Summary
The proposed Cloud and AI Development Act (CADA) is designed to complement, not replace, the Digital Operational Resilience Act (DORA). While DORA (Regulation (EU) 2022/2554) mandates ICT risk management and resilience specifically for financial entities and their critical third-party ICT providers, CADA introduces a cross-sector sovereignty framework to mitigate strategic dependencies on non-European cloud providers. As proposed, CADA would require Member States and Union entities to conduct risk assessments under Article 29 to determine necessary sovereignty levels, while private financial entities would currently fall under the voluntary Article 31 impact assessment regime, unless the Commission adopts future delegated acts. This creates a layered compliance landscape where financial entities must satisfy DORA's technical resilience requirements while navigating CADA's emerging sovereignty standards, particularly if they act as public contracting authorities or face market pressure to align with public-sector procurement rules.
Detail
The relationship between the proposed Cloud and AI Development Act (CADA) and the existing Digital Operational Resilience Act (DORA) is one of distinct but complementary regulatory pillars. DORA, which entered into force to ensure the financial sector's ability to withstand ICT-related disruptions, imposes strict obligations on financial entities to manage ICT risks, monitor incidents, and conduct rigorous testing. Crucially, DORA directly regulates critical third-party ICT service providers, subjecting them to oversight by the European Supervisory Authorities (ESAs) to safeguard financial stability.
CADA addresses a different dimension of risk: technological sovereignty and strategic autonomy. The explanatory memorandum of the CADA proposal explicitly states that it "supports the objectives of the Digital Operational Resilience Act (DORA)." However, the scope and focus differ fundamentally. DORA is sector-specific, targeting the financial sector and the ICT providers that serve it. CADA is cross-sectoral, aiming to strengthen the entire EU cloud and AI ecosystem to reduce dependence on third-country providers and safeguard public order.
Distinct Regulatory Pillars
1. Technical Resilience vs. Sovereign Autonomy
DORA focuses on the technical ability of financial entities and their ICT providers to withstand, respond to, and recover from ICT-related disruptions. It ensures that financial services remain available, secure, and resilient. CADA, conversely, focuses on the "who" and "where" of the infrastructure. It establishes a Union cloud computing sovereignty framework comprising four assurance levels (Union assurance levels 1 to 4). This framework is designed to protect public order and ensure operational autonomy by mitigating risks such as unauthorized access to data by third-country authorities, service disruption due to geopolitical factors, or loss of control over critical infrastructure.
2. Sectoral vs. Horizontal Application
DORA applies specifically to financial entities and critical ICT third parties. CADA applies to cloud computing service providers and their users across the economy. However, CADA's mandatory obligations are primarily directed at public sector bodies and Union entities. While DORA's rules for critical ICT third parties are binding on those specific providers, CADA's sovereignty framework creates a demand-side pull, encouraging the adoption of sovereign cloud services through public procurement mandates and risk assessment requirements.
3. Risk Assessment Mechanisms: A Critical Distinction
A key intersection point is the risk assessment, but the obligations differ significantly between the two acts and between public and private actors.
- CADA Article 29 (Mandatory for Public/Union): This article mandates that Member States and Union entities carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine which Union assurance level (1, 2, 3, or 4) is appropriate for specific cloud computing services. This is distinct from DORA's ICT risk management framework.
- CADA Article 31 (Voluntary for Private Sector): Private entities, including financial institutions, are not subject to the mandatory risk assessment under Article 29. Instead, Article 31 states that entities referred to in Annex I of the NIS2 Directive (which includes financial entities) "may carry out similar assessments." This is currently voluntary. However, Article 31(3) empowers the Commission to adopt delegated acts requiring such impact assessments for private entities in sectors of high criticality if specific circumstances arise.
- DORA: Requires financial entities to identify and categorize ICT systems and assess associated risks as part of their ICT risk management framework, but does not assess geopolitical sovereignty or third-country control risks.
The Role of Public Procurement and Private Sector Impact
CADA introduces specific procurement rules for public sector bodies under Article 30. Contracting authorities must procure cloud computing services that meet at least Union assurance level 1. For activities identified as contributing to public order (such as those in sectors listed in Annex I or II of the NIS2 Directive, which includes certain financial sectors), they must procure services meeting Union assurance levels 2, 3, or 4.
While CADA's mandatory procurement rules primarily target public sector bodies, the proposal acknowledges a significant spillover effect on the private sector. The explanatory memorandum notes that "requirements imposed by or on public authorities to adopt specific assurance levels... tend to be mirrored by private-sector entities operating in regulated industries." Consequently, financial entities subject to DORA may face indirect pressure to adopt CADA-compliant sovereign cloud services to meet client expectations, align with broader EU strategic goals, or prepare for potential future delegated acts, even if DORA itself does not mandate a specific sovereignty level.
Compliance and Enforcement
DORA has its own enforcement mechanisms, with ESAs empowered to impose penalties on critical ICT third parties. CADA proposes a separate enforcement structure involving national competent authorities designated by Member States under Article 25. These authorities would oversee the recognition of cloud computing services under the Union assurance levels and enforce transparency and audit obligations. Financial entities would thus navigate two regulatory streams: DORA compliance for operational resilience and CADA compliance for sovereignty assurance, particularly when engaging with public sector contracts or when national risk assessments under CADA Article 29 dictate higher assurance levels for public-order-relevant activities.
What this means for you
For in-house counsel and compliance officers in the financial sector, the interaction between CADA and DORA means preparing for a dual-compliance landscape where technical resilience and strategic sovereignty must be managed in parallel.
1. Distinguish Mandatory vs. Voluntary Risk Assessments
You must distinguish between the mandatory risk assessments required for public bodies under Article 29 and the voluntary impact assessments available to private entities under Article 31. As a financial entity, you are not currently required to conduct an Article 29 assessment. However, you should monitor national risk assessments conducted by Member States. If your entity acts as a "contracting authority" (e.g., a public bank or a body performing public functions), you may be subject to Article 30 procurement rules. For purely private entities, you should proactively consider conducting an Article 31 impact assessment to align with emerging sovereignty standards and prepare for potential future delegated acts under Article 31(3).
2. Enhanced Vendor Due Diligence
Your due diligence processes for cloud providers must expand beyond DORA's operational resilience criteria. Under DORA, you assess providers for incident reporting, testing, and exit strategies. Under CADA, you will also need to verify their status in the central repository of recognized Union-assured cloud computing services (Article 22). You must confirm that a provider holds the appropriate Union assurance level (1 to 4) based on the sensitivity of the data and services involved. This adds a new criterion to your vendor selection, focusing on establishment in the Union, location of infrastructure, personnel citizenship, and absence of third-country control.
3. Contractual Alignment and Sovereignty Clauses
Review existing and future cloud service agreements. Ensure they address both DORA's requirements for audit rights, incident reporting, and exit strategies, and CADA's requirements for sovereignty, data localization, and independence from third-country control. You may need to add clauses that require providers to maintain their Union assurance level status and notify you of any material changes that could affect this status. For public sector bodies, contracts must explicitly reference the required Union assurance level determined by the national risk assessment.
4. Monitoring National Implementation and Delegated Acts
CADA requires Member States to designate national competent authorities and conduct risk assessments. As a financial entity, you should monitor your home Member State's risk assessment outcomes under Article 29. These assessments will determine which of your services or data processing activities (if you are acting in a public capacity) require Union assurance levels 2, 3, or 4. Furthermore, stay alert for potential delegated acts under Article 31(3) that could mandate impact assessments for private entities in high-criticality sectors, which would effectively make CADA compliance mandatory for the financial sector.
5. Preparation for Dual Audits
Be prepared for audits from both DORA supervisors (ESAs) and CADA national competent authorities. While the focus will differ (DORA on technical resilience, CADA on sovereignty), the underlying data and documentation regarding your cloud infrastructure will be scrutinized. Maintain clear records that demonstrate both technical resilience (DORA) and sovereign compliance (CADA), including evidence of the provider's Union assurance level recognition.
Common misconceptions
Misconception 1: CADA replaces DORA for financial entities.
This is incorrect. CADA does not repeal or replace DORA. The proposal explicitly states that it "supports the objectives of the Digital Operational Resilience Act (DORA)." DORA remains the primary regulation for ICT resilience in the financial sector. CADA adds a sovereignty layer that operates alongside DORA's technical requirements.
Misconception 2: Compliance with DORA automatically ensures compliance with CADA.
This is also incorrect. DORA focuses on operational resilience and incident management. It does not assess the geopolitical sovereignty or third-country control risks that CADA addresses. A cloud provider may be fully compliant with DORA's resilience standards but still fail to meet CADA's Union assurance level criteria due to ownership structures, data localization practices, or third-country control.
Misconception 3: CADA Article 29 risk assessments apply to all financial entities.
This is a critical error. Article 29 explicitly mandates risk assessments for Member States and Union entities to identify public sector activities contributing to public order. Private financial entities are not subject to this mandatory assessment under the current text. They fall under Article 31, which allows them to "carry out similar assessments" voluntarily, unless the Commission adopts a delegated act requiring them to do so.
Misconception 4: CADA only applies to the public sector.
While CADA's mandatory procurement and risk assessment rules (Article 29) primarily target public sector bodies and Union entities, the proposal recognizes the impact on the private sector. Financial entities, as critical users of cloud services, will be affected through supply chain requirements, market expectations, and potential future delegated acts that may extend impact assessment requirements to private entities in high-criticality sectors.
Misconception 5: The Union assurance levels are purely technical cybersecurity certifications.
The Union assurance levels are not just technical cybersecurity certifications (like ISO 27001 or the EUCS). They include strict criteria regarding establishment in the Union, location of infrastructure and personnel, data localization, and absence of third-country control. They are sovereignty-focused, not just security-focused.
This is general information about a draft EU regulation, not legal advice.