Summary

As proposed, the Cloud and AI Development Act (CADA) does not impose direct, mandatory procurement obligations on stock exchanges or market infrastructures in the same way it does for public bodies. However, these entities are critically impacted because they are classified as "operators of financial market infrastructures" under Annex I of the NIS2 Directive. Under Article 31 of the CADA proposal, such private-sector entities are explicitly empowered to carry out impact assessments similar to the public-sector risk assessments required by Article 29. While currently voluntary, the Commission retains the power to mandate these assessments and specific mitigation measures for high-criticality sectors. For systemic activities, aligning with CADA's Union assurance levels (Levels 2–4) is becoming a necessary risk mitigation strategy to address geopolitical sovereignty risks that technical cybersecurity frameworks like DORA do not cover.

Detail

The Cloud and AI Development Act (CADA), proposed in COM(2026) 502 final, establishes a framework primarily to safeguard the Union's public order by reducing dependence on third-country cloud providers. While its most stringent procurement mandates apply to Union entities and Member States, the proposal explicitly extends its logic to the private sector for entities operating in sectors of high criticality. To determine if stock exchanges and market infrastructures fall under CADA, one must analyze the intersection of Article 31, the NIS2 Directive, and the concept of systemic risk.

The NIS2 Annex I Connection

The scope of CADA's private-sector provisions is anchored in the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) (Directive (EU) 2022/2555). Recital 66 of the CADA proposal notes that public procurement requirements often signal market direction, and these requirements tend to be mirrored by private-sector entities operating in regulated industries. Consequently, the proposal identifies entities referred to in Annex I of the NIS2 Directive as the primary private-sector actors subject to its influence.

Annex I of the NIS2 Directive lists entities of high importance, including "operators of financial market infrastructures." This category explicitly encompasses:

  • Central securities depositories (CSDs);
  • Central counterparties (CCPs);
  • Trading venues (including regulated markets and multilateral trading facilities, i.e., stock exchanges).

Because these entities are classified as essential entities under NIS2 due to their systemic importance to the economy, they are the specific private-sector bodies to which Article 31 of CADA applies. The proposal recognizes that a disruption to these infrastructures poses a direct threat to the Union's economic security and public order.

Article 31: Impact Assessments for Critical Private Entities

Article 31 of the CADA proposal introduces a mechanism for private-sector entities operating in sectors of high criticality. It states:

"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."

This provision allows stock exchanges and market infrastructures to conduct impact assessments modeled on the risk assessments required of public bodies under Article 29. The purpose of these assessments is to determine the appropriate Union assurance level (Levels 2, 3, or 4) required for their cloud services based on the sensitivity of the data and the criticality of the activity.

Article 31(1) empowers these entities to evaluate risks related to:

  • The sensitivity, criticality, and magnitude of data processed;
  • The risk of unlawful access by a third country;
  • The risk of service disruption.

While the current text uses the permissive "may carry out," Article 31(3) provides a crucial escalation mechanism. It states:

"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."

This means that for stock exchanges, the assessment could transition from voluntary to mandatory if the Commission determines that the systemic risk is too high to be left to market discretion.

Sovereign Cloud Assurance for Systemic Activities

For financial market infrastructures, the "public order" concern is economic stability and market integrity. Recital 50 of the CADA proposal highlights risks such as "misuse (i.e. manipulation, remote access and control, sabotage...)" and "dependency vulnerabilities (i.e. political and/or economic coercion...)" as fundamental to preserving public order.

If an impact assessment under Article 31 determines that a cloud service poses a risk to the continuity of trading or the integrity of market data, the entity would need to mitigate this risk. The most robust mitigation strategy under CADA is migrating to a cloud service recognized under a higher Union assurance level:

  • Level 2: Requires "substantial" cybersecurity certification and ensures data remains in the Union.
  • Level 3: Requires "substantial" cybersecurity certification, Union citizenship for personnel (conditional on public body requirements), and no third-country control (unless a derogation under Article 18 applies).
  • Level 4: Requires "high" cybersecurity certification, mandatory Union citizenship for personnel, and strict no third-country control.

For a stock exchange handling real-time trading data, Level 3 or 4 would likely be the target to ensure that no third-country law (such as the US CLOUD Act) could compel a provider to disclose market data or disrupt service continuity.

Interaction with DORA and Other Financial Regulations

It is vital to distinguish CADA from the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554). DORA already imposes strict ICT risk management obligations on financial entities, including market infrastructures. CADA does not replace DORA but complements it by adding a sovereignty dimension.

  • DORA focuses on technical cybersecurity, operational resilience, and the management of ICT third-party risk.
  • CADA focuses on geopolitical sovereignty, data localization, and the absence of third-country control.

The explanatory memorandum of the CADA proposal explicitly states that it supports the objectives of DORA. However, DORA does not contain measures to boost the uptake of sovereign cloud services or address sovereignty criteria directly. CADA fills this gap by providing a harmonized EU-wide sovereignty framework.

For a stock exchange, complying with DORA's cybersecurity requirements is necessary but may no longer be sufficient. A cloud provider can be technically secure (DORA-compliant) but still subject to third-country laws that allow data access or service disruption (CADA non-compliant). The CADA framework provides the specific criteria (Annex II) to evaluate these non-technical, sovereignty-related risks.

What this means for you

For in-house counsel, risk officers, and CIOs at stock exchanges, central counterparties, and trading venues, the practical implications of CADA are significant. Even though the direct regulatory burden is currently lighter than for public authorities, the strategic imperative is high.

1. Conduct Voluntary Impact Assessments Now

Although Article 31(1) currently uses permissive language ("may carry out"), the regulatory trajectory suggests these assessments will become standard practice for systemic entities. You should begin conducting impact assessments modeled on the public-sector risk assessments in Article 29.

  • Action: Map your critical trading systems, clearing mechanisms, and data repositories to the cloud services that support them.
  • Action: Evaluate your current providers against the Union assurance levels in Annex II. Specifically, check if your provider meets the criteria for data localization, personnel screening, and the absence of third-country control.

2. Monitor for Delegated Acts

Stay vigilant for delegated acts under Article 31(3). The Commission has the power to mandate impact assessments and specific risk mitigation measures for entities in high-criticality sectors. If such acts are adopted, your entity may be legally required to migrate critical workloads to Union-assured cloud services (Level 2, 3, or 4) within a defined timeframe.

  • Action: Establish a monitoring protocol for Commission communications regarding "sectors of high criticality."

3. Integrate Sovereignty into ICT Risk Management

Update your ICT risk management frameworks (as required by DORA) to include sovereignty risks alongside traditional cybersecurity risks.

  • Action: When evaluating cloud vendors, assess their compliance with CADA's Union assurance criteria.
  • Action: Document your due diligence regarding the provider's establishment, infrastructure location, and control structure. This due diligence will position your entity ahead of any future mandatory requirements.

4. Prepare for Procurement Changes

If your entity procures cloud services, ensure your tender documents begin to reflect sovereignty criteria. While CADA does not mandate the "Union added value" criteria for private entities, it sets a market standard.

  • Action: Include questions in your RFPs regarding the provider's ability to meet Annex II criteria (e.g., "Can you demonstrate that no third-country law compels you to disclose data?").
  • Action: Aligning your procurement processes with CADA's sovereignty framework can reduce future migration costs and ensure continuity if regulatory requirements tighten.

5. Deadlines and Penalties

CADA does not currently specify direct penalties for private entities under Article 31, as the obligations are largely voluntary or subject to future delegated acts. However:

  • Future Risk: Non-compliance with future mandatory impact assessments could lead to regulatory action.
  • Operational Risk: Failing to mitigate identified sovereignty risks could expose your entity to operational disruptions. Such disruptions may trigger penalties under existing regulations like DORA or NIS2 for inadequate ICT risk management, as sovereignty risks are now recognized as a subset of operational resilience.

Common misconceptions

Misconception 1: CADA only applies to government bodies. Many assume CADA is purely a public procurement regulation. While its strongest obligations target Union entities and Member States, Article 31 explicitly brings private-sector entities in critical sectors (like financial market infrastructures) into the scope of impact assessments. The influence of CADA on the private sector is indirect but powerful, as it shapes the market for cloud services and sets the standard for what constitutes a "trusted" provider.

Misconception 2: DORA compliance is sufficient for cloud risk management. DORA and CADA address different risks. DORA focuses on technical resilience and cybersecurity. CADA focuses on sovereignty and geopolitical risk. A cloud provider can be technically secure (DORA-compliant) but still subject to third-country laws that allow data access or service disruption (CADA non-compliant). Relying solely on DORA compliance leaves market infrastructures exposed to sovereignty risks.

Misconception 3: Stock exchanges are exempt because they are private companies. The private nature of a stock exchange does not exempt it from CADA's influence. Because stock exchanges are classified as "operators of financial market infrastructures" under NIS2 Annex I, they are explicitly named in CADA Article 31 as entities that may (and potentially will) be required to conduct impact assessments. Their systemic importance makes them a priority for sovereignty considerations.

Misconception 4: Union assurance levels are optional for private entities. Currently, Article 31 allows private entities to carry out assessments. It does not explicitly mandate that they must procure Union-assured services. However, the Commission's power to adopt delegated acts under Article 31(3) could change this. Furthermore, market forces and the need to protect systemic stability will likely drive private entities to voluntarily adopt higher assurance levels to mitigate risk.

This is general information about a draft EU regulation, not legal advice.