Summary

No, the proposed Cloud and AI Development Act (CADA) does not directly mandate banks or other private financial institutions to use EU sovereign cloud providers. As proposed, CADA's binding procurement obligations apply strictly to public sector bodies and Union entities. However, banks falling within the scope of the NIS2 Directive are permitted to conduct voluntary impact assessments to determine their own sovereignty needs under Article 31. While not legally compelled by CADA, financial institutions face significant indirect market pressure, as public procurement signals and private-sector spillover effects described in Recital 66 are expected to drive a broader shift toward sovereign cloud services.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a significant shift in the EU's regulatory approach to cloud infrastructure, focusing on sovereignty, strategic autonomy, and the reduction of dependencies on third-country providers. A critical question for the financial sector is whether this framework imposes a direct legal obligation on private banks to migrate to EU-based or "sovereign" cloud infrastructure. Based on the verbatim text of the proposal, the answer is no. The regulatory architecture of CADA distinguishes sharply between mandatory public-sector procurement and voluntary private-sector engagement.

The Public Sector Mandate: Article 30

The core mandatory provisions of CADA regarding cloud sovereignty are directed exclusively at "contracting authorities" and "Union entities." Article 30 establishes the procurement obligations that define the "sovereign cloud" requirement. Specifically, Article 30(2) mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having a Union assurance level 1.

More critically, Article 30(3) imposes a stricter requirement: contracting authorities whose activities have been identified as contributing to the preservation of public order (such as law enforcement, defence, or critical infrastructure) "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." These higher levels entail rigorous independent audits, strict data localisation, and prohibitions on third-country control.

However, the scope of Article 30 is explicitly limited. The text states in Article 30(1): "This Article applies to contracting authorities that procure cloud computing services for their exclusive use." It does not extend this mandatory procurement requirement to private entities, including banks, insurance companies, or other financial institutions. Consequently, a private bank is not legally required by CADA to procure services at any specific Union assurance level, nor is it required to migrate its infrastructure to a provider recognised under the CADA sovereignty framework.

Article 31: The Voluntary Framework for Private Entities

The primary provision addressing private sector entities, including banks, is Article 31, titled "Impact assessments." This article creates a specific, permissive framework for entities referred to in Annex I of Directive (EU) 2022/2555 (NIS2 Directive) that are not public sector bodies. The financial sector is explicitly covered under Annex I of the NIS2 Directive.

Under Article 31(1), these entities "may carry out similar assessments as those set out in Article 29." Article 29 outlines the mandatory risk assessments for Member States and Union entities to determine which Union assurance level is appropriate for their public-order-relevant activities. Therefore, Article 31 allows banks to voluntarily conduct impact assessments to evaluate their dependency on cloud providers, the risks associated with third-country control, and the potential need for higher assurance levels.

Crucially, the language is permissive, not mandatory. The text states entities "may carry out" these assessments. There is no obligation in the current proposal for a bank to perform this assessment. Furthermore, Article 31(2) notes that the Commission "may issue guidance" on the methodology for these impact assessments.

Article 31(3) introduces a potential future mechanism for compulsion, but it is conditional and not yet active. It states: "Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."

As of the current proposal text, this power has not been exercised. The Commission has not adopted a delegated act mandating impact assessments for banks. Therefore, under the current draft, the requirement remains entirely voluntary. Banks retain the discretion to decide whether to assess their cloud sovereignty risks under the CADA framework.

Indirect Pressure: Recital 66 and Market Spillover

While CADA does not legally force banks to use sovereign clouds, the proposal explicitly acknowledges that public procurement acts as a powerful market signal that will inevitably affect the private sector. This is articulated in Recital 66 of the explanatory memorandum:

"Public procurement frequently serves as a primary signal of market direction. Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

This recital confirms the Commission's expectation that the mandatory public-sector shift toward Union assurance levels 2, 3, and 4 will create a "spillover effect." As public bodies (including government regulators, central banks, and public-sector clients of financial institutions) mandate these standards, the market dynamics will shift. Private banks may find that:

  1. Commercial Pressure: Clients or partners in the public sector may require their suppliers (including banks) to demonstrate similar sovereignty standards.
  2. Market Availability: As providers focus on meeting public-sector requirements, the availability and cost-effectiveness of non-sovereign cloud services may change.
  3. Regulatory Expectations: While CADA does not mandate it, national regulators or the Commission may increasingly view the voluntary adoption of CADA standards as a best practice for operational resilience, potentially influencing supervisory expectations under other frameworks like DORA.

Thus, while the legal mandate is absent, the market mandate is anticipated to be significant.

What this means for you

For in-house counsel, compliance officers, and CIOs in the banking and financial services sector, the immediate takeaway is that CADA, if adopted in its current form, does not create a new statutory duty to migrate to EU sovereign clouds. Your existing obligations remain governed by sector-specific regulations such as the Digital Operational Resilience Act (DORA) and the NIS2 Directive.

However, the strategic landscape is shifting. You should monitor the development of Article 31 closely. The Commission retains the power to require impact assessments for high-criticality private entities through delegated acts. If the Commission exercises this power in the future, banks may be required to formally assess their cloud dependencies and implement specific risk mitigation measures.

In the interim, you can use the framework in Article 31 voluntarily. Conducting an impact assessment similar to the public sector risk assessments in Article 29 can help your institution:

  1. Identify Critical Dependencies: Map out reliance on non-EU cloud providers and assess the risk of third-country control or data access.
  2. Evaluate Sovereignty Risks: Determine if your current infrastructure meets the criteria for Union assurance levels 2, 3, or 4, even if not legally required.
  3. Prepare for Market Shifts: Proactively aligning with CADA standards may position your institution favourably as the market realigns around sovereign cloud services, potentially reducing future migration costs and regulatory friction.

Additionally, consider the "spillover" effect mentioned in Recital 66. As public sector bodies increasingly mandate Union assurance levels, the commercial environment for non-sovereign cloud services may evolve. Proactively engaging with the voluntary assessment framework is a prudent step to manage this transition.

Common misconceptions

Misconception 1: CADA replaces DORA's operational resilience requirements. CADA and DORA serve different purposes. DORA focuses on the operational resilience of financial entities, requiring them to manage ICT risks and ensure continuity. CADA focuses on sovereignty, data localisation, and reducing strategic dependencies on third-country providers. A bank must comply with DORA regardless of CADA. CADA does not override DORA; rather, it complements it by providing a framework for assessing sovereignty risks that may not be fully addressed by technical cybersecurity standards alone.

Misconception 2: Banks must immediately audit their cloud providers against Union assurance levels. Article 31 does not require banks to undergo independent third-party audits against the Union assurance levels (2, 3, or 4) defined in Annex II of CADA. Those audit requirements are mandatory only for cloud providers seeking recognition to serve public sector bodies (Article 20). Banks may voluntarily assess their risks, but they are not subject to the same certification regime as public procurement targets.

Misconception 3: CADA bans the use of non-EU cloud providers for banks. CADA does not prohibit private entities from using non-EU cloud providers. The restrictions on third-country control and data localisation are tied to the Union assurance levels, which are mandatory only for public sector procurement in specific high-risk contexts. Private banks remain free to choose their cloud providers, subject to their own risk management frameworks and other applicable laws like the GDPR.

This is general information about a draft EU regulation, not legal advice.