Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) would empower the European Commission to adopt delegated acts requiring private-sector entities operating in sectors of "high criticality" to conduct impact assessments and implement specific risk-mitigation measures. This power is explicitly granted under Article 31(3) and confirmed in Recital 85. The mechanism targets entities listed in Annex I of the NIS2 Directive that are not public sector bodies. Crucially, this obligation is not automatic; it is conditional, triggered only when the Commission, after consultation with Member States, concludes that "specific circumstances" justify extending the sovereignty framework beyond the public sector to protect the EU's strategic autonomy and public order.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a robust sovereignty framework primarily designed to govern public procurement and the resilience of Union entities. However, the proposal acknowledges that systemic risks arising from dependence on non-European cloud providers are not confined to the public sector. To address this, the legislation includes a targeted mechanism to extend sovereignty safeguards to critical private infrastructure through the use of delegated acts.

The Legal Mechanism: Article 31 and Delegated Acts

The core of this authority lies in Article 31, titled "Impact assessments." This article creates a two-tiered approach for private entities:

  1. Voluntary Assessment (Article 31(1)): Under the proposal as drafted, private entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive) that are not public sector bodies may carry out assessments similar to those required of public bodies under Article 29. This is a voluntary option for private companies to evaluate their cloud sovereignty risks.
  2. Mandatory Assessment via Delegated Act (Article 31(3)): The proposal grants the Commission the power to convert this voluntary option into a mandatory obligation for specific high-risk scenarios. Article 31(3) states:

    "Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."

This provision creates a conditional trigger. The Commission cannot simply issue a blanket requirement for all private companies. It must first identify "specific circumstances" and "duly justify" the need, while consulting Member States. Only then can it adopt a delegated act under Article 45 to specify exactly which entities must assess their risks and what mitigation measures they must implement.

The Role of Recital 85

Recital 85 of the explanatory memorandum explicitly outlines the scope of the Commission's delegated powers, reinforcing the text of Article 31(3). It confirms that the Commission is empowered to adopt delegated acts for:

"...requiring an impact assessment and risk mitigation measures for private companies operating in sectors of high criticality."

This recital serves as a legislative confirmation that the extension of the sovereignty framework to the private sector is a deliberate policy choice, intended to be flexible and responsive to evolving geopolitical and technological threats. It ensures that the obligation remains proportionate, applying only where the risk to the Union's strategic autonomy is deemed significant enough to warrant regulatory intervention.

Link to High-Risk Dependency Rules

The requirement for private sector impact assessments is intrinsically linked to the broader Title IV (Autonomy) framework of CADA, specifically the Union cloud computing sovereignty framework established in Article 16.

For the public sector, Article 29 mandates risk assessments to determine the appropriate "Union assurance level" (Levels 1–4) required for cloud services. These assessments evaluate:

  • The sensitivity and criticality of data processed.
  • The risk of unlawful access by third countries.
  • The risk of service disruption or degradation.

For the private sector, the logic under Article 31(3) mirrors this but applies selectively. The "high criticality" designation likely refers to sectors where a disruption in cloud services would have severe cascading effects on the EU economy, public order, or safety. These align closely with the essential and important entities defined in NIS2 Annex I.

If a delegated act is adopted, the private entity would be required to:

  1. Identify Dependencies: Map their reliance on cloud providers, particularly those subject to third-country control.
  2. Evaluate Sovereignty Risks: Assess the risk of extraterritorial data access (e.g., under laws like the US CLOUD Act) and the potential for service disruption due to third-country sanctions or political interference.
  3. Implement Mitigation: Adopt measures such as migrating to providers recognized at higher Union assurance levels (e.g., Level 2, 3, or 4), adopting multi-cloud strategies, or implementing specific technical controls to prevent data leakage or service degradation.

This mechanism effectively bridges the gap between public sovereignty requirements and private sector resilience, ensuring that critical private infrastructure does not become a weak link in the Union's strategic autonomy.

Who Could Be Affected?

The scope of potential impact is significant but targeted. The baseline for affected entities is Annex I of the NIS2 Directive. If the Commission adopts a delegated act under Article 31(3), the following private entities could be required to conduct impact assessments:

  • Energy: Electricity, gas, hydrogen, and oil transmission and distribution system operators.
  • Transport: Air, rail, water, and road transport operators and logistics providers.
  • Banking and Financial Market Infrastructure: Credit institutions, payment service providers, and trading venues.
  • Digital Infrastructure: Online marketplaces, search engines, cloud computing service providers, data centres, DNS providers, and top-level domain name registries.
  • Health: Hospitals, clinics, and research organizations involved in critical health data.
  • Water and Waste: Drinking water supply and wastewater management operators.
  • Space: Operators of space infrastructure.
  • Public Administration: Public bodies are already covered under Article 29; this item applies only to private entities operating within the sector.

The Commission would likely focus on specific sub-sectors or entities where the concentration of non-EU providers is high, or where the nature of the data processed poses a unique threat to public order. For example, a private data centre operator hosting critical government data or a private energy grid operator relying on a single non-EU cloud provider for control systems could be prime candidates for such a mandate.

What this means for you

For cloud service providers, data centre operators, and private companies in critical sectors, the potential for delegated acts under Article 31(3) signals a significant shift in the regulatory landscape.

1. Preparation for Mandatory Sovereignty Audits

Even before a delegated act is adopted, private entities in high-criticality sectors should anticipate the possibility of mandatory impact assessments. This means preparing to demonstrate compliance with the Union assurance levels (Article 16) and the associated criteria in Annex II. If you are a cloud provider serving these sectors, you must be ready to undergo the rigorous independent audits required for Levels 2, 3, and 4 (Article 20), which include checks on personnel citizenship, data localization, and third-country control.

2. Voluntary Self-Assessment as a Strategic Advantage

Under Article 31(1), private entities may already carry out impact assessments. Conducting these voluntarily is a strategic move. It allows companies to:

  • Identify vulnerabilities in their cloud supply chain before regulators intervene.
  • Demonstrate due diligence to stakeholders and potential customers.
  • Position themselves to comply quickly if a delegated act is adopted, minimizing operational disruption.

3. Supply Chain Transparency and Documentation

The impact assessments will likely scrutinize the entire supply chain. Private entities must ensure they have:

  • A complete and up-to-date Software Bill of Materials (SBOM).
  • Clear documentation of data flows and localization policies.
  • Evidence of personnel screening and citizenship verification (where required).
  • Contracts with subcontractors that enforce sovereignty requirements.

As per Annex II and Annex III, higher assurance levels require strict controls over third-country influence. Private companies should audit their own subcontractors to ensure they can meet these standards if mandated.

4. Engagement in the Delegated Act Process

Since the adoption of delegated acts under Article 45 requires consultation with Member State experts and allows for scrutiny by the European Parliament and Council, industry stakeholders have an opportunity to influence the outcome. Engaging in these consultations allows companies to:

  • Provide evidence on the feasibility and cost of impact assessments.
  • Argue for proportionate and technically sound requirements.
  • Highlight potential unintended consequences of overly broad mandates.

Common misconceptions

Misconception 1: All private companies must do impact assessments. Correction: No. Article 31(1) makes impact assessments voluntary for private entities in NIS2 sectors. Only those in "sectors of high criticality" specifically identified by the Commission through a delegated act under Article 31(3) would be required to do so. The Commission must justify this based on "specific circumstances."

Misconception 2: This is a new regulatory burden separate from NIS2. Correction: The CADA proposal builds on the existing NIS2 framework. It uses the NIS2 Annex I list as the baseline for private sector obligations. The impact assessment under CADA focuses specifically on cloud sovereignty and dependency risks, complementing the cybersecurity risk management already required by NIS2. It does not replace NIS2 but adds a layer of sovereignty-specific due diligence.

Misconception 3: The Commission can directly fine private companies for non-compliance with impact assessments. Correction: Article 31 does not specify penalties for private entities failing to conduct impact assessments. Penalties under CADA (Article 24) primarily target cloud computing service providers for infringements of the sovereignty framework (e.g., providing false information for assurance levels). Compliance by private entities would likely be enforced through national authorities or sectoral regulators, potentially leveraging existing NIS2 enforcement mechanisms or national laws transposing CADA.

Misconception 4: Delegated acts are already in force. Correction: CADA is a proposal. The delegated act power under Article 31(3) is not yet active. The Commission must first adopt the delegated act following the procedure in Article 45, which includes consultation with Member States and the right of the European Parliament and Council to object. Until such an act is adopted, the obligation remains voluntary.

This is general information about a draft EU regulation, not legal advice.