Summary

As proposed, the Cloud and AI Development Act (CADA) does not override sector-specific EU regulations such as the Digital Operational Resilience Act (DORA) or the European Health Data Space (EHDS). Instead, CADA establishes a parallel sovereignty framework for cloud procurement and infrastructure that co-exists with these vertical rules. Recital 63 of the CADA proposal explicitly mandates that sector-specific obligations (including those under the GDPR, NIS2, and DORA) must be assessed when determining the appropriate Union assurance level. This ensures that sectoral duties and sovereignty requirements are harmonized rather than conflicting. While CADA introduces new procurement mandates for public bodies, it leaves existing sectoral compliance regimes (like DORA for finance) fully intact.

Detail

The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, is designed to address a specific gap in the EU's digital landscape: the lack of a harmonised framework for "sovereignty" and "operational autonomy" in cloud infrastructure. A primary concern for legal and compliance teams in regulated sectors is whether this new horizontal instrument supersedes existing vertical regulations that impose strict cybersecurity, data protection, and operational resilience obligations on finance and health.

The definitive answer, grounded in the text of the proposal, is no. CADA is structured to complement, not replace, existing sectoral laws. The proposal explicitly acknowledges that it operates alongside the EU's broader digital policy framework.

CADA’s Relationship with Sectoral Laws

The CADA proposal is built on the premise that it fills gaps left by existing legislation regarding third-country control and supply-chain resilience, which are distinct from pure technical cybersecurity or data privacy.

1. Complementarity with DORA and Financial Sector Rules

The explanatory memorandum of the CADA proposal explicitly states that the proposal "supports the objectives of the Digital Operational Resilience Act (DORA)." It notes that DORA "shapes compliance obligations for cloud computing service providers" and covers entities indirectly if they provide services to specified financial entities or if their role is significant enough in terms of operational resilience.

However, the proposal clarifies that DORA has a "sectoral scope and is specific to the financial sector." While DORA focuses on ICT risk management, incident response testing, and the management of critical third-party service providers, CADA introduces a "Union cloud computing sovereignty framework" with four assurance levels (Article 16). These frameworks operate on different axes:

  • DORA ensures technical and operational resilience against cyber threats and operational failures.
  • CADA ensures that the provider and its supply chain are not subject to third-country control that could compromise public order, data confidentiality, or operational continuity due to extraterritorial laws.

The two regimes are mutually reinforcing. A cloud provider serving a financial entity must satisfy DORA's ICT risk management requirements and, if serving a public authority or critical infrastructure, meet the relevant CADA Union assurance level.

2. Interaction with Health Data Rules (EHDS)

Similarly, for the health sector, CADA does not override the proposed European Health Data Space (EHDS) regulation or the GDPR's specific provisions on health data. The CADA proposal emphasizes that it is "consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR)."

In the health sector, where data sensitivity is paramount, the CADA sovereignty framework would apply to the cloud infrastructure hosting that data, while the EHDS and GDPR would govern the processing, sharing, and rights related to that data. CADA does not alter the legal basis for processing health data; rather, it dictates the sovereign characteristics of the infrastructure used to process it.

3. The Role of Recital 63: Integrating Sectoral Obligations

The most critical provision for understanding the interaction between CADA and sectoral laws is Recital 63. This recital explicitly mandates that sector-specific obligations must feed into CADA's risk assessment process. It states:

"In their risk assessments, Union entities and Member State shall assess the sensitivity, criticality and magnitude of personal and non-personal data processed in cloud environment. Such processing may include ordinary business information, commercially sensitive information, operationally critical data, personal data within the meaning of Regulation (EU) 2016/679, and data that is subject to sector-specific obligations under Union law, including Directive (EU) 2022/2555 and Regulation (EU) 2022/2554."

Here, Directive (EU) 2022/2555 refers to NIS2, and Regulation (EU) 2022/2554 refers to DORA. By explicitly naming these acts, the proposal confirms that sectoral risks are a core input for CADA's sovereignty assessments.

Furthermore, Recital 63 clarifies the mechanism for integration:

"Where cloud computing services are used to process personal data, Regulation (EU) 2016/679 provides for an obligation to agree on organisational and technical measures to comply with that Regulation. [...] Where specific technical and organisational measures should be implemented pursuant to this Regulation to ensure that personal data are processed in line with this Regulation, such specific measures could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 and could be relied on to demonstrate that the necessary Union assurance levels are met."

This language confirms that CADA does not create a vacuum where sectoral rules disappear. Instead, it requires that the technical and organizational measures required by GDPR, DORA, or future health data regulations be integrated into the contractual and technical setup that demonstrates compliance with CADA's Union Assurance Levels.

Co-Existence of Duties

The CADA proposal establishes a dual obligation for entities in regulated sectors, particularly when they are public sector bodies or entities providing public services.

1. Risk Assessments under Article 29

Under Article 29, Member States and Union entities must conduct risk assessments to determine which Union Assurance Level (1, 2, 3, or 4) is appropriate for their cloud services. These assessments must consider:

  • The sensitivity, criticality, and magnitude of data processed.
  • The risk of unlawful access by third countries.
  • The risk of service disruption.

For a financial institution or a health authority, this risk assessment must account for the specific risks outlined in DORA or health data regulations. For example, if DORA requires specific incident response capabilities, a cloud provider failing to meet those technical standards would likely fail to meet the necessary assurance level for a financial public authority under CADA. The risk assessment acts as the bridge, ensuring that sectoral requirements inform the sovereignty level.

2. Procurement Obligations under Article 30

Article 30 mandates that contracting authorities procure cloud services that meet the assurance level determined by their risk assessment. If a public health body determines that its activities contribute to the preservation of public order (as defined in Article 29(1)), it must procure services recognized as offering Union Assurance Level 2, 3, or 4. This procurement obligation runs alongside any data sharing obligations imposed by the EHDS. The EHDS may dictate how health data is shared, while CADA dictates which cloud providers are eligible to host that data based on sovereignty criteria.

3. Private Sector Impact Assessments under Article 31

For private sector entities in critical sectors (as defined in Annex I of the NIS2 Directive, which includes financial market infrastructures), Article 31 allows them to carry out impact assessments similar to those required of public bodies. This suggests that while CADA's strict procurement mandates apply to public authorities, private financial and health entities will face market pressure to adopt similar sovereignty standards, especially if they interact with public sector bodies or are subject to DORA's third-party risk management requirements.

What this means for you

For in-house counsel and compliance officers in finance and health, the implementation of CADA (if adopted in its current form) will require a multi-layered compliance strategy. You cannot treat CADA as a replacement for your existing DORA or health data compliance programs; instead, you must integrate them.

1. Map Sectoral Obligations to Assurance Levels

Your first step is to review your current cloud contracts and assess them against the four Union Assurance Levels in Annex II of the CADA proposal. You must determine which sector-specific obligations (e.g., DORA's ICT risk management requirements) align with which assurance level. For instance, if your sectoral rules require that data never leaves the EU and that the provider is not subject to third-country laws, you are likely looking at Assurance Level 3 or 4.

2. Update Risk Assessments

When conducting the risk assessments required by Article 29 (for public entities) or voluntary impact assessments under Article 31 (for private critical entities), explicitly document how sector-specific regulations influence your choice of assurance level. For example, document that DORA's requirement for operational resilience necessitates a provider that can guarantee service continuity even under third-country pressure, thus justifying a higher assurance level.

3. Contractual Alignment

Ensure that your cloud service agreements include clauses that satisfy both sectoral laws and CADA's sovereignty criteria. Recital 63 suggests that GDPR data processing agreements (DPAs) can be used to demonstrate compliance with CADA's technical measures. You should extend this logic to DORA and health data agreements, ensuring that the technical and organizational measures required by these laws are contractually enforced as part of the CADA compliance package.

4. Monitor Penalties and Enforcement

Be aware that Article 24 of CADA introduces penalties for infringements of the sovereignty framework. While these penalties are separate from those under DORA or the GDPR, a failure to meet CADA's assurance levels could result in fines for public sector bodies or loss of contract eligibility for providers. For private entities, while direct CADA penalties may be less immediate, failure to meet the sovereignty expectations of public sector clients could lead to exclusion from procurement processes.

Common misconceptions

Misconception 1: CADA replaces DORA for financial cloud providers.

Correction: CADA and DORA address different risks. DORA focuses on operational resilience and ICT risk management, while CADA focuses on sovereignty, data confidentiality, and protection from third-country extraterritorial laws. Financial cloud providers must comply with both. CADA's assurance levels may require additional controls beyond DORA's baseline, such as strict limitations on third-country control and personnel screening.

Misconception 2: The EHDS overrides CADA's data localization rules.

Correction: The EHDS governs the processing and sharing of health data, while CADA governs the sovereignty of the cloud infrastructure hosting that data. They are complementary. CADA's assurance levels (particularly Levels 2, 3, and 4) require that data remain exclusively within the Union unless explicitly required otherwise by the public sector body. This aligns with, rather than contradicts, the strict data protection requirements of health data regulations.

Misconception 3: Private companies are exempt from CADA's sovereignty framework.

Correction: While CADA's procurement mandates (Article 30) apply primarily to public sector bodies, Article 31 allows private entities in critical sectors (like finance and health) to conduct impact assessments. Furthermore, the market will likely drive private entities to adopt CADA standards because public sector bodies and regulated entities will only procure from providers meeting the necessary assurance levels. Additionally, cloud providers seeking recognition under CADA must meet the assurance levels regardless of whether their clients are public or private.

This is general information about a draft EU regulation, not legal advice.