Summary
Under the proposed Cloud and AI Development Act (CADA), financial data infrastructure such as the Financial Data Access (FIDA) framework does not automatically trigger a specific high-level sovereignty tier. Instead, the required Union assurance level depends entirely on whether the specific cloud services support public sector activities that contribute to the preservation of public order. If FIDA-related infrastructure is procured or used by public authorities for critical functions (e.g., central bank operations, regulatory oversight), a risk assessment under Article 29 would determine if Union assurance levels 2, 3, or 4 are mandatory. For private financial entities, CADA does not impose direct procurement mandates but encourages voluntary impact assessments under Article 31 to mitigate critical dependencies, while acknowledging sector-specific obligations under Regulation (EU) 2022/2554 (DORA) and Directive (EU) 2022/2555 (NIS2) as noted in Recital 63.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework designed to reduce dependencies on third-country providers and safeguard the Union's public order. For financial data infrastructures like FIDA, which facilitate the sharing of financial data across the EU, the question of which "tier" (Union assurance level) applies is not a matter of automatic classification based on the sector alone. Rather, it is a functional determination driven by the nature of the activity, the identity of the user, and the outcome of a specific risk assessment.
The Sovereignty Framework: Four Union Assurance Levels
CADA introduces a four-tier framework in Article 16, where cloud computing service providers must meet cumulative criteria to be recognised as offering Union assurance levels 1 through 4. These levels are not merely technical certifications but legal thresholds for procurement by Union entities and public sector bodies.
- Union Assurance Level 1: This is the baseline. It requires the provider to be established in the Union, with infrastructure and customer data remaining exclusively within the Union unless the public sector body explicitly requires otherwise. It relies on a conformity self-assessment by the provider (Article 19).
- Union Assurance Levels 2, 3, and 4: These higher tiers are reserved for activities identified as contributing to the preservation of public order. They impose significantly stricter criteria, including mandatory independent third-party audits (Article 20), requirements for Union citizenship for personnel (conditional at Level 2, mandatory at Levels 3 and 4), and prohibitions on third-country control over the provider.
The critical distinction for FIDA infrastructure lies in whether the cloud services hosting it are procured for activities falling under the "public order" definition.
Article 29: The Risk Assessment Mechanism
The core mechanism determining the applicable tier is the risk assessment mandated by Article 29. This article requires Member States and Union entities to carry out risk assessments to:
- Identify public sector activities that use cloud computing services and contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), or in areas of national security, internal security, external border management, defence, justice, or law enforcement.
- Determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities.
Financial services are explicitly listed in Annex I of the NIS2 Directive. Consequently, financial data infrastructure that supports public sector functions (such as central bank operations, regulatory reporting systems used by public authorities, or critical market infrastructure overseen by public bodies) may be deemed to contribute to the preservation of public order.
If a Member State or Union entity conducts an Article 29 risk assessment and concludes that a specific FIDA-related infrastructure supports such critical public order functions, the contracting authority must procure cloud services recognised as offering Union assurance levels 2, 3, or 4, as stipulated in Article 30(3). Conversely, if the activity is deemed not to contribute to public order, the baseline Article 30(2) applies, requiring only Union assurance level 1.
Recital 63: Sector-Specific Obligations and Data Sensitivity
Recital 63 provides essential context for the financial sector, clarifying that CADA's sovereignty framework operates in conjunction with existing sectoral regulations. It states that in their risk assessments, Union entities and Member States shall assess the sensitivity, criticality, and magnitude of personal and non-personal data processed in the cloud environment.
Crucially, Recital 63 notes that this processing may include data subject to sector-specific obligations under Union law, explicitly citing Regulation (EU) 2022/2554 (DORA) and Directive (EU) 2022/2555 (NIS2). This linkage ensures that the sovereignty requirements under CADA do not exist in a vacuum. For FIDA, which facilitates data sharing for financial services, the infrastructure must ensure that data processing complies with both the sovereignty criteria of the chosen CADA tier and the operational resilience and cybersecurity requirements of DORA.
The recital further emphasises that the Commission will provide guidance on mapping Union assurance levels to categories of information, taking into account the sensitivity and criticality of the data. This means that the classification of financial data under FIDA will be dynamic, dependent on the specific risk profile of the data being processed and the public order implications of its hosting.
Private Sector Entities: Voluntary Impact Assessments and Future Obligations
For private financial institutions using FIDA or similar cloud-based data sharing schemes, CADA does not impose mandatory procurement rules. Private entities are not "contracting authorities" under the strict definition of Article 30. However, Article 31 creates a parallel framework for the private sector.
Article 31(1) allows entities referred to in Annex I of the NIS2 Directive (which includes financial market infrastructures, investment firms, and credit institutions) to carry out impact assessments similar to those set out in Article 29. While not legally binding for private entities at this stage, these assessments allow financial firms to evaluate their exposure to third-country dependencies and service disruptions.
Furthermore, Article 31(3) empowers the Commission to adopt delegated acts requiring impact assessments and risk mitigation measures for private entities operating in sectors of high criticality if specific circumstances justify it. This creates a potential future obligation for critical financial infrastructure providers to align their cloud hosting with higher sovereignty standards to maintain market access and operational resilience. The Commission may also issue guidance on the methodology for these assessments, effectively setting a de facto standard for the sector.
Interaction with DORA and FIDA Data-Sharing Schemes
The interaction between CADA and the Digital Operational Resilience Act (DORA) is pivotal for FIDA. DORA focuses on the operational resilience of the financial sector, requiring financial entities to manage ICT risks, including those related to third-party service providers. CADA complements this by addressing the sovereignty and control aspects of those providers.
FIDA data-sharing schemes, which may run on cloud infrastructure, must navigate both frameworks. If a FIDA scheme is operated by a public authority or a critical entity designated under DORA, the cloud provider must not only meet DORA's critical third-party provider requirements but also the relevant CADA assurance level determined by the Article 29 risk assessment. The "tier" is not a static label for the FIDA scheme itself but a requirement for the specific cloud services used to host it, contingent on the risk assessment outcome.
Penalties and Enforcement
Non-compliance with the sovereignty framework carries significant risks. Article 24 requires Member States to lay down rules on penalties for infringements by cloud computing service providers. These penalties must be effective, proportionate and dissuasive. Factors considered include the nature, gravity, scale and duration of the infringement, as well as the provider's annual turnover.
For public sector bodies, failing to procure services at the required assurance level after a risk assessment has deemed it necessary could lead to administrative sanctions and reputational damage. For cloud providers, supplying services to public order-relevant activities without the required recognition could result in significant fines and exclusion from public procurement.
What this means for you
For in-house counsel, compliance officers, and data governance teams in the financial sector, particularly those overseeing FIDA or similar data-sharing initiatives, the following strategic actions are critical:
- Conduct Internal Risk Mapping: Identify which parts of your data infrastructure support public sector activities or critical functions that may be deemed to preserve public order. If your infrastructure interacts with central banks, regulators, or public authorities, prepare for a potential Article 29 risk assessment. Determine if your specific use case falls under the "public order" definition in Article 29(1).
- Align with DORA and NIS2: Ensure your cloud service providers are not only compliant with DORA's ICT risk management requirements but also capable of meeting CADA's sovereignty criteria. Review contracts to ensure providers can demonstrate compliance with Union assurance levels 2, 3, or 4 if required by a future risk assessment. Note that Recital 63 explicitly links these frameworks.
- Monitor Commission Guidance: The Commission will issue guidance on mapping Union assurance levels to categories of information (Recital 63). Stay updated on how financial data is classified under this framework to anticipate whether your current cloud hosting meets future mandatory or recommended standards.
- Prepare for Impact Assessments: Even if not yet mandatory for private entities, conduct voluntary impact assessments under Article 31 to evaluate your exposure to third-country cloud providers. This proactive step can demonstrate due diligence and preparedness for potential future delegated acts that may make higher sovereignty standards a requirement for critical financial infrastructure.
- Assess Third-Country Control: For any cloud provider used for FIDA infrastructure, scrutinise the ownership and control structure. Annex II criteria for Levels 3 and 4 strictly prohibit third-country control unless a specific derogation under Article 18 is in place. Ensure your providers have the necessary legal and technical measures to prevent third-country interference.
Common misconceptions
"All financial data must be hosted at Level 4." This is incorrect. The required tier depends entirely on the outcome of the risk assessment under Article 29. Only activities deemed to contribute to the preservation of public order require levels 2, 3, or 4. Routine financial data processing that does not affect public order may require only Level 1.
"CADA replaces DORA." CADA and DORA are complementary, not substitutive. DORA focuses on operational resilience and ICT risk management, while CADA focuses on sovereignty and reducing third-country dependencies. Financial entities must comply with both frameworks simultaneously. Recital 63 explicitly acknowledges this overlap.
"Private banks are exempt from sovereignty requirements." While private entities are not subject to mandatory procurement rules under Article 30, they are encouraged to conduct impact assessments under Article 31. Furthermore, market pressure, the potential for future delegated acts under Article 31(3), and the requirements of critical third-party providers under DORA may effectively make higher sovereignty standards a de facto requirement for critical financial infrastructure.
"FIDA automatically triggers a high-tier requirement." FIDA is a data access framework, not a cloud service itself. The tier requirement applies to the cloud services hosting the FIDA infrastructure. If that infrastructure is used for non-public-order activities, Level 1 suffices. The trigger is the use case and the user, not the FIDA label itself.
This is general information about a draft EU regulation, not legal advice.