Summary
The proposed Cloud and AI Development Act (CADA) rejects a "one-size-fits-all" mandate for cloud sovereignty. Instead, Article 29 requires Member States and Union entities to conduct risk assessments that are both risk-based and context-specific. As explained in Recital 62, this ensures a "coherent and risk-based approach to the autonomy of the Union," where the required Union Assurance Level is determined by the specific sensitivity of data and the criticality of the activity to public order. Recital 65 further clarifies that decisions on architectural strategies, such as multi-vendor or multi-cloud deployments, must also be context-specific, driven by the risk assessment rather than imposed as a blanket rule. This framework ensures proportionality, reserving the highest assurance levels (3 and 4) only for activities where the protection of public order strictly demands it.
Detail
The CADA proposal establishes a Union cloud computing sovereignty framework to address the EU's strategic dependencies on third-country cloud providers. However, the Commission recognises that applying the strictest sovereignty criteria to every public-sector activity would be disproportionate and inefficient. Consequently, the legislation mandates a nuanced, evidence-based methodology for determining cloud procurement requirements.
The Coherent Risk-Based Approach
The foundation of this methodology is the requirement for a risk-based approach, explicitly articulated in Recital 62. The recital states that to ensure a "coherent and risk-based approach to the autonomy of the Union," Member States and Union entities must carry out one or more risk assessments. The primary objective of these assessments is to identify which public-sector activities "concern public order."
Once an activity is identified as relevant to public order, the risk assessment must determine the appropriate Union Assurance Level (1, 2, 3, or 4) required to mitigate specific risks. This determination is not arbitrary; it is tied to specific sectors and domains. Article 29(1) mandates that assessments cover activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas of "national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."
This risk-based structure is designed to respect the principles of proportionality and subsidiarity. As noted in Recital 52, "most public services would not require the highest levels of assurance." The risk assessment acts as a filter, distinguishing between routine administrative tasks, which may only require the baseline Union Assurance Level 1, and highly critical operations that necessitate Levels 2, 3, or 4. By focusing the highest sovereignty requirements on cases where the risk of "unauthorised access to Union data, technology leakage, sabotage and espionage" is most severe, the framework ensures that the burden of compliance is aligned with the actual threat to public order.
Context-Specific Evaluation Criteria
The "context-specific" nature of the CADA risk assessment is defined by the granular criteria authorities must evaluate under Article 29(2). Authorities cannot simply assign a level based on the sector alone; they must analyse the specific data and operational context of the activity. The assessment must consider at least the following aspects:
- Data Sensitivity, Criticality, and Magnitude: Authorities must assess the nature of the data processed, including both personal and non-personal data. This includes evaluating the "sensitivity, criticality, and magnitude" of the data, the potential impact on public order, and the risk to the rights and freedoms of data subjects.
- Risk of Unlawful Access: The assessment must evaluate the "risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country."
- Risk of Service Disruption: Authorities must also account for the "risk and consequent impact on public order of possible service disruption."
This detailed evaluation ensures that the classification of a cloud service's required assurance level is directly tied to the specific operational reality of the public-sector body. For example, a law enforcement agency processing sensitive criminal investigation data would face a different risk profile than a ministry managing public transport schedules, even if both fall under the broader "public order" umbrella. The risk assessment allows for this differentiation, ensuring that the sovereignty framework is applied with precision.
Multi-Cloud Strategies and Context-Specific Decisions
A critical component of the context-specific approach is the treatment of architectural strategies, particularly multi-vendor or multi-cloud deployments. Recital 65 explicitly states that "Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate."
However, the decision to adopt such a strategy is not a blanket mandate. Recital 65 clarifies that "The decision to adopt and implement a multi-cloud architecture should be based on a context-specific risk assessment." The assessment must identify "any relevant operational, regulatory or resilience-related circumstances that would support the adoption of a multi-vendor or multi-cloud strategy."
This nuance is codified in Article 29(9), which requires that "In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services." This provision ensures that technical architecture is a direct output of the risk analysis. For instance, a high-risk activity involving critical national infrastructure might justify a multi-cloud strategy to distribute risk and prevent single points of failure. Conversely, a low-risk activity might not justify the complexity and cost of a multi-cloud setup, and the risk assessment would reflect this context-specific conclusion.
Proportionality Across Activities
The overarching goal of this risk-based and context-specific framework is to ensure proportionality. Recital 52 emphasises that the Union Assurance Levels provide a "proportionate framework to ensure that public order is preserved by maintaining control and agency by public-sector bodies."
By mandating risk assessments, CADA prevents the over-regulation of low-risk activities. It ensures that the stringent requirements of Union Assurance Levels 3 and 4, which include strict personnel citizenship rules and prohibitions on third-country control, are reserved for the specific cases where "the protection of public order requires the highest level of assurance." This tiered approach allows for the scaling of cloud adoption across the public sector, enabling general services to operate efficiently at Union Assurance Level 1 (as per Article 30(2)) while reserving the most rigorous standards for critical infrastructure and sensitive data processing.
What this means for you
For public-sector bodies, Union entities, and procurement officers, the CADA proposal requires a fundamental shift from generic procurement to a structured, evidence-based decision-making process.
- Conduct Formal Risk Assessments: You must carry out risk assessments for your organisation's cloud activities. Under Article 29(1), these must be completed within one year of the Regulation's entry into force and repeated every two years, or whenever necessary.
- Evaluate Data and Context: Do not apply a blanket assurance level to all services. Instead, analyse the specific data types (personal, non-personal, sensitive) and the criticality of the service to public order. Determine if the activity falls under high-risk sectors like defence, justice, or critical infrastructure.
- Determine the Assurance Level: Based on your assessment, determine whether Union Assurance Level 1 is sufficient, or if Levels 2, 3, or 4 are required for activities contributing to the preservation of public order.
- Consider Architecture: Evaluate if a multi-cloud or multi-vendor strategy is justified by your specific risk profile to enhance resilience. Document this decision as part of your assessment, ensuring it is driven by operational and regulatory circumstances rather than a generic rule.
- Report and Align: Submit the results of your risk assessments to the Commission within three months of completion. Ensure your national strategy aligns with these assessments to demonstrate compliance with the principles of proportionality and subsidiarity.
Common misconceptions
- "All public cloud services must meet the highest sovereignty standards." This is incorrect. CADA uses a tiered approach. Only activities identified as contributing to the preservation of public order through the risk assessment require Union Assurance Levels 2, 3, or 4. General public services can often operate at Union Assurance Level 1.
- "The risk assessment is a one-time compliance checkbox." The assessment is dynamic. Article 29 requires updates every two years or whenever necessary, such as when data profiles change or new threats emerge. It is an ongoing governance tool, not a static document.
- "Multi-cloud is mandatory for all high-risk services." While encouraged for resilience, multi-cloud strategies must be justified by the specific risk assessment. Recital 65 and Article 29(9) make it clear that this is a context-specific option to be evaluated based on operational and regulatory circumstances, not a blanket requirement.
This is general information about a draft EU regulation, not legal advice.