Summary
Under the proposed Cloud and AI Development Act (CADA), entities listed in Annex I of the NIS2 Directive that are not public sector bodies are not automatically required to conduct impact assessments. Article 31(1) explicitly states that such private sector entities "may" carry out assessments similar to those required for the public sector, so under the current proposal the assessment is voluntary. Mandatory requirements for these private firms would only arise if the European Commission adopts a specific delegated act under Article 31(3), targeting entities operating in sectors deemed to be of "high criticality." Until such a delegated act is adopted, private NIS2 entities retain the discretion to align with the public sector's sovereignty risk methodologies or opt out.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework for cloud sovereignty, primarily designed to safeguard the Union's public order through mandatory risk assessments and procurement rules for public bodies. However, the proposal also acknowledges the critical role of the private sector, particularly those entities operating in the essential infrastructure sectors listed in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive). The treatment of these private entities under CADA is distinct from that of the public sector: it is "voluntary by default" but can be escalated to a mandatory regime under specific conditions.
The Voluntary Baseline: Article 31(1)
The core provision governing private sector participation is Article 31, titled "Impact assessments." Paragraph 1 of this article sets the baseline rule for entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive) that are not public sector bodies. The text states clearly that these entities "may carry out similar assessments as those set out in Article 29."
The use of the modal verb "may" is legally significant. It establishes that, as proposed, there is no direct legal obligation for private NIS2 entities to perform these impact assessments. Unlike Member States and Union entities, which are mandated under Article 29(1) to conduct risk assessments to determine the appropriate Union assurance level for their activities, private entities are granted the option to do so.
The assessments referenced are "similar" to those in Article 29. Article 29 requires public bodies to identify activities contributing to the preservation of public order and determine the necessary Union assurance level (2, 3, or 4) based on factors such as data sensitivity, the risk of unlawful third-country access, and the risk of service disruption. By allowing private entities to conduct "similar" assessments, CADA provides a standardized methodology for critical infrastructure operators to evaluate their own exposure to sovereignty risks. This voluntary mechanism enables private firms to proactively manage supply chain dependencies, align their procurement strategies with EU digital autonomy goals, and potentially demonstrate compliance with the sovereignty framework to public sector clients, even in the absence of a direct legal mandate.
The Escalation Mechanism: Article 31(3) and Delegated Acts
While the current status is voluntary, the proposal includes a mechanism to escalate these obligations if the Commission deems it necessary. Article 31(3) empowers the Commission to adopt delegated acts to supplement the Regulation.
The text of Article 31(3) specifies that where, "because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment," it may adopt a delegated act. This act would:
- Specify the need for such impact assessment.
- Define the risk mitigation measures that those entities must take.
This provision creates a conditional mandatory regime. The Commission cannot unilaterally impose these requirements on all private entities immediately. Instead, it must first identify specific sectors of "high criticality," justify the necessity based on specific circumstances, and consult with Member States before adopting the delegated act. Only upon the entry into force of such an act would the "may" in Article 31(1) effectively become a "must" for the targeted entities. This ensures that mandatory obligations are reserved for sectors where the risk to public order or security is sufficiently acute to warrant regulatory intervention beyond the voluntary baseline.
Guidance and Methodology: Article 31(2)
To support entities that choose to exercise their option under Article 31(1), Article 31(2) authorizes the Commission to issue guidance. This guidance would cover:
- The methodology for carrying out the impact assessments.
- Possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality.
This guidance serves a dual purpose. First, it ensures that voluntary assessments are conducted consistently, using the same risk criteria (data sensitivity, third-country access risks, service disruption) as the public sector assessments under Article 29. Second, it prepares the market for potential future mandatory requirements by establishing a clear standard for "high criticality" sectors even before a delegated act is adopted.
Distinction from Public Sector Obligations
It is crucial to distinguish the private sector provisions from the mandatory regime applicable to public authorities.
- Public Sector (Articles 29 and 30): Member States and Union entities must conduct risk assessments. The outcome of these assessments directly dictates procurement obligations under Article 30. If an activity is identified as contributing to public order, the contracting authority must procure only cloud services recognized at Union assurance level 2, 3, or 4.
- Private Sector (Article 31): Private NIS2 entities are not subject to Article 30's procurement mandates. Their impact assessments under Article 31 are primarily tools for internal risk management and supply chain resilience. They do not automatically trigger a legal requirement to procure specific assurance levels unless the Commission adopts a delegated act under Article 31(3) making the assessment mandatory and specifying the required mitigation measures.
What this means for you
For cloud service providers, data centre operators, and critical infrastructure entities falling under the NIS2 Annex I scope, the proposed CADA framework offers a period of flexibility but signals a clear trajectory toward potential mandatory compliance.
- Voluntary Participation is Strategic: You are not legally compelled to conduct a CADA impact assessment today. However, conducting one voluntarily can serve as a differentiator. Public sector clients, bound by Article 30 to procure only cloud services recognized at Union assurance level 2, 3, or 4 for activities contributing to public order, will increasingly seek providers who can demonstrate alignment with the Union assurance framework. A voluntary assessment provides documented evidence of your sovereignty posture.
- Monitor for Delegated Acts: The "voluntary" status is not permanent. You should monitor the Commission's work programme for delegated acts adopted under Article 31(3). If your sector is classified as "high criticality," these assessments could become mandatory. Early adoption of the assessment methodology will position you to comply swiftly if the regime tightens, avoiding last-minute operational disruptions.
- Align with Public Sector Methodologies: Since Article 31(1) refers to assessments "similar" to those in Article 29, you should familiarize yourself with the public sector risk assessment framework. This includes evaluating the sensitivity of the data you process, the risk of unlawful access by third countries, and the potential for service disruption. Aligning your internal risk models with these criteria will streamline any future compliance efforts and ensure your voluntary assessments are robust.
- Prepare Supply Chain Transparency: Whether voluntary or mandatory, these assessments will likely require detailed information about your supply chain, including subcontractors and third-country dependencies. Ensuring your supply chain documentation is robust, transparent, and up-to-date will facilitate the assessment process and demonstrate your readiness for potential regulatory changes.
Common misconceptions
"NIS2 entities must automatically do CADA impact assessments." This is incorrect. Article 31(1) uses the word "may," making the assessment voluntary for all private NIS2 entities under the current proposal. Mandatory requirements only apply if the Commission specifically targets your sector via a delegated act under Article 31(3).
"The impact assessment is identical to the public sector risk assessment." While Article 31(1) states that private entities may carry out "similar" assessments, they are not legally identical in their consequences. Public sector assessments under Article 29 are tied to mandatory procurement rules (Article 30) and the preservation of public order. Private sector assessments are primarily for internal risk management and supply chain resilience, unless and until the Commission exercises its powers under Article 31(3) to mandate them.
"Only public sector bodies are affected by CADA's sovereignty rules." This is a partial misconception. While the procurement mandates in Article 30 apply strictly to public bodies, the sovereignty framework (Union assurance levels 1–4) applies to all cloud providers seeking recognition. Private NIS2 entities are directly addressed in Article 31, meaning they are an integral part of the regulatory ecosystem, even if their current obligations are limited to voluntary assessments.
"The Commission can immediately make all private assessments mandatory." The Commission cannot unilaterally impose mandatory assessments on all private entities overnight. Article 31(3) requires the adoption of a delegated act, a non-legislative act that the Commission may adopt only where duly justified by "specific circumstances," after consulting the Member States, and only for sectors of "high criticality." This process provides time for industry adaptation and ensures that mandatory obligations are proportionate to the risk.
Related
- Article 31 CADA: Voluntary impact assessments for private critical entities
- CADA Article 31: Commission Guidance on Private Sector Impact Assessments
- Sectors of high criticality under CADA: Article 31 impact assessments explained
- CADA Article 31: Voluntary Impact Assessments for Private Critical Sectors
- How a Delegated Act Would Make CADA Impact Assessments Mandatory for Private Firms
This is general information about a draft EU regulation, not legal advice.