Summary

As proposed, the Cloud and AI Development Act (CADA) does not impose mandatory sovereignty risk assessments on banks and other financial entities. Instead, Article 31 explicitly permits entities listed in Annex I of the NIS2 Directive (which includes credit institutions, payment institutions, and investment firms) to voluntarily carry out impact assessments "similar to those set out in Article 29." This voluntary mechanism allows financial entities to proactively assess strategic dependencies on non-EU cloud providers, focusing on operational autonomy and protection from extraterritorial interference. This complements the Digital Operational Resilience Act (DORA), which already mandates strict ICT third-party risk management but focuses primarily on technical cybersecurity and continuity rather than geopolitical sovereignty. Financial entities should treat CADA's Union assurance levels as a strategic benchmark to enhance their existing DORA compliance frameworks.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a dual-track approach to cloud sovereignty. While public sector bodies and Union entities face mandatory obligations to procure cloud services at specific Union assurance levels based on risk assessments, the private sector, and in particular critical infrastructure entities such as banks, is treated differently. The regulation adopts a facilitative model for these entities, acknowledging that their primary regulatory burden regarding ICT risk already exists under DORA.

The Voluntary Nature of Article 31

The core provision governing private-sector engagement in CADA is Article 31, titled "Impact assessments." This article specifically addresses "Entities referred to in Annex I of Directive (EU) 2022/2555" (the NIS2 Directive). This Annex explicitly lists "credit institutions," "payment institutions," "investment firms," and other financial entities as essential entities.

Article 31(1) states clearly that these entities "may carry out similar assessments as those set out in Article 29." The use of the word "may" is legally significant: it establishes a permissive, voluntary framework. Unlike Member States and Union entities, which are obliged under Article 29 to conduct risk assessments to determine the appropriate Union assurance level for public-order-relevant activities, financial entities are not currently mandated to do so.

However, the scope of a voluntary assessment under Article 31 is substantial. By choosing to conduct an assessment "similar to those set out in Article 29," a financial entity would adopt the rigorous methodology designed for the public sector. This involves:

  1. Identifying Critical Activities: Determining which cloud computing services support activities that, if disrupted or compromised, could undermine public order or the stability of the financial sector.
  2. Risk Evaluation: Assessing the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by third-country authorities or service disruption.
  3. Determining Assurance Levels: Deciding which Union assurance level (2, 3, or 4) would be appropriate to mitigate these risks, effectively benchmarking their cloud providers against the strict criteria in Annex II.

The Role of Commission Guidance and Future Mandates

While the baseline under Article 31 is voluntary, the regulatory landscape is not static. Article 31(2) empowers the Commission to issue guidance on the methodology for carrying out these impact assessments and on possible mitigation measures. This guidance would provide a standardized approach for financial entities wishing to align with CADA's sovereignty framework.

More critically, Article 31(3) introduces a potential future obligation. It states that "where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."

This clause means the purely voluntary status of the assessment is not guaranteed to persist for high-criticality entities. If the Commission determines that the voluntary approach is insufficient to address systemic risks in the financial sector, it can elevate the requirement to a mandatory one via delegated acts. For in-house counsel, this implies a need for proactive monitoring of Commission guidance and a readiness to transition from voluntary best practice to mandatory compliance if that regulatory trigger is pulled.

Interplay with DORA: Bridging the Sovereignty Gap

The relationship between CADA and the Digital Operational Resilience Act (DORA) is one of complementarity, not substitution. Financial entities are already subject to DORA's comprehensive regime, which mandates ICT risk management, incident reporting, and, crucially, the management of ICT third-party risk.

DORA's Focus: DORA focuses on technical operational resilience. It requires financial entities to ensure that their ICT third-party providers (including cloud providers) meet strict security standards, have robust exit strategies, and are subject to audit rights. It addresses the "how" of service delivery: ensuring the service is secure, available, and resilient to technical failures or cyberattacks.

CADA's Focus: CADA addresses the strategic and geopolitical dimension of risk that DORA does not explicitly cover. DORA does not mandate that a cloud provider be free from the control of a third-country government, nor does it require that data remain exclusively within the Union to prevent extraterritorial access. These are "sovereignty" risks. For instance, DORA can ensure that a bank's cloud provider meets contractual security, availability and exit requirements, but it does not prevent a third-country authority from compelling that provider to hand over data under laws such as the US CLOUD Act. A contractual promise not to disclose data does not override a legal compulsion on the provider; only the provider's ownership, jurisdiction and the technical arrangement (for example, who holds the encryption keys) determine whether such a demand can be satisfied at all.

The Synergy: By conducting a voluntary impact assessment under Article 31, a bank can identify sovereignty risks that its DORA third-party framework does not capture.

  • DORA ensures the provider is technically secure and contractually robust.
  • CADA's assurance levels, applied through an Article 31 assessment, benchmark whether the provider is legally and politically autonomous, with data localized in the Union and no third-country control that could compromise operational continuity.

The Union assurance levels defined in Annex II provide the specific criteria for this sovereignty layer. For example, Annex II, Section 3.1(d) requires personnel to be Union citizens for Level 3, and Section 3.1(g) prohibits third-country control unless specific derogations (under Article 18) are met. A bank using Article 31 can map its current DORA vendor assessments against these criteria to determine if its "critical" cloud services are truly resilient against geopolitical shocks.

Practical Steps for Preparation

For banks and financial entities, preparing for CADA alongside DORA involves a structured approach to integrate sovereignty risk into existing ICT third-party risk management frameworks:

  1. Inventory and Criticality Mapping: Begin by mapping all cloud computing services used in critical operations. Identify the provider, the specific data processed (including metadata and telemetry), and the jurisdiction of control. This aligns with DORA's requirement to identify critical or important functions.

  2. Voluntary Impact Assessment (Article 31): Conduct a voluntary impact assessment mirroring the Article 29 methodology. This involves:

    • Evaluating the sensitivity and criticality of the data and processes.
    • Assessing the risk of unlawful access by third-country authorities.
    • Determining the potential impact of service disruption due to geopolitical factors.
    • Deciding which Union assurance level (1–4) is appropriate for the identified risks.

  3. Gap Analysis against Annex II: Compare current cloud contracts and provider capabilities against the criteria for Union assurance levels in Annex II.

    • Level 1: Is the provider established in the Union? Is data localized?
    • Level 2: Are personnel screened? Is there a European cybersecurity certificate of at least "substantial" assurance?
    • Level 3/4: Are personnel Union citizens? Is there a guarantee against third-country control?

    Record the gaps found in data localization, personnel citizenship, and supply chain transparency.

  4. Contractual Alignment and Mitigation: Update ICT third-party contracts to include clauses that address sovereignty risks. While DORA requires robust exit strategies and audit rights, CADA-inspired clauses should include:

    • Guarantees against unauthorized third-country access.
    • Commitments to maintain service continuity regardless of geopolitical pressures.
    • Specific provisions for data localization and personnel screening.

    This aligns with DORA's requirement for "comprehensive contractual arrangements" but adds the sovereignty dimension.

  5. Monitoring and Reporting: Establish ongoing monitoring processes to track changes in provider circumstances (e.g., changes in ownership or control). Note also that Article 29(8) allows the Commission to request information from cloud service providers to inform its guidance; be prepared for your providers to receive such requests, and for the Commission to ask for information from your institution as well.

What this means for you

For in-house counsel and compliance officers in the financial sector, CADA presents a strategic opportunity to manage risks that are currently outside the scope of DORA. While you are not currently mandated to conduct Article 29-style risk assessments, doing so voluntarily demonstrates robust governance and preparedness for a potential future mandate.

Key Obligations and Deadlines:

  • No Immediate Mandatory Deadline: Article 31 is permissive ("may"). There is no fixed deadline for private entities to conduct these assessments. However, the Commission's issuance of guidance under Article 31(2) will likely set de facto standards that the market will follow.
  • Potential for Future Mandates: Monitor closely for delegated acts under Article 31(3). The Commission may specify that certain high-criticality entities must conduct these assessments and implement specific mitigation measures. The thresholds are "specific circumstances" and "high criticality," which could plausibly encompass systemically important banks.
  • Alignment with DORA: Ensure that your DORA compliance program includes a component for sovereignty risk. Your ICT third-party risk management framework should evaluate not just technical security, but also the legal and geopolitical risks associated with cloud providers.

Penalties and Enforcement: It is crucial to distinguish between penalties for providers and penalties for users. Article 24 sets out penalties for cloud computing service providers who infringe the sovereignty framework (e.g., failing to meet assurance level criteria). It does not currently impose direct penalties on financial entities for failing to conduct voluntary assessments. However, financial entities face significant penalties under DORA for non-compliance with ICT third-party risk management obligations. If a sovereignty risk (e.g., a third-country government seizing control of a provider) leads to operational disruption, and the bank failed to assess or mitigate this risk, it could be argued that the bank failed its DORA duty of care regarding ICT third-party risk.

Strategic Advantage: By adopting CADA's sovereignty framework voluntarily, financial entities can enhance their resilience against geopolitical shocks. This can be a competitive differentiator, demonstrating to clients, regulators, and stakeholders that the institution prioritizes data sovereignty and operational autonomy.

Common misconceptions

Misconception 1: CADA mandates risk assessments for all banks immediately. Correction: Article 31 uses the term "may," indicating that impact assessments are voluntary for private entities listed in NIS2 Annex I. Mandatory risk assessments under Article 29 apply only to Member States and Union entities. However, the Commission retains the power to mandate these assessments for specific high-criticality entities through delegated acts under Article 31(3).

Misconception 2: CADA replaces DORA for financial entities. Correction: CADA and DORA address different risks. DORA focuses on technical cybersecurity and operational continuity, while CADA focuses on sovereignty and strategic autonomy. They are complementary, not substitutive. Financial entities must comply with both. DORA ensures the service works; CADA ensures the service is sovereign.

Misconception 3: Only public sector entities need to worry about Union assurance levels. Correction: While procurement mandates for Union assurance levels apply to public authorities, private entities can and should use these levels as a benchmark for their own risk assessments. Understanding the criteria for levels 1–4 helps financial entities evaluate their cloud providers' resilience against third-country interference.

Misconception 4: Voluntary assessments have no regulatory consequence. Correction: While currently voluntary, these assessments inform the Commission's guidance and potential future mandates. Moreover, demonstrating proactive risk management can mitigate regulatory scrutiny and enhance stakeholder trust. In a crisis, a bank that has voluntarily assessed its sovereignty risks will be better positioned to demonstrate due diligence than one that has not.

This is general information about a draft EU regulation, not legal advice.