Summary

The proposed Cloud and AI Development Act (CADA) introduces a specific risk assessment mechanism under Article 29 to determine the required "Union assurance level" for cloud services used in activities preserving public order. This assessment is distinct from, yet complementary to, the cybersecurity risk-management and supply-chain obligations imposed by the NIS2 Directive (Directive (EU) 2022/2555). While NIS2 mandates broad ICT risk management to ensure technical resilience, CADA's Article 29 focuses specifically on sovereignty, operational autonomy, and the risks of third-country control over cloud infrastructure. As proposed, CADA does not replace NIS2; rather, it addresses the "sovereignty gap" that general cybersecurity frameworks do not cover, requiring public bodies to assess whether their cloud providers are subject to extraterritorial legal access or political coercion.

Detail

The interaction between the proposed CADA risk assessment and NIS2 supply-chain security obligations represents a layered regulatory approach to digital resilience. The CADA proposal explicitly frames these measures as complementary, ensuring that technical security (NIS2) is paired with strategic autonomy (CADA).

The CADA Risk Assessment: Article 29 and the NIS2 Link

Under the proposed CADA, Article 29 establishes a mandatory risk assessment mechanism for Member States and Union entities. This is a demand-side measure designed to ensure that cloud computing services supporting critical public functions meet specific sovereignty standards before they are procured.

Article 29(1)(a) explicitly requires Member States and Union entities to identify public sector activities that "contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555." This creates a direct legislative bridge between the CADA sovereignty framework and the critical sectors defined in the NIS2 Directive (such as energy, transport, banking, digital infrastructure, and health).

The assessment must determine which Union assurance level (Level 1, 2, 3, or 4) is appropriate for these activities. As detailed in Annex II, these levels impose increasingly stringent criteria regarding data location, personnel citizenship, cybersecurity certification, and, crucially, the absence of third-country control. For example:

  • Union Assurance Level 2 requires that the provider and subcontractors are established in the Union and that data remains exclusively within the Union.
  • Union Assurance Level 4 requires that the provider and subcontractors are not subject to the control of a third country or a legal entity established in a third country, and that sensitive data remains exclusively within the Union.

Article 29(2) further specifies that the risk assessment must consider at least:

  • The sensitivity, criticality, and magnitude of non-personal data processed.
  • The risk of unlawful access by a third country or a legal entity established in a third country.
  • The risk of service disruption.

If a risk assessment concludes that a specific public sector activity requires a higher assurance level than the currently used cloud service provides, Article 29(6) mandates migration to a compliant service within a reasonable transition period, which "shall not exceed 12 months," taking into account technical feasibility and data portability.

Overlap and Distinction with NIS2 Supply-Chain Security

The NIS2 Directive imposes broad cybersecurity risk-management obligations on entities in essential and important sectors. These include implementing appropriate technical and organizational measures to manage risks posed by the ICT supply chain. The overlap between the two regimes is significant but functionally distinct:

  1. Scope of Risk: NIS2 focuses primarily on technical cybersecurity risks, such as malware, unauthorized access, system availability, and the integrity of the supply chain. CADA's Article 29 focuses on sovereignty and public order risks. Specifically, it addresses the threat of extraterritorial legal access to data (e.g., via laws like the US CLOUD Act) and the risk of service degradation or disruption due to third-country political or economic coercion. As noted in the CADA explanatory memorandum, existing cybersecurity frameworks "do not contain measures to boost the uptake and use of such services" in a way that addresses "sovereignty considerations."
  2. Supply-Chain Focus: NIS2 requires entities to assess the security of their ICT supply chain, focusing on the reliability and security of vendors. CADA goes further for public sector procurement by requiring an assessment of the legal jurisdiction and control structures of cloud providers. For instance, under CADA's Union Assurance Level 2 and above, providers must demonstrate that third-country control does not enable remote tampering, data access, or the enforcement of restrictive measures (sanctions/embargoes) that conflict with Union law.
  3. Complementary Nature: The CADA proposal explicitly states that it "complements" the NIS2 Directive. Recital 66 of the proposal notes that public procurement requirements for cloud services often mirror private-sector practices in regulated industries. The CADA risk assessment provides a standardized methodology for public bodies to evaluate these specific sovereignty risks, which can inform the broader NIS2 compliance strategies of entities operating in those sectors. The proposal characterises NIS2 as "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

Private Sector Impact Assessments

While Article 29 applies mandatorily to public sector bodies, Article 31 of CADA addresses the private sector. It allows entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 sectors) to carry out similar impact assessments.

Although not mandatory for all private entities under the current proposal, Article 31(3) empowers the Commission to adopt delegated acts requiring such impact assessments for private entities operating in sectors of "high criticality" if specific circumstances arise. This mechanism ensures that the private sector's NIS2-driven security posture can be aligned with the sovereignty standards defined in CADA, creating a cohesive resilience framework across the Union.

What this means for you

For in-house counsel, compliance officers, and risk managers, particularly in sectors listed in NIS2 Annex I and II, the following actions are required to navigate the interaction between these two regimes:

  1. Map Activities to NIS2 Sectors: Identify which of your organization's activities fall under the sectors defined in NIS2 Annex I or II. These are the activities that will trigger the CADA risk assessment requirement under Article 29(1)(a) if you are a public sector body or Union entity.
  2. Conduct Dual-Layer Assessments:
    • NIS2 Compliance: Continue to fulfill NIS2 obligations regarding ICT risk management, incident reporting, and supply-chain security. This covers the technical integrity of your systems.
    • CADA Sovereignty Assessment: For public sector entities, conduct the Article 29 risk assessment to determine the required Union Assurance Level. For private entities in critical sectors, prepare for potential mandatory impact assessments under Article 31 if the Commission adopts delegated acts for your specific sector.
  3. Evaluate Cloud Providers Against Sovereignty Criteria: Assess your current cloud computing service providers against the CADA Union Assurance Levels in Annex II. If your activities require Level 2, 3, or 4, verify that your providers meet the strict criteria regarding:
    • Data localization (exclusively within the Union).
    • Personnel screening (Union citizenship where required).
    • Absence of third-country control (no extraterritorial access or coercion).
  4. Plan for Migration: If your current providers do not meet the required assurance level, begin planning migration strategies immediately. Article 29(6) allows a maximum 12-month transition period for migration after a risk assessment dictates a change. This timeline is strict and must be factored into procurement planning.
  5. Monitor Penalties and Liability: Member States must lay down rules on penalties for infringements of the CADA sovereignty framework under Article 24. These penalties must be "effective, proportionate and dissuasive." Non-compliance with the risk assessment obligations or failure to migrate to compliant services when required could result in significant fines. Additionally, Article 24(3) grants recipients the right to seek compensation for damage suffered due to a provider's infringement.

Common misconceptions

"CADA replaces NIS2." Incorrect. CADA and NIS2 are complementary. NIS2 addresses technical cybersecurity and the resilience of the supply chain against cyber threats. CADA addresses sovereignty, operational autonomy, and public-order risks related to cloud computing, specifically the risk of third-country interference. The CADA proposal explicitly states that NIS2 "does not contain measures to boost the uptake and use of such services" in a way that addresses sovereignty.

"Risk assessments are only for the public sector." While Article 29 mandates assessments for public bodies, Article 31 extends the possibility (and potential future obligation) to private entities in NIS2 critical sectors. The Commission may require impact assessments for private entities operating in sectors of high criticality via delegated acts.

"NIS2 supply-chain security is sufficient for CADA compliance." No. NIS2 focuses on technical security measures and the reliability of vendors. CADA requires additional scrutiny of legal jurisdiction, third-country control, and data sovereignty, which are not fully covered by standard NIS2 ICT risk management measures. A provider can be NIS2-compliant (technically secure) but fail CADA's sovereignty criteria (e.g., if subject to a third country's extraterritorial laws).

"CADA only applies to data stored in the EU." While data localization is a key criterion, CADA's risk assessment under Article 29 also evaluates the control of the provider. Even if data is stored in the EU, if the provider is subject to the control of a third country that can compel access or disrupt service, the activity may require a higher assurance level or a different provider.

This is general information about a draft EU regulation, not legal advice.