Summary
The Financial Data Access (FIDA) framework does not mandate the use of sovereign cloud infrastructure for open-finance data. FIDA focuses on data portability, interoperability, and user consent. However, the proposed Cloud and AI Development Act (CADA) introduces a separate sovereignty framework that would require specific Union assurance levels (2, 3, or 4) if a financial activity is classified as contributing to the preservation of public order. This infrastructure obligation stems entirely from CADA's risk-assessment and procurement rules (Articles 29 and 30), not from FIDA's data-sharing mandates.
Detail
To navigate the regulatory landscape for open finance, legal and compliance teams must distinguish between the data-access regime (FIDA) and the infrastructure-sovereignty regime (CADA). While they operate in the same ecosystem, their triggers and obligations are distinct.
FIDA: Data Access, Not Infrastructure Sovereignty
The proposed FIDA framework (often discussed alongside the Data Act and PSD3) is designed to foster competition and innovation by enabling customers to share their financial data securely with third-party providers. Its core objective is to break down data silos and ensure portability.
As proposed, FIDA does not contain provisions mandating the physical location of servers, the national origin of cloud providers, or specific "sovereign" infrastructure tiers for general open-finance transactions. The framework relies on existing horizontal legislation, such as the General Data Protection Regulation (GDPR) for data protection, the Digital Operational Resilience Act (DORA) for ICT risk management, and the NIS2 Directive for cybersecurity, to ensure the security and privacy of data in transit and at rest. FIDA governs who can access the data and how it is shared, but it does not dictate where the data must be hosted in terms of national sovereignty.
CADA: The Sovereignty Framework
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, addresses a different gap: the risk of strategic dependency on non-EU providers and the need to protect the Union's public order. CADA establishes a "Union cloud computing sovereignty framework" comprising four distinct Union assurance levels (Article 16). These levels define cumulative criteria regarding establishment, infrastructure location, personnel citizenship, and third-country control.
Crucially, the obligation to procure these sovereign services is not automatic for all financial data. It is triggered by a specific risk assessment process defined in Article 29.
The Link: Public Order and Financial Services
The intersection of FIDA and CADA occurs only where financial activities are deemed critical to the Union's stability.
- Risk Assessment Trigger (Article 29): Member States and Union entities must carry out risk assessments to identify public sector activities that use cloud computing services and contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive (which covers financial market infrastructures) and areas such as national security, defence, and law enforcement.
- Determination of Assurance Level: If the risk assessment determines that a specific financial activity contributes to public order (e.g., critical payment systems, central banking functions, or state-guaranteed savings schemes), the entity must procure cloud services recognized as offering Union assurance levels 2, 3, or 4 (Article 30(3)).
- The Baseline: For financial activities not identified as contributing to public order, the baseline requirement is Union assurance level 1 (Article 30(2)). This level requires establishment in the Union and data location in the Union but does not mandate the stricter personnel or third-country control restrictions of higher tiers.
Therefore, the sovereignty obligation is a function of the risk profile of the activity under CADA, not the mere existence of open-finance data sharing under FIDA.
Deadlines and Compliance Milestones
As proposed, the timeline for compliance is tied to CADA's entry into force:
- Risk Assessments: Member States and Union entities must conduct initial risk assessments within one year of CADA's entry into force, repeating them every two years (Article 29(1)).
- Migration: If a risk assessment identifies a need to migrate to a higher assurance level, the transition period must not exceed 12 months (Article 29(6)).
- National Strategies: Member States must establish national cloud and AI strategies within one year of entry into force, which will inform the risk assessment outcomes (Article 7).
Penalties and Enforcement
CADA empowers Member States to lay down rules on penalties for infringements by cloud computing service providers (Article 24). These penalties must be "effective, proportionate and dissuasive." Factors for imposition include the nature, gravity, and duration of the infringement, as well as any financial benefits gained. Additionally, recipients of cloud services have the right to seek compensation for damage caused by a provider's infringement (Article 24(3)).
What this means for you
For in-house counsel, compliance officers, and procurement teams in the financial sector, the distinction between FIDA and CADA is critical for risk management. You cannot assume FIDA compliance satisfies CADA requirements.
1. Conduct or Review Public Order Risk Assessments
You must determine whether your specific financial activities are classified as contributing to "public order" under your Member State's risk assessment pursuant to Article 29. This is a nuanced evaluation of the sensitivity, criticality, and magnitude of the data processed (Article 29(2)).
- Scenario A: If your open-finance service handles general consumer transaction data not deemed critical to public order, you likely only need Union assurance level 1.
- Scenario B: If your service supports critical payment infrastructure or state-guaranteed deposits, you may be required to procure Union assurance levels 2, 3, or 4.
2. Audit Your Cloud Stack Against Assurance Levels
If your risk assessment places you in a higher tier, you must verify that your cloud providers are recognized in the central repository (Article 22).
- Levels 2, 3, and 4: Require independent third-party audits (Article 20) and a "positive" audit opinion.
- Key Criteria: Ensure your providers can demonstrate compliance with Annex II criteria, including:
  - Data Localization: Data must remain exclusively within the Union (Annex II, 2.1(c), 3.1(c)).
  - Personnel: For levels 3 and 4, personnel must be Union citizens (Annex II, 3.1(d), 4.1(d)). Note: For Level 2, Union citizenship is required only if the public sector body explicitly requires it (Annex II, 2.1(d)).
  - Third-Country Control: Providers must demonstrate no third-country control or, for Level 3, prove the third country is "associated" via an implementing act (Article 18).
3. Plan for Migration Within 12 Months
If your current cloud setup does not meet the required assurance level after a risk assessment, you have a maximum of 12 months to migrate (Article 29(6)). Begin planning this transition immediately. Consider multi-cloud or multi-vendor strategies to enhance resilience, as encouraged by Article 29(9).
4. Monitor National Implementation
Since Member States conduct the initial risk assessments, stay informed about your national authority's determinations. The Commission retains the power to specify Union assurance levels if it concludes that a Member State's assessment is inadequate (Article 29(5)).
Common misconceptions
Misconception 1: FIDA requires sovereign cloud for all open-finance data. False. FIDA focuses on data access, portability, and interoperability. It does not prescribe the sovereignty tier of the underlying infrastructure. The sovereignty requirement comes from CADA, and it applies only to activities deemed to affect public order.
Misconception 2: All financial data is automatically subject to the highest sovereignty tier. False. CADA employs a risk-based approach. Not all financial activities are classified as contributing to public order. Only those identified in the risk assessment under Article 29 as critical to public order must use Union assurance levels 2, 3, or 4. General consumer banking services may only require Union assurance level 1 (Article 30(2)).
Misconception 3: GDPR compliance is sufficient for CADA sovereignty requirements. False. While CADA complements GDPR, it addresses sovereignty and operational autonomy, which go beyond data protection. GDPR focuses on lawful processing and individual rights, whereas CADA focuses on supply chain resilience, data localization, and protection against third-country extraterritorial access. A GDPR-compliant cloud provider may not meet CADA's Union assurance levels (e.g., if it is controlled by a third country or uses non-EU personnel for critical support).
Misconception 4: CADA replaces the AI Act or FIDA. False. CADA regulates the infrastructure layer (the cloud beneath the data), while FIDA regulates data access and the AI Act regulates AI systems. An organisation deploying public-sector or critical-infrastructure AI for finance would likely need to comply with all three instruments independently.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
This is general information about a draft EU regulation, not legal advice.