Summary

Under the proposed Cloud and AI Development Act (CADA), payment service providers (PSPs) classified as entities of high criticality under the NIS2 Directive are not currently subject to mandatory sovereign cloud procurement rules. Instead, Article 31 of the proposal establishes a framework for these private-sector entities to conduct voluntary impact assessments regarding their cloud resilience and sovereignty. While PSPs are not forced to migrate to "Union assurance" cloud services today, the Commission retains the power to mandate specific impact assessments and mitigation measures via delegated acts if justified by specific circumstances. PSPs must navigate a dual-compliance landscape where CADA's sovereignty framework complements, rather than replaces, existing ICT risk management obligations under the Digital Operational Resilience Act (DORA).

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is primarily designed to harmonise public-sector procurement and reduce the EU's reliance on third-country cloud providers. However, its provisions create significant indirect effects for the private sector, particularly for entities operating in critical infrastructure sectors such as financial services. For payment service providers (PSPs), the regulatory impact is defined by their classification under the Directive on Security of Network and Information Systems (NIS2) and their existing obligations under the Digital Operational Resilience Act (DORA).

Article 31: Voluntary Assessments for Critical Private Entities

The core provision affecting PSPs is Article 31 of the CADA proposal, titled "Impact assessments." This article creates a specific mechanism for private-sector entities to evaluate their cloud dependencies, mirroring the mandatory risk assessments required of public authorities under Article 29.

Article 31(1) explicitly states:

"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."

Article 31(1) therefore turns on NIS2 scope. Annex I of the NIS2 Directive (Directive (EU) 2022/2555) lists the sectors of high criticality; its "Banking" sector covers credit institutions, so PSPs that are credit institutions fall within it. Payment institutions and electronic money institutions are not named in Annex I as such, so a PSP that is not a credit institution should confirm its classification under NIS2 and the relevant national transposition before relying on Article 31. Where a PSP is in scope, CADA explicitly permits it to conduct risk assessments regarding the sovereignty and resilience of its cloud computing services. Under the current text of Article 31(1), these assessments are voluntary.

However, the proposal gives the European Commission the power to escalate these voluntary measures into mandatory ones. Article 31(2) allows the Commission to issue guidance on the methodology for these impact assessments and potential mitigation measures. More significantly, Article 31(3) empowers the Commission to adopt delegated acts making impact assessments mandatory for entities in sectors of high criticality if specific circumstances justify it. The text reads:

"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."

This establishes a regulatory pathway: while PSPs are not currently forced to migrate to sovereign cloud services, the framework allows the Commission to intervene if market failures or systemic risks require stricter controls.

Overlap with DORA and NIS2

PSPs must reconcile CADA's sovereignty focus with their existing obligations under DORA. DORA already imposes strict ICT risk management requirements on financial entities, including obligations to manage third-party risks, such as those arising from cloud service providers.

The CADA explanatory memorandum acknowledges this overlap, noting that CADA supports the objectives of DORA. While DORA focuses on technical cybersecurity and operational resilience (e.g., incident response testing, ICT risk management frameworks, and critical third-party provider oversight), CADA addresses broader sovereignty concerns, such as data access by third-country authorities and operational autonomy.

For PSPs, this creates a dual-compliance landscape:

  1. DORA Compliance: PSPs must ensure their cloud providers meet strict ICT risk management standards, including security, continuity, and incident reporting. DORA focuses on the technical and operational resilience of the service.
  2. CADA Sovereignty Assessment: Under Article 31, PSPs may voluntarily assess whether their current cloud providers meet the "Union assurance levels" defined in CADA (Levels 1–4). This assessment focuses on geopolitical risks, such as the risk of unauthorized data access by third-country governments or service disruption due to extraterritorial laws (e.g., the US CLOUD Act).

The CADA proposal distinguishes itself from DORA by introducing a harmonised "Union cloud computing sovereignty framework" (Article 16). While DORA does not mandate the use of "sovereign" cloud services, CADA provides the criteria for what constitutes a trusted service. PSPs conducting an Article 31 assessment would evaluate their providers against these criteria, potentially influencing their vendor selection for future contracts.

Sovereign Cloud and Resilience Expectations

Although CADA does not impose a direct procurement mandate on PSPs, the proposal encourages the private sector to align with public-sector standards to foster market resilience. The explanatory memorandum notes that requirements imposed on public authorities often create "spillover effects" that lead to broader market realignment over time.

PSPs are expected to consider the following in their voluntary assessments:

  • Data Sovereignty: Ensuring that customer data remains under EU jurisdiction and is not accessible by third-country authorities under laws like the US CLOUD Act. The CLOUD Act (18 U.S.C. § 2713) requires providers subject to US jurisdiction to preserve, back up or disclose data in their possession, custody or control in response to lawful US process, regardless of where that data is stored, creating a potential conflict with EU data protection and sovereignty goals. Storing data in an EU region does not by itself remove this exposure, because the obligation attaches to the provider's control over the data rather than to its physical location; the assessment should therefore look at the provider's corporate structure and at whether the PSP, not the provider, holds the keys needed to read the data.
  • Operational Autonomy: Assessing the risk of service degradation or disruption by third-country actors, including the risk of sanctions or embargoes affecting service continuity.
  • Supply Chain Security: Evaluating the software supply chain for dependencies on non-EU components that could pose security risks, aligning with the software supply chain measures outlined in Annex II of CADA.

By conducting these assessments, PSPs can demonstrate to regulators and customers that they are proactively managing geopolitical risks, which may become a competitive advantage or a future compliance requirement.

What this means for you

For in-house counsel and compliance officers at payment service providers, the immediate takeaway is that CADA introduces a new layer of risk assessment regarding cloud providers, even if it is not yet mandatory.

  1. Conduct Voluntary Impact Assessments: Under Article 31(1), you should consider conducting an impact assessment of your current cloud infrastructure. Evaluate your providers against the Union assurance levels (Levels 1–4) outlined in CADA Annex II. This will help you identify exposures related to third-country control and data access.
  2. Monitor Commission Guidance: Keep a close watch on any guidance issued by the Commission under Article 31(2). This guidance will provide the methodology for conducting these assessments and may signal the direction of future mandatory requirements.
  3. Integrate with DORA Compliance: Align your CADA impact assessments with your existing DORA ICT third-party risk management processes. Use the CADA sovereignty criteria to enhance your vendor due diligence, particularly regarding geopolitical risks and data localisation.
  4. Prepare for Potential Mandates: Be aware that the Commission has the power to make these assessments mandatory under Article 31(3). Ensure your internal processes are flexible enough to adapt to such a requirement without significant disruption.
  5. Review Vendor Contracts: When negotiating new cloud contracts, consider including clauses that address sovereignty risks, such as commitments to notify and challenge third-country access requests where legally permitted and commitments to operational continuity in the event of geopolitical tensions. A provider cannot contract out of legal obligations it is itself subject to, so treat such clauses as complementary to technical controls (for example, customer-managed encryption keys held outside the provider's reach) rather than as a guarantee.

Common misconceptions

  • Misconception: CADA mandates PSPs to use EU-only cloud providers.
    • Reality: CADA imposes mandatory procurement rules only on public-sector bodies (Article 30). For private entities like PSPs, the impact assessments under Article 31 are currently voluntary, though the Commission can make them mandatory in the future.
  • Misconception: CADA replaces DORA requirements for financial entities.
    • Reality: CADA complements DORA. DORA focuses on technical cybersecurity and operational resilience, while CADA addresses sovereignty and geopolitical risks. PSPs must comply with both frameworks.
  • Misconception: Only large banks are affected by CADA's private-sector provisions.
    • Reality: Article 31 applies to entities referred to in Annex I of NIS2, that is, the sectors of high criticality. Within financial services this covers, in particular, credit institutions (the "Banking" sector) and financial market infrastructures; whether a given payment institution or electronic money institution is covered depends on its NIS2 classification. NIS2 generally applies its size-cap rule (medium-sized and larger entities), subject to the exceptions in Article 2 of the Directive, so being a large bank is not a prerequisite, but size is not irrelevant either.

This is general information about a draft EU regulation, not legal advice.