Summary
The proposed Cloud and AI Development Act (CADA) and the NIS2 Directive address cloud computing from different angles. NIS2, already in force, focuses on technical cybersecurity risk management. CADA, a Commission proposal, would add a "Union cloud computing sovereignty framework" and public-procurement mandates aimed at reducing dependence on non-EU providers. NIS2 does not require public authorities to choose sovereign providers or address third-country legal risk; CADA, as proposed, would oblige Member States and Union entities to run risk assessments and procure services meeting specific "Union assurance levels" to safeguard public order. For in-house counsel, this points to two parallel tracks: technical security under NIS2 and sovereignty assurance under CADA.
Detail
NIS2 (Directive (EU) 2022/2555) and CADA solve different problems. NIS2 sets minimum cybersecurity risk-management measures for entities in essential and important sectors. CADA, COM(2026) 502 final, aims to strengthen Europe's cloud and AI ecosystem by addressing capacity gaps and strategic dependencies on third-country providers. CADA is a proposal and is not yet in force.
NIS2: cybersecurity risk management, not sovereignty
NIS2 improves the cybersecurity risk management of cloud computing service providers and data centres in the EU. It requires designated entities to implement appropriate technical and organisational measures — covering incident handling, business continuity, supply-chain security and cryptography — to manage risks to network and information systems.
As the CADA explanatory memorandum notes, NIS2 "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." It does not distinguish providers by their geopolitical alignment or legal jurisdiction. A third-country provider can fully comply with NIS2 if it meets the technical standards, regardless of whether its home-country laws permit extraterritorial data access. NIS2 therefore does not address the risks of dependence on non-European providers, such as service disruption from sanctions or data access by foreign authorities.
CADA: sovereignty, assurance levels and public procurement
CADA would complement NIS2 by introducing a Union cloud computing sovereignty framework. Where NIS2 ensures a service is secure, CADA seeks to ensure a service is sovereign — under the effective control of the Union and shielded from the extraterritorial reach of third-country laws.
The Union cloud computing sovereignty framework
As proposed, Article 16(1) establishes "a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies." Article 16(2) would empower the Commission to adopt delegated acts to amend the assurance levels in Annex II and the evidence in Annex III, and Article 16(3) would require the Commission to review Annex II and Annex III at least every 18 months.
The criteria in Annex II escalate in strictness. Union assurance level 1, for example, requires that the provider is established in the Union and that infrastructure, assets and customer data remain in the Union unless the public sector body explicitly requires otherwise. Higher levels add audited requirements on personnel, screening and the absence of third-country control. For Union assurance level 4, the audited provider and its subcontractors must not be subject to the control of a third country. This directly targets the extraterritorial effect of laws such as the US CLOUD Act — a risk NIS2 does not mitigate.
Risk assessments and procurement obligations
Under Article 29, as proposed, Member States and Union entities would carry out risk assessments — by one year after entry into force and every two years thereafter — to identify public sector activities that contribute to the preservation of public order (in sectors under Annex I or II of NIS2, and in national security, internal security, border management, defence, justice or law enforcement) and to determine which Union assurance level (2, 3 or 4) is appropriate.
Based on those assessments, Article 30 would set procurement obligations:
- Union entities and public sector bodies whose activities are not identified as contributing to public order must use services recognised at Union assurance level 1 (Article 30(2)).
- Contracting authorities whose activities are so identified must only procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)).
This is a significant departure from NIS2, under which a public authority can choose any compliant provider.
Private-sector impact
CADA's mandatory procurement rules target the public sector, but the framework reaches further. Article 31 allows entities listed in Annex I of NIS2 that are not public sector bodies to carry out impact assessments similar to those in Article 29, and the Commission may issue guidance or, where duly justified, adopt delegated acts requiring such assessments and mitigation measures for entities in sectors of high criticality. In practice this would create market pressure for providers to obtain sovereignty recognition.
Key differences at a glance
| Feature | NIS2 Directive | CADA proposal |
|---|---|---|
| Primary focus | Technical cybersecurity risk management | Technological sovereignty and resilience |
| Scope | Essential and important entities across sectors | Cloud providers, data centres, public procurement |
| Provider criteria | Security measures, incident reporting, supply-chain security | Location of data/personnel, absence of third-country control, EU establishment |
| Third-country risk | Not addressed | Addressed via assurance levels and exclusion criteria |
| Procurement impact | None | Mandatory procurement of specific assurance levels for public bodies |
| Legal status | In force (transposition required) | Proposal (subject to legislative procedure) |
What this means for you
For in-house counsel and compliance officers, NIS2 and the proposed CADA point to a dual-compliance landscape that goes beyond traditional IT security.
1. Map your cloud stack against the sovereignty criteria. NIS2 compliance is likely already on your roadmap. Begin mapping providers against Annex II of the CADA proposal — EU establishment, data location, personnel arrangements and any third-country control. The criteria are specific even though CADA is not yet law.
2. Prepare for public-sector procurement restrictions. If you supply public authorities, NIS2 compliance alone may not suffice. As proposed, authorities would run risk assessments under Article 29; services used for public-order activities would need recognition at Union assurance level 2, 3 or 4, requiring independent third-party audits (Article 20) and potentially relocating data or personnel.
3. Watch the "associated third countries" mechanism. As proposed, Article 18 lets the Commission identify third countries whose providers may be audited against Union assurance level 3, provided the country meets cumulative criteria (including a GDPR adequacy decision and no measures compelling data access or service disruption). Designations would shape the eligibility of global hyperscalers.
4. Consider private-sector impact assessments. If you operate in a NIS2 Annex I sector (energy, transport, health, finance and others), Article 31 would let — and in some cases require — you to conduct impact assessments. Assessing cloud dependencies now positions you ahead of customer and regulator expectations.
5. Budget for audit and recognition costs. Unlike NIS2's reliance on self-assessment and supervision, CADA proposes a formal recognition mechanism: self-assessment for level 1, independent third-party audits for levels 2–4 (Articles 19 and 20). Start building the documentation those audits would require.
Common misconceptions
"NIS2 compliance is enough for cloud sovereignty." Incorrect. NIS2 ensures good security hygiene. It does not ensure that a provider is shielded from foreign data-access laws or that infrastructure sits in the EU. A provider can be NIS2-compliant yet fail CADA's assurance levels due to its ownership structure or data routing.
"CADA only applies to the public sector." The mandatory procurement rules (Article 30) apply to public authorities, but the framework affects the wider market: NIS2 Annex I entities can run impact assessments (Article 31), and providers seeking public-sector business would need recognition.
"CADA bans non-EU cloud providers." It does not impose a blanket ban. It creates a tiered system. Non-EU providers can still operate, but may be eligible for higher levels only where their home country is an "associated third country" under Article 18, and at Union assurance level 4 the provider and subcontractors must not be subject to third-country control.
"The rules are final." CADA is a proposal. It must be adopted by the European Parliament and the Council, and the assurance levels and deadlines may change. The direction of travel toward sovereignty requirements is, however, clear.
This is general information about a draft EU regulation, not legal advice.