Summary
Under the proposed Cloud and AI Development Act (CADA), financial entities face a layered compliance landscape that operates alongside, but distinct from, the Digital Operational Resilience Act (DORA). Public financial bodies (e.g., central banks, state-owned funds) are subject to mandatory risk assessments under Article 29, which may compel them to procure cloud services meeting specific Union assurance levels (2, 3, or 4) to safeguard public order. Private financial entities, including those covered by the NIS2 Directive, are not automatically bound by these mandatory procurement rules but are explicitly permitted to conduct voluntary impact assessments under Article 31. While DORA focuses on operational resilience and technical due diligence, CADA introduces a distinct sovereignty dimension addressing extraterritorial control and strategic autonomy. Consequently, public financial actors must integrate CADA tiers into procurement, whereas private entities may adopt them voluntarily to mitigate geopolitical risks, pending potential future delegated acts.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonized framework for cloud computing sovereignty designed to reduce the EU's dependence on non-European providers and safeguard public order. For the financial sector, this creates a dual regulatory landscape: existing resilience requirements under DORA and new sovereignty assurance requirements under CADA, the latter mandatory only for public financial bodies. Understanding the interaction requires a precise distinction between public and private financial actors, as CADA imposes fundamentally different obligations on each.
The Distinction Between Public and Private Financial Entities
CADA's sovereignty framework is primarily demand-side driven for the public sector. Article 29 obliges Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of public order. This assessment explicitly covers sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), which includes financial services.
If a financial entity qualifies as a "public sector body" or "Union entity" (e.g., a central bank, a publicly owned pension fund, or a state-controlled investment agency), it falls squarely within the scope of Article 29(1). This entity must perform a risk assessment to identify whether its cloud-dependent activities are critical to public order. If the assessment concludes that the activities contribute to the preservation of public order, Article 30(3) stipulates that the contracting authority must only procure cloud computing services recognized as offering Union assurance levels 2, 3, or 4.
For private financial entities, the regulatory pressure is different. Article 31 provides a voluntary mechanism for entities referred to in Annex I of the NIS2 Directive (which includes financial institutions) that are not public sector bodies. These entities may carry out "similar assessments" to those set out in Article 29. The proposal acknowledges that public procurement signals often influence private sector behavior, but it does not mandate private banks or insurance companies to procure sovereign cloud tiers by default. However, Article 31(3) reserves the power for the Commission to adopt delegated acts requiring impact assessments for private entities in sectors of high criticality if specific circumstances justify it.
Interaction with DORA Due Diligence
The Digital Operational Resilience Act (DORA) already requires financial entities to perform rigorous due diligence on critical ICT third-party providers. DORA focuses on operational resilience, ensuring that financial entities can continue to provide services during disruptions. It mandates contractual arrangements, incident reporting, exit strategies, and testing of ICT systems.
CADA complements this by addressing "sovereignty" and "strategic autonomy," which DORA does not explicitly define. While DORA asks, "Can this provider keep my systems running securely?", CADA asks, "Is this provider subject to extraterritorial laws that could compromise my data or service continuity?"
For public financial entities, this means their due diligence process must expand. Beyond DORA's technical and operational checks, they must verify if a cloud provider holds a recognized Union assurance level. This involves checking the central repository established under Article 22 of CADA. If a provider does not meet the required assurance level determined by the Article 29 risk assessment, the public financial entity cannot procure from them, regardless of their DORA compliance status. A provider may be fully DORA-compliant yet fail CADA's sovereignty criteria due to third-country control or infrastructure location.
For private financial entities, the interaction is more nuanced. While not legally required to procure against sovereignty tiers under CADA, they may choose to carry out Article 31 assessments to align with public sector standards or to mitigate geopolitical risks. This voluntary step adds a sovereignty layer to their DORA-driven due diligence, creating a more comprehensive risk profile that covers both operational continuity and data sovereignty.
Risk Assessments and Assurance Levels
The core of CADA's demand-side measure is the risk assessment under Article 29. These assessments must consider:
- The sensitivity, criticality, and magnitude of non-personal and personal data processed.
- The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
Based on this assessment, a public financial entity's activities are mapped to a specific Union assurance level (1 to 4). Article 30(2) establishes Union assurance level 1 as the baseline for all public procurement where activities are not identified as contributing to public order. However, Article 30(3) mandates that for activities contributing to public order, only services recognized at levels 2, 3, or 4 may be procured.
Levels 2, 3, and 4 impose progressively stricter criteria regarding establishment, infrastructure location, personnel (including Union citizenship requirements), and the absence of third-country control. Article 31 provides the template for private entities wishing to mirror this process. It allows them to assess their own exposure to similar risks. The Commission may issue guidance on the methodology for these assessments and potential mitigation measures. This voluntary alignment is crucial for private financial entities that interact heavily with public infrastructure or handle sensitive data that, while not legally classified as "public order" critical, carries significant reputational or strategic risk.
Deadlines and Implementation
CADA proposes that Member States and Union entities carry out their initial risk assessments under Article 29(1) within one year of the Regulation's entry into force. Subsequent assessments are required every two years or whenever necessary. This timeline is critical for public financial entities, as they must have their risk profiles mapped and procurement strategies adjusted well before the mandatory procurement rules under Article 30 take full effect.
For private entities, there is no fixed deadline for Article 31 assessments. However, the Commission may adopt delegated acts specifying the need for impact assessments for entities in high-criticality sectors. Financial entities should monitor these developments closely, as the line between voluntary best practice and mandatory requirement could shift if the Commission identifies systemic risks in the financial cloud market.
What this means for you
For In-House Counsel at Public Financial Institutions: You must integrate CADA's sovereignty requirements into your existing ICT procurement workflows. Your current DORA due diligence checklists are not sufficient on their own. You need to:
- Initiate Article 29 Risk Assessments: Begin mapping your cloud-based activities against the criteria in Article 29(2). Determine which services are critical to public order (e.g., payment systems, market infrastructure).
- Verify Assurance Levels: Ensure the cloud services you procure are listed in the CADA central repository (Article 22) with the appropriate Union assurance level (2, 3, or 4) as determined by your risk assessment. Recognition under Article 30(3) attaches to the cloud computing service, so check the level for the specific service being procured rather than relying on the provider's status in general.
- Update Contracts: Review cloud contracts to ensure they can support the transparency and audit requirements of CADA, particularly regarding subcontractor visibility, data localization, and the right to audit for sovereignty criteria.
For Compliance Officers at Private Financial Entities: While you are not currently mandated to enforce CADA tiers, you should consider the strategic value of Article 31 assessments.
- Voluntary Alignment: Conducting an Article 31 impact assessment can demonstrate robust governance to regulators and partners. It shows you are proactively managing sovereignty risks beyond basic operational resilience.
- Monitor Delegated Acts: Watch for Commission guidance on mandatory impact assessments for high-criticality private sectors under Article 31(3). If the financial sector is targeted, your voluntary early adoption will position you ahead of the curve.
- Enhance DORA Due Diligence: Use the CADA assurance criteria as a supplementary checklist in your DORA vendor assessments. Even if not legally required, asking providers about their Union assurance status can reveal hidden geopolitical risks that DORA alone might miss.
For Procurement Teams: Prepare for a two-tiered evaluation process. Technical and financial criteria remain primary, but CADA introduces non-price award criteria under Article 32 that favor European added value. For public entities, this is mandatory; for private entities, it is a strategic lever. Ensure your RFPs include questions about cloud providers' sovereignty status and their ability to provide the necessary audit evidence for CADA recognition.
Common misconceptions
Misconception 1: DORA compliance makes CADA irrelevant. DORA and CADA address different risks. DORA addresses whether your ICT services keep running securely through disruptions; CADA addresses whether your data could be accessed by a third country and whether your services could be disrupted by geopolitical coercion. A provider can be DORA-compliant but fail to meet CADA's Union assurance levels due to third-country control. You need both frameworks for a complete risk picture.
Misconception 2: All financial entities must procure sovereign cloud. Only public financial entities (Union entities and public sector bodies) are strictly bound by the mandatory procurement rules in Article 30 following an Article 29 risk assessment. Private financial entities are only subject to voluntary assessments under Article 31, unless the Commission specifically mandates impact assessments for high-criticality private sectors via delegated acts.
Misconception 3: CADA replaces existing data protection laws. CADA does not replace the GDPR or the Data Act. It complements them by adding a sovereignty layer. While the GDPR protects individual privacy rights, CADA protects public order and strategic autonomy. A cloud provider must comply with both. For example, data localization requirements in CADA's assurance levels may exceed the minimums required by the GDPR, providing an extra layer of protection for public sector data.
Misconception 4: Assurance Level 1 is enough for all financial activities. Article 30(2) states that entities whose activities have not been identified as contributing to public order must use Level 1. However, financial services often handle critical infrastructure data. If your Article 29 risk assessment determines that your activities contribute to public order (e.g., payment systems, critical market infrastructure), you must procure Level 2, 3, or 4 services. Assuming Level 1 is sufficient without a formal risk assessment is a compliance failure for public entities.
This is general information about a draft EU regulation, not legal advice.