloud procurement decisions
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
- Why does CADA treat dependence on non-EU providers as a strategic risk?
- Who sets the methodology for CADA risk assessments?
This is general information about a draft EU regulation, not legal advice.