Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) requires a distinct risk assessment process under Article 29 that is legally separate from the cybersecurity risk management obligations under the NIS2 Directive or the Digital Operational Resilience Act (DORA). While the technical data and threat inputs you gather for NIS2 and DORA may serve as evidence, the CADA assessment is a sovereignty-focused exercise designed specifically to determine the required "Union assurance level" for cloud services supporting public-order activities. Compliance with NIS2 or DORA does not satisfy the Article 29 requirement, and the outputs of these regimes differ fundamentally: NIS2/DORA produce technical and organisational controls, while CADA produces procurement mandates.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a new regulatory layer focused on strategic autonomy and the protection of public order. For legal counsel and compliance officers, the critical interaction point is Article 29, which mandates a specific "risk assessment" to determine the appropriate level of sovereignty for cloud services. This assessment is often confused with the risk management frameworks already established by the NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554).

The short answer is that CADA does not replace existing risk management frameworks; it sits alongside them with a different legal objective and a different output. Article 29(1) obliges Member States and Union entities to carry out risk assessments to identify which public sector activities contribute to the preservation of public order. This assessment is fundamentally different in purpose from the technical risk assessments required by NIS2 or DORA, even if the underlying data sources overlap.

The Distinct Purpose of Article 29

Under Article 29(1), Member States and Union entities are obligated to carry out risk assessments by the date of entry into force plus one year, and thereafter every two years, or whenever necessary. The primary goal of these assessments is not to evaluate the technical robustness of IT systems against cyberattacks, but to determine the sensitivity and criticality of the data and activities involved in the context of public order.

Specifically, Article 29(1)(a) requires the identification of public sector activities that use cloud computing services and contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2). It also explicitly covers areas of national security, internal security, external border management, defence, justice, and law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

The output of this assessment is a determination of the appropriate "Union assurance level" (UAL) for the cloud services used in those activities. Article 29(1)(b) states that the assessment must determine which Union assurance level 2, 3, or 4 is appropriate for the identified activities. This is a sovereignty classification, not a cybersecurity certification. The result dictates procurement obligations under Article 30(3), which mandates that contracting authorities whose activities contribute to public order must procure only services recognised at levels 2, 3, or 4.

Inputs Overlap, Outputs Diverge

While the purpose differs, the inputs for a CADA Article 29 assessment may draw heavily from existing NIS2 and DORA documentation. Article 29(2) lists the specific aspects Member States and Union entities must consider, and these overlap substantially with the risk factors already analysed under those regimes:

  1. Data Sensitivity and Criticality: The sensitivity, criticality, and magnitude of non-personal data processed, including the potential impact on public order. This also includes the nature, scope, context, and purpose of processing personal data, as well as the risk to the rights and freedoms of data subjects.
  2. Third-Country Access Risks: The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
  3. Service Disruption Risks: The risk and consequent impact on public order of possible service disruption.

For an organization already subject to NIS2 or DORA, much of this analysis has likely been performed. NIS2 (Article 21) requires entities to implement appropriate and proportionate technical, operational and organisational cybersecurity measures, which inherently involves assessing the impact of incidents on operations. DORA (Article 6) requires financial entities to identify, measure, monitor, manage, and control ICT-related risks, including those arising from third-party providers.

However, the output of a NIS2 or DORA assessment is a set of technical controls, incident response plans, and operational resilience strategies. The output of a CADA Article 29 assessment is a procurement requirement: if an activity is deemed to contribute to the preservation of public order, the contracting authority must procure cloud services that have been recognised as offering Union assurance level 2, 3, or 4. A NIS2-compliant provider might still be subject to third-country control, rendering it ineligible for a high Union assurance level under CADA.

The Sovereignty Dimension

The key differentiator is the concept of "sovereignty" and "public order." NIS2 and DORA are primarily concerned with the availability, integrity, and confidentiality of data and systems from a technical and operational standpoint. They do touch on non-technical risk where it affects resilience (NIS2 Article 22 allows coordinated supply-chain risk assessments that take non-technical risk factors into account, and DORA Article 29 requires financial entities to assess ICT concentration risk), but neither regime turns the jurisdictional control of a cloud provider, or the risk of extraterritorial access by foreign governments, into a classification criterion that restricts what may be procured.

CADA's Article 29 assessment explicitly looks at the risk of "unlawful access... by a third country" and "service disruption" in the context of public order. This aligns with CADA's broader objective of reducing dependencies on non-European cloud providers. As Recital 50 of the CADA proposal notes, dependence on providers subject to third-country control can lead to risks such as misuse, access to sensitive information, and dependency vulnerabilities like political or economic coercion.

Therefore, a cloud provider might be fully compliant with NIS2 cybersecurity requirements and DORA operational resilience standards, yet still fail to meet the sovereignty criteria required for a Union assurance level 3 or 4 service. Conversely, a provider might meet sovereignty criteria but have technical gaps that would fail a NIS2 audit. The two regimes are complementary but distinct.

Role of the Commission and Guidance

To ensure consistency, Article 29(3) empowers the Commission to specify the methodology, templates, and elements to be taken into account for these risk assessments via implementing acts. The Commission will also provide guidance to assist Member States. This suggests that the Article 29 assessment will be a standardized, EU-wide process, whereas NIS2, being a directive transposed into national law, leaves more room for variation between Member States in how risk management is implemented and supervised.

Furthermore, Article 29(5) gives the Commission the power to intervene if it concludes that the Union assurance level identified in a Member State's risk assessment is not appropriate or does not adequately address public order concerns. The Commission can adopt implementing acts specifying the required assurance levels. This central oversight is unique to CADA and does not exist in the same form for NIS2 or DORA risk management plans.

What this means for you

For in-house counsel and compliance officers in the public sector or in regulated private sectors (such as finance under DORA or essential services under NIS2), the introduction of CADA means managing a dual-track compliance strategy.

1. Maintain Separate Documentation Do not assume that your NIS2 risk assessment or DORA ICT risk management framework satisfies Article 29 of CADA. Maintain a distinct "Sovereignty Risk Assessment" document that explicitly maps your cloud-dependent activities to the preservation of public order and justifies the required Union assurance level. You can reference your NIS2/DORA findings as evidence of data sensitivity and disruption risks, but the final output must clearly state, for each service supporting an identified activity, which Union assurance level (2, 3, or 4) is required, consistent with Article 29(1)(b).

2. Procurement Implications The result of your Article 29 assessment directly impacts your procurement strategy. Under Article 30(3), if your activities are identified as contributing to the preservation of public order, you may only procure cloud computing services recognised as having Union assurance levels 2, 3, or 4. This means you must verify that any cloud provider you engage has successfully undergone the recognition process outlined in Article 17 of CADA. You cannot simply rely on a provider's ISO 27001 certification or NIS2 compliance status.

3. Timeline and Deadlines CADA will apply one year after its entry into force. Member States and Union entities must carry out the initial risk assessments by this date (Article 29(1)). Private sector entities in high-criticality sectors (Annex I of NIS2) are not strictly mandated to perform the Article 29 assessment, but Article 31 allows them to carry out similar impact assessments. The Commission may issue guidance on these voluntary assessments, and in specific circumstances, could require them via delegated acts. Monitor Commission guidance closely to determine if your private sector entity will be required to formalize this assessment.

4. Multi-Cloud and Vendor Strategy Article 29(9) explicitly states that Member States and Union entities must consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. Your risk assessment should therefore include an analysis of vendor concentration risk. Relying on a single cloud provider, even one recognised at a high Union assurance level, can itself constitute the service-disruption risk to public order that Article 29(2) requires you to evaluate.

5. Penalties and Enforcement While CADA's primary penalties under Article 24 target cloud service providers for providing misleading information about their assurance level, public sector bodies face different consequences. Failure to conduct the Article 29 risk assessment or to procure the correct assurance level could lead to non-compliance with EU procurement rules and potential challenges to the legality of contracts. Furthermore, the Commission can intervene under Article 29(5) if it deems your risk assessment inadequate, potentially forcing a change in your cloud strategy.

Common misconceptions

Misconception 1: "NIS2 compliance covers all cloud risks." NIS2 focuses on cybersecurity: preventing, detecting, and responding to incidents. Its supply-chain provisions can take non-technical risk factors into account, but NIS2 does not make a provider's jurisdiction or exposure to foreign government access a procurement criterion, and it does not address the strategic dependency risks CADA is concerned with. CADA's Article 29 assessment specifically targets these sovereignty risks.

Misconception 2: "DORA's ICT risk management includes sovereignty." DORA requires financial entities to manage ICT-related risks, including those from third-party providers, and it does address ICT concentration risk and exit strategies (Articles 28 and 29). However, DORA's focus is on operational resilience and the continuity of critical financial services. It does not define "sovereignty" or mandate the use of "Union assurance levels." A cloud provider can be DORA-compliant without being CADA-recognised.

Misconception 3: "The Article 29 assessment is a one-time exercise." Article 29(1) requires assessments to be carried out every two years, or whenever necessary. Given the rapid evolution of cloud technologies and the geopolitical landscape, this is likely to be a recurring compliance obligation. Additionally, if the Commission issues new guidance or identifies new public order risks, you may need to update your assessment sooner.

Misconception 4: "Private companies don't need to worry about Article 29." Article 29 explicitly binds Member States and Union entities, but Article 31 extends the concept to private sector entities in high-criticality sectors (NIS2 Annex I). Although this is currently framed as a possibility to carry out similar assessments, the Commission has the power to require impact assessments and risk mitigation measures for these entities via delegated acts. Private companies should prepare for the possibility that a formalized sovereignty impact assessment becomes mandatory.

This is general information about a draft EU regulation, not legal advice.