Summary
Under the proposed Cloud and AI Development Act (CADA), energy operators are not yet subject to a blanket mandatory obligation to conduct impact assessments, but they are expressly empowered to do so. As entities listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555), energy operators fall squarely within the scope of Article 31 of CADA. This article grants such private-sector entities the right to carry out "similar assessments" to the mandatory risk assessments required of public authorities under Article 29. By leveraging Article 31, energy operators can proactively evaluate their cloud dependencies, determine the appropriate Union assurance levels (1–4) for their services, and align their procurement with the sovereignty framework. While currently voluntary, the Commission retains the power to adopt delegated acts to make these assessments mandatory for sectors of high criticality.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dual-track framework for cloud sovereignty. One track imposes mandatory obligations on public authorities and Union entities; the other creates a voluntary but strategically vital pathway for critical private-sector entities. For the energy sector, Article 31 is the pivotal provision that bridges the gap between existing cybersecurity mandates and the new sovereignty requirements.
Article 31: The Private-Sector Voluntary Mechanism
Article 31 of the CADA proposal is titled "Impact assessments" and specifically targets private-sector entities. The text states:
"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."
This provision is legally significant because it explicitly references the NIS2 Directive (Directive (EU) 2022/2555) and its Annex I, which enumerates the sectors of high criticality. By referencing this specific annex, the proposal ensures that entities already subject to stringent cybersecurity risk management under NIS2 are the same entities invited to assess their cloud sovereignty risks under CADA.
The "similar assessments" referred to in Article 31 are modeled directly on the risk assessments mandated for Member States and Union entities under Article 29. Under Article 29, public bodies must:
- Identify public sector activities that contribute to the preservation of public order (e.g., in national security, defence, or law enforcement).
- Determine which Union assurance level (1, 2, 3, or 4) is appropriate for those activities based on the sensitivity of data and the risk of third-country interference.
Article 31 allows private energy operators to adopt this same methodology. While the public sector must procure cloud services at the level determined by their risk assessment (per Article 30), private entities under Article 31 are currently permitted to conduct the assessment to inform their own procurement and risk management strategies.
Energy Operators as NIS2 Annex I Entities
The applicability of Article 31 to the energy sector is not hypothetical; it is grounded in the explicit classification of energy within the NIS2 framework. Annex I of Directive (EU) 2022/2555 lists the following sectors:
- Energy (including electricity, district heating, gas, hydrogen, and oil)
- Transport
- Banking and financial market infrastructures
- Health
- Drinking water and wastewater
- Digital infrastructure
- ICT service management
- Public administration
- Space
Consequently, energy operators—including transmission system operators (TSOs), distribution system operators (DSOs), electricity suppliers, gas distributors, and hydrogen network operators—are legally defined as "entities referred to in Annex I" of NIS2. As long as they are not public sector bodies (a distinction that applies to many commercial energy operators), they qualify as the beneficiaries of Article 31.
This classification is critical because it aligns CADA's sovereignty framework with the existing cybersecurity baseline. Energy operators are already required under NIS2 to manage risks related to the continuity of essential services. Article 31 extends this duty to include sovereignty risks, such as the risk of third-country access to data, service disruption due to extraterritorial laws, or operational autonomy being compromised by foreign control.
Mirroring Public-Sector Risk Assessments (Article 29)
The impact assessments permitted under Article 31 are designed to mirror the rigorous process outlined in Article 29. This means energy operators can, and should, evaluate their cloud infrastructure against the same criteria used by public authorities:
- Sensitivity and Criticality: Operators must assess the sensitivity, criticality, and magnitude of the non-personal and personal data processed. For energy operators, this includes operational technology (OT) data, grid control signals, and customer consumption data.
- Third-Country Risks: The assessment must consider the risk of unlawful access by a third country or a legal entity established in a third country. This includes evaluating the risk of service disruption or degradation caused by foreign laws (e.g., the US CLOUD Act) or political coercion.
- Determination of Assurance Levels: Based on the risk profile, the operator can determine which Union assurance level is appropriate.
  - Level 1: Basic Union establishment and data localization.
  - Level 2: Substantial cybersecurity certification and no third-country control.
  - Level 3: High cybersecurity certification, Union citizenship for personnel (conditional), and no third-country control (unless a derogation under Article 18 applies).
  - Level 4: High cybersecurity certification, mandatory Union citizenship, and strict prohibitions on third-country control.
For instance, an energy operator managing critical grid infrastructure might conclude that their current cloud provider, while NIS2-compliant, is subject to third-country control. Through an Article 31 assessment, they could determine that Union assurance level 3 or 4 is necessary to mitigate the risk of service disruption. This determination would then guide their procurement strategy, potentially requiring them to migrate to a provider recognized at that higher level.
The Pathway to Mandatory Requirements
While Article 31 currently uses permissive language ("may carry out"), it contains a mechanism for escalation. Article 31(3) states:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."
This clause indicates that the voluntary nature of Article 31 is not permanent. If the Commission determines that the geopolitical situation or specific risks in the energy sector warrant it, it can issue delegated acts to make these assessments mandatory for all NIS2 Annex I entities. This creates a "comply or explain" dynamic in which early adoption of Article 31 assessments is a strategic hedge against future regulatory compulsion.
Furthermore, the Commission is empowered to issue guidance on the methodology for these assessments. This guidance will likely standardize the templates and risk matrices used by public authorities under Article 29, ensuring that private-sector assessments are consistent and comparable across the Union.
What this means for you
For in-house counsel, compliance officers, and CTOs in the energy sector, Article 31 offers a structured framework to future-proof cloud strategies.
- Initiate Voluntary Assessments Now: Do not wait for a delegated act to make assessments mandatory. Use the authority granted by Article 31 to conduct a "mirror" assessment of your cloud portfolio today. Map your critical workloads against the Union assurance levels defined in Annex II.
- Integrate with NIS2 Risk Management: Your existing NIS2 risk management processes already cover technical cybersecurity. Layer the CADA sovereignty assessment on top of this. Where NIS2 asks "Is the system secure?", CADA asks "Is the provider sovereign?" and "Can a third country disrupt this service?"
- Vendor Due Diligence Upgrade: Update your vendor questionnaires to include CADA-specific criteria. Ask providers: "Are you recognized at Union assurance level 2, 3, or 4?" "Do you have a European cybersecurity certificate of at least 'substantial' assurance?" "Can you guarantee no third-country control?"
- Prepare for Migration: If your assessment reveals that your current provider does not meet the necessary assurance level for your critical infrastructure, begin developing a migration plan. CADA emphasizes reducing dependencies on non-European providers; having a roadmap to a sovereign alternative demonstrates proactive compliance.
- Monitor Delegated Acts: Stay alert for Commission guidance and any delegated acts under Article 31(3). The transition from voluntary to mandatory could happen quickly if geopolitical tensions rise. Early adoption positions your organization as a leader in digital resilience.
Common misconceptions
"CADA mandates impact assessments for all energy operators immediately." Reality: No. Under the current proposal, Article 31 is permissive ("may carry out"). However, the Commission has the explicit power to make them mandatory via delegated acts if specific circumstances arise.
"NIS2 cybersecurity compliance is sufficient for CADA sovereignty requirements." Reality: NIS2 focuses on technical cybersecurity (e.g., incident response, access control). CADA focuses on sovereignty, operational autonomy, and third-country control. A provider can be fully NIS2-compliant but fail CADA Level 3 or 4 criteria due to foreign ownership or extraterritorial legal exposure.
"Only public sector bodies need to worry about Union assurance levels." Reality: While public bodies are mandated to procure at specific levels (Article 30), private entities in critical sectors like energy are empowered to assess their own needs under Article 31. Market pressures, supply chain requirements, and potential future delegated acts will likely drive widespread private adoption.
"Energy operators are exempt because they are private." Reality: Energy operators are explicitly included via their classification in Annex I of the NIS2 Directive. Article 31 was drafted specifically to cover these critical private infrastructure entities.
This is general information about a draft EU regulation, not legal advice.