Summary

As proposed, the Cloud and AI Development Act (CADA) does not impose a blanket obligation on all private companies to conduct sovereignty risk assessments. However, Article 31 explicitly permits entities listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555) that are not public sector bodies to voluntarily carry out "similar assessments" to those required of public authorities. These assessments allow critical private operators to evaluate their cloud dependencies against the same Union assurance levels used in the public sector. While currently voluntary, Article 31(2) empowers the Commission to issue methodology guidance, and Article 31(3) provides a mechanism for the Commission to adopt delegated acts making such assessments mandatory for specific high-criticality sectors if systemic risks are identified.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a robust framework for cloud sovereignty, primarily designed to safeguard the public order of the Union and its Member States. While the core obligations for mandatory risk assessments and subsequent procurement restrictions (under Article 29 and Article 30) apply strictly to Member States and Union entities, the proposal acknowledges that critical private-sector infrastructure faces analogous sovereignty risks. To address this, Article 31 creates a specific legal pathway for the private sector to engage with the sovereignty framework.

Voluntary Assessments for Critical Private Entities

Article 31 of the proposal, titled "Impact assessments," is the primary provision governing private-sector engagement. Its first paragraph, Article 31(1), states that entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive) that are not public sector bodies "may carry out similar assessments as those set out in Article 29."

This provision is significant because it extends the logic of the public sector's sovereignty risk assessment to the private domain for specific high-risk sectors. Article 29 mandates that public authorities identify activities contributing to the preservation of public order and determine the appropriate Union assurance level (levels 2, 3, or 4) required for their cloud services. By allowing NIS2 Annex I entities to conduct "similar assessments," CADA enables critical private operators (such as those in energy, transport, banking, health, and digital infrastructure) to evaluate their cloud dependencies using the same rigorous criteria.

These private entities can thus determine whether their current cloud providers meet the necessary assurance levels to mitigate risks related to third-country control, data access, or service disruption. This voluntary mechanism allows critical private infrastructure to align its risk management strategies with the Union's broader sovereignty objectives without being subject to the same mandatory procurement rules as public bodies.

Commission Guidance and Methodology

To ensure that these voluntary assessments are conducted consistently and effectively, Article 31(2) empowers the Commission to issue guidance. This guidance would cover the methodology for carrying out the impact assessments and outline possible mitigation measures that private sector entities operating in sectors of high criticality should adopt.

The existence of this guidance is crucial for market harmonization. Without it, private entities might apply disparate standards, leading to fragmentation and confusion regarding what constitutes a "sovereign" service in the private sector. The Commission's guidance would likely align private assessment methodologies with the criteria set out in Annex II of CADA, ensuring that a private entity's determination of a provider's assurance level is compatible with the official recognition process managed by national competent authorities.

Potential for Mandatory Requirements in High-Criticality Sectors

While the default position under Article 31 is voluntary, the proposal includes a conditional mechanism to escalate these requirements if necessary. Article 31(3) states that where, due to specific circumstances, and where duly justified and in consultation with Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts.

These delegated acts would supplement the Regulation by specifying the need for such an assessment and the risk mitigation measures that those entities must take. This provision acts as a safety valve, allowing the EU to respond to emerging systemic risks in the private sector. If the Commission identifies that dependencies in a specific high-criticality sector pose a threat to the Union's strategic autonomy or operational continuity, it can move from a voluntary to a mandatory regime for that sector via delegated legislation.

Context: Why Private Sector Assessments Matter

The rationale for including Article 31 is explicitly detailed in Recital 66 of the proposal. The recital notes that public procurement frequently serves as a primary signal of market direction. It observes that "requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

Recital 66 underscores the importance of enabling private-sector entities in NIS2 Annex I sectors to carry out these assessments to facilitate this market realignment. By providing a legal basis for these assessments, CADA aims to accelerate the shift toward sovereign cloud services across the entire economy, not just the public sector. It recognizes that critical private infrastructure is often as vital to the Union's security and resilience as public services, and thus, these entities should have the tools to assess and mitigate their own sovereignty risks.

What this means for you

If you are a cloud service provider, data centre operator, or a critical private-sector entity (e.g., in energy, transport, finance, or health), the provisions of Article 31 have immediate strategic implications.

  • For Cloud Providers Serving Critical Sectors: You should anticipate that your clients in NIS2 Annex I sectors may begin conducting formal impact assessments under Article 31. These clients will likely request evidence that your services meet specific Union assurance levels (2, 3, or 4). Ensure your documentation, audit reports, and transparency measures are ready to support these assessments. Providers with recognized assurance levels are likely to have a distinct competitive advantage.
  • For Critical Private Entities (NIS2 Annex I): Once the proposal is adopted, you would have an explicit legal basis to conduct sovereignty risk assessments similar to those of public authorities. This allows you to proactively manage your supply chain risks. You should review your current cloud dependencies and consider whether a voluntary assessment under Article 31 is warranted to ensure operational continuity and compliance with your own risk management frameworks.
  • Monitor Commission Guidance: Keep a close watch on the guidance the Commission may issue under Article 31(2). This guidance will define the methodology for these assessments. Aligning your internal processes with this guidance early will streamline the assessment process for your clients or for your own internal risk management.
  • Prepare for Potential Mandates: Although currently voluntary, Article 31(3) creates a pathway for mandatory assessments in sectors of high criticality. If your sector falls into that category and the Commission, in consultation with Member States, concludes that an impact assessment is required, be prepared for the possibility of delegated acts requiring you to conduct these assessments and implement specific mitigation measures.

Common misconceptions

Misconception 1: All private companies must conduct CADA risk assessments. Incorrect. Article 31 is limited to entities referred to in Annex I of the NIS2 Directive that are not public sector bodies. There is no blanket requirement for small and medium-sized enterprises (SMEs) or private companies outside these critical sectors to perform sovereignty risk assessments under CADA. The mandatory risk assessments under Article 29 apply strictly to Member States and Union entities.

Misconception 2: Private sector assessments under Article 31 trigger the same procurement obligations as public assessments. Incorrect. While public authorities are legally bound by Article 30 to procure only from services meeting the assurance levels determined by their risk assessments, private entities conducting assessments under Article 31 are doing so voluntarily (unless future delegated acts under Article 31(3) change this). Their procurement decisions remain their own commercial choices, though they may be influenced by the assessment outcomes and market pressures.

Misconception 3: The private sector assessment is identical to the public sector's. Not exactly. Article 31 states that private entities may carry out "similar" assessments. While the methodology and the criteria (Union assurance levels) are aligned with the public sector framework, the legal context and consequences differ. Public sector assessments directly trigger binding procurement obligations under Article 30; private sector assessments are primarily for internal risk management, dependency mitigation, and market signaling, unless the Commission intervenes under Article 31(3).

Misconception 4: Article 31 replaces NIS2 cybersecurity requirements. Incorrect. Article 31 complements NIS2 by addressing sovereignty risks (third-country control, operational autonomy) rather than just technical cybersecurity. NIS2 focuses on the security of network and information systems, while CADA's Article 31 focuses on the strategic autonomy and resilience of the supply chain. Entities must comply with both frameworks.

This is general information about a draft EU regulation, not legal advice.