Summary
No, NIS2 incident reporting does not satisfy any obligation under the proposed Cloud and AI Development Act (CADA). The two regimes address fundamentally different policy objectives: NIS2 (Directive (EU) 2022/2555) mandates cybersecurity risk management and incident notification to ensure network resilience, whereas CADA (COM(2026) 502 final) establishes a "Union cloud computing sovereignty framework" to mitigate strategic dependencies and safeguard public order in procurement. CADA contains no general incident-reporting duty that could be fulfilled by NIS2 notifications. While CADA references NIS2 to acknowledge existing cybersecurity baselines, it imposes distinct, additive obligations regarding data localisation, personnel citizenship, and third-country control. Providers must comply with NIS2 for security incidents and separately pursue CADA "Union assurance levels" for public-sector eligibility.
Detail
To understand why NIS2 incident reporting cannot satisfy CADA obligations, it is necessary to distinguish the legal basis, scope, and specific duties of each instrument as presented in the CADA proposal.
The Distinct Legal Mandates
NIS2: Cybersecurity Resilience
Directive (EU) 2022/2555 (NIS2) imposes strict cybersecurity risk management and incident-reporting obligations on entities in essential and important sectors. Cloud computing service providers and data centre operators are explicitly listed in Annex I of NIS2. Under NIS2, these entities must notify significant cyber incidents to competent authorities within strict timelines (e.g., an initial notification within 24 hours). The primary goal is to protect the security of network and information systems and ensure operational continuity against cyber threats. The regime is technical and operational in nature, focusing on the "how" of security.
CADA: Sovereignty and Capacity
As proposed, CADA has two primary legal bases: Article 114 TFEU (internal market harmonisation) and Article 173(3) TFEU (industrial competitiveness). Its measures focus on structural and strategic autonomy rather than immediate incident response:
- Data Centre Deployment: Accelerating the build-out of compute capacity through "data centre acceleration zones" (Article 10) and streamlined permitting (Article 13).
- Cloud Sovereignty: Establishing a "Union cloud computing sovereignty framework" with four assurance levels (Article 16) to mitigate risks from third-country dependencies in public procurement (Articles 29–30).
No Equivalent Incident-Reporting Duty in CADA
CADA does not impose a general incident-reporting obligation on cloud providers or data centre operators that mirrors NIS2. The proposal explicitly distinguishes itself from NIS2 in Recital 5, stating: "The Directive on Security of Network and Information Systems (NIS2) improves the cybersecurity risk management of cloud computing service providers and data centres in the EU... However, it does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."
Consequently, there is no CADA provision that mirrors NIS2's incident-notification requirements. A provider cannot "tick the box" for a CADA compliance requirement by pointing to their NIS2 incident reports because CADA does not mandate such reports. The transparency obligations in CADA (Article 23) are strictly limited to reporting "material changes in circumstances" that may affect a provider's recognised assurance level (e.g., a change in ownership structure or a shift in third-country control), not operational security breaches.
Distinct Obligations Do Not Substitute
While the regimes overlap in terms of affected entities, their obligations are additive, not substitutive:
- NIS2 requires you to manage cyber risks and report breaches to national authorities.
- CADA requires you to undergo specific audits or self-assessments to achieve "Union assurance levels" (Article 17) if you wish to serve public sector clients. It also requires data centre operators to comply with sustainability and permitting rules in acceleration zones (Articles 10–13).
For example, to achieve Union Assurance Level 2, 3, or 4, a provider must undergo an independent third-party audit (Article 20). This audit assesses criteria such as data localisation, personnel citizenship, and absence of third-country control (Annex II). It does not assess the provider's history of cyber incidents, nor does it replace the need to report such incidents under NIS2.
The Role of Cybersecurity Certification in CADA
CADA does incorporate cybersecurity standards, but in a specific, limited manner that does not equate to NIS2 compliance. Under Annex II, Union assurance levels 2, 3, and 4 require the service to obtain a European cybersecurity certificate of at least assurance level "substantial" (for levels 2 and 3) or "high" (for level 4) under a scheme established under Regulation (EU) 2019/881 (the Cybersecurity Act).
Crucially, this certification is a static requirement regarding the service's architecture and controls, distinct from the dynamic incident reporting of NIS2. Furthermore, Recital 5 clarifies that "Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Therefore, even a valid cybersecurity certificate does not automatically satisfy the full breadth of CADA's sovereignty criteria, let alone NIS2's incident reporting duties.
Regulatory Interaction and the "Sovereignty Gap"
CADA acknowledges NIS2 but does not merge its obligations. Recital 47 notes that existing Union law, including NIS2, addresses cybersecurity requirements. However, CADA introduces a "harmonised and auditable set of criteria" for sovereignty (Recital 47) that goes beyond technical cybersecurity. The proposal states that NIS2 "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."
Therefore, a provider must comply with NIS2 for cybersecurity compliance and separately engage with CADA's assurance levels if they seek to participate in public cloud procurement. The two regimes operate in parallel: NIS2 ensures the cloud is secure; CADA ensures the cloud is sovereign.
What this means for you
If you are a cloud service provider or data centre operator, you must manage two parallel compliance tracks that do not overlap in their reporting duties:
- Maintain NIS2 Compliance: Continue to implement robust cybersecurity risk management measures and adhere to incident-reporting timelines. This remains mandatory regardless of CADA's status. NIS2 reporting is a legal duty to national authorities for security incidents.
- Prepare for CADA Assurance Audits: If you target public sector customers, you will need to pursue recognition under the Union Assurance Levels (Article 17). This involves:
  - Conducting a conformity self-assessment for Level 1 (Article 19).
  - Engaging an independent auditing organisation for Levels 2–4 (Article 20).
  - Demonstrating compliance with sovereignty criteria (e.g., data remaining in the Union, no third-country control, Union citizenship of personnel for higher levels) as set out in Annex II.
- Do Not Assume Overlap: Do not assume that your NIS2 incident logs or cybersecurity certifications will satisfy CADA's sovereignty audits. CADA audits focus on legal and operational sovereignty (e.g., supply chain transparency, personnel location, control structures), not just technical security posture. A provider could be fully NIS2-compliant (having reported all incidents) yet fail a CADA audit due to third-country control or data localisation issues.
Common misconceptions
Misconception 1: "CADA replaces NIS2 for cloud providers." Incorrect. CADA complements NIS2. NIS2 remains the primary law for cybersecurity incident reporting and risk management. CADA adds a layer of sovereignty assurance for public procurement and data centre deployment rules. The proposal explicitly states in Recital 5 that NIS2 is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."
Misconception 2: "Reporting a cyber incident under NIS2 counts as transparency under CADA." Incorrect. CADA's transparency obligations (Article 23) relate to reporting material changes in circumstances that affect a provider's recognised assurance level (e.g., a change in ownership that introduces third-country control). It does not cover operational cyber incidents. NIS2 reporting is for security breaches; CADA reporting is for sovereignty status changes.
Misconception 3: "NIS2 cybersecurity certification satisfies CADA's assurance levels." Partially, but not entirely. CADA Annex II requires a European cybersecurity certificate (e.g., under the EU Cybersecurity Certification Scheme for Cloud Services, EUCS) for Levels 2–4. However, this is just one criterion among many. You must also meet data localisation, personnel, and control criteria. NIS2 compliance alone does not grant a CADA assurance level, and NIS2 incident reporting is irrelevant to the CADA audit process.
Misconception 4: "CADA has a general incident reporting duty like NIS2." Incorrect. CADA does not impose a general incident-reporting obligation on cloud providers or data centre operators. The proposal focuses on pre-emptive sovereignty criteria and post-recognition transparency regarding status changes, not real-time incident notification.
This is general information about a draft EU regulation, not legal advice.