Summary

No, complying with the Digital Operational Resilience Act (DORA) testing requirements does not, by itself, satisfy the service-continuity assessment required by the proposed Cloud and AI Development Act (CADA). While DORA focuses on operational resilience within the financial sector, CADA Article 29(2)(c) requires a distinct, strategic risk assessment of the "risk and consequent impact on public order of possible service disruption." DORA testing provides evidence of technical robustness, but it does not address the sovereignty, third-country control, or geopolitical disruption risks that define the CADA assessment. Providers must treat these as parallel obligations: DORA proves the system can recover from a failure, while CADA assesses whether the provider's legal and operational autonomy prevents intentional or politically motivated disruptions that would harm public order.

Detail

The relationship between the Digital Operational Resilience Act (DORA) and the proposed Cloud and AI Development Act (CADA) is one of complementarity, not substitution. For cloud computing service providers, data-centre operators, and public-sector bodies, understanding the precise legal boundary between these two regimes is critical. A widespread misconception is that demonstrating compliance with DORA's rigorous incident response testing and resilience frameworks automatically fulfills the service-continuity obligations under CADA. This is legally incorrect.

The Distinct Legal Mandates

DORA (Regulation (EU) 2022/2554) is a sector-specific regulation designed to ensure the financial sector's operational resilience. It imposes strict requirements on financial entities and their critical third-party ICT providers, including cloud service providers. DORA mandates regular testing, such as Threat-Led Penetration Testing (TLPT), and requires comprehensive incident response and recovery plans. Its primary objective is to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions, thereby maintaining financial stability.

CADA, as proposed in COM(2026) 502 final, establishes a Union-wide sovereignty framework. Its objective is to mitigate risks stemming from the EU's dependence on third-country providers and to safeguard the Union's public order. Central to this framework is the obligation for Member States and Union entities to conduct specific risk assessments under Article 29 of the CADA proposal. These assessments determine the appropriate "Union assurance level" for cloud computing services based on their contribution to public order.

The Specific Requirement of Article 29(2)(c)

The core of the distinction lies in the specific criteria mandated for CADA risk assessments. Article 29(1) requires Member States and Union entities to identify public sector activities that contribute to the preservation of public order. This includes sectors listed in Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas such as national security, internal security, external border management, defence, justice, and law enforcement.

Crucially, Article 29(2) specifies the aspects that must be considered in these risk assessments. While Article 29(2)(a) addresses the sensitivity and criticality of data, and Article 29(2)(b) addresses the risk of unlawful access by third countries, Article 29(2)(c) explicitly requires an assessment of:

"the risk and consequent impact on public order of possible service disruption;"

This provision creates a specific legal test that goes beyond technical resilience. It asks: Does the potential disruption of this specific cloud service pose a threat to public order? The answer depends on the nature of the public sector activity supported by the service and the source of the potential disruption, not merely on the technical robustness of the service itself.

Why DORA Testing is Insufficient for CADA

DORA testing provides valuable evidence of a provider's operational continuity capabilities. It demonstrates that a system can recover from technical failures, cyberattacks, or natural disasters. However, it does not address the "public order" dimension required by CADA for the following reasons:

  1. Scope of Risk: DORA focuses on operational risks within the financial sector. CADA focuses on sovereignty risks across the entire cloud ecosystem, specifically the risk that a third-country government or legal entity could compel a provider to disrupt service.
  2. Nature of Disruption: DORA testing models disruptions that originate outside the provider's own decision-making: technical failure, cyberattack (including the state-level adversaries simulated in TLPT scenarios), or natural disaster. CADA Article 29(2)(c) additionally requires an assessment of disruptions in which the provider itself is the channel: intentional withdrawal of service, geopolitically motivated action, or extraterritorial legal compulsion (e.g., sanctions, embargoes, or foreign laws mandating data access or service shutdown). No penetration test, however sophisticated, can demonstrate that a provider will keep serving when a lawful order binding its parent company tells it to stop.
  3. Public Order Impact: DORA assesses the impact on financial stability. CADA assesses the impact on public order, which includes national security, defence, and the continuity of essential public services. A service may be fully DORA-compliant yet still pose a public-order risk if the provider is subject to third-country control that could force a service shutdown during a geopolitical crisis.

Therefore, while DORA testing informs the CADA assessment by demonstrating technical resilience, it does not satisfy the broader sovereignty and public-order evaluation. The CADA assessment under Article 29 is a separate, mandatory process that looks at control, jurisdiction, and the strategic importance of the service to public order: factors that are outside the scope of DORA.

The Role of DORA in the CADA Framework

DORA testing is not irrelevant to CADA. Under Article 29, Member States and Union entities must consider all relevant aspects when assessing risks. DORA testing results can serve as evidence of a provider's technical capability to maintain service continuity. However, this evidence must be contextualized within the sovereignty framework.

For example, a cloud provider may have passed DORA's TLPT, proving it can withstand a sophisticated cyberattack. However, if that provider is subject to the control of a third country that has no adequacy decision and has laws allowing for extraterritorial data access or service disruption, the CADA risk assessment under Article 29(2)(c) would likely identify a high risk to public order. The technical resilience (DORA) does not negate the sovereignty risk (CADA).

What this means for you

As a cloud service provider, data-centre operator, or public-sector body, you must treat DORA compliance and CADA sovereignty assurance as parallel, non-substitutable obligations.

1. Separate Documentation and Evidence

Do not assume your DORA compliance reports, TLPT results, or incident response plans will suffice for CADA's Union assurance level recognition. You must prepare separate documentation that addresses the specific criteria in CADA's Annex II, particularly regarding third-country control, legal exposure, and service continuity risks related to public order. While DORA evidence can be included as supporting material for technical resilience, it must be supplemented with evidence addressing sovereignty and geopolitical risk.

2. Supporting Article 29 Risk Assessments

If you are serving public sector clients, be prepared to support their Article 29 risk assessments. Your DORA testing results can be used as evidence of technical robustness, but you must also provide clear information on:

  • Your ownership structure and ultimate beneficial owners.
  • Your jurisdictional exposure and any third-country laws that could compel service disruption.
  • Your incident response capabilities specifically in the context of geopolitical risks or foreign government interference.

3. Union Assurance Levels and Audits

To be recognised for Union assurance levels 2, 3, or 4 under CADA, you must undergo independent audits. These audits will evaluate your compliance with sovereignty criteria, including the prevention of service disruption by third countries. Article 20 requires auditors to assess compliance with the criteria in Annex II. While auditors may consider DORA testing as part of the evidence for technical resilience, they will also assess the legal and organisational measures you have in place to prevent external interference. A "positive" audit opinion under CADA requires meeting all cumulative criteria, not just technical ones.

4. Public Order Relevance

Understand that your service's classification under CADA depends on how your public sector clients use it. If your service supports activities deemed critical to public order under Article 29(1) (e.g., law enforcement, defence, or critical infrastructure), your client must procure a service with a higher Union assurance level (2, 3, or 4). Your ability to meet this requirement depends on your sovereignty profile, not just your DORA compliance. A DORA-compliant provider may still be ineligible for these higher assurance levels if it cannot demonstrate sufficient autonomy from third-country control.

Common misconceptions

"DORA compliance equals CADA sovereignty." This is false. DORA addresses operational resilience in the financial sector; CADA addresses sovereignty and public order across the entire cloud ecosystem. A provider can be DORA-compliant but fail CADA's sovereignty criteria if it is subject to third-country control that could disrupt service in a manner that undermines EU public order.

"Technical resilience testing replaces public-order risk assessments." CADA Article 29(2)(c) requires an assessment of the impact of service disruption on public order. This is a strategic and legal assessment, not just a technical one. DORA testing proves technical resilience but does not assess the strategic impact on public order or the risk of politically motivated disruption.

"Only financial sector providers need to worry about DORA and CADA." While DORA is sectoral, CADA applies to all cloud providers serving the public sector. Even if you are not a critical third-party provider under DORA, you may still need to comply with CADA's sovereignty framework if you serve public entities. Conversely, a financial provider serving the public sector must comply with both.

"CADA and DORA are the same law." They are distinct instruments with different legal bases and objectives. DORA is a sectoral regulation for financial resilience. CADA is a horizontal framework for cloud sovereignty and public order. They interact, but one does not replace the other.

This is general information about a draft EU regulation, not legal advice.