Summary

The proposed Cloud and AI Development Act (CADA) does not mandate that the same national authority enforces both CADA and the NIS2 Directive. While Member States are permitted to designate an existing authority to serve as the CADA National Competent Authority (NCA), the regulation explicitly allows for the creation of new or separate bodies. CADA establishes a distinct enforcement framework focused on cloud sovereignty and Union assurance levels, operating alongside NIS2's cybersecurity regime. Crucially, CADA's cross-border cooperation mechanism under Article 28 applies specifically to its own NCAs, creating a parallel but separate coordination track from NIS2. In-house counsel must anticipate that cybersecurity oversight and sovereignty enforcement may fall to different entities within the same Member State.

Detail

The regulatory landscape for cloud computing in the EU is evolving from a singular focus on cybersecurity (NIS2) to a dual-layered approach that adds a sovereignty dimension (CADA). A central question for legal and compliance teams is whether these two regimes will converge under a single enforcement body or remain distinct. As proposed in COM(2026) 502 final, CADA creates a separate legal architecture for cloud sovereignty, with its own designated authorities, powers, and cooperation mechanisms.

Designation of CADA National Competent Authorities

The cornerstone of CADA's enforcement structure is the designation of National Competent Authorities (NCAs). Article 25(1) of the proposal requires Member States to designate one or more national competent authorities responsible for enforcing Title IV (Autonomy) of the Regulation. This designation must occur by the date of entry into force plus one year.

Crucially, Article 25(1) provides flexibility: "Member States may designate an existing authority or existing authorities ('competent authorities')." This phrasing is permissive, not mandatory. It allows Member States to leverage existing structures, such as the authorities already responsible for NIS2, the GDPR, or the Digital Services Act, but it does not compel them to do so. A Member State could equally choose to designate a new agency, a specific ministry, or a data protection authority that is entirely separate from the NIS2 supervisory body.

The proposal further clarifies the territorial scope of enforcement in Article 25(4). It states that the Member State where the cloud computing service provider has its "main establishment" (defined as the head office or registered office where principal financial functions and operational control are exercised) shall have "exclusive competence for enforcing this Chapter." This establishes a "single point of contact" model for CADA enforcement within a Member State. However, this "single point" is specific to CADA obligations and does not automatically align with the NIS2 supervisory authority, which may have a different designation logic or jurisdictional scope.

Distinct Enforcement Powers and Penalty Regimes

The enforcement powers granted to CADA NCAs are tailored to the specific objectives of cloud sovereignty, differing significantly from the cybersecurity focus of NIS2. Article 26 outlines the investigative and enforcement powers of CADA NCAs. These include the power to require information from providers and subcontractors, the power to inspect premises (or request judicial authorities to do so), and the power to order the cessation of infringements.

Furthermore, Article 26(2)(b) grants the power to "impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with this Regulation." This creates a distinct penalty regime. Article 24 mandates that Member States lay down rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."

The criteria for imposing these penalties, listed in Article 24(2), include the nature, gravity, scale, and duration of the infringement, as well as the financial benefits gained or losses avoided. These criteria are specific to CADA's sovereignty objectives (e.g., failure to maintain data within the Union, failure to meet Union assurance levels). This stands in contrast to NIS2, where penalties are calculated based on cybersecurity risk management failures, incident reporting delays, or non-compliance with security measures. Consequently, a provider could face two separate sets of fines from two different authorities for distinct failures: one for a cybersecurity breach under NIS2 and another for a sovereignty breach under CADA.

Cross-Border Cooperation Under Article 28

While enforcement authorities may differ from those under NIS2, CADA establishes a robust, self-contained mechanism for cross-border cooperation among its own NCAs. Article 28 sets out the principles of cross-border cooperation between Member States' national competent authorities.

The mechanism is triggered when a "competent authority of destination" (the Member State where the service is used) has reason to suspect that a cloud computing service provider no longer fulfills the requirements under Annex II (the Union assurance levels). In such cases, the destination authority may request the "competent authority of establishment" (the authority in the Member State of the provider's main establishment) to assess the matter and take necessary investigatory and enforcement measures.

Article 28(4) imposes a strict procedural deadline: the competent authority of establishment must communicate its assessment and any measures taken or envisaged "as soon as possible and in any event not later than two months after receipt of the request." This ensures that CADA enforcement is coordinated across the EU, preventing regulatory arbitrage and ensuring consistent application of sovereignty standards.

However, this mechanism operates strictly within the CADA ecosystem. It does not automatically integrate NIS2 authorities into this specific cross-border workflow. Unless a Member State has explicitly designated its NIS2 authority as its CADA NCA, the NIS2 body would have no standing under Article 28 to request or receive information regarding CADA assurance levels. The two regimes maintain separate communication channels.

Relationship with NIS2: Complementary but Separate

The CADA explanatory memorandum explicitly addresses the relationship with the NIS2 Directive. It acknowledges that NIS2 improves the cybersecurity risk management of cloud computing service providers and data centres, resulting in greater trust. However, the memorandum clarifies a critical distinction: NIS2 "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

CADA complements NIS2 by addressing sovereignty, data localization, operational autonomy, and the reduction of third-country dependencies, areas that are outside the scope of NIS2. Therefore, a cloud provider may need to report to a cybersecurity authority under NIS2 for technical security incidents, while simultaneously reporting to a potentially different CADA NCA for changes in its Union assurance level status, material changes in control, or sovereignty risk assessments. The two regimes are designed to run in parallel, addressing different layers of risk: technical security (NIS2) and strategic sovereignty (CADA).

What this means for you

For in-house counsel, compliance officers, and general counsel, the lack of a mandatory merged authority means you must map your regulatory obligations carefully across potentially multiple agencies. The "one-stop-shop" principle of CADA applies only to CADA enforcement, not to the broader digital regulatory landscape.

  1. Identify Your Authorities: Do not assume your NIS2 supervisory authority is also your CADA NCA. Monitor national transposition measures and public consultations to identify which authority is designated under Article 25 of CADA. It may be a data protection authority, a communications regulator, a ministry of digital affairs, or a newly created agency. The designation could vary significantly between Member States.
  2. Prepare for Parallel Reporting Lines: Be ready for dual reporting obligations. You may need to submit cybersecurity incident reports under NIS2 to one body, while notifying a different CADA NCA of material changes affecting your Union assurance level under Article 23 (transparency obligations) or changes in control. Ensure your internal governance structures can route information to the correct authority without delay.
  3. Manage Distinct Penalty Exposures: Understand that non-compliance with CADA's sovereignty criteria (e.g., failing to maintain data exclusively within the Union for Level 1, or failing to meet the "substantial" cybersecurity certification for Level 2/3) carries distinct penalties under Article 24, separate from NIS2 fines. Your compliance programs must track these distinct risk profiles, as the criteria for "effective, proportionate and dissuasive" penalties differ between the two regimes.
  4. Facilitate Cross-Border Coordination: If you operate across the EU, be aware that Article 28 requires your home CADA NCA to respond to inquiries from other Member States within two months. Ensure your internal processes can provide the necessary evidence (e.g., audit reports, data flow diagrams, control structures) to your local NCA quickly to facilitate these cross-border resolutions. Delays in providing evidence to your NCA could trigger enforcement actions in destination Member States.

Common misconceptions

  • "NIS2 and CADA are enforced by the same body." This is incorrect. While Member States may designate the same authority, CADA does not require it. The proposal explicitly allows for separate designations. Many Member States may keep cybersecurity (NIS2) and sovereignty/data protection (CADA/GDPR) enforcement separate to maintain specialized expertise in each domain.
  • "CADA replaces NIS2 for cloud providers." CADA does not replace NIS2. NIS2 continues to govern cybersecurity risk management for essential and important entities, including cloud providers. CADA adds a layer of sovereignty assurance, procurement rules, and data localization requirements. Both regimes apply concurrently, and providers must comply with both.
  • "The 'One-Stop-Shop' applies to NIS2 issues." CADA's single-point-of-contact model under Article 25(4) applies only to CADA enforcement. It does not extend to NIS2, GDPR, or other EU laws unless a Member State voluntarily consolidates these roles. A provider may have a "one-stop-shop" for CADA but still face multiple supervisory authorities for other digital obligations.
  • "Article 28 merges CADA and NIS2 cooperation." Article 28 establishes a cross-border cooperation mechanism specifically for CADA NCAs. It does not automatically merge with NIS2's cooperation mechanisms. Unless a Member State designates the same body for both, the two regimes will maintain separate cross-border communication channels.

This is general information about a draft EU regulation, not legal advice.