Summary

As proposed, CADA recognition at Union assurance levels 1–4 does not automatically satisfy compliance obligations under the Digital Operational Resilience Act (DORA), the NIS2 Directive, or the European Cybersecurity Certification Scheme for Cloud Services (EUCS). These regimes assess fundamentally distinct criteria: DORA and NIS2 focus on operational resilience and technical cybersecurity, while CADA focuses on sovereignty, data localisation, and third-country control. While CADA's rigorous audit evidence (Article 20) and governance requirements may serve as partially reusable evidence for these other frameworks, compliance is not interchangeable. Providers must maintain separate compliance tracks; CADA recognition is a "sovereignty stamp," not a "master key" for EU digital regulation.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a four-tier sovereignty framework (Union assurance levels 1–4) to mitigate risks associated with dependence on third-country cloud providers. While CADA, DORA, NIS2, and EUCS all intersect in the cloud sector, they pursue divergent policy objectives. Understanding the relationship between CADA recognition and these existing regimes is critical for cloud service providers (CSPs) navigating the EU's complex regulatory landscape.

CADA vs. DORA: Operational Resilience vs. Sovereignty

The Digital Operational Resilience Act (DORA) imposes strict ICT risk management, incident reporting, and third-party risk management obligations on financial entities and their critical ICT third-party service providers. DORA's primary objective is ensuring the continuity and resilience of financial services against cyber threats and operational failures.

CADA, by contrast, is designed to protect public order and technological sovereignty by ensuring that critical data and infrastructure remain under EU control and are not subject to extraterritorial access or disruption by third countries. As noted in the CADA explanatory memorandum, the proposal "supports the objectives of the Digital Operational Resilience Act (DORA)" but does not replace it. The memorandum clarifies that DORA "indirectly covers cloud computing service providers if they provide services to specified financial entities or if their role is significant enough in terms of operational resilience." Under DORA, providers must implement ICT risk management and conduct regular incident response testing.

CADA recognition (Articles 17–23) requires providers to demonstrate that their infrastructure, data, and personnel are located in the Union and that they are not subject to third-country control. While a CADA Level 3 or 4 provider will likely have robust security measures that align with DORA's high standards, DORA compliance requires specific testing protocols, incident reporting timelines, and contractual arrangements with financial entities that CADA does not mandate. Therefore, CADA recognition does not confer DORA compliance. A provider may be fully sovereign (CADA Level 4) but fail DORA's specific operational resilience tests if their incident response procedures do not meet financial sector standards.

CADA vs. NIS2: Cybersecurity vs. Strategic Autonomy

The NIS2 Directive improves the cybersecurity risk management of cloud computing service providers and data centres. NIS2 is fully focused on technical cybersecurity, requiring entities to implement appropriate technical and organisational measures to manage cybersecurity risks.

CADA addresses broader sovereignty considerations that go beyond technical cybersecurity. The explanatory memorandum explicitly states that "NIS2 improves the cybersecurity risk management... However, it does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

Consequently, NIS2 compliance does not guarantee CADA recognition, nor does CADA recognition automatically satisfy NIS2. A provider might meet NIS2's cybersecurity requirements but fail CADA's data localisation or personnel citizenship criteria (e.g., CADA Level 3 requires Union citizen personnel). Conversely, a provider might meet CADA's sovereignty criteria but lack the specific incident reporting or supply chain security measures mandated by NIS2. However, the governance structures required for CADA audits (Article 20) may overlap with NIS2's risk management obligations, allowing for some administrative synergy.

CADA vs. EUCS: Technical Certification vs. Holistic Assurance

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a certification scheme under the Cybersecurity Act that assesses the technical cybersecurity of cloud services at basic, substantial, or high assurance levels. CADA explicitly references EUCS in its criteria, creating a directional dependency rather than a reciprocal one.

  • Levels 2 & 3: CADA Union assurance levels 2 and 3 require providers to obtain a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881 (Annex II, criteria 2.1(e) and 3.1(e)).
  • Level 4: CADA Union assurance level 4 requires a 'high' assurance level (Annex II, criterion 4.1(e)).

This creates a clear hierarchy: to achieve CADA Levels 2–4, a provider must hold the corresponding EUCS certification. However, holding an EUCS certificate does not automatically grant CADA recognition. EUCS assesses technical cybersecurity; CADA assesses technical cybersecurity plus sovereignty criteria such as data localisation, absence of third-country control, and personnel nationality.

Therefore, CADA recognition helps with EUCS compliance in the sense that CADA mandates it for higher tiers, but EUCS compliance alone is insufficient for CADA recognition. Providers cannot use CADA recognition to "skip" EUCS; rather, they must complete EUCS as a prerequisite for CADA Levels 2–4.

Reusability of Evidence: Partial, Not Automatic

While compliance is not automatic, the evidence gathered for CADA recognition may be partially reusable. CADA requires independent third-party audits for Levels 2–4 (Article 20). These audits involve rigorous assessments of governance, data flows, and supply chain transparency (Annex III). Much of this documentation, such as data flow diagrams, access control policies, and supply chain risk assessments, may also be relevant for DORA, NIS2, or EUCS assessments.

However, compliance is not interchangeable. Each regime has its own specific criteria, audit methodologies, and enforcement mechanisms. For instance, while CADA Annex III requires evidence of "location of infrastructure" and "personnel," DORA requires specific "ICT risk management" frameworks and "incident reporting" timelines that CADA does not prescribe. Providers should expect to maintain separate compliance files but can leverage the foundational governance and security documentation developed for CADA audits to streamline efforts for other regimes. The key point is that CADA recognition is a "sovereignty stamp," not a "master key" for EU digital regulation.

What this means for you

For cloud service providers and data centre operators, the takeaway is clear: do not assume that achieving CADA recognition will absolve you of DORA, NIS2, or EUCS obligations.

  1. Maintain Parallel Tracks: You must continue to comply with DORA if you serve financial entities, NIS2 if you are an essential or important entity, and EUCS if you seek CADA Levels 2–4. Each regime has its own competent authorities, reporting lines, and penalties.
  2. Leverage Synergies: Use the rigorous audit processes required for CADA (Article 20) to strengthen your overall compliance posture. The documentation produced for CADA's sovereignty audits (e.g., data localisation proofs, third-country control assessments) can often be adapted for NIS2 or DORA risk management reports, saving time and resources.
  3. Prioritise EUCS for Higher CADA Tiers: If you aim for CADA Level 3 or 4, you must first secure the corresponding EUCS certification. Start this process early, as EUCS assessments are resource-intensive.
  4. Monitor Legislative Development: CADA is a proposal. The final text may clarify the relationship with existing laws, but as of now, the regimes remain distinct. Ensure your compliance strategy is flexible enough to adapt to finalised texts.

Common misconceptions

  • "CADA replaces NIS2 or DORA for cloud providers." False. CADA complements these laws by adding sovereignty requirements. It does not repeal or replace their technical cybersecurity and operational resilience obligations.
  • "EUCS certification is enough for CADA Level 3." False. EUCS is a prerequisite for CADA Level 3, but you must also meet all other sovereignty criteria, including data localisation, personnel citizenship, and absence of third-country control.
  • "CADA recognition automatically satisfies public procurement requirements under NIS2 sectors." False. While CADA recognition helps demonstrate trustworthiness, public procurement under NIS2 sectors may still require specific risk assessments and contractual clauses mandated by DORA or national implementations of NIS2.
  • "One audit covers all regimes." False. While evidence may be reusable, the audit scope and criteria differ. CADA audits focus on sovereignty (Annex II), while DORA/NIS2/EUCS audits focus on resilience and technical security.

This is general information about a draft EU regulation, not legal advice.