Summary

Under the proposed Cloud and AI Development Act (CADA), private-sector entities classified as essential or important under Annex I of the NIS2 Directive are explicitly permitted to conduct voluntary impact assessments that mirror the mandatory risk assessments required for public bodies. Article 31(1) grants these non-public entities the right to carry out assessments similar to those in Article 29 to determine appropriate Union assurance levels for their cloud services. While currently voluntary, the proposal anticipates a "spillover" effect where private regulated industries align with public procurement standards. The Commission is empowered to issue guidance on methodology (Article 31(2)) and, in specific high-criticality cases, to mandate such assessments via delegated acts (Article 31(3)).

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework primarily designed to safeguard public order through public procurement rules. However, the proposal recognizes that the digital supply chain is deeply interconnected, and risks to public order often originate in or pass through critical private infrastructure. To address this, Article 31 creates a specific legal pathway for private-sector entities to engage with the sovereignty framework voluntarily, with the potential for future mandatory requirements.

The Legal Mechanism: Article 31

Article 31, titled "Impact assessments," is the dedicated provision governing the interaction between CADA and the private sector. It specifically targets entities referred to in Annex I of the NIS2 Directive that are not public sector bodies.

Article 31(1) states:

"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."

This provision creates a parallel, voluntary track. Article 29 imposes a binding obligation on Member States and Union entities to conduct risk assessments that determine which Union assurance level (1 through 4) is appropriate for their activities, specifically those contributing to the preservation of public order; Article 31 extends the same capability to the private sector. The assessment lets these entities evaluate the sensitivity, criticality, and magnitude of the data processed in cloud environments and identify risks of third-country access or service disruption.

Commission Guidance and the Power to Mandate

Although the baseline under Article 31(1) is voluntary ("may carry out"), the proposal includes mechanisms to ensure consistency and to address gaps where voluntary action might be insufficient.

Article 31(2) empowers the Commission to provide support:

"The Commission may issue guidance on the methodology for carrying out the impact assessments under this Article and possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality."

This guidance is intended to harmonize how private entities approach the assessment, ensuring that the "spillover" effect mentioned in the recitals is coherent across the Union.

More significantly, Article 31(3) establishes a trigger for mandatory intervention. It provides that:

"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."

This clause means that, although the baseline is permissive, the Commission retains the authority to convert the voluntary assessment into a binding obligation for specific high-criticality sectors. The trigger is deliberately narrow: the Commission must point to specific circumstances, give a duly justified reasoning, consult the Member States, and then act by delegated act under Article 45. That delegated act must specify both the need for the assessment and the risk mitigation measures the affected entities shall take.

The "Spillover" Effect and Market Dynamics

The rationale for including Article 31 is set out in Recital 66 of the proposal. The Commission acknowledges that public procurement acts as a primary market signal:

"Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

The recital highlights that private entities operating in regulated industries (such as those in Annex I of NIS2) are likely to face pressure from their own customers, partners, or internal risk management frameworks to adopt the same assurance levels as the public sector. By enabling these entities to conduct Article 29-style assessments, CADA facilitates a harmonized approach to sovereignty risks across the entire ecosystem, rather than creating a fragmented landscape where public and private sectors operate under different sovereignty standards.

Distinction from Public Sector Obligations

It is crucial to distinguish the nature of the obligation under Article 31 from Article 29:

  • Article 29 (Public Sector): Mandatory. Member States and Union entities must conduct risk assessments within one year of the regulation's entry into force and update them every two years. They must map activities to specific Union assurance levels (2, 3, or 4 for public order-relevant activities) and procure accordingly.
  • Article 31 (Private Sector): Voluntary (unless triggered by delegated acts). Entities "may" carry out assessments. There is no fixed deadline for adoption unless the Commission exercises its power under Article 31(3) to mandate it for specific high-criticality cases.

The private sector assessment is "similar" to the public one but is not automatically binding. However, the criteria used (Union assurance levels defined in Annex II) remain the same, ensuring that if a private entity chooses to assess, it uses the same sovereignty metrics as the public sector.

What this means for you

For cloud service providers, data centre operators, and private-sector entities in critical sectors (energy, transport, banking, health, digital infrastructure, etc.), Article 31 represents a strategic inflection point.

1. Strategic Voluntary Alignment

Even without a mandatory deadline, private entities in NIS2 Annex I sectors are likely to face market pressure to conduct these assessments. If your clients (e.g., a bank or a hospital) decide to perform an Article 31 assessment, they will need to determine which Union assurance level is appropriate for their cloud services. To meet that demand, a provider must be able to demonstrate compliance with the criteria for Union assurance levels 2, 3, or 4. This includes:

  • Establishment and Location: Proof of EU establishment and infrastructure location (Annex II, 2.1(a)-(b)).
  • Data Localisation: Guarantees that customer data remains exclusively within the Union (Annex II, 2.1(c)).
  • Personnel: Ability to staff the service with Union citizens where the client requires it (Annex II, 2.1(d)).
  • Cybersecurity: Holding a European cybersecurity certificate of at least "substantial" assurance level (Annex II, 2.1(e)).
  • Supply Chain: Providing a Software Bill of Materials (SBOM) and demonstrating controls against third-country remote tampering (Annex II, 2.1(i)).

2. Preparing for Potential Mandates

While Article 31(1) is currently voluntary, the Commission's power under Article 31(3) to adopt delegated acts means the regulatory landscape could shift rapidly. Entities in high-criticality sectors should:

  • Monitor Delegated Acts: Watch for Commission consultations or drafts regarding the "specific circumstances" that would trigger mandatory assessments.
  • Adopt the Methodology Early: If the Commission issues guidance under Article 31(2), adopting it early can future-proof your compliance posture and reduce the cost of transition if a mandate is later issued.

3. Audit Readiness and Evidence

If a private entity conducts an Article 31 assessment and determines that a higher assurance level (2, 3, or 4) is necessary, it will require evidence from its providers. A self-declaration is not enough; under Article 19 that is only sufficient for Level 1. Levels 2 to 4 require an independent third-party audit under Article 20.

  • Providers serving these clients must be prepared to undergo audits by an independent auditing organisation.
  • The audit report must include a "positive" audit opinion confirming compliance with the cumulative criteria in Annex II.
  • Without this audit, a provider cannot be recognised as offering Union assurance levels 2, 3, or 4, effectively locking them out of contracts with private entities that have conducted a rigorous Article 31 assessment.

4. Differentiating from NIS2 Compliance

It is vital to understand that an Article 31 assessment is distinct from NIS2 compliance.

  • NIS2 focuses on technical cybersecurity risk management, incident reporting, and operational resilience.
  • CADA (Article 31) focuses on sovereignty: operational autonomy, data confidentiality against third-country access, and protection against extraterritorial legal reach.

An entity must comply with both. A cloud provider might be NIS2-compliant (technically secure) but fail CADA's sovereignty criteria (e.g., if it is subject to third-country control or if its data can be accessed by a foreign government). Article 31 allows private entities to identify and mitigate these specific sovereignty risks.

Common misconceptions

Misconception 1: Article 31 makes impact assessments mandatory for all NIS2 entities immediately. Correction: No. Article 31(1) explicitly states that entities "may" carry out similar assessments. It is a voluntary right. Mandatory requirements can only be introduced later through delegated acts under Article 31(3), and only for specific high-criticality cases where the Commission concludes voluntary measures are insufficient.

Misconception 2: Private entities must use the exact same Union assurance levels as the public sector. Correction: Article 31 allows entities to carry out "similar" assessments, and those assessments are measured against the same Union assurance levels (1-4) defined in Annex II. What Article 31 does not do is bind the entity to procure according to the outcome; that only follows if the entity chooses to align or is mandated by a delegated act under Article 31(3). However, Recital 66 predicts a "spillover" effect where market dynamics will likely drive convergence, as private clients demand the same assurance levels as public bodies to ensure supply chain resilience.

Misconception 3: This replaces or duplicates NIS2 cybersecurity obligations. Correction: CADA and NIS2 are complementary, not overlapping. NIS2 addresses technical cybersecurity risks. CADA addresses sovereignty risks (third-country control, data access, operational autonomy). An Article 31 assessment addresses the latter. Entities must comply with both frameworks to ensure full resilience.

Misconception 4: Only public sector bodies can trigger the need for audited cloud services. Correction: While public procurement drives the initial demand for audited services (Levels 2-4), private entities conducting Article 31 assessments will also require evidence of compliance. This creates a private-sector demand for the same audit reports and conformity statements required by public bodies, expanding the market for certified sovereign cloud services beyond the public sector.

Misconception 5: The Commission can mandate assessments for any private company. Correction: The Commission's power under Article 31(3) is limited. It can only mandate assessments for entities "operating in sectors of high criticality" and only "where duly justified and in consultation with the Member States." It is not a blanket power over all private companies.

This is general information about a draft EU regulation, not legal advice.