Summary

Under the proposed Cloud and AI Development Act (CADA), the sectors defined in the NIS2 Directive (Directive (EU) 2022/2555) serve as the primary trigger for mandatory sovereignty risk assessments, but only for public sector bodies. Article 29(1)(a) explicitly requires Member States and Union entities to assess whether their activities "contribute to the preservation of public order" in sectors falling under Annex I (Essential Entities) or Annex II (Important Entities) of the NIS2 Directive. If a public activity falls within these sectors, a risk assessment is mandatory to determine the required Union assurance level (1–4). Private sector entities operating in these same critical sectors are not currently mandated to perform this specific statutory assessment; instead, Article 31 allows them to carry out similar impact assessments voluntarily, unless the Commission later adopts delegated acts to make them mandatory.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a novel framework to reduce the EU's strategic dependence on non-European cloud providers. A cornerstone of this framework is the "Union cloud computing sovereignty framework," which categorises cloud services into four assurance levels. The mechanism that determines which level a public body must procure is the risk assessment mandated by Article 29.

Understanding the intersection between CADA and the NIS2 Directive is critical because CADA does not reinvent the wheel regarding critical infrastructure; it piggybacks on the sectoral definitions already established in NIS2 to identify where "public order" is at stake.

The Statutory Link: Article 29(1)(a) and NIS2 Annexes

The most direct connection between the two regimes is found in Article 29(1)(a) of the CADA proposal. This provision mandates that Member States and Union entities shall carry out risk assessments to identify public sector activities that:

"contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555."

This clause creates a two-step logic for public sector compliance:

  1. Sector Identification: The entity must first determine if its activity falls within the scope of Annex I (Essential Entities) or Annex II (Important Entities) of the NIS2 Directive.
    • Annex I includes high-impact sectors such as energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, digital infrastructure, ICT service management, space, and food.
    • Annex II covers sectors of significant importance, including waste management, manufacturing of medical devices, postal and courier services, digital providers, research organisations, and waste water management.
  2. Public Order Determination: If the activity is within these sectors, the entity must assess whether that specific activity "contributes to the preservation of public order."

The proposal does not treat all activities within these sectors as automatically requiring the highest sovereignty level. Instead, the risk assessment is the tool used to make that determination. As stated in Article 29(1)(b), the assessment must "determine which Union assurance level 2, 3, or 4... is appropriate for the identified public sector activities."

The Distinction: Mandatory Public vs. Voluntary Private Obligations

A common point of confusion is whether private entities operating in NIS2 sectors are subject to the same mandatory risk assessment as public bodies. The text of CADA draws a sharp distinction here.

Public Sector Bodies (Mandatory): For Member States and Union entities, the obligation is absolute. Article 29(1) requires these bodies to conduct risk assessments by the date of entry into force plus one year, and subsequently "every two years, or whenever necessary." If the assessment concludes that an activity contributes to public order, Article 30(3) triggers a procurement mandate: the contracting authority "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

Private Sector Entities (Voluntary/Conditional): For private entities, the regime is different. Article 31 addresses "Private sector entities." It states that entities referred to in Annex I of Directive (EU) 2022/2555 (i.e., essential entities) "may carry out similar assessments as those set out in Article 29."

  • Voluntary Nature: The use of "may" indicates that, as proposed, private entities are not legally compelled to perform the Article 29-style risk assessment.
  • Commission Power: However, Article 31(3) reserves the right for the Commission to intervene. It states that if the Commission concludes, "because of specific circumstances," that entities in high-criticality sectors require an impact assessment, it "may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment."
  • Implication: Until such delegated acts are adopted, private NIS2 entities are encouraged but not required to assess their cloud sovereignty risks. This creates a "comply or explain" dynamic where private entities may choose to self-assess to mitigate supply chain risks, but they do not face the same statutory procurement mandates as public bodies unless the Commission acts.

The Concept of "Public Order" and NIS2 Overlap

The term "public order" is the linchpin of CADA's sovereignty framework. Recital 50 of the proposal explains that dependence on third-country providers creates risks of "misuse," "access to sensitive information," and "dependency vulnerabilities" (such as political coercion).

By referencing NIS2 Annexes I and II, CADA acknowledges that disruptions in these sectors have systemic consequences that extend beyond commercial loss. For example, a disruption in the energy sector (Annex I) or a cyberattack on a digital infrastructure provider (Annex I) could destabilise the economy or national security. Therefore, cloud services supporting these sectors are presumed to have "public order relevance."

However, the proposal emphasises proportionality. Recital 52 notes that "Most public services would not require the highest levels of assurance." The risk assessment is designed to distinguish between activities that merely exist in a critical sector and those that are actually critical to public order. For instance, a public hospital (Annex I) might need Level 4 assurance for its patient records system but only Level 1 for its public-facing cafeteria booking system. The assessment under Article 29(2) requires entities to consider the "sensitivity, criticality, and magnitude" of the data and the "risk and consequent impact on public order of unlawful access... by a third country."

Implementation Timeline and Deadlines

As CADA is currently a proposal, the following timelines are conditional on adoption:

  • Initial Assessment: Under Article 29(1), Member States and Union entities must carry out their first risk assessments by the date of entry into force plus one year.
  • Periodic Review: Assessments must be repeated "every two years, or whenever necessary."
  • Migration: If an assessment determines that a current cloud provider does not meet the required assurance level, Article 29(6) allows for a "reasonable transition period that shall not exceed 12 months" to migrate to a compliant service, taking into account technical feasibility and continuity.
  • Reporting: Under Article 29(4), Member States must provide the Commission with the results of these assessments within three months of carrying them out.

What this means for you

For Public Sector Legal and Procurement Teams: You must immediately map your organisation's activities against NIS2 Annex I and II. If your department operates in energy, transport, health, or digital infrastructure, you are likely subject to the mandatory risk assessment under Article 29.

  • Action: Prepare to document how your specific cloud usage contributes to "public order." Do not assume all activities in a critical sector require Level 4; the assessment will determine the appropriate level (2, 3, or 4).
  • Procurement: Be aware that once an activity is deemed to have public order relevance, Article 30(3) prohibits the procurement of Level 1 services. You will need to verify that your providers have been recognised at the required level via the central repository.

For Private Sector Counsel (NIS2 Essential Entities): While you are not currently mandated to perform the Article 29 assessment, the regulatory intent is clear.

  • Action: Proactively conduct similar impact assessments. The Commission has the power to make this mandatory via delegated acts under Article 31(3). Early assessment allows you to identify dependencies on non-EU providers and prepare for potential future mandates.
  • Strategy: Demonstrating that you have assessed and mitigated sovereignty risks may become a de facto requirement for winning public contracts or maintaining trust with critical infrastructure partners.

For Cloud Service Providers: The NIS2 sector definitions effectively define your target market for high-assurance services. If you wish to serve public bodies in energy, health, or finance, you must be prepared to undergo the independent audits required for Union assurance levels 2, 3, or 4 (as per Article 20 and Annex II). Note that Level 3 and 4 have strict criteria regarding personnel citizenship and the absence of third-country control.

Common misconceptions

"All NIS2 entities must conduct a CADA risk assessment." This is incorrect. The mandatory obligation under Article 29 applies strictly to Member States and Union entities (public sector). Private sector entities, even those classified as "Essential" under NIS2 Annex I, are only permitted to carry out similar assessments under Article 31 unless the Commission adopts delegated acts to mandate them.

"NIS2 cybersecurity compliance satisfies CADA sovereignty requirements." NIS2 focuses on technical cybersecurity risk management (e.g., incident reporting, supply chain security). CADA focuses on sovereignty, data localisation, and protection against third-country extraterritorial laws. A cloud provider can be fully NIS2-compliant but fail CADA's Union assurance levels if it is controlled by a third-country entity or if its data can be accessed by foreign governments. They are complementary, not interchangeable.

"Being in a NIS2 sector automatically requires the highest cloud assurance level (Level 4)." Not necessarily. While NIS2 sectors trigger the need for a risk assessment, the outcome determines the level. Article 29(1)(b) requires the assessment to determine which Union assurance level (2, 3, or 4) is appropriate. Not all activities in essential sectors require the most restrictive Level 4; the level depends on the sensitivity of the data and the criticality of the specific activity as determined by the risk assessment.

"CADA replaces the NIS2 Directive." No. CADA is a proposal that complements NIS2. It uses NIS2's sectoral definitions to identify where public order is at risk, but it adds a layer of sovereignty-specific procurement rules that NIS2 does not contain.

This is general information about a draft EU regulation, not legal advice.