Summary
Under the proposed Cloud and AI Development Act (CADA), impact assessments are currently voluntary for private entities listed in Annex I of the NIS2 Directive. However, Article 31(3) grants the European Commission the power to adopt delegated acts (pursuant to Article 45) making these assessments mandatory for non-public-sector entities operating in "sectors of high criticality." This power can only be exercised in specific, duly justified circumstances, following consultation with Member States, and may include prescribed risk mitigation measures.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a tiered approach to cloud sovereignty. While public sector bodies are subject to immediate, binding risk assessment obligations under Article 29, the private sector is initially granted flexibility. The regulatory framework for private entities is defined in Article 31, which balances voluntary adoption with a "safety valve" mechanism allowing the Commission to impose mandatory requirements if systemic risks emerge.
The Baseline: Voluntary Assessments Under Article 31(1)
As proposed, Article 31(1) establishes the default position for the private sector. It states that "Entities referred to in Annex I of Directive (EU) 2022/2555 [the NIS2 Directive] who are not public sector bodies may carry out similar assessments as those set out in Article 29."
This provision is explicitly permissive. It targets "essential" and "important" entities—such as those in energy, transport, banking, health, and digital infrastructure—allowing them to voluntarily assess their dependencies on cloud computing services. The intent is to foster a culture of sovereignty risk management without imposing immediate, blanket regulatory burdens on the private sector. These voluntary assessments would mirror the methodology used by public bodies to determine the appropriate Union assurance level for their cloud services, focusing on data sensitivity, criticality, and the risk of third-country access or service disruption.
The Trigger: Mandatory Assessments Under Article 31(3)
The regulatory landscape shifts significantly under Article 31(3). This paragraph provides the Commission with a targeted enforcement mechanism to address gaps in voluntary compliance or emerging systemic threats.
Article 31(3) states:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This mechanism is not automatic. It requires a high threshold of justification. The Commission must determine that:
- Specific circumstances exist (e.g., a sudden geopolitical shift, a critical shortage of sovereign capacity, or evidence that voluntary measures are failing to mitigate existential risks).
- The situation is duly justified (supported by evidence).
- The Commission has acted in consultation with the Member States.
Only if these conditions are met can the Commission adopt a delegated act under Article 45. This act would legally transform the voluntary assessment into a mandatory obligation for the specified entities.
The Scope: "Sectors of High Criticality"
The mandate applies exclusively to entities operating in "sectors of high criticality." Article 31 itself does not enumerate these sectors; the term implicitly refers to the critical nature of the sectors covered by Annex I of the NIS2 Directive.
The term "high criticality" suggests a subset of NIS2 entities where the consequences of cloud service disruption or third-country data access would be catastrophic for public order, national security, or the functioning of the single market. Compliance officers in sectors such as critical financial market infrastructures, energy grids, or health data management should assume they are primary candidates for future mandatory assessments. The Commission's delegated act would specify exactly which entities and sectors are covered, ensuring the measure is proportionate and targeted.
The Process: Consultation and Delegated Acts
The power to make these assessments mandatory is exercised via delegated acts under Article 45. This legislative procedure is designed to ensure democratic oversight and technical rigor.
- Consultation with Member States: Article 31(3) explicitly requires the Commission to act "in consultation with the Member States" before concluding that mandatory assessments are necessary. This ensures that national authorities, who possess the best insight into local market conditions and risks, have a direct say in the trigger for mandatory obligations.
- Expert Consultation: Before adopting any delegated act, the Commission must consult experts designated by each Member State, in line with the principles of the Interinstitutional Agreement on Better Law-Making (referenced in Article 45).
- Scrutiny by Parliament and Council: Once a delegated act is adopted, it enters into force only if neither the European Parliament nor the Council objects within a two-month period (extendable by three months). This provides a final check on the Commission's exercise of this power.
This multi-layered process implies that any shift to a mandatory regime will be preceded by significant political and technical dialogue, providing industry with lead time to prepare.
Risk Mitigation Measures
Crucially, the delegated acts under Article 31(3) do not stop at requiring an assessment. They can also specify the "risk mitigation measures" that entities must take.
This transforms the impact assessment from a purely diagnostic tool into a precursor for binding remedial obligations. The Commission could prescribe specific technical or organizational actions, such as:
- Migrating critical workloads to cloud services recognized at Union assurance level 2, 3, or 4.
- Implementing mandatory multi-cloud strategies to reduce dependency on single providers.
- Adopting specific data localization protocols or encryption standards.
- Establishing specific incident response or service continuity plans.
By linking the assessment to prescribed mitigation measures, Article 31(3) ensures that the identification of a risk leads directly to a mandated solution, closing the loop on sovereignty risks in the private sector.
What this means for you
For in-house counsel, compliance officers, and CTOs at large enterprises, particularly those in essential sectors under the NIS2 Directive, the horizon is shifting from voluntary best practices to potential regulatory mandates.
- Prepare for the "Duly Justified" Threshold: Monitor Commission communications, impact assessments, and public consultations regarding cloud dependencies. If the Commission identifies a systemic risk in your sector (e.g., financial services relying on non-sovereign cloud for core trading data), it may invoke Article 31(3). You should begin documenting your current cloud sovereignty posture now to demonstrate proactive risk management.
- Align Internal Processes with Article 29: Although Article 31 assessments are voluntary for now, they are modeled on the mandatory risk assessments in Article 29 for public bodies. Adopting the methodology, templates, and rigor of Article 29 risk assessments internally will position your firm to comply seamlessly if delegated acts are adopted. This includes assessing data sensitivity, criticality, and the risk of third-country access.
- Watch for Delegated Acts: Track the adoption of delegated acts under Article 45. These acts will define the specific circumstances, the scope of "high criticality" sectors, and the required mitigation measures. Compliance teams should establish a monitoring protocol for the Official Journal of the European Union to receive immediate notice of any such acts affecting their sector.
- Engage in Consultations: Since the Commission must consult Member States before triggering mandatory assessments, engage with national regulators and industry associations to voice the operational impact of potential mandates. Early input can shape the definition of "specific circumstances" and the nature of required mitigation measures.
- Budget for Remediation: If an impact assessment reveals a dependency risk, the subsequent delegated act may require costly migrations to higher assurance levels. Budgeting for these potential capital expenditures should be part of long-term IT strategy, especially for firms relying on third-country hyperscalers for critical infrastructure.
Common misconceptions
Misconception 1: All private firms must conduct impact assessments. Correction: No. Article 31(1) makes assessments voluntary for entities listed in Annex I of the NIS2 Directive. Article 31(3) only allows the Commission to make them mandatory for entities in "sectors of high criticality" under "specific, duly justified circumstances." SMEs and entities outside high-criticality sectors are not currently subject to this mandate.
Misconception 2: The Commission can impose mandatory assessments unilaterally and immediately. Correction: The process is constrained. The Commission must act "in consultation with the Member States" and must find "specific circumstances" that are "duly justified." Furthermore, the actual requirements are set via delegated acts under Article 45, which are subject to scrutiny by the European Parliament and the Council. This is not an emergency power that bypasses democratic oversight.
Misconception 3: Impact assessments under Article 31 are identical to GDPR Data Protection Impact Assessments (DPIAs). Correction: While they may overlap, CADA impact assessments focus on sovereignty and operational autonomy risks (e.g., dependency on third-country providers, risk of service disruption, data access by foreign governments) rather than just personal data protection. They are aligned with the risk assessments in Article 29, which consider public order and security, not just privacy.
Misconception 4: Mandatory assessments will apply to all cloud services. Correction: The mandate would target entities in high-criticality sectors. Furthermore, the mitigation measures prescribed by the Commission would likely focus on the most critical workloads or those involving sensitive data, rather than every minor SaaS application used by the organization. The scope is defined by the specific delegated act.
This is general information about a draft EU regulation, not legal advice.