Summary

The proposed Cloud and AI Development Act (CADA) does not replace the Digital Operational Resilience Act (DORA) but layers a sovereignty framework on top of it. While DORA mandates technical cybersecurity and operational resilience for critical ICT third-party providers (including cloud), CADA introduces "Union assurance levels" that determine whether a cloud service can be used for public-order-critical activities. Financial entities must therefore satisfy DORA's baseline resilience requirements while also meeting CADA's stricter sovereignty criteria if their risk assessments under Article 29 dictate higher assurance levels. As proposed, DORA handles the "can the system survive an attack?" question, while CADA answers "who controls the system, and can a third country disrupt it?"

Detail

To understand the relationship between DORA and CADA, one must distinguish between operational resilience and sovereign autonomy. DORA (Regulation (EU) 2022/2554) focuses on the technical and organizational ability of financial entities and their ICT third-party providers to prevent, detect, and respond to ICT-related incidents. CADA, by contrast, addresses the risk of external control, data access by third-country authorities, and strategic dependency on non-European providers.

DORA's Baseline: Technical Resilience for Critical Providers

Under DORA, financial entities must manage ICT third-party risk, maintain a register of information on all their ICT third-party arrangements, and meet minimum contractual requirements for those arrangements. Crucially, DORA also lets the European Supervisory Authorities (ESAs) designate ICT third-party providers that are critical for the financial sector (major cloud providers among them). Each designated provider is assigned a Lead Overseer, which can request information, conduct general investigations and on-site inspections, and issue recommendations, to ensure the provider maintains high standards of cybersecurity and operational resilience.

The CADA proposal explicitly acknowledges this existing framework. Recital 63 of the proposal notes that DORA "shapes compliance obligations for cloud computing service providers" and has a "sectoral scope specific to the financial sector." Under DORA, financial entities must implement ICT risk management and test their resilience regularly, and their critical providers are overseen against the same standards. What DORA does not address is sovereignty: nothing in it prevents an operationally resilient provider from being subject to third-country laws that compel data access or service disruption.

CADA's Addition: Sovereignty Assurance Levels

CADA introduces a Union cloud computing sovereignty framework consisting of four assurance levels (Article 16). This framework is not limited to the financial sector; it applies to Union entities and public sector bodies across all sectors. The assurance levels range from Level 1 (basic establishment and data localization) to Level 4 (strictest controls, including Union citizenship for personnel and no third-country control).

The interaction between the two regimes is defined by risk assessment. Article 29 of CADA obliges Member States and Union entities to conduct risk assessments to determine which Union assurance level is appropriate for their specific activities. This assessment considers:

  1. The sensitivity, criticality, and magnitude of the data processed.
  2. The risk of unlawful access by third countries.
  3. The risk of service disruption.

For financial entities, this creates a dual obligation. They must first ensure their cloud provider is DORA-compliant (technically resilient). Second, if their activities are deemed to contribute to the preservation of public order (which includes financial stability and critical infrastructure), they must procure services that meet the specific Union assurance level identified in their CADA risk assessment.

The Role of Article 29 and Public Order

Article 29(1) requires risk assessments to identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), as well as in areas of national security, defense, and law enforcement. While the financial sector is not explicitly named in the "national security/defense" clause of Article 29(1), it is captured by the NIS2 reference: banking and financial market infrastructures are listed in NIS2 Annex I as sectors of high criticality, alongside digital infrastructure.

Recital 63 of CADA further clarifies that in these risk assessments, entities must assess the "sensitivity, criticality and magnitude of personal and non-personal data processed," including data subject to sector-specific obligations under Union law, specifically citing Directive (EU) 2022/2555 (NIS2) and Regulation (EU) 2022/2554 (DORA). This means the DORA-compliance status of a provider is a factor in the CADA risk assessment, but it is not the sole determinant. A provider can be fully DORA-compliant yet fail to meet CADA Union Assurance Level 3 or 4 if it is subject to third-country control.

Procurement Implications

Article 30 of CADA mandates that contracting authorities whose activities are identified as contributing to public order must only procure cloud services recognized as offering Union assurance levels 2, 3, or 4. For financial entities acting as public sector bodies or where their services are deemed critical to public order, this creates a hard constraint. They cannot simply choose the most resilient DORA-supervised provider; they must choose one that has been formally recognized under CADA's sovereignty framework.

For private financial entities, Article 31 allows them to conduct similar impact assessments. While not strictly mandatory for all private entities, the Commission may require impact assessments for entities in sectors of high criticality if specific circumstances warrant it. Given the systemic importance of financial services, private banks and insurers are expected to align their procurement with these sovereignty standards to mitigate systemic risk.

The "Sovereignty Gap" in DORA

The critical distinction lies in the scope of oversight. DORA's oversight of critical ICT third-party providers ensures that the provider has robust incident response, testing, and business continuity plans. It ensures the service works. CADA ensures the provider is not subject to external political control that could force the service to stop or data to be handed over.

For example, a US-based hyperscaler might be designated as a critical ICT third-party provider under DORA, subject to Lead Overseer investigations and inspections and to periodic penalty payments if it fails to cooperate. However, under CADA, this same provider might be ineligible for Union Assurance Level 3 or 4 unless the Commission adopts an implementing act under Article 18 (associated third countries) confirming that US laws do not compel data access or service disruption in a way that conflicts with EU public order. Without such an implementing act, the provider would likely be capped at Level 2 (which allows for some third-country control provided specific safeguards are met) or excluded from public-order-critical procurement entirely.

What this means for you

For in-house counsel and compliance officers in the financial sector, the convergence of DORA and CADA requires a two-track compliance strategy:

1. Audit Your Current Providers Against CADA Criteria

  • DORA Check: Determine whether your cloud provider has been designated a critical ICT third-party provider by the ESAs and is therefore subject to Lead Overseer oversight. Either way, confirm that the arrangement is in your register of information and that the contract meets DORA's minimum contractual requirements. This covers your technical resilience baseline.
  • CADA Check: Evaluate if your provider holds a Union assurance level recognition. If your organization's activities are deemed critical to public order (likely for systemically important banks and insurers), you may be legally required to use providers with Assurance Level 2, 3, or 4.
  • Action: Request evidence from providers regarding their status under CADA Article 17 (recognition). If they are not yet recognized, assess their trajectory toward compliance. Note that for Level 3 and 4, the criteria in Annex II include strict requirements on personnel (Union citizenship) and the absence of third-country control.

2. Conduct Joint Risk Assessments

  • Perform the risk assessment required by CADA Article 29. This assessment must explicitly consider the DORA obligations of your providers (as referenced in Recital 63).
  • Document how the sensitivity of your financial data and the criticality of your services necessitate a specific Union assurance level.
  • Deadline: Member States and Union entities must carry out these risk assessments by the date of entry into force plus one year, and thereafter every two years (Article 29(1)). Private entities should prepare now to align with potential Commission guidance under Article 31.

3. Review Contractual Clauses

  • Update ICT third-party risk management contracts to include CADA-specific clauses. These should cover:
    • Third-Country Control: Representations about whether the provider, its parent, or its subcontractors are subject to third-country control or to laws that could compel disclosure of data or disruption of service (the criteria in CADA Annex II), plus a duty to notify you if that status changes. A contract cannot exempt a provider from a foreign law, so treat these clauses as disclosure and exit triggers rather than as guarantees.
    • Personnel Sovereignty: For higher assurance levels, ensure personnel handling critical data are Union citizens (Annex II, Level 3/4).
    • Audit Rights: Ensure contracts allow for the independent audits required by CADA Article 20 for Levels 2-4.

4. Monitor Penalties and Enforcement

  • DORA Penalties: DORA leaves administrative penalties for financial entities to Member States, which must make them effective, proportionate and dissuasive (Article 50). For critical ICT third-party providers, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for failing to comply with its requests (Article 35).
  • CADA Penalties: Article 24 of CADA requires Member States to lay down effective, proportionate, and dissuasive penalties. While specific fine amounts are not set in the proposal, the criteria include the nature, gravity, and scale of the infringement, as well as the infringing party's annual turnover. Non-compliance with sovereignty levels in critical sectors could lead to significant reputational and operational risks, potentially triggering DORA sanctions for inadequate third-party risk management.

Common misconceptions

Misconception 1: DORA compliance is sufficient for CADA.

  • Reality: DORA ensures a provider is resilient against cyberattacks and operational failures. It does not ensure sovereignty. A US-based hyperscaler may be DORA-compliant (resilient) but fail CADA Assurance Level 3 or 4 because it is subject to US laws like the CLOUD Act, which could allow extraterritorial data access. CADA adds a layer of political and legal sovereignty on top of technical resilience.

Misconception 2: CADA only applies to the public sector.

  • Reality: While CADA's procurement mandates (Article 30) target public sector bodies and Union entities, its sovereignty framework applies to all cloud providers seeking to serve these entities. Furthermore, Article 31 allows for impact assessments for private entities in critical sectors. Given the interconnectedness of the financial system, private banks will face considerable pressure to adopt CADA-aligned services to maintain interoperability and trust with public sector partners and regulators.

Misconception 3: CADA replaces the need for NIS2 and DORA risk assessments.

  • Reality: CADA complements, not replaces, these frameworks. Recital 63 explicitly references DORA and NIS2. The CADA risk assessment (Article 29) incorporates the data sensitivity and criticality factors defined in DORA/NIS2 but adds the dimension of third-country control and public order preservation. You must still comply with DORA's reporting and resilience requirements while simultaneously navigating CADA's sovereignty tiers.

Misconception 4: Assurance Levels are purely technical.

  • Reality: Assurance Levels 3 and 4 include strict non-technical criteria, such as the absence of third-country control over the provider (Annex II, Level 3/4) and the requirement for Union citizenship for personnel handling sensitive data (Annex II, Level 3/4). These are legal and geopolitical criteria, not just cybersecurity configurations.

This is general information about a draft EU regulation, not legal advice.