Summary
No, the proposed Cloud and AI Development Act (CADA) does not replace the Digital Operational Resilience Act (DORA) for the financial sector. Instead, CADA complements DORA by adding a specific "sovereignty" layer that DORA does not cover. While DORA remains the lex specialis (the specific law) for the digital operational resilience of financial entities, CADA introduces a horizontal framework to address strategic dependencies and third-country control. As proposed, CADA explicitly "supports the objectives of the Digital Operational Resilience Act (DORA)" but distinguishes itself by focusing on sovereignty rather than just technical cybersecurity.
Detail
To understand the relationship between these two regulations, it is essential to distinguish their primary objectives and legal scopes. DORA (Regulation (EU) 2022/2554) is a sector-specific regulation focused on the digital operational resilience of the financial sector. It mandates that financial entities implement robust ICT risk management, report major incidents, and conduct regular testing to ensure they can withstand and recover from ICT-related disruptions. Its scope is strictly limited to the financial sector and its critical third-party ICT providers.
CADA, conversely, is a horizontal framework aimed at strengthening the EU's cloud and AI ecosystem by addressing technological sovereignty and reducing dependence on third-country providers. The Explanatory Memorandum of the CADA proposal (COM(2026) 502 final) explicitly states that the proposal "supports the objectives of the Digital Operational Resilience Act (DORA)." It notes that DORA "shapes compliance obligations for cloud computing service providers" if their role is significant enough in terms of operational resilience. However, the memorandum clarifies a critical distinction: DORA "has a sectoral scope and is specific to the financial sector" and is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."
Therefore, CADA does not supersede DORA. Instead, it operates alongside it. DORA remains the primary legal framework for financial entities regarding their operational resilience and ICT risk management. CADA adds a new dimension: sovereignty assurance.
The Sovereignty Gap in DORA
DORA focuses heavily on technical cybersecurity, operational continuity, and the management of ICT third-party risk. It requires financial entities to carry out due diligence on cloud computing service providers. However, DORA does not contain a harmonized Union-wide framework for assessing the "sovereignty" of those providers. It does not explicitly address risks related to third-country jurisdiction, extraterritorial data access laws (such as the US CLOUD Act), or the potential for service disruption due to geopolitical coercion or foreign government control.
CADA fills this gap by establishing a Union cloud computing sovereignty framework. This framework defines four "Union assurance levels" (Levels 1 through 4) that cloud services must meet to be considered trustworthy. These levels assess criteria such as the location of infrastructure, the citizenship of personnel, and the absence of third-country control: factors that are outside the scope of DORA's technical resilience requirements.
How CADA Applies to the Financial Sector
While CADA's mandatory procurement obligations (Articles 29 and 30) primarily target public sector bodies and Union entities, the proposal extends its reach to the private financial sector through Article 31. This article addresses private sector entities operating in sectors of high criticality, which includes entities within the meaning of Annex I to the NIS2 Directive (covering major financial market infrastructures and credit institutions).
Under Article 31, these private sector entities "may carry out similar assessments as those set out in Article 29." Article 29 requires public bodies to conduct risk assessments to determine which Union assurance level is appropriate for their activities to preserve public order. While Article 31 currently frames this as a voluntary mechanism for private entities, it includes a powerful enforcement hook:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This means that a major bank or financial market infrastructure operator, already subject to DORA's strict ICT risk management rules, may soon be required by delegated act to conduct specific sovereignty impact assessments. These assessments would determine if their cloud providers meet CADA's sovereignty criteria (e.g., Union Assurance Level 2, 3, or 4) to mitigate strategic risks that DORA does not explicitly address.
Compliance and Penalties
It is crucial to note that CADA is a proposal and is not yet in force. If adopted, it would introduce new compliance burdens that run parallel to DORA:
- Dual Risk Assessments: Financial entities in critical sectors may need to perform sovereignty risk assessments (under CADA Article 31) in addition to their DORA ICT risk assessments.
- Procurement Standards: While private entities are not strictly mandated to procure only sovereign services under the current text, the Commission's power to issue delegated acts under Article 31(3) could impose such requirements for high-criticality entities. Public sector bodies, however, will be strictly obligated to procure only cloud services meeting specific Union assurance levels.
- Penalties: CADA proposes that Member States lay down rules on penalties for infringements of the sovereignty chapter. Under Article 24, these penalties must be "effective, proportionate and dissuasive." The regulation lists non-exhaustive criteria for imposing penalties, including the nature, gravity, and duration of the infringement, any financial benefits gained, and the infringer's annual turnover in the Union.
What this means for you
For in-house counsel and compliance officers in the financial sector, the coexistence of DORA and CADA necessitates a dual-track compliance strategy.
- Do Not Deprioritize DORA: Continue to fully implement DORA's requirements for ICT risk management, incident reporting, and third-party risk management. DORA's obligations remain unchanged by CADA. DORA remains the lex specialis for financial operational resilience.
- Monitor Article 31 Developments: Watch closely for delegated acts and guidance from the Commission regarding Article 31. If your entity is listed in Annex I of the NIS2 Directive (e.g., credit institutions, payment institutions, crypto-asset service providers), you may soon be required to conduct sovereignty impact assessments.
- Update Vendor Due Diligence: Your current due diligence processes for cloud providers (required by DORA) will likely need expansion. You will need to ask vendors not just about their cybersecurity certifications (like ISO 27001 or DORA compliance), but also about their Union Assurance Level status under CADA. Can they demonstrate that their infrastructure, assets, and personnel remain within the EU? Are they subject to third-country control?
- Prepare for Sovereignty Audits: CADA requires independent third-party audits for higher assurance levels (Levels 2 to 4). Ensure your cloud contracts allow for the necessary access and transparency to support these audits, which may be required if the Commission adopts delegated acts for your sector.
Common misconceptions
Misconception 1: CADA replaces DORA for banks. Fact: No. DORA remains the primary regulation for financial sector operational resilience. CADA adds a sovereignty layer but does not repeal or replace DORA's core obligations. The Explanatory Memorandum explicitly states CADA "supports" DORA, not replaces it.
Misconception 2: All financial firms must use only "Sovereign Cloud" providers immediately. Fact: CADA mandates specific assurance levels for public sector procurement. For private financial entities, Article 31 currently allows for voluntary impact assessments, with the Commission holding the power to mandate them via delegated acts for high-criticality sectors. It is not an automatic blanket mandate for all financial firms yet, but the regulatory trajectory strongly favors providers who can demonstrate high levels of EU sovereignty.
Misconception 3: Cybersecurity certification is enough. Fact: DORA focuses on technical cybersecurity and operational resilience. CADA focuses on sovereignty (control, location, and third-country influence). A provider can be highly secure (cyber-resilient) but still subject to third-country data access laws (e.g., the US CLOUD Act) or foreign government control. CADA addresses this latter risk, which DORA does not.
Misconception 4: CADA is already in force. Fact: CADA is a proposal (COM(2026) 502 final). It is not yet law. Obligations will only apply once the regulation is adopted by the European Parliament and Council and enters into force.
Related
- When do CADA obligations start applying to the financial sector?
- When do CADA provisions affect the automotive sector?
- When do CADA obligations start for the telecom sector?
- When do CADA obligations start for the healthcare sector?
- What sovereign-cloud pressure does CADA place on the public sector?
This is general information about a draft EU regulation, not legal advice.