Summary

The Cloud and AI Development Act (CADA) and the Digital Operational Resilience Act (DORA) address different, though overlapping, dimensions of cloud computing for the financial sector. DORA is a sector-specific regulation focused on operational resilience, ICT risk management, and incident reporting for financial entities and their critical third-party providers. CADA, as proposed, is a horizontal instrument establishing a Union-wide cloud sovereignty framework, data centre deployment rules, and public procurement standards to reduce strategic dependencies on non-European providers. For financial-sector cloud providers and their clients, both can apply simultaneously: DORA governs the operational resilience of the service, while CADA's proposed Union assurance levels and procurement rules would dictate which cloud services are permissible for specific public-sector or critical use cases.

Detail

The distinct legal bases and objectives

To understand the interplay between CADA and DORA, you must first distinguish their legislative intents and scopes.

DORA (Regulation (EU) 2022/2554) is a directly applicable EU regulation that entered into force in January 2023 and applies from January 2025. Its objective is to ensure the digital operational resilience of the EU's financial sector. It imposes obligations on financial entities (banks, insurers, investment firms) regarding ICT risk management, incident reporting, digital operational resilience testing, and the management of ICT third-party risk. Crucially, DORA directly regulates "critical" ICT third-party service providers (including major cloud providers) through an oversight framework led by the European Supervisory Authorities (ESAs). DORA is operational in nature, focused on the continuity, security, and resilience of services.

CADA (COM(2026) 502 final) is a proposed Regulation aimed at strengthening Europe's cloud and AI ecosystem by addressing strategic dependencies and boosting domestic capacity. As proposed, CADA pursues two general objectives: ensuring the competitiveness and innovation capacity of the Union's cloud and AI ecosystem, and improving the functioning of the single market through a uniform legal framework that increases the Union's resilience and strategic autonomy in cloud and AI technologies (Article 1(2) and (3)). Unlike DORA, CADA would not be limited to the financial sector; it would apply horizontally, with particular emphasis on public-sector procurement, data centre deployment, and cloud sovereignty.

How CADA and DORA would intersect for financial services

The intersection arises where financial entities procure cloud services, and where cloud providers serve financial clients. The CADA proposal's explanatory memorandum explicitly states that the proposal "supports the objectives of the Digital Operational Resilience Act (DORA)." It notes that DORA "shapes compliance obligations for cloud computing service providers" and "indirectly covers cloud computing service providers if they provide services to specified financial entities or if their role is significant enough in terms of operational resilience." DORA, it observes, "has a sectoral scope and is specific to the financial sector."

CADA would complement this by introducing a Union cloud computing sovereignty framework (Title IV, Chapter I). That framework comprises four Union assurance levels (Article 16), setting harmonised criteria for trusted cloud services. Where DORA asks whether a cloud provider is operationally resilient, CADA's proposed framework would assess whether the provider is sovereignly secure — that is, free from undue third-country control that could compromise data confidentiality or operational autonomy.

1. For financial entities (cloud consumers)

Under DORA, financial entities must manage ICT third-party risk, including due diligence on cloud providers. CADA would introduce additional scrutiny, particularly for public-sector bodies.

  • Public-sector financial entities: If a financial entity is a public body (for example, a central bank or a public pension fund), CADA Article 30 would require it, where its activities are not identified as contributing to the preservation of public order, to procure cloud services recognised at Union assurance level 1. Where a risk assessment under Article 29 identifies the entity's activities as contributing to the preservation of public order — in the sectors of Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) or in national security, internal security, external border management, defence, justice or law enforcement — it would have to procure services recognised at Union assurance level 2, 3, or 4.
  • Private financial entities: CADA Article 31 provides that entities listed in Annex I of the NIS2 Directive (which captures many financial institutions) that are not public-sector bodies may carry out assessments similar to those public bodies conduct under Article 29. These are not mandatory under the proposal as drafted. However, Article 31(3) would empower the Commission to adopt delegated acts requiring such impact assessments and risk-mitigation measures for entities operating in sectors of high criticality. That creates a potential future obligation for private financial firms to align their cloud procurement with CADA's sovereignty criteria.

2. For cloud providers (cloud suppliers)

Cloud providers serving the financial sector would face a dual compliance burden:

  • DORA obligations: If designated as a critical ICT third-party provider, they are subject to oversight led by the ESAs, including resilience testing, incident reporting, and prescribed contractual terms with financial entities.
  • CADA obligations: To serve public-sector clients (and potentially critical private clients in future), providers would need recognition under CADA's sovereignty framework.
    • Level 1: Recognition rests on a conformity self-assessment and an EU statement of conformity (Article 19). Providers must, among other things, be established in the Union, keep infrastructure and data (including metadata and telemetry) in the Union, and — where subject to third-country control — demonstrate that no third-country law requires them to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited (Annex II, Section 1.1).
    • Levels 2, 3, and 4: Recognition requires an independent third-party audit (Article 20), with progressively stricter criteria. For example, Level 3 (Annex II, Section 3) requires that personnel involved in service provision are Union citizens, and that the provider and its subcontractors are not subject to the control of a third country or of a legal entity established in a third country — unless, by way of derogation, the Commission has identified that third country as "associated" by implementing act under Article 18. Level 4 (Annex II, Section 4) adds a European cybersecurity certificate of at least "high" assurance and stricter software-supply-chain controls, including demonstrating that no third country holds or exercises effective control over the design, development, maintenance, and evolution of software components.

Penalties and enforcement

The enforcement mechanisms differ between the two instruments.

  • DORA penalties: Member States must lay down rules on administrative penalties for infringements, which must be effective, proportionate, and dissuasive. For critical ICT third-party providers, the oversight framework allows the lead overseer to impose periodic penalty payments and require corrective measures.
  • CADA penalties: Under CADA Article 24, Member States would lay down rules on penalties for infringements of the cloud sovereignty chapter (Title IV, Chapter I) by cloud computing service providers within their competence; penalties must be effective, proportionate, and dissuasive. The non-exhaustive criteria for imposing them include the nature, gravity, scale, and duration of the infringement and the infringing party's annual Union turnover in the preceding financial year. Notably, recipients of cloud services would have the right to seek compensation from providers, in accordance with Union and national law, for any damage or loss suffered due to a provider's infringement of its obligations under that Chapter (Article 24(3)). This would create a private-law liability risk for providers that fail to maintain their assurance-level status or misrepresent their sovereignty credentials.

What this means for you

For in-house counsel and compliance officers in the financial sector, the coexistence of DORA and CADA would require a bifurcated compliance strategy:

  1. Map your cloud stack to DORA. Ensure your ICT risk-management framework satisfies DORA's third-party requirements, including contractual exit strategies, incident-reporting timelines, and resilience-testing results.
  2. Assess sovereignty needs under CADA (as proposed).
    • Public financial entities: Plan for the Article 29 risk assessment to determine whether your activities contribute to the preservation of public order. If so, you would procure only Level 2, 3, or 4 services, and should verify recognition via the central repository of recognised services (Article 22).
    • Private financial entities: Monitor any Commission delegated acts under Article 31(3). Be ready to conduct impact assessments akin to those of public bodies if the Commission concludes that high-criticality sectors require them.
  3. Audit providers' sovereignty claims. Do not treat DORA compliance as proof of sovereignty. A provider can be DORA-compliant (operationally resilient) yet fail CADA's Level 3 criteria if it is subject to third-country control. Review audit reports and statements of conformity under Articles 19 and 20.
  4. Add contractual safeguards. Update cloud contracts with representations and warranties on CADA recognition status and, in light of Article 24(3), preserve clear rights to claim compensation if a provider's failure to maintain its assurance level causes disruption or data exposure.

Common misconceptions

  • "DORA compliance is enough for sovereignty." DORA focuses on operational resilience and ICT risk management. It does not assess whether a provider is subject to foreign laws that could enable third-country access to data or service disruption. CADA's proposed assurance-level framework targets exactly those sovereignty and strategic-autonomy risks.
  • "CADA would only apply to the public sector." While CADA's mandatory procurement rules (Article 30) target public-sector bodies and Union entities, the sovereignty framework (Title IV, Chapter I) would apply to any provider seeking recognition. Article 31 also contemplates extending impact-assessment obligations to private high-criticality entities, which can include finance.
  • "CADA would replace DORA for financial services." It would complement it. The proposal states that CADA "supports the objectives of" DORA. Financial entities would still need both: DORA for operational resilience and ICT risk, and CADA for sovereignty assurance and procurement eligibility.
  • "Level 1 would be sufficient for all financial data." Level 1 is the baseline for general public-sector procurement. Risk assessments under Article 29 may require Level 2, 3, or 4 for activities contributing to the preservation of public order.

This is general information about a draft EU regulation, not legal advice.