Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must conduct mandatory risk assessments to identify public sector activities critical to public order, as mandated by Article 29. While finance-sector bodies are generally private entities and thus not subject to this mandatory obligation, Article 31 explicitly provides a pathway for entities in sectors of high criticality (including those under the NIS2 Directive) to carry out "similar assessments." Crucially, Recital 63 and Article 29(2)(a) require these assessments to consider data subject to sector-specific obligations, explicitly citing Regulation (EU) 2022/2554 (DORA). For finance, CADA does not replace DORA's ICT third-party risk rules but adds a layer of "sovereignty assurance" focused on third-country control and concentration risk, creating a dual-compliance landscape for critical financial infrastructure.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a Union cloud computing sovereignty framework designed to mitigate strategic dependencies and protect public order. For the financial sector, the interaction between CADA's new sovereignty requirements and the existing Digital Operational Resilience Act (DORA) is a pivotal compliance consideration.
The Mandatory vs. Voluntary Divide
The core of CADA's risk assessment regime lies in Article 29. This article imposes a strict obligation on Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine the appropriate "Union assurance level" (levels 2, 3, or 4) required for cloud services used in those activities.
However, the financial sector is predominantly composed of private entities (credit institutions, investment firms, etc.). Consequently, they are not directly bound by the mandatory Article 29 obligation unless they are acting as public authorities. Instead, Article 31 creates a specific mechanism for the private sector:
"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."
Since Annex I of the NIS2 Directive explicitly lists credit institutions, payment institutions, and other financial entities, these bodies are empowered to conduct voluntary risk assessments under CADA. Furthermore, Article 31(3) grants the Commission the power to adopt delegated acts requiring such impact assessments for entities in sectors of high criticality if specific circumstances arise, potentially making these assessments mandatory for certain financial players in the future.
The DORA and NIS2 Connection: Recital 63 and Article 29(2)(a)
A critical feature of CADA is its explicit recognition of existing sectoral frameworks. The proposal does not seek to create a parallel silo but rather to integrate sovereignty considerations into the broader risk landscape.
Recital 63 clarifies the scope of data sensitivity assessments, stating:
"In their risk assessments, Union entities and Member State shall assess the sensitivity, criticality and magnitude of personal and non-personal data processed in cloud environment. Such processing may include ordinary business information, commercially sensitive information, operationally critical data, personal data within the meaning of Regulation (EU) 2016/679, and data that is subject to sector-specific obligations under Union law, including Directive (EU) 2022/2555 and Regulation (EU) 2022/2554."
Regulation (EU) 2022/2554 is the Digital Operational Resilience Act (DORA). This citation is not merely a reference; it anchors the CADA risk assessment methodology to the existing financial regulatory regime. It confirms that when a finance sector body (or a public body serving the finance sector) assesses risk under CADA, it must account for the data and risks already identified under DORA.
This alignment is further reinforced by Article 29(2)(a), which mandates that risk assessments consider:
"the sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects;"
By requiring the assessment of "criticality" and "magnitude" in the context of sector-specific obligations (like DORA), CADA ensures that the sovereignty risk assessment is not abstract but grounded in the operational reality of the financial sector.
Overlap with DORA ICT Third-Party Risk
The overlap between CADA and DORA is significant but distinct. Both regulations address third-party risk, yet they target different dimensions of that risk.
DORA's Focus: Operational Resilience
DORA (Regulation (EU) 2022/2554) focuses on the operational resilience of financial entities. Its ICT third-party risk management framework requires entities to:
- Identify and map all ICT third-party service providers.
- Assess the criticality of these providers.
- Ensure robust exit strategies and contingency plans.
- Manage concentration risks related to ICT providers.
DORA is agnostic regarding the nationality or sovereignty of the provider, provided the provider meets strict operational resilience and cybersecurity standards.
CADA's Focus: Sovereignty and Control
CADA introduces the concept of "Union assurance levels" (Article 16). While DORA asks "Is this provider resilient?", CADA asks "Is this provider under third-country control that could compromise EU public order?"
- Third-Country Control: CADA's criteria in Annex II (specifically Section 3.1(g) for Level 3 and 4.1(g) for Level 4) explicitly prohibit providers subject to third-country control, unless a derogation is granted.
- The Derogation Mechanism: Annex II, Section 3.1(g) states that a provider subject to third-country control may be eligible for Level 3 "where the Commission has adopted an implementing act under Article 19."
- Correction Note: This is a known drafting slip in the proposal text. Article 18 is titled "Associated third countries" and grants the Commission the power to adopt decisions identifying third countries with sufficient safeguards. Article 19 is titled "Conformity self-assessment" (for Level 1). The operative power for the third-country derogation is legally located in Article 18, despite the cross-reference error in Annex II.
- Data Localisation: CADA requires data to remain exclusively within the Union (Annex II, 2.1(c), 3.1(c), 4.1(c)), a stricter requirement than DORA's general data protection compliance.
For finance-sector bodies, this means a cloud provider might be fully compliant with DORA (resilient, secure) but fail CADA's sovereignty criteria (e.g., subject to US CLOUD Act access or controlled by a non-EU entity without an Article 18 derogation).
Concentration Risk Relevance
Concentration risk is a primary driver for CADA. The proposal's explanatory memorandum notes that "three non-EU hyperscalers control over 70% of the European cloud market." This concentration creates systemic vulnerability.
DORA addresses concentration risk by requiring financial entities to monitor their reliance on critical ICT providers and to have exit strategies. CADA addresses concentration risk structurally by:
- Promoting EU Providers: The sovereignty framework incentivizes the use of EU-established providers (Annex II, 2.1(a), 3.1(a), 4.1(a)).
- Reducing Dependency: By mandating higher assurance levels for public-order-relevant activities (Article 30), CADA aims to shift procurement away from concentrated non-EU providers.
- Multi-Cloud Strategy: Article 29(9) explicitly encourages Member States and Union entities to consider whether a "multi-vendor or multi-cloud strategy is appropriate" to limit dependency on a single provider.
For finance, this implies that relying solely on a single non-EU hyperscaler, even if DORA-compliant, may increasingly be viewed as a strategic risk under CADA's sovereignty lens, particularly if the entity serves public sector clients or critical infrastructure.
What this means for you
For in-house counsel, risk officers, and compliance teams in the finance sector, CADA represents a new layer of due diligence that sits atop DORA.
1. Dual-Layer Risk Mapping
You must map your ICT third-party risk not just against DORA's operational resilience criteria but also against CADA's sovereignty criteria.
- Action: Review your critical cloud providers. Do they meet Annex II criteria for Union assurance levels 2, 3, or 4? Specifically, check their establishment location, data residency, and control structure.
- Action: If a provider is subject to third-country control, verify if the Commission has adopted an implementing act under Article 18 (despite the Annex II reference to Article 19) allowing them to qualify for Level 3.
2. Voluntary Assessments under Article 31
While not currently mandatory for all private finance entities, conducting a CADA-style risk assessment under Article 31 is a proactive strategy.
- Action: Use the methodology in Article 29 and Recital 63 to assess your own exposure. Consider the "sensitivity, criticality, and magnitude" of your data as defined in Article 29(2)(a), explicitly factoring in DORA obligations.
- Action: Document how your current cloud strategy mitigates concentration risk, aligning with the multi-cloud encouragement in Article 29(9).
3. Procurement and Supply Chain Pressure
Even if you are a private entity, your public sector clients (e.g., central banks, regulators) will be bound by Article 30, which mandates procurement of cloud services at specific assurance levels.
- Action: If you supply services to the public sector, ensure your cloud providers can demonstrate compliance with the relevant Union assurance levels. Failure to do so could disqualify you from public tenders.
- Action: Update your contracts to include audit rights and transparency clauses that satisfy CADA's Annex III audit evidence requirements (e.g., SBOMs, control structure documentation).
4. Monitoring Delegated Acts
The Commission retains the power under Article 31(3) to adopt delegated acts requiring impact assessments for entities in sectors of high criticality.
- Action: Monitor the Commission's guidance and delegated acts closely. The definition of "high criticality" may expand to include specific financial sub-sectors, potentially making CADA assessments mandatory for you in the future.
Common misconceptions
"CADA replaces DORA for finance entities." No. CADA is a proposal that complements DORA. DORA focuses on operational resilience, incident management, and ICT risk. CADA focuses on sovereignty, third-country control, and data location. A provider can be DORA-compliant but CADA-non-compliant (e.g., if it is US-controlled). Both regimes apply concurrently.
"Finance entities are exempt from CADA risk assessments." Partially true but misleading. Finance entities are exempt from the mandatory public-sector assessment in Article 29. However, Article 31 explicitly allows them to carry out "similar assessments," and the Commission may mandate them for high-criticality sectors. Furthermore, market pressure from public sector clients will likely make CADA compliance a de facto requirement.
"The third-country derogation is in Article 19." No. The operative power for the Commission to identify third countries with sufficient safeguards is in Article 18 ("Associated third countries"). Annex II, Section 3.1(g) contains a drafting slip referencing "Article 19" (which is actually about Level 1 self-assessment), but the legal basis for the derogation remains Article 18.
"CADA only applies to public procurement." While the mandatory procurement rules in Article 30 apply to contracting authorities, the sovereignty framework (Title IV) applies to any cloud provider seeking recognition. Private finance entities will feel the impact through supply chain requirements, as their providers must meet these standards to serve the public sector or to be considered "sovereign" by the market.
This is general information about a draft EU regulation, not legal advice.