Summary
As proposed, the Cloud and AI Development Act (CADA) and the review of the Cybersecurity Act (CSA2) are meant to be read together to cover both security and sovereignty. CSA2 focuses on technical cybersecurity and the trustworthiness of the ICT supply chain; CADA addresses sovereignty risks such as operational autonomy, data confidentiality and exposure to third-country extraterritorial laws. CADA fills the non-technical gaps CSA2 does not, so that public-sector procurement can require services that are both technically secure and sovereign.
Detail
CADA, COM(2026) 502 final, positions itself as a complement to the ongoing review of the Cybersecurity Act (CSA2). Its explanatory memorandum states that "together, the proposal and the CSA2 fill long-standing gaps in sovereignty and non-technical risks." It also notes that certification under the Cybersecurity Act "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements."
Distinct but complementary roles
The two instruments address different layers of risk:
- CSA2 (technical cybersecurity): The review of the Cybersecurity Act reinforces the trustworthiness of the hardware and software ICT supply chain. It concerns technical resilience, vulnerability handling and certification of ICT products and services. Certification can address technical cybersecurity criteria but does not assess whether a provider is subject to third-country laws that could compel data access or service disruption.
- CADA (sovereignty and operational autonomy): CADA would establish a "Union cloud computing sovereignty framework" with four assurance levels (Article 16). This assesses data sovereignty, operational continuity and the extraterritorial effect of third-country laws, so that cloud services used by the public sector are resilient against legal or political coercion from non-EU jurisdictions.
How they would work together
- Layered assurance. CADA's higher assurance levels build on cybersecurity certification. Under Annex II, to be recognised at Union assurance level 2 or 3 the audited service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established pursuant to Regulation (EU) 2019/881, once such a scheme is available; Union assurance level 4 requires a certificate of at least assurance level 'high'. Until such a scheme exists, national schemes or the highest applicable cybersecurity standards apply.
- Filling the gap. CADA provides a harmonised mechanism to mitigate non-technical risks — such as sabotage or remote interference, unauthorised access or espionage, and dependency-driven political or economic coercion — that CSA2 certification does not regulate.
- Public-procurement integration. CADA would oblige Member States and Union entities to conduct risk assessments (Article 29) to determine which public-sector activities require Union assurance level 2, 3 or 4, and contracting authorities would then have to procure accordingly (Article 30). Technical certification under CSA2 would thus be accepted for those activities only where the provider also meets CADA's sovereignty criteria.
Key provisions in CADA
- Article 16: establishes the Union cloud computing sovereignty framework of four assurance levels, with the criteria in Annex II.
- Article 29: requires Member States and Union entities to carry out risk assessments — by one year after entry into force and every two years thereafter — to identify public-sector activities contributing to the preservation of public order and the appropriate assurance level (2, 3 or 4).
- Article 30: requires Union entities and public bodies whose activities are not identified as contributing to public order to use services recognised at Union assurance level 1 (Article 30(2)); contracting authorities whose activities are so identified must only procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)).
What this means for you
For in-house counsel and compliance officers, the pairing of CADA and CSA2 means technical cybersecurity compliance would no longer be sufficient for many public-sector contracts. Prepare for a dual regime:
- Audit readiness for sovereignty. Beyond technical certification under CSA2, providers seeking Union assurance levels 2–4 would face independent third-party audits under CADA (Article 20), including evidence that no third-country laws compel data access or service disruption (Annex II).
- Risk-assessment participation. Public-sector entities would conduct risk assessments every two years (Article 29) to classify their activities; those contributing to public order would have to procure only services at Union assurance levels 2–4. NIS2 Annex I entities that are not public bodies may run similar impact assessments (Article 31).
- Supply-chain scrutiny. Higher assurance levels in Annex II require demonstrable separation from third-country control and full transparency over subcontractors, infrastructure and data flows, backed by detailed documentation of ownership and control.
- Penalties and enforcement. As proposed, Member States would lay down penalties for infringements of CADA's sovereignty chapter (Article 24); these must be effective, proportionate and dissuasive, taking into account the nature, gravity and duration of the infringement.
Common misconceptions
- "CSA2 certification is enough for public contracts." Incorrect. CSA2 addresses technical security; CADA adds sovereignty assurance. A provider can be technically secure yet fail CADA's tests if it is subject to third-country extraterritorial laws.
- "CADA replaces CSA2." Incorrect. They are complementary, and CADA's higher assurance levels rely on CSA2-type cybersecurity certificates as a prerequisite.
- "Sovereignty means data localisation only." Incorrect. Data localisation is part of Union assurance level 1 (Annex II, level 1 criteria), but sovereignty also covers operational autonomy, protection against service disruption and freedom from third-country control over personnel and infrastructure (Annex II, levels 2–4).
Related
- CADA vs the Chips Act review: how do they connect?
- CADA vs the US CLOUD Act: how do they differ?
- CADA vs the Data Governance Act (DGA): how do they compare?
- CADA vs the Cybersecurity Act: what does each cover?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
This is general information about a draft EU regulation, not legal advice.