Summary
No, oversight under the Digital Operational Resilience Act (DORA) does not count toward, replace, or substitute the recognition process for Union assurance levels under the proposed Cloud and AI Development Act (CADA). While DORA ensures operational resilience for the financial sector, CADA establishes a distinct, horizontal sovereignty framework. CADA recognition is strictly governed by Article 17 and requires specific evidence of compliance with the sovereignty criteria in Annex II (e.g., third-country control, data localization, personnel citizenship). DORA findings may inform a provider's internal controls but cannot serve as the legal basis for CADA recognition.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, introduces a mandatory sovereignty framework for cloud computing services used by Union entities and public sector bodies. This framework relies on four "Union assurance levels" (1 to 4), which dictate the degree of sovereignty, data localization, and independence from third-country control required for a service to be procured by the public sector.
A critical question for cloud service providers (CSPs), particularly those already designated as critical third-party ICT providers under the Digital Operational Resilience Act (DORA), is whether existing DORA compliance, or oversight by competent authorities under that regime, can be leveraged to achieve CADA recognition. The short answer is no. The two instruments pursue fundamentally different legal objectives, apply to different scopes, and use distinct assessment mechanisms.
Distinct Legal Objectives and Scopes
DORA (Regulation (EU) 2022/2554) primarily targets the financial sector. It imposes digital operational resilience requirements on financial entities and their critical third-party ICT service providers. Its focus is on managing ICT risks, incident reporting, testing, and ensuring business continuity. As explicitly stated in the CADA explanatory memorandum under "Consistency with other Union policies," DORA "has a sectoral scope and is specific to the financial sector" and "indirectly covers cloud computing service providers if they provide services to specified financial entities." The memorandum further clarifies that DORA is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."
In contrast, CADA is a horizontal instrument aimed at strengthening the EU's cloud and AI ecosystem, reducing dependencies on non-European providers, and safeguarding public order. The CADA sovereignty framework (Title IV) applies to any cloud computing service provider seeking to serve Union entities and public sector bodies, regardless of their sector. The criteria for Union assurance levels, set out in Annex II of CADA, go significantly beyond technical cybersecurity to include:
- Establishment and Control: Requirements regarding the legal establishment of the provider and its subcontractors in the Union, and strict limits on control by third countries or legal entities established in third countries.
- Data Localization: Mandates that customer data, including metadata and telemetry, remain exclusively within the Union.
- Personnel: Requirements for Union citizenship for personnel involved in service provision, particularly at higher assurance levels (L3/L4).
- Software Supply Chain: Detailed requirements for software bills of materials (SBOM), source code audits, and blocking remote tampering features.
DORA oversight does not assess these sovereignty-specific criteria. A provider may be fully compliant with DORA's ICT risk management and incident reporting obligations while still being subject to the control of a third-country legal entity, thereby failing to meet the criteria for Union assurance levels 2, 3, or 4 under CADA.
The CADA Recognition Process: Article 17
CADA recognition is not an automatic consequence of existing certifications or sectoral oversight. Article 17 of CADA establishes a specific, self-contained mechanism for cloud computing service providers to be recognized as offering a Union assurance level. The process is rigorous and distinct:
- Application: The provider must submit an application for recognition to the national competent authority of their establishment.
- Evidence Submission:
  - For Union assurance level 1, the provider must submit an EU statement of conformity based on a self-assessment (Article 19).
  - For Union assurance levels 2, 3, and 4, the provider must submit an audit report and a 'positive' audit opinion from an independent auditing organisation, along with all evidence provided during the audit (Article 20).
- Assessment: The evaluating national competent authority assesses the evidence within 60 days. It may request further information or collaborate with other Member States' authorities.
- Recognition Decision: If the evidence is sufficient and no reasoned objections are raised by other Member States within the review period, the authority adopts a recognition decision. The service is then recognized throughout the Union at the applicable assurance level.
This process is strictly tied to the audit criteria in Annex II and the specific audit evidence requirements in Annex III. Annex III lists the evidence auditors must request, including company extracts, data flow diagrams, SBOMs, and proof of personnel location and citizenship. DORA oversight findings or reports are not listed as valid evidence for this recognition. While a DORA-compliant provider might have robust cybersecurity controls, it must still undergo the specific CADA audit process to demonstrate compliance with sovereignty criteria such as the absence of third-country control and the location of personnel and infrastructure.
DORA Findings May Inform, But Not Replace
While DORA oversight does not replace CADA recognition, the two frameworks are not entirely siloed. The CADA explanatory memorandum notes that CADA "supports the objectives of the Digital Operational Resilience Act (DORA)." Furthermore, for Union assurance levels 2, 3, and 4, Annex II requires that the audited service obtains a European cybersecurity certificate of at least assurance level 'substantial' (or 'high' for level 4) under a scheme established under Regulation (EU) 2019/881 (the Cybersecurity Act), specifically the European Cybersecurity Certification Scheme for Cloud Services (EUCS).
If a provider is already subject to DORA, it may have undergone assessments that align with some technical cybersecurity aspects of EUCS. However, DORA itself is not the certification scheme. The provider must still obtain the specific EUCS certificate (or a national equivalent until EUCS is available) and undergo the independent third-party audit required by CADA Article 20. DORA findings may inform the provider's internal controls and risk management, which could streamline the audit process by demonstrating existing maturity in ICT risk management, but they do not constitute the legal recognition required under CADA. The audit must explicitly verify the sovereignty criteria that DORA does not cover.
What this means for you
For cloud service providers and data centre operators, particularly those serving the financial sector or already designated as critical third-party ICT providers under DORA:
- Separate Compliance Tracks: You must maintain separate compliance tracks for DORA and CADA. Do not assume that your DORA compliance report, your status as a critical third-party provider, or oversight by the European Central Bank (or other competent authorities under DORA) satisfies CADA's sovereignty requirements.
- Prepare for CADA Audits: If you intend to serve public sector bodies or Union entities, you must prepare for the CADA recognition process under Article 17. This includes:
  - Conducting a conformity self-assessment for Level 1.
  - Engaging an independent auditing organisation for Levels 2–4 to verify compliance with Annex II criteria, including data localization, personnel citizenship, and third-country control.
- Leverage Overlapping Controls: While the frameworks are distinct, you can leverage your DORA-compliant ICT risk management and cybersecurity controls to demonstrate robustness during the CADA audit. However, you must explicitly address the additional sovereignty criteria (e.g., legal establishment, data residency, software supply chain transparency) that DORA does not cover.
- Monitor EUCS Development: For Levels 2–4, you will need a cybersecurity certificate under the EUCS scheme (or national scheme). If you are already undergoing cybersecurity assessments for DORA, ensure these align with EUCS requirements to avoid duplication, but remember that the EUCS certificate is only one part of the CADA audit evidence.
Common misconceptions
- Misconception: "If I am a critical ICT provider under DORA, I am automatically recognized under CADA."
- Reality: DORA and CADA have different scopes and objectives. DORA focuses on financial sector resilience; CADA focuses on EU sovereignty and autonomy. Recognition under CADA requires a specific application and audit under Article 17 and Annex II.
- Misconception: "My DORA compliance report can be submitted as evidence for CADA recognition."
- Reality: CADA Article 17 requires specific evidence: an EU statement of conformity (Level 1) or an audit report and opinion from an independent auditor (Levels 2–4). DORA reports are not listed as valid evidence for CADA recognition in Annex III.
- Misconception: "CADA replaces DORA for cloud providers."
- Reality: CADA complements DORA. Providers serving financial entities will likely remain subject to DORA. CADA adds an additional layer of sovereignty requirements for providers serving public sector bodies and Union entities.
- Misconception: "DORA oversight covers third-country control risks."
- Reality: DORA focuses on technical cybersecurity and operational resilience. It does not assess the legal control of a provider by a third country or the citizenship of personnel, which are central to CADA's Annex II criteria.
This is general information about a draft EU regulation, not legal advice.