Summary
As proposed, the Cloud and AI Development Act (CADA) does not impose direct, mandatory sovereignty procurement obligations on banks and financial institutions in the same way it does for public sector bodies. However, Article 31 explicitly enables private sector entities listed in Annex I of the NIS2 Directive, including most credit institutions and payment firms, to voluntarily conduct impact assessments mirroring the public sector's risk assessments. Furthermore, CADA's strict public procurement rules for sovereign cloud services will create a powerful market signal; as public bodies migrate to higher Union assurance levels, private regulated entities are expected to mirror these standards to maintain trust and operational resilience. While CADA complements the Digital Operational Resilience Act (DORA) by addressing sovereignty gaps, it currently leaves the decision to adopt these standards to the private sector, pending potential future delegated acts.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen the EU's cloud and AI ecosystem, with a primary focus on reducing dependencies on third-country providers and safeguarding the Union's public order. While the core "sovereignty framework" (Title IV, Chapter I) and the mandatory procurement rules (Article 30) are legally binding only for Union entities and public sector bodies, the financial sector faces significant indirect exposure through voluntary alignment mechanisms and market dynamics.
Article 31: The Voluntary Impact Assessment Mechanism
The most critical provision for the financial sector is Article 31, titled "Impact assessments." This article specifically addresses private sector entities that are not public sector bodies but are listed in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive). This list encompasses critical and important entities in the financial sector, including credit institutions, payment institutions, and investment firms.
Under Article 31(1), these entities "may carry out similar assessments as those set out in Article 29." Article 29 mandates that Member States and Union entities conduct risk assessments to determine which Union assurance level (1, 2, 3, or 4) is appropriate for their cloud computing services. These assessments evaluate the sensitivity of data, the risk of third-country access, and the potential impact on public order.
By invoking Article 31, a bank can voluntarily adopt this harmonized EU methodology to evaluate its own cloud dependencies. This is not a current mandatory obligation in the same strict sense as it is for a ministry of defense or a tax authority. However, it provides a structured, EU-endorsed framework for financial institutions to benchmark their sovereignty risks against the same criteria used by the public sector.
Crucially, Article 31(3) grants the Commission the power to adopt delegated acts to supplement the Regulation. This provision allows the Commission to specify the need for such impact assessments and the risk mitigation measures that private entities "shall take" if it concludes that entities in sectors of high criticality require them. Given the systemic importance of the financial sector, this clause acts as a legislative "trigger," keeping the door open for future mandatory requirements should the Commission determine that voluntary alignment is insufficient to protect the Union's strategic autonomy.
Additionally, Article 31(2) empowers the Commission to issue guidance on the methodology for these impact assessments and possible mitigation measures. This guidance will likely provide the technical and operational details banks need to implement these assessments effectively.
The DORA Overlap: Complementary, Not Redundant
Banks already operate under a rigorous regulatory regime for digital resilience, most notably the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554). The CADA proposal explicitly acknowledges this overlap and positions itself as a complement rather than a replacement.
The Explanatory Memorandum to the proposal states that CADA "supports the objectives of the Digital Operational Resilience Act (DORA)." It notes that DORA shapes compliance obligations for cloud computing service providers, particularly when they provide services to specified financial entities or play a significant role in operational resilience. Under DORA, financial institutions must carry out due diligence on their cloud providers, focusing on ICT risk management, incident response, and testing.
However, the proposal clarifies that DORA has a sectoral scope specific to the financial sector and is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations." While DORA ensures that a provider is technically robust and resilient to cyberattacks, it does not address the geopolitical risks of third-country control, extraterritorial access laws (such as the US CLOUD Act), or the risk of service disruption due to political coercion.
CADA fills this gap by introducing a sovereignty dimension. It focuses on operational autonomy, data confidentiality against third-country access, and the risk of service disruption due to geopolitical factors. Consequently, banks will likely need to integrate CADA's sovereignty criteria (such as those in Annex II for Union assurance levels) into their existing DORA-compliant due diligence processes. This creates a dual-layer compliance requirement: technical resilience under DORA and strategic autonomy under CADA.
Public Procurement as a Market Signal
Although banks are private entities and not "contracting authorities" under Article 30, CADA's impact on them is heavily influenced by its rules on public procurement. Article 30 mandates that contracting authorities must procure cloud services recognized as offering at least Union assurance level 1. For activities identified as contributing to the preservation of public order (which can include critical infrastructure support), they must procure services at Union assurance levels 2, 3, or 4.
This creates a powerful market signal. As public sector bodies migrate to sovereign, EU-assured cloud providers, these providers will grow in scale, capability, and market share. Banks, which often rely on the same hyperscalers as the public sector, will face a shifting landscape. The "EU added value" criteria introduced in Article 32 for public procurement (which reward the use of software and hardware designed or manufactured in the Union) will likely influence private sector procurement strategies as well.
Recital 66 of the CADA proposal explicitly states: "Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."
This recital confirms the legislative intent: while banks are not legally forced by CADA to use Level 3 or 4 clouds, market dynamics, counterparty risk assessments, and the desire to align with public sector standards will increasingly favor providers that meet these higher sovereignty standards. Banks that fail to align may face reputational risks or difficulties in partnering with public entities that are bound by CADA's procurement rules.
Sovereign Cloud Criteria and Financial Data
For banks, the most relevant sovereignty criteria will likely be Union assurance level 2 or 3. Annex II of the CADA proposal outlines strict requirements for these levels, which align closely with the risk profiles of financial institutions:
- Data Localization: Customer data must remain exclusively within the Union (Annex II, 2.1(c) and 3.1(c)).
- No Third-Country Control: Providers and subcontractors must not be subject to the control of a third country, unless specific derogations apply (Annex II, 2.1(g) and 3.1(g)).
- Personnel Screening: For Level 3, personnel must be Union citizens (Annex II, 3.1(d)).
- Cybersecurity Certification: Services must obtain a European cybersecurity certificate of at least "substantial" assurance level (Annex II, 2.1(e) and 3.1(e)).
Banks processing large volumes of sensitive financial data will find these criteria aligned with their own risk management needs, particularly regarding data privacy (GDPR) and operational continuity. The "substantial" cybersecurity certification requirement for Levels 2 and 3 is a key differentiator from Level 1, which only requires compliance with state-of-the-art standards.
What this means for you
For in-house counsel, compliance officers, and CIOs in the banking and financial sector, CADA introduces several actionable items that require immediate attention:
- Monitor Article 31 Developments: Stay alert for Commission guidance and delegated acts under Article 31(2) and 31(3). While impact assessments are currently voluntary, the Commission may make them mandatory for certain high-criticality financial activities. Begin preparing internal methodologies for assessing cloud provider sovereignty risks now, using the Article 29 framework as a template.
- Integrate Sovereignty into DORA Due Diligence: Update your cloud provider due diligence processes to include CADA's sovereignty criteria. When evaluating providers under DORA, ask not just about their cybersecurity certifications, but also about their Union assurance level status. Can they provide evidence of compliance with Annex II criteria? Specifically, verify their ability to demonstrate the absence of third-country control and data localization.
- Assess Market Shifts: Recognize that the public sector's move toward sovereign clouds will reshape the vendor landscape. Evaluate your current cloud providers' strategies for achieving Union assurance levels. If your primary provider cannot meet Level 2 or 3 standards, assess the long-term risk of vendor lock-in or reduced service quality as the market pivots.
- Prepare for Potential Mandatory Assessments: Although Article 31(1) currently uses "may," the legislative intent is clear: high-criticality sectors like finance are expected to align with public sector resilience standards. Conduct a pilot impact assessment using the Article 29 methodology to understand your current exposure to third-country dependencies.
- Review Contractual Clauses: Ensure that contracts with cloud providers include clauses that allow for auditing of sovereignty criteria (e.g., data localization, personnel location, third-country control). Article 20 of CADA outlines independent audit requirements for Union assurance levels 2-4; your contracts should facilitate this level of transparency and cooperation with auditing organizations.
Common misconceptions
Misconception 1: CADA mandates banks to use only EU-based cloud providers.
- Correction: CADA does not directly mandate private sector banks to use only EU providers. However, it creates a framework where the most trusted, audited providers will likely be those meeting Union assurance levels, which heavily favor EU establishment and control. The pressure is market-driven and regulatory-adjacent, not a direct ban on non-EU providers for private banks.
Misconception 2: DORA covers all sovereignty risks, so CADA is redundant for banks.
- Correction: DORA focuses on technical cybersecurity and incident response. CADA addresses strategic autonomy, including risks from extraterritorial laws (like the US CLOUD Act) and operational disruption due to geopolitical coercion. These are distinct risks that DORA does not fully address. CADA complements DORA by adding a sovereignty layer.
Misconception 3: Article 31 is purely optional and will remain so.
- Correction: While Article 31(1) uses "may," Article 31(3) explicitly allows the Commission to adopt delegated acts making impact assessments mandatory for entities in sectors of high criticality. Given the systemic importance of the financial sector, it is likely that mandatory requirements will be introduced via secondary legislation.
Misconception 4: Banks are exempt from CADA because they are private entities.
- Correction: While banks are not "contracting authorities" under Article 30, they are explicitly mentioned in Recital 66 as entities that will mirror public sector requirements. Furthermore, if a bank acts as a critical infrastructure operator under NIS2, it is directly in scope for Article 31's impact assessment framework.
This is general information about a draft EU regulation, not legal advice.