Summary
The proposed Cloud and AI Development Act (CADA) and the Digital Operational Resilience Act (DORA) address distinct but overlapping layers of risk in the financial sector. DORA focuses on technical cybersecurity, operational resilience, and the oversight of critical third-party providers (CTPPs) for financial entities. CADA, by contrast, introduces a Union cloud computing sovereignty framework (Article 16) targeting data sovereignty, operational autonomy, and the protection of public order. A cloud service provider (CSP) serving the financial sector may simultaneously be regulated as a CTPP under DORA and subject to CADA's sovereignty audits. Crucially, CADA does not replace DORA; it adds a layer of sovereign compliance. While DORA ensures the service works securely, CADA ensures the service remains under EU control. Financial entities are currently invited to voluntarily align with CADA's assurance levels via Article 31, though the Commission retains the power to mandate these assessments for high-criticality sectors.
Detail
To understand the intersection of these regimes, one must distinguish their primary objectives and legal scopes. DORA (Regulation (EU) 2022/2554) establishes a harmonised framework for managing ICT risk in the financial sector. As explicitly noted in the CADA explanatory memorandum, DORA "shapes compliance obligations for cloud computing service providers" indirectly. It covers them "if they provide services to specified financial entities or if their role is significant enough in terms of operational resilience." DORA has a sectoral scope specific to the financial sector, requiring cloud providers to implement ICT risk management and conduct regular incident response testing.
CADA, as proposed in COM(2026) 502 final, introduces a Union cloud computing sovereignty framework consisting of four assurance levels (Article 16). This framework is designed to mitigate risks stemming from the EU's reliance on third-country providers, such as extraterritorial data access, service disruption, and loss of operational autonomy. The two regimes operate in parallel: DORA ensures the service is technically resilient and secure, while CADA ensures the service aligns with EU public order interests and strategic autonomy.
The Role of DORA Entities Under CADA
CADA explicitly acknowledges the overlap with DORA in Article 31, which governs private sector entities. Article 31(1) states that "Entities referred to in Annex I of Directive (EU) 2022/2555 [NIS2] who are not public sector bodies may carry out similar assessments as those set out in Article 29."
While many financial entities regulated under DORA are also listed in Annex I of the NIS2 Directive, Article 31(1) specifically cites the NIS2 Directive as the trigger for voluntary assessments, not DORA directly. This distinction is legally significant: the current proposal creates a voluntary pathway for NIS2-listed entities (which includes many financial firms) to conduct risk assessments similar to those mandated for the public sector. These assessments determine the appropriate Union assurance level (2, 3, or 4) for their cloud usage.
However, this voluntary mechanism is not the only tool. Article 31(3) provides a mechanism for the Commission to expand the scope. It states that "where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This means that while financial entities are currently invited to assess their cloud sovereignty under Article 31(1), the Commission holds the power to mandate these assessments for high-criticality sectors (like finance) via delegated acts under Article 31(3). Therefore, relying solely on the current voluntary nature of Article 31(1) may be insufficient for long-term compliance planning.
Mapping DORA Oversight to CADA Assurance Levels
While DORA does not define sovereignty levels, CADA's four levels (detailed in Annex II) map logically onto the risk profiles of financial services. The criteria for each level escalate in strictness regarding establishment, personnel, and third-country control.
- Union Assurance Level 1: This is the baseline. It requires the CSP to be established in the Union, with infrastructure and data remaining exclusively within the Union unless the customer explicitly requires otherwise. It does not require an independent audit, only a conformity self-assessment (Article 19). For many standard financial services not handling sensitive state-level data, this may be the minimum viable standard, but it offers limited protection against third-country legal compulsion or ownership control.
- Union Assurance Level 2: This level introduces mandatory independent third-party audits (Article 20). It requires that the audited provider and subcontractors be established in the Union, with personnel and infrastructure located in the Union. Crucially, it mandates that data generated by the service is not used to train third-country AI systems. It also requires a European cybersecurity certificate of at least 'substantial' assurance (Annex II, 2.1(e)). This aligns well with the enhanced due diligence expected of DORA CTPPs, ensuring that technical resilience is paired with data localization and independent verification.
- Union Assurance Level 3: This level adds strict personnel requirements, mandating that personnel involved in the service are Union citizens (Annex II, 3.1(d)). It also requires a European cybersecurity certificate of at least 'substantial' assurance. A key feature of Level 3 is the handling of third-country control: while generally prohibited, a derogation exists where the Commission has adopted an implementing act identifying a third country as providing sufficient assurances (Article 18). Level 3 is designed for services where public order relevance is higher. For financial entities handling critical market data or national strategic assets, this level offers robust protection against foreign control.
- Union Assurance Level 4: The highest level, requiring a European cybersecurity certificate of at least 'high' assurance (Annex II, 4.1(e)). It strictly prohibits any third-country control and requires that the provider and subcontractors are not subject to such control. It is designed for the most sensitive data, including classified information. While primarily targeted at public sector defense and justice applications, large financial institutions managing critical national infrastructure data may voluntarily adopt this standard via Article 31 assessments to maximize sovereignty.
Simultaneous Application and Compliance Burdens
A CSP can be subject to both regimes simultaneously. A US-based hyperscaler, for example, must comply with DORA's direct oversight if designated as a CTPP by the European Supervisory Authorities (ESAs). However, under CADA, it would face significant hurdles in achieving Union Assurance Levels 2–4 due to the requirement that the provider and subcontractors be established in the Union and not subject to third-country control (Annex II).
Consequently, a DORA-regulated bank seeking to reduce sovereignty risk might use CADA's framework to justify migrating away from a non-EU CTPP that cannot meet the higher assurance levels, even if that provider is fully DORA-compliant. The bank would argue that while the provider is technically resilient (DORA), it poses a strategic sovereignty risk (CADA) that threatens the bank's operational autonomy.
The CADA explanatory memorandum reinforces this by stating that the proposal "complements the Cybersecurity Act's focus on cloud cybersecurity with sovereignty considerations." It notes that certification under the Cybersecurity Act (and by extension, DORA's technical requirements) "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements."
What this means for you
For in-house counsel and compliance officers in the financial sector, the interplay between DORA and CADA requires a two-track compliance strategy:
- Audit Your CTPPs Against Sovereignty Criteria: Do not rely solely on DORA compliance certificates or the "critical third-party" designation. Begin mapping your critical third-party providers against CADA's Annex II criteria. Identify which providers can realistically achieve Union Assurance Level 2 or higher. If a provider is subject to third-country laws (e.g., the US CLOUD Act), it will likely fail Levels 3 and 4 due to the prohibition on third-country control and the requirement for Union citizenship of personnel.
- Prepare for Voluntary (and Potentially Mandatory) Risk Assessments: Under Article 31(1), you may voluntarily conduct risk assessments similar to those mandated for the public sector under Article 29. Document these assessments now. They will serve as evidence of due diligence and may be required if the Commission exercises its power to mandate impact assessments for high-criticality sectors under Article 31(3). Do not treat Article 31(1) as a permanent voluntary option; view it as a preparatory step for potential mandatory compliance.
- Contractual Due Diligence: Review contracts with cloud providers for clauses that address data localization, personnel citizenship, and the absence of third-country control. CADA's higher assurance levels require specific contractual guarantees regarding the prevention of remote tampering and the separation of Union and third-country subsidiaries. Ensure your contracts allow for the independent audits required by Article 20 and the transparency obligations of Article 23.
- Monitor Legislative Developments: CADA is a proposal. The final text may tighten the link between DORA entities and CADA assurance levels. Stay alert for delegated acts under Article 31(3) that could make sovereignty impact assessments mandatory for financial entities. The Commission's power to specify "risk mitigation measures" for private companies in high-criticality sectors is a significant lever that could transform the voluntary nature of Article 31(1) into a binding obligation.
Common misconceptions
- "DORA compliance replaces CADA sovereignty requirements." Incorrect. DORA focuses on technical resilience, incident reporting, and ICT risk management. It does not address the extraterritorial reach of third-country laws, the strategic autonomy of data, or the ownership structure of the provider. A provider can be DORA-compliant yet fail CADA's highest sovereignty levels due to ownership or jurisdictional issues.
- "CADA applies only to the public sector." Incorrect. While Article 30 mandates assurance levels for public procurement, Article 31 explicitly allows private entities in critical sectors (including finance, via the NIS2 link) to conduct similar assessments. Furthermore, market pressure from public sector demand will likely drive private sector adoption of higher assurance levels.
- "Union Assurance Level 1 is sufficient for critical financial data." Level 1 requires only a self-assessment and basic establishment in the EU. It does not require independent audits, strict personnel localization, or the prevention of third-country control. For entities handling sensitive financial data, Levels 2–4 provide the necessary independent verification and control safeguards.
- "Article 31(1) is the only way for finance to engage with CADA." Incorrect. While Article 31(1) provides the current voluntary pathway for NIS2 entities, Article 31(3) allows the Commission to mandate assessments for high-criticality sectors via delegated acts. Financial entities must prepare for both the voluntary and the potential mandatory scenarios.
This is general information about a draft EU regulation, not legal advice.