Summary

As proposed, the Cloud and AI Development Act (CADA) does not require most private companies to buy cloud services at any particular sovereignty assurance level. Its procurement mandates target the public sector. But private entities listed in Annex I of the NIS2 Directive may carry out voluntary impact assessments, and the Commission could later make such assessments (and risk-mitigation measures) mandatory for high-criticality sectors through delegated acts. For everyone else, CADA's four-tier "Union assurance level" framework would act as a market signal rather than a direct obligation. These are proposals, not yet law.

Detail

CADA (COM(2026) 502 final) is a Commission proposal to strengthen the EU's cloud and AI ecosystem. Its sovereignty and procurement mechanisms are aimed mainly at public procurement and data centre deployment, but a few provisions reach private-sector entities, especially in critical sectors.

Impact assessments for NIS2 entities (Article 31)

The most direct private-sector touchpoint is Article 31 ("Impact assessments"), which targets entities listed in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive) that are not public sector bodies.

Under Article 31(1), those entities "may carry out similar assessments as those set out in Article 29." Article 29 requires Member States and Union entities to run risk assessments to determine the appropriate Union assurance level for public-sector activities with public-order relevance. Extending a comparable, voluntary process to NIS2-scope private entities gives them a way to evaluate their exposure to third-country control.

Article 31(2) lets the Commission issue guidance on the methodology for these assessments and on possible mitigation measures for entities in sectors of high criticality. Article 31(3) sets out an escalation path: where the Commission, because of specific circumstances, where duly justified and after consulting the Member States, concludes that non-public-sector entities operating in sectors of high criticality require an impact assessment, it may adopt delegated acts specifying the need for such an assessment and the risk-mitigation measures those entities must take.

So while the current text frames the assessment as permissible ("may carry out"), the Commission retains the power, via future delegated acts, to make assessments and mitigation measures mandatory for high-criticality private sectors such as energy, transport, banking or health, all of which are already within NIS2 Annex I.

Sovereignty tiers as a market signal

For private companies outside the high-criticality NIS2 scope, CADA would impose no direct procurement obligation. But the proposed "Union cloud computing sovereignty framework" comprises four assurance levels, with the criteria set out in Annex II (Article 16). The levels rise from Union assurance level 1 (a conformity self-assessment against the Annex II level 1 criteria) up to Union assurance level 4, whose Annex II criteria include that the service obtains a European cybersecurity certificate (issued under the Cybersecurity Act, Regulation (EU) 2019/881) of at least assurance level "high", that data remains exclusively within the Union, that personnel are Union citizens, and that the provider and relevant subcontractors are not subject to third-country control.

Although the procurement mandates in Article 30 bind only public contracting authorities and Union entities, recognition under Article 17 and the central repository of recognised services (Article 22) would give private buyers a transparent, auditable benchmark. A company handling sensitive IP or customer data could choose a higher-level provider to reduce exposure to extraterritorial access laws — the kind exemplified by the US CLOUD Act — without being compelled to.

No mandatory tier procurement for most private buyers

It is essential to separate public from private obligations. Article 30 applies to "contracting authorities" and Union entities that procure cloud for their exclusive use. Article 30(2) requires public bodies whose activities are not identified as contributing to public order to use services recognised at Union assurance level 1; Article 30(3) requires those whose activities are identified as public-order-relevant (in NIS2 Annex I/II sectors or in national security, internal security, border management, defence, justice or law enforcement) to procure only services recognised at level 2, 3 or 4. There is no equivalent article obliging private companies. Private buyers remain free to choose on commercial, technical and cost grounds, subject to other EU law such as the GDPR and the Data Act.

Market dynamics may still shift: as public demand for sovereign cloud grows, providers may adapt their offerings, and CADA recognition could become a de facto differentiator.

What this means for you

The practical impact depends on your sector and risk appetite.

For NIS2-scope entities: If you operate in a sector listed in Annex I of NIS2 (e.g. energy, transport, banking, drinking water, digital infrastructure), prepare for possible mandatory impact assessments.

  • Action: Review current cloud contracts and exposure to third-country control. Consider a voluntary impact assessment using any methodology guidance the Commission issues under Article 31(2).
  • Monitoring: Watch for delegated acts under Article 31(3). If your sector is designated, you may have to implement specific risk-mitigation measures.

For SMEs and other private companies: CADA would impose no direct compliance burden, but its framework is a useful risk-management tool.

  • Leverage the framework: Use the four assurance levels as a vendor-evaluation benchmark; ask whether a provider has sought or obtained recognition under Article 17.
  • Due-diligence efficiency: The central repository (Article 22) would list recognised services, reducing the burden of independent sovereignty audits. Check that a listed recognition covers the specific service and deployment you intend to buy, not the provider's portfolio as a whole.
  • Strategic planning: Even if not mandated, higher-level providers can hedge against extraterritorial data-access requests or third-country-linked disruption. Recognition speaks to the provider's ownership, data location and personnel; it says nothing about how you configure the service or manage your own encryption keys, so treat it as one input to your risk assessment rather than a substitute for your own controls.

Common misconceptions

"CADA forces all private companies to use EU-based providers." As proposed, no. The procurement mandates in Article 30 bind only public bodies and Union entities; private firms can continue to use non-EU providers.

"Only the public sector needs to worry about sovereignty." Private entities in NIS2-scope critical sectors are explicitly addressed in Article 31, and all firms can use CADA's tiers to assess cloud dependency risk.

"CADA replaces the GDPR." No. CADA would complement existing law; the GDPR remains the framework for personal-data protection. Meeting a CADA assurance level would not exempt a provider from GDPR obligations.

This is general information about a draft EU regulation, not legal advice.