Summary
Under the proposed Cloud and AI Development Act (CADA), banks cannot automatically substitute private-sector impact assessments for the mandatory public-sector risk assessments required of Member States and Union entities. However, Article 31 explicitly enables entities listed in Annex I of the NIS2 Directive (which includes credit institutions and payment institutions) to carry out assessments "similar" to those mandated under Article 29. This mechanism allows banks to voluntarily evaluate cloud sovereignty risks, determine appropriate Union assurance levels for their critical operations, and align their resilience strategies with public-order safeguards, though conducting such an assessment remains voluntary unless the Commission adopts specific delegated acts.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework primarily designed to safeguard public order through mandatory risk assessments by public bodies. However, the proposal recognizes that critical private-sector entities, particularly in the financial sector, face analogous risks regarding data sovereignty, third-country control, and operational continuity. To address this, Article 31 creates a specific pathway for private entities to adopt the public-sector methodology.
The Legal Basis: Article 31 and NIS2 Scope
The core provision for private-sector engagement is Article 31(1), which states: "Entities referred to in Annex I of Directive (EU) 2022/2555 [the NIS2 Directive] who are not public sector bodies may carry out similar assessments as those set out in Article 29."
This provision is critical for the banking sector for three reasons:
- Inclusion of Credit Institutions: Banks, specifically credit institutions and payment institutions, are explicitly listed in Annex I of the NIS2 Directive under the "Financial market infrastructures" and "Banking" sectors. Consequently, they fall squarely within the scope of entities eligible to conduct these assessments under CADA.
- Voluntary but Standardized: The use of the modal verb "may" in Article 31(1) indicates that, under the current proposal, conducting these impact assessments is voluntary for private entities. Unlike public bodies, which are obliged to assess and procure at specific assurance levels, banks are merely permitted to do so. However, the provision establishes a standardized methodology, ensuring that if a bank chooses to assess, it uses the same rigorous criteria as the public sector.
- Mirroring Public Standards: By authorizing assessments that are "similar" to Article 29, CADA ensures that private entities can evaluate cloud providers against the same sovereignty benchmarks. This includes assessing the sensitivity of data, the criticality of operations, and the specific risks associated with third-country control or extraterritorial data access.
The Methodology: Aligning with Article 29
To understand the substance of an assessment a bank might conduct under Article 31, one must examine the mandatory framework for public bodies in Article 29.
Article 29(1) requires Member States and Union entities to carry out risk assessments to:
- Identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive (which covers banking and financial market infrastructures).
- Determine which Union assurance level (levels 2, 3, or 4) is appropriate for those activities.
Article 29(2) mandates that these assessments consider:
- The sensitivity, criticality, and magnitude of non-personal data processed.
- The nature, scope, context, and purpose of personal data processing.
- The risk of unlawful access by a third country or a legal entity established in a third country.
- The risk of service disruption.
When a bank invokes Article 31, it applies these exact criteria to its own operations. For instance, a bank processing critical financial data would assess whether its current cloud provider meets the criteria for Union assurance level 2, 3, or 4. This involves verifying data localization, personnel citizenship (conditional or mandatory depending on the level), and the absence of third-country control, as detailed in Annex II.
Commission Guidance and the Path to Mandatory Requirements
While Article 31(1) currently frames the assessment as voluntary, the proposal includes mechanisms to elevate this to a mandatory requirement if risks escalate.
Article 31(2) empowers the Commission to issue guidance on the methodology for carrying out these impact assessments and possible mitigation measures for private sector entities operating in sectors of high criticality. This guidance is expected to provide templates and methodologies that align with the public-sector risk assessments in Article 29, ensuring consistency across the Union.
More significantly, Article 31(3) provides a "trigger" for mandatory compliance. It states that where the Commission concludes, after consultation with Member States, that entities in sectors of high criticality require an impact assessment due to specific circumstances, it "may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."
This means that while banks currently may conduct these assessments, the Commission retains the power to make them mandatory for the financial sector if it determines that the risks to critical infrastructure necessitate a harmonized, compulsory approach to cloud sovereignty.
Interaction with DORA and Existing Frameworks
For banks, the CADA framework intersects with the Digital Operational Resilience Act (DORA). DORA already imposes strict ICT risk management and third-party risk management obligations on financial entities, including requirements for critical third-party providers.
CADA's Article 31 does not replace DORA but adds a distinct layer of sovereignty-specific assessment. While DORA focuses on operational resilience, cybersecurity, and the management of ICT risks, CADA focuses specifically on data sovereignty, freedom from third-country control, and the integrity of the supply chain. Banks will likely need to integrate these assessments to avoid duplication. The CADA framework can inform the deeper due diligence required by DORA on critical third-party providers, particularly regarding the "sovereignty" aspect of the provider's control structure and data location, which DORA addresses less explicitly.
What this means for you
For in-house counsel and compliance officers in the banking sector, Article 31 signals a strategic shift from purely technical cybersecurity compliance to broader sovereignty and supply chain risk management.
- Proactive Assessment: Even though Article 31 assessments are currently voluntary, banks should begin mapping their cloud dependencies against the Union assurance levels defined in CADA's Annex II. This prepares the organization for potential future mandates under Article 31(3).
- Methodology Alignment: Await and closely monitor the Commission's guidance under Article 31(2). This guidance will likely provide templates and methodologies that align with the public-sector risk assessments in Article 29. Early adoption of these methods can streamline future compliance and demonstrate due diligence.
- Vendor Due Diligence: When evaluating cloud providers, banks should request evidence of their alignment with Union assurance levels. If a bank conducts an Article 31 assessment and determines it requires a Union assurance level 3 or 4 for certain critical systems, it must ensure its providers can meet the stringent criteria for those levels, including data localization, personnel citizenship requirements (where applicable), and the absence of third-country control.
- Documentation and Reporting: Ensure that any impact assessments conducted are well-documented. If the Commission adopts delegated acts making these assessments mandatory, banks will need to demonstrate that they have systematically evaluated their cloud risks and implemented appropriate mitigation measures.
Common misconceptions
Misconception 1: Article 31 makes impact assessments mandatory for all banks immediately. Correction: Article 31(1) uses the term "may," indicating that the assessments are currently voluntary for private entities under the base text of the proposal. However, Article 31(3) provides a clear pathway for the Commission to make them mandatory through delegated acts if deemed necessary for sectors of high criticality.
Misconception 2: CADA impact assessments replace DORA compliance. Correction: CADA and DORA serve different purposes. DORA focuses on operational resilience and cybersecurity, while CADA focuses on sovereignty, data protection, and freedom from third-country control. Banks must comply with both, and the assessments may overlap in practice but are legally distinct obligations. CADA adds a sovereignty dimension that DORA does not fully cover.
Misconception 3: Only public sector bodies need to worry about Union assurance levels. Correction: While public sector bodies are mandated to use specific assurance levels based on risk assessments (Article 29 and Article 30), private entities like banks can and should use the same framework to manage their own sovereignty risks. The criteria for Union assurance levels apply to the cloud services themselves, regardless of who is procuring them. A bank procuring a Level 3 service must ensure the provider meets the Level 3 criteria, just as a public body would.
Misconception 4: Banks can use CADA assessments to bypass public procurement rules. Correction: CADA does not alter public procurement rules. If a bank is acting as a public body (e.g., a central bank performing public functions), it must follow Article 30 procurement rules. Article 31 applies to private-sector entities (commercial banks) conducting their own internal risk assessments.
This is general information about a draft EU regulation, not legal advice.