Summary

The proposed Cloud and AI Development Act (CADA) and the Digital Operational Resilience Act (DORA) address distinct but overlapping risks for financial institutions. DORA focuses on the cybersecurity and operational resilience of critical ICT third-party providers; CADA, as proposed, would introduce a sovereignty framework to mitigate third-country control and data-access risks. Banks would likely need to satisfy both: ensuring their cloud providers are operationally resilient under DORA and, where applicable, recognised at the appropriate Union assurance level under CADA.

Detail

To understand the interplay, distinguish each instrument's primary objective and the obligations it imposes.

DORA: operational resilience and critical third-party providers

DORA (Regulation (EU) 2022/2554) is already in force and harmonises ICT risk management in the financial sector. A key feature is the designation of "critical ICT third-party providers" (CTPPs) — providers whose failure would significantly disrupt the sector — which are subject to direct oversight by the European Supervisory Authorities (ESAs). DORA requires robust ICT risk-management frameworks, resilience testing (including threat-led penetration testing), incident reporting, and business continuity. Its focus is technical cybersecurity and operational continuity. DORA does not assess the geopolitical origin of a provider, the jurisdiction governing its data, or the potential for extraterritorial data access by third-country authorities.

CADA: the sovereignty framework and Union assurance levels

The proposed CADA addresses a different dimension: technological sovereignty and operational autonomy. As CADA's explanatory memorandum notes, existing EU cybersecurity frameworks were not designed to boost the uptake of sovereign services or to address sovereignty considerations that go beyond technical elements.

CADA would introduce a Union cloud computing sovereignty framework of four Union assurance levels:

  • Article 16 establishes the framework "comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies."
  • Article 16(2) empowers the Commission to amend the levels (Annex II) and the audit evidence (Annex III) by delegated act.
  • Article 16(3) requires the Commission to review Annexes II and III at least every 18 months.

Unlike DORA, which treats a cloud provider mainly as a technical utility, CADA would treat its governance and jurisdictional ties as a sovereignty question.

The overlap: how banks would face both regimes

Financial institutions using cloud for critical functions could face dual obligations:

  1. Operational compliance (DORA). The bank must ensure its cloud provider is operationally resilient. If the provider is a designated CTPP, DORA's oversight and the bank's third-party risk-management duties apply.
  2. Sovereignty compliance (CADA). If the bank is a public sector body (e.g. a state-owned bank), or its activities are identified as contributing to the preservation of public order, CADA's procurement rules would apply.
    • Article 29 requires Member States and Union entities to carry out risk assessments that identify public-sector activities contributing to public order and determine which Union assurance level (2, 3 or 4) is appropriate.
    • Article 30(3) provides that contracting authorities whose activities have been identified as contributing to the preservation of public order — in sectors under Annex I or II of the NIS2 Directive, or in national security, internal security, external border management, defence, justice or law enforcement — "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
    • For the private sector, Article 31 allows entities listed in Annex I of the NIS2 Directive that are not public bodies (which can include certain financial-sector entities) to carry out assessments similar to those under Article 29. The Commission may issue guidance and, where duly justified, adopt delegated acts requiring such impact assessments and risk-mitigation measures.

So a bank cannot select a provider on DORA compliance alone. Where CADA applies, it must also confirm the provider meets the required Union assurance level. A provider may be fully DORA-compliant yet fail, say, Union assurance level 3 because it is subject to third-country control.

Key differences in scope and enforcement

| Feature | DORA (in force) | CADA (proposed) |
| --- | --- | --- |
| Primary focus | Technical cybersecurity, operational resilience, business continuity. | Sovereignty, freedom from third-country control, operational autonomy. |
| Target entities | Financial entities and critical ICT third-party providers (CTPPs). | Cloud providers seeking recognition; public sector buyers; certain critical private entities. |
| Assessment method | ICT risk management, resilience testing, incident reporting. | Union assurance levels 1–4 (Annex II): location, control, citizenship, supply chain. |
| Enforcement | Direct ESA oversight of CTPPs; penalties. | Recognition by national competent authorities; procurement restrictions; penalties (Article 24). |
| Third-country access | Not directly addressed. | Addressed: higher levels require measures against, or absence of, third-country control (Annex II). |

What this means for you

For in-house counsel and compliance officers in the financial sector, the convergence of DORA and CADA would call for a holistic cloud-governance strategy.

  1. Conduct dual risk assessments. Do not rely solely on DORA's ICT risk assessment. Where CADA applies, prepare the sovereignty risk assessment under Article 29, identifying which activities contribute to public order.
  2. Audit providers for sovereignty. Review contracts and provider documentation against the Union assurance levels. For levels 2–4, recognition rests on an independent third-party audit (Article 20); for level 1, a self-assessment and EU statement of conformity (Article 19).
  3. Monitor procurement rules. Article 30 would impose minimum assurance levels for procurement. A contracting authority may be barred from procuring a service that does not meet the required level, regardless of DORA compliance.
  4. Prepare for control and localisation checks. Annex II is stringent — data (including metadata and telemetry) within the Union, personnel who are Union citizens at higher levels, and, for levels 3 and 4, no third-country control. Ensure providers can supply the audit evidence required under Article 21 and Annex III.
  5. Engage with national competent authorities. CADA would designate national competent authorities (Article 25) to enforce the sovereignty framework. Engage early to understand how "public order" will be interpreted for financial services.

Common misconceptions

  • "DORA compliance is enough for cloud security." DORA addresses resilience and cyber risk; it does not address a foreign government legally compelling a provider to hand over data or disrupt service. CADA's sovereignty framework targets that gap.
  • "CADA only applies to public-sector banks." Article 30 mandates assurance levels for public-sector procurement, but Article 31 allows private NIS2 Annex I entities (which can include finance) to perform impact assessments, and the Commission may, where duly justified, require them.
  • "Sovereignty and cybersecurity are the same." Per CADA's explanatory memorandum, cybersecurity certification was not designed to address sovereignty concerns beyond technical elements. A provider can be highly secure yet fail a higher Union assurance level due to third-country control.
  • "Existing contracts will automatically comply." Most current cloud contracts do not reflect Annex II's detailed criteria (e.g. personnel citizenship at higher levels, software supply-chain measures). Renegotiation — or a change of provider — may be needed to reach higher levels.

This is general information about a draft EU regulation, not legal advice.