Summary

No, the proposed Cloud and AI Development Act (CADA) does not require cloud providers to register under the NIS2 Directive, nor does it create a new NIS2-style registration system. NIS2 entity registration remains a separate obligation governed by Directive (EU) 2022/2555. Under CADA, cloud providers seeking to serve public sector bodies must instead undergo a distinct "recognition" process under Article 17 to prove they meet specific Union assurance levels for sovereignty. While NIS2 focuses on cybersecurity risk management, CADA focuses on strategic autonomy and data control. Providers may be subject to both regimes simultaneously, but the processes are legally and operationally distinct.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a framework to strengthen Europe's cloud and AI ecosystem. A critical aspect of this proposal is the introduction of a "Union cloud computing sovereignty framework" comprising four assurance levels. However, this framework operates independently from the existing cybersecurity supervision mechanisms established by the Directive on Security of Network and Information Systems (NIS2).

CADA Does Not Create a NIS2-Style Registration

CADA does not impose a general registration obligation on all cloud computing service providers akin to the mandatory registration of "essential" and "important" entities under NIS2. The NIS2 Directive requires entities in specific sectors to register in national registries to facilitate cybersecurity oversight and incident reporting. CADA does not repeal, replace, or merge into this registration process.

Instead, CADA introduces a voluntary recognition mechanism for providers who wish to offer their services to Union entities and public sector bodies. This mechanism is designed to verify compliance with sovereignty criteria, not to establish a baseline cybersecurity registry.

Under Article 17(1) of the proposed Regulation, the process is triggered only by a provider's intent to be recognised:

"A cloud computing service provider that aims to be recognised as offering a Union assurance level, shall submit an application for recognition to the national competent authority of establishment."

This recognition process is focused on assessing whether a provider meets the cumulative criteria for the specific assurance level they are targeting (Levels 1–4), as detailed in Annex II. It is not a general market access registration. A provider operating solely in the private sector with no public sector contracts would not need to seek recognition under CADA, though they might still be subject to NIS2 if they fall within its scope.

NIS2 Registration Remains Separate

The NIS2 Directive (Directive (EU) 2022/2555) requires essential and important entities, including many cloud computing service providers, to register in national registries. This obligation continues to be governed by NIS2 and its national transpositions. The CADA explanatory memorandum explicitly clarifies this distinction, noting that while NIS2 "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU," it "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

Therefore, a cloud provider may be required to register under NIS2 due to its sectoral classification and size, regardless of whether it seeks recognition under CADA. The two processes serve fundamentally different purposes:

  • NIS2 Registration: Ensures entities meet baseline cybersecurity risk management obligations, report incidents, and are visible to national supervisory authorities for security oversight. It is a mandatory requirement for entities within the directive's scope.
  • CADA Recognition (Article 17): Certifies that a provider's infrastructure, data handling, personnel, and governance meet specific EU sovereignty criteria (e.g., location of assets, citizenship of personnel, absence of third-country control). This certification allows public authorities to procure their services with confidence in data confidentiality and operational autonomy.

The CADA Recognition Process Under Article 17

The recognition process under CADA is tiered and depends on the assurance level sought. It is a distinct administrative procedure managed by the national competent authority of establishment, separate from NIS2 supervision.

  1. Union Assurance Level 1: Providers must submit an EU statement of conformity and necessary evidence to the evaluating national competent authority. Article 17(3) states:

    "For Union assurance level 1, the candidate cloud computing service provider shall submit to the evaluating national competent authority the EU statement of conformity referred to in Article 19(2) and all the necessary evidence."

    Notably, for Small and Medium-sized Enterprises (SMEs), this statement is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

  2. Union Assurance Levels 2, 3, and 4: Providers must undergo independent third-party audits. Article 17(4) requires:

    "For Union assurance levels 2, 3 and 4, the candidate cloud computing service provider shall submit to the evaluating national competent authority the audit report, the 'positive' audit opinion referred to in Article 20 and all the evidence provided to the auditing organisation during the audit procedure."

Once recognised, the service is registered in a central repository maintained by the Commission, as per Article 22, making it visible to public sector buyers across the EU. This repository is distinct from the NIS2 national registries, which are maintained by Member States for cybersecurity supervision and incident management.

What this means for you

If you are a cloud service provider or data centre operator, you must manage two parallel compliance tracks. These tracks are not interchangeable, and compliance with one does not satisfy the requirements of the other.

1. Managing NIS2 Obligations

If you fall within the scope of NIS2 as an essential or important entity (e.g., based on your size and sector), you must:

  • Register with your national competent authority under the NIS2 framework.
  • Implement cybersecurity risk management measures.
  • Report significant incidents.

CADA does not exempt you from these obligations. Even if you achieve CADA recognition, your NIS2 registration remains mandatory if you are an "essential" or "important" entity.

2. Pursuing CADA Recognition

If you want to sell to EU public sector bodies or Union entities, you must pursue recognition under Article 17. This involves:

  • Identifying the appropriate level: Determine which Union assurance level (1–4) your potential customers require based on their risk assessments under Article 29.
  • Conducting the assessment: Perform a self-assessment for Level 1 or engage an independent auditing organisation for Levels 2–4.
  • Submitting the application: Submit your application to the national competent authority in your Member State of establishment.
  • Maintaining recognition: Report material changes under Article 23 and undergo annual reviews for higher levels.

Failure to obtain recognition under CADA will not prevent you from operating in the private sector, but it will likely exclude you from public procurement contracts that mandate Union assurance levels 1–4, as required by Article 30 of CADA. Conversely, failing to register under NIS2 (if applicable) could lead to significant penalties under that directive, independent of your CADA status.

Common misconceptions

"CADA replaces NIS2 registration for cloud providers." No. CADA complements NIS2. NIS2 focuses on cybersecurity resilience and incident reporting, while CADA focuses on sovereignty, data autonomy, and supply-chain control. Both regimes may apply simultaneously to the same provider.

"All cloud providers must register under CADA." No. CADA recognition is voluntary. It is only necessary if you wish to serve Union entities or public sector bodies that require specific assurance levels. Private sector clients are not legally bound to use recognised services under CADA, though they may choose to do so for risk management.

"The CADA central repository is the same as the NIS2 national registry." No. The CADA central repository (Article 22) lists services recognised for sovereignty assurance levels to facilitate public procurement. The NIS2 registries list entities subject to cybersecurity supervision for incident management and enforcement. They are separate databases with different purposes and legal bases.

"CADA recognition is just a cybersecurity certificate." No. While cybersecurity is a component (e.g., requiring a "substantial" or "high" assurance certificate under Annex II), CADA recognition covers broader sovereignty criteria, including the location of infrastructure, citizenship of personnel, and the absence of third-country control.

This is general information about a draft EU regulation, not legal advice.