Summary

The NIS2 Directive and the proposed Cloud and AI Development Act (CADA) address supply-chain risks through distinct but complementary lenses. NIS2 mandates technical cybersecurity risk management for critical entities, focusing on operational resilience against cyber threats. In contrast, CADA Article 1(1)(d) explicitly targets "reducing dependencies on critical technologies" to safeguard public order and strategic autonomy. As proposed, CADA does not replace NIS2's technical obligations; rather, it introduces a Union cloud computing sovereignty framework with four assurance levels to address non-technical risks, such as extraterritorial third-country laws and geopolitical control. Compliance officers must navigate both: NIS2 ensures the system is secure, while CADA ensures the provider is sovereign.

Detail

The interaction between the Directive on Security of Network and Information Systems (NIS2) and the proposed Cloud and AI Development Act (CADA) represents a dual-layered regulatory approach to securing the EU's digital ecosystem. While NIS2 focuses on the technical and operational cybersecurity of network and information systems, CADA addresses the broader strategic imperative of technological sovereignty and dependency reduction. Understanding the precise intersection of these instruments is critical for legal and compliance teams managing cloud and AI services.

NIS2: Technical Cybersecurity and Supply-Chain Risk Management

The NIS2 Directive requires entities in essential and important sectors to implement appropriate technical and organizational measures to manage cybersecurity risks. A core component of these obligations is supply-chain security risk management. Under NIS2, entities must ensure that their service providers, including cloud computing service providers, meet high cybersecurity standards.

The explanatory memorandum of CADA clarifies the scope of NIS2: it "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU, resulting in greater trust." However, the memorandum explicitly notes that NIS2 "is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." NIS2 does not contain measures to actively boost the uptake of sovereign cloud services, nor does it address non-technical sovereignty issues such as the extraterritorial reach of third-country laws, geopolitical control, or the risk of operational discontinuity due to political decisions by non-EU actors.

CADA: Reducing Critical Technology Dependencies

In contrast, the CADA proposal is designed to address the Union's dependence on a limited pool of third-country providers. Article 1(1)(d) of the proposal sets out one of its five core measures: "reducing dependencies on critical technologies." This provision is part of a broader framework aimed at strengthening Europe's cloud and AI ecosystem by ensuring attractive conditions for deployment, safeguarding public order, and fostering the adoption of cloud computing services across the public sector.

CADA introduces a harmonized Union cloud computing sovereignty framework comprising four Union assurance levels (Levels 1 to 4). These levels provide criteria for cloud computing services to be assessed and formally recognized based on their level of sovereignty. The framework addresses concerns about data confidentiality, operational autonomy, and the risk of unilateral decisions by third-country actors disrupting service provision.

Unlike NIS2, which focuses on technical resilience against cyberattacks, CADA's sovereignty framework addresses the risk of extraterritorial effects of third-country laws. The explanatory memorandum notes that large market incumbents are subject to jurisdictions where laws with extraterritorial effects apply, including those mandating data access that may conflict with EU fundamental rights. CADA aims to mitigate these risks by establishing criteria that ensure the provider is not subject to control that could compromise the Union's public order.

Complementary but Distinct Obligations

The two regimes are complementary but distinct. NIS2 ensures that cloud providers and data centres maintain high cybersecurity standards, which is a prerequisite for trust but insufficient for sovereignty. CADA builds upon this by requiring that contracting authorities in the public sector conduct risk assessments to determine which sub-sectors and use cases should be served by services aligned with specific Union assurance levels.

The CADA explanatory memorandum states that "certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Consequently, CADA fills a long-standing gap in sovereignty and non-technical risks, working in tandem with NIS2's technical requirements.

Practical Intersection:

  • NIS2 Requirement: A financial institution (an essential entity under NIS2) must ensure its cloud provider has robust incident response protocols, vulnerability management, and supply-chain security measures to prevent cyberattacks.
  • CADA Requirement: A public authority procuring cloud services for law enforcement (a public-order activity) must verify that the provider meets Union assurance Level 2, 3, or 4 under CADA. This requires proving that the provider is not subject to third-country control that could compel data access or service disruption, a requirement that goes beyond NIS2's technical scope.

CADA also introduces demand-side measures, such as requiring Member States to undertake sovereignty risk assessments (Article 29) and apply Union added value criteria in public procurement (Article 32). These measures leverage the buying power of the public sector to lower existing dependencies, a goal not explicitly covered by NIS2. Furthermore, CADA supports the establishment of a European public sector cloud federation (EuroCloud Federation) to facilitate the sharing of secure and resilient public-sector data centre services, further reducing reliance on external providers.

Deadlines and Penalties

NIS2 is already in force, with Member States required to transpose the Directive into national law. Most provisions are applicable from October 2024. Organizations must already be implementing the required cybersecurity risk management measures, including supply-chain security. Penalties under NIS2 are determined by Member States but must be "effective, proportionate and dissuasive."

CADA is currently a proposal (COM(2026) 502 final). If adopted in its current form, it would enter into force on the 20th day after publication and apply one year later. Member States would have one year from entry into force to adopt national cloud and AI strategies (Article 7) and designate data centre acceleration zones (Article 10).

Under Article 24 of the proposal, Member States would be required to lay down rules on penalties for infringements of the sovereignty framework by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." The proposal specifies that penalties should take into account non-exhaustive criteria, including the nature, gravity, scale, and duration of the infringement, any previous infringements, and the financial benefits gained by the infringing party. Additionally, recipients of cloud services would have the right to seek compensation for damage or loss suffered due to a provider's infringement.

What this means for you

For in-house counsel and compliance officers, the interplay between NIS2 and CADA requires a bifurcated compliance strategy. You cannot rely on NIS2 compliance alone to meet future CADA sovereignty requirements, nor does CADA negate NIS2's technical mandates.

  1. Audit Your Supply Chain for Both Technical and Sovereignty Risks: While NIS2 compliance ensures your cloud providers have robust cybersecurity practices, you must also assess their sovereignty profile. If CADA is adopted, public sector bodies and certain private entities in critical sectors will need to verify that their cloud services meet specific Union assurance levels. Begin mapping your cloud providers' data residency, legal jurisdiction, and operational control structures now.
  2. Prepare for Risk Assessments: CADA requires Member States and Union entities to carry out risk assessments to determine the appropriate Union assurance level for different public sector activities (Article 29). Private sector entities in sectors listed under NIS2 Annex I may also conduct similar impact assessments (Article 31). Start evaluating the sensitivity and criticality of your data and the potential impact of third-country access or service disruption.
  3. Monitor Procurement Processes: CADA introduces Union added value criteria for public procurement of cloud and AI services (Article 32). If your organization procures from the public sector or is a public entity itself, ensure your procurement processes can evaluate and prioritize providers that strengthen the EU's digital supply chain, integrate EU technologies, and deliver services using hardware designed or manufactured in the Union.
  4. Stay Informed on Legislative Progress: Since CADA is a proposal, its final text and application dates may change. Monitor the legislative procedure closely. The proposal aims to triple EU data centre capacity and reduce dependencies on non-European providers by 2035. Aligning your long-term IT strategy with these goals can position your organization favorably in the evolving regulatory landscape.

Common misconceptions

  • Misconception 1: NIS2 covers sovereignty. NIS2 is focused on technical cybersecurity and operational resilience. It does not address sovereignty concerns such as the extraterritorial reach of third-country laws or the risk of service disruption due to geopolitical factors. CADA explicitly fills this gap with its sovereignty framework and Union assurance levels.
  • Misconception 2: CADA replaces NIS2 for cloud providers. CADA does not replace NIS2. Instead, it complements it. Cloud providers must still comply with NIS2's cybersecurity requirements. CADA adds an additional layer of scrutiny regarding sovereignty, data confidentiality, and operational autonomy, particularly for services used by the public sector.
  • Misconception 3: Only the public sector is affected by CADA's dependency reduction. While CADA's procurement rules primarily target public sector bodies, its impact extends to the private sector. By mandating sovereignty standards for public procurement, CADA creates market incentives for private providers to align with these standards to remain competitive. Additionally, private entities in critical sectors may need to conduct impact assessments similar to those required for public entities.
  • Misconception 4: Data localization is sufficient for sovereignty. CADA's sovereignty framework goes beyond simple data localization. It includes criteria for operational autonomy, the absence of third-country control, and the prevention of service degradation or disruption. A provider may store data in the EU but still be subject to third-country laws that allow access to that data or enable service disruption, which CADA aims to mitigate through its assurance levels.

This is general information about a draft EU regulation, not legal advice.