Summary

As proposed, the Cloud and AI Development Act (CADA) treats cloud computing as a matter of public order because reliance on third-country providers exposes the EU to strategic dependencies, including unauthorised data access, service disruption and political or economic coercion. Under Article 30, public-sector bodies would procure cloud services meeting specific "Union assurance levels," and activities relevant to public order would have to use the higher levels (2, 3 or 4) to safeguard critical state functions. CADA is a proposal and not yet in force.

Detail

The proposed CADA marks a shift in how the EU would regulate cloud computing. Unlike laws focused primarily on data privacy or consumer protection, CADA explicitly frames cloud sovereignty as a security and public-order matter. The proposal aims to reduce the Union's dependence on a limited number of non-European cloud providers, whose operations may be subject to extraterritorial laws that conflict with EU values and security interests.

The public-order mandate

The public-order focus appears in the proposal's objectives and procurement rules. Article 1(1)(c) lists one of the regulation's measures as "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order." The explanatory memorandum reinforces this, listing as a key objective to "help protect public order by making the supply of cloud computing services more resilient, in particular in the public sector."

Recital 50 explains why such protection is considered necessary, identifying risks the framework targets. These fall into three broad areas:

  1. Misuse: manipulation, remote access and control, sabotage, and the weaponisation of infrastructure.
  2. Access to information: unauthorised access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, and espionage.
  3. Dependency vulnerabilities: political and/or economic coercion, such as vendor or technology lock-ins, embargoes, sanctions, or monopoly pricing affecting the financial interests of the Union and Member States.

By naming these, CADA would move beyond technical cybersecurity to address non-technical risks such as geopolitical leverage and operational continuity.

The Union assurance framework

To mitigate these risks, CADA would introduce a "Union cloud computing sovereignty framework" of four Union assurance levels (Article 16), defining the criteria a service must meet to be considered trusted for public-sector use.

  • Union assurance level 1: the baseline for general public-sector use, requiring the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union unless the public body explicitly requires otherwise.
  • Union assurance levels 2, 3 and 4: higher assurance for more sensitive activities, requiring independent third-party audits, stricter personnel requirements (Union citizenship at levels 3 and 4) and, at level 4, that the provider and subcontractors are not subject to the control of a third country or a legal entity established in a third country.

Procurement obligations for public authorities

The framework's practical effect is set out in Article 30, which would impose binding procurement requirements:

  1. Minimum standard (level 1): Union entities and public-sector bodies whose activities have not been identified as contributing to the preservation of public order would, as a minimum, use services recognised at Union assurance level 1 (Article 30(2)).
  2. Public-order activities (levels 2-4): contracting authorities whose activities have been identified as contributing to the preservation of public order would only procure services recognised at levels 2, 3 or 4 (Article 30(3)).

Article 29 would require Member States and Union entities to run risk assessments to determine which activities fall into the public-order category. Those assessments would consider sectors falling under Annex I or II of the NIS2 Directive, as well as national security, internal security, external border management, defence, justice and law enforcement.

The proposal allows derogations only in exceptional, duly justified circumstances — for example, where no adequate recognised alternative exists, where a similar procurement in the previous year drew no suitable tenders, or where compliance would impose disproportionate cost (Article 30(4)). The default, however, is clear: public-order relevance would dictate the level of sovereignty required.

What this means for you

For public-sector procurement officers and IT directors, CADA as proposed would add a layer of due diligence beyond technical specifications. You would evaluate providers not only on price and performance, but on their sovereignty profile.

  1. Conduct risk assessments. You would carry out risk assessments (Article 29) to determine whether your cloud use cases contribute to the preservation of public order, weighing data sensitivity and service criticality.
  2. Verify assurance levels. You would procure only from providers listed in the central repository of recognised services (Article 22), ensuring the recognised level matches your requirement. General administrative tasks may need only level 1; critical functions would require level 2, 3 or 4.
  3. Monitor changes. Providers would have to report material changes that could affect their recognition (Article 23). A change in a provider's recognised level could oblige you to migrate to stay compliant.
  4. Plan for migration. Where a risk assessment requires migration, it would have to occur within a reasonable transition period not exceeding 12 months (Article 29(6)). Plan transitions early to preserve continuity.

Common misconceptions

"CADA bans all non-EU cloud providers." It would not impose a blanket ban. It would create a tiered system. A provider ultimately owned or controlled outside the EU could serve at level 1 through a Union-established entity that meets the level 1 criteria. At level 2, a provider under third-country control could still qualify if it demonstrates robust safeguards against access and disruption (Annex II, 2.1(g)); at level 3, only where the Commission has designated the third country as an associated third country (Article 18). Level 4 would permit no third-country control.

"This is just about data privacy." While data protection matters, CADA addresses broader public-order risks. Even where data is encrypted, the risk of service disruption (a "kill switch") or political coercion remains. CADA targets operational autonomy and resilience, not only confidentiality.

"Only national security agencies are affected." The duty to assess public-order relevance would apply to contracting authorities generally. While defence and justice are named, other sectors, such as healthcare, energy and transport, may be deemed to contribute to public order depending on the risk assessment, so local authorities and smaller public bodies would need to review their contracts too.

This is general information about a draft EU regulation, not legal advice.