Summary
Under the proposed Cloud and AI Development Act (CADA), impact assessments conducted by private-sector entities under Article 31 are voluntary and not subject to mandatory public disclosure. The regulation does not explicitly label these assessments as "confidential," but it imposes no obligation to publish them or to submit them to a central EU repository. Consequently, the findings remain internal to the entity unless voluntarily shared, or unless a competent authority requests them under another applicable framework. However, the Commission retains the power to issue guidance on methodology and, via delegated acts, could mandate assessments for entities in specific sectors of high criticality, which would alter the voluntary nature of the process for those entities.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive framework for cloud sovereignty. While the core of this framework relies on mandatory risk assessments for public sector bodies under Article 29, the proposal extends a parallel, albeit distinct, mechanism to the private sector through Article 31. This article specifically targets entities listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555) that are not public sector bodies.
The Voluntary Nature of Article 31 Assessments
The fundamental distinction between public and private obligations under CADA is whether the assessment is mandatory or voluntary. Article 31(1) explicitly states that relevant private entities "may carry out similar assessments as those set out in Article 29." The modal verb "may" confirms that, as proposed, these assessments are not a blanket legal requirement for all NIS2 Annex I entities.
Public authorities must conduct risk assessments to determine the appropriate Union assurance level (level 2, 3, or 4) for their cloud procurement. Private entities under Article 31 are not legally compelled to perform this exercise. For them, the assessment is a voluntary governance tool: critical infrastructure operators in sectors such as energy, transport, finance, and health can evaluate their exposure to third-country control, data sovereignty risks, and service continuity threats using a methodology similar to the one Article 29 applies to the public sector.
Commission Guidance and the Potential for Mandatory Obligations
While the initial trigger is voluntary, the proposal grants the European Commission significant oversight powers to shape how these assessments are conducted and to escalate requirements if necessary.
Article 31(2) empowers the Commission to "issue guidance on the methodology for carrying out the impact assessments under this Article and possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality." This guidance is intended to ensure that when private entities do choose to assess their sovereignty posture, they do so consistently, addressing key risks such as unauthorized access by third countries, service disruption, and technology leakage.
More significantly, Article 31(3) introduces a mechanism to convert voluntary assessments into mandatory obligations. The Commission may adopt delegated acts supplementing the regulation "where, because of specific circumstances, and where duly justified and in consultation with the Member States," it concludes that entities in sectors of high criticality require an impact assessment. If such a delegated act is adopted, the voluntary "may" in Article 31(1) effectively becomes a "must" for the entities it covers, and those entities would also have to implement the risk mitigation measures set out in the act.
Confidentiality, Disclosure, and Handling Considerations
A primary concern for private providers is whether these assessments must be made public. The CADA proposal contains no provision requiring private entities to publish their Article 31 impact assessments or to submit them to the central repository established under Article 22 for recognized sovereign cloud services.
In contrast, Article 29 mandates that Member States and Union entities communicate the results of their public sector risk assessments to the Commission. For private entities under Article 31, the assessment remains an internal document. There is no "public registry" for private sovereignty assessments.
However, "not public by default" does not mean "immune from scrutiny." Several factors influence how these assessments are handled and whether they may have to be disclosed:
- Supervisory Interactions: If a private entity is subject to investigation by a national competent authority under NIS2 or other sectoral laws, the assessment might be requested as evidence of due diligence. While CADA does not mandate public release, national laws on business secrecy and data protection would apply to any such disclosure.
- Commission Guidance and Delegated Acts: If the Commission issues guidance under Article 31(2) or adopts a delegated act under Article 31(3), the methodology and required mitigation measures become standardized. While the specific assessment report remains internal, the entity's compliance with the mandated measures could be subject to verification by authorities.
- Procurement Context: If a private entity participates in joint procurement or seeks to demonstrate its sovereignty posture to public sector customers, it might voluntarily share parts of the assessment. In such cases, the entity controls the disclosure, but the information could become part of a commercial contract or tender documentation.
The proposal does not create a specific "privilege" for Article 31 assessments. Therefore, while they are not public by default, they are not legally shielded from lawful requests by competent authorities under existing EU and national frameworks.
What this means for you
For cloud service providers, data centre operators, and other critical entities listed in NIS2 Annex I, Article 31 presents a strategic opportunity to proactively manage sovereignty risks without immediate regulatory exposure.
- Strategic Voluntary Adoption: You can use the Article 31 framework to audit your supply chain and cloud dependencies. This lets you identify exposures arising from third-country control and data localization before they become regulatory issues or market barriers.
- Internal Governance, Not Public Compliance: Your assessment results do not need to be registered in the EU's central cloud repository. Your sovereignty posture remains a competitive differentiator rather than a public compliance badge, unless you choose to market it to public sector clients.
- Monitor for Mandatory Shifts: Closely watch for Commission guidance under Article 31(2). If the Commission concludes, in duly justified circumstances and after consulting the Member States, that entities in your sector of high criticality require an assessment, it may adopt a delegated act under Article 31(3) making the assessment mandatory. Adopting the methodology now prepares you for that potential obligation.
- Data Protection and Secrecy: Treat the assessment as sensitive internal documentation. While CADA does not mandate disclosure, sharing it with auditors or regulators may be necessary to prove compliance with NIS2 or other sectoral laws. Ensure your internal policies protect this data from unauthorized public release, relying on general business secrecy protections rather than specific CADA confidentiality clauses.
Common misconceptions
Misconception 1: Private entities must publish their sovereignty assessments. Reality: Only public sector bodies are required to report their risk assessments to the Commission under Article 29. Private sector assessments under Article 31 are internal and voluntary, with no public disclosure requirement in the CADA text.
Misconception 2: Article 31 assessments are legally binding for all NIS2 entities immediately. Reality: Article 31(1) uses the word "may," indicating voluntariness. Mandatory obligations only arise if the Commission adopts specific delegated acts under Article 31(3) targeting specific high-criticality sectors after consultation with Member States.
Misconception 3: The assessment replaces NIS2 compliance. Reality: Article 31 assessments are complementary. They focus specifically on cloud sovereignty, third-country dependencies, and operational autonomy. NIS2 focuses on broader cybersecurity risk management. Both frameworks may apply simultaneously to the same entity, and an Article 31 assessment could serve as evidence of due diligence under NIS2.
Misconception 4: Article 31 assessments are automatically confidential under EU law. Reality: CADA does not explicitly grant a confidentiality privilege to these assessments. They are not public by default because there is no requirement to publish them, but they are not legally shielded from lawful requests by competent authorities under existing national or EU laws.
Related
- CADA Article 31: Commission Guidance on Private Sector Impact Assessments
- Article 31 CADA: Voluntary impact assessments for private critical entities
- CADA Article 31: Voluntary Impact Assessments for Private Critical Sectors
- CADA Article 31: Can impact assessments become mandatory for private firms?
- Sectors of high criticality under CADA: Article 31 impact assessments explained
This is general information about a draft EU regulation, not legal advice.