Summary
Under the proposed Cloud and AI Development Act (CADA), private-sector entities classified as critical under the NIS2 Directive are not automatically required to conduct sovereignty impact assessments, but they are explicitly empowered to carry out assessments similar to those mandated for public bodies under Article 29. Article 31 of the CADA proposal establishes this voluntary pathway for entities listed in Annex I of Directive (EU) 2022/2555. Crucially, the European Commission retains the authority to transform this voluntary option into a mandatory obligation. Through a delegated act, the Commission may require entities in "high-criticality" sectors to perform these assessments and implement specific risk mitigation measures if justified by specific circumstances and after consulting Member States. This framework allows critical private operators to proactively align with public-sector sovereignty standards while preparing for potential future regulatory mandates.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is primarily designed to safeguard the Union's public order by ensuring that public-sector bodies procure cloud services that meet specific "Union assurance levels." However, the proposal recognises that the private sector, particularly operators of essential infrastructure, faces identical strategic dependencies and sovereignty risks. The mechanism for private-sector engagement with this sovereignty framework is codified in Article 31.
The Voluntary Nature of Private-Sector Assessments
The baseline rule for private entities is permissive, not mandatory. Article 31(1) of the CADA proposal explicitly states:
"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."
This provision is pivotal for cloud service providers, data centre operators, and other critical infrastructure entities that qualify as "essential" or "important" under the NIS2 Directive (Directive (EU) 2022/2555). It creates a legal pathway for these private entities to voluntarily adopt the rigorous risk assessment methodology developed for the public sector.
The assessment referenced in Article 29 is a comprehensive exercise designed to determine the appropriate "Union assurance level" (ranging from 1 to 4) required for cloud computing services. This determination is based on the sensitivity of the data processed and the criticality of the service to the preservation of public order. By allowing private entities to conduct "similar assessments," CADA acknowledges that the risk profiles of critical private infrastructure, such as energy grids, financial market infrastructures, or health systems, often mirror those of the public sector.
For example, a private data centre operator hosting critical financial transaction data may face risks regarding third-country access or service disruption that are functionally identical to those faced by a public authority managing tax records. The voluntary assessment allows these entities to map their specific risk exposure against the CADA sovereignty criteria, effectively "stress-testing" their supply chains against the same standards that public bodies must meet.
Commission Guidance and Methodology
While the assessment is voluntary, the proposal ensures it is not conducted in a regulatory vacuum. Article 31(2) provides that:
"The Commission may issue guidance on the methodology for carrying out the impact assessments under this Article and possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality."
This guidance is crucial for standardisation. It ensures that when a private entity chooses to conduct an assessment, the methodology is consistent with the broader CADA framework and the risk assessment templates used by Member States. The Commission's guidance is expected to detail how to evaluate specific factors, including:
- The sensitivity, criticality, and magnitude of non-personal data processed.
- The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
This harmonisation is vital for cloud providers. If a provider can demonstrate compliance with a Commission-guided assessment, it can market its services as "CADA-aligned" or "sovereignty-ready," offering a competitive advantage in a market increasingly sensitive to data sovereignty and supply chain resilience.
The Power to Mandate Assessments
Although the baseline rule in Article 31(1) is permissive, the proposal includes a significant safety valve for the Commission to intervene if market dynamics or security threats evolve. Article 31(3) states:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This provision transforms the voluntary nature of the assessment into a potential obligation. The conditions for this mandate are strict and designed to prevent arbitrary overreach:
- Specific Circumstances: There must be a clear justification, likely driven by emerging geopolitical risks, identified systemic vulnerabilities, or a specific threat to the Union's strategic autonomy.
- High Criticality: The mandate would apply only to entities operating in sectors deemed "high criticality," ensuring the measure is proportionate.
- Consultation: The Commission must consult with Member States before adopting such measures, ensuring national perspectives are considered.
- Delegated Act: The mandate would be formalised through a delegated act, a legislative instrument that allows the Commission to supplement non-essential elements of the regulation without going through the full ordinary legislative procedure.
This mechanism ensures that the CADA framework remains dynamic and responsive. If the EU identifies a critical dependency in a specific private sector (e.g., healthcare data processing, industrial IoT, or critical financial infrastructure), it can swiftly require those entities to undergo rigorous sovereignty impact assessments and implement specific mitigation measures, such as migrating to higher assurance levels or adopting multi-cloud strategies.
Alignment with Public-Sector Standards
The reference to Article 29 in Article 31 implies that private entities should use the same risk assessment logic as public authorities. Under Article 29, public bodies must assess whether their activities contribute to the preservation of public order and determine the appropriate Union assurance level (2, 3, or 4) for their cloud services.
For a private critical entity, this means evaluating:
- Data Sensitivity: Is the data processed comparable to data handled by public authorities in critical sectors?
- Operational Criticality: Would a disruption in cloud services significantly impact the entity's ability to provide essential services or undermine public order?
- Third-Country Risks: Are there risks of extraterritorial access to data by non-EU jurisdictions that could compromise operational autonomy?
By aligning with these standards, private entities can prepare for potential future mandates and demonstrate to clients and regulators that they are managing sovereignty risks proactively.
What this means for you
For cloud service providers, data centre operators, and critical infrastructure entities subject to NIS2, Article 31 presents both a strategic opportunity and a compliance horizon.
1. Proactive Risk Management
Even though the assessment is currently voluntary, conducting a CADA-style impact assessment can significantly strengthen your value proposition. Clients in critical sectors (energy, finance, health) are increasingly concerned about data sovereignty and supply chain resilience. By demonstrating that you have conducted a rigorous assessment aligned with Commission guidance, you can position your services as lower-risk and more trustworthy. This is particularly relevant if you are seeking to serve public-sector clients or other critical private entities that may soon be mandated to procure only "sovereign" services.
2. Preparation for Potential Mandates
The possibility of the Commission mandating assessments via delegated act means you should not treat this as a purely optional exercise. If your organisation operates in a sector of high criticality, you should begin mapping your current cloud architecture against the CADA Union assurance levels. Identify any dependencies on third-country providers or services that may not meet higher assurance levels (e.g., Level 3 or 4). Early identification of gaps allows for a smoother transition if a mandate is issued, avoiding rushed migrations or service disruptions.
3. Engagement with Commission Guidance
Monitor the European Commission for the issuance of guidance on the methodology for these assessments. As soon as this guidance is available, integrate it into your internal risk management processes. This will ensure that if you conduct a voluntary assessment, it is robust, defensible, and aligned with the Commission's expectations. Furthermore, engage with industry bodies to provide feedback on the guidance, ensuring that the methodology is practical for private-sector operations.
4. Contractual Implications
Consider updating your service level agreements (SLAs) and data processing agreements to reflect your commitment to sovereignty standards. You may need to include clauses that address the potential for future mandates and the steps you will take to comply, including any necessary migrations or architectural changes. This transparency can build trust with clients who are themselves preparing for CADA compliance.
Common misconceptions
Misconception 1: CADA mandates impact assessments for all private critical entities immediately. Correction: No. Article 31(1) explicitly states that entities may carry out similar assessments. The assessment is voluntary unless the Commission exercises its power under Article 31(3) to mandate assessments for specific high-criticality sectors via a delegated act.
Misconception 2: The assessment is identical to a NIS2 cybersecurity risk assessment. Correction: While there is overlap, the CADA assessment focuses specifically on sovereignty risks, such as third-country control, extraterritorial data access, and operational autonomy. NIS2 assessments focus primarily on technical cybersecurity and resilience. The CADA assessment uses the Union assurance levels (1-4) as a benchmark, which is a distinct framework from NIS2's risk management requirements.
Misconception 3: Only public sector bodies need to worry about Union assurance levels. Correction: While public procurement rules (Article 30) mandate the use of specific assurance levels for public bodies, private entities can and are encouraged to align with these levels through voluntary assessments. This alignment can be crucial for maintaining trust and competitiveness, especially in sectors where public and private infrastructures are interdependent.
Misconception 4: The Commission can mandate assessments at any time without justification. Correction: Article 31(3) requires that the Commission's decision to mandate assessments be "duly justified" and based on "specific circumstances." It also requires consultation with Member States. This is not an arbitrary power but a targeted response to identified systemic risks in high-criticality sectors.
This is general information about a draft EU regulation, not legal advice.