Summary

The proposed Cloud and AI Development Act (CADA) does not replace the Financial Data Access (FIDA) framework; rather, it imposes a parallel layer of sovereign infrastructure requirements on the cloud services hosting financial data. While FIDA governs the access and sharing of customer financial data (open finance), CADA governs the sovereignty of the infrastructure processing that data. For financial entities, this creates a dual-compliance obligation: ensuring data flows comply with FIDA while ensuring the underlying cloud environment meets CADA's "Union assurance levels." This interaction overlaps significantly with the Digital Operational Resilience Act (DORA), as CADA addresses non-technical sovereignty risks (e.g., third-country control) that DORA does not fully cover. Financial institutions must therefore manage both open-banking data flows and sovereign hosting standards simultaneously.

Detail

The Cloud and AI Development Act (CADA), proposed in COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. For legal and compliance teams in the financial sector, the critical challenge is navigating the intersection of CADA with existing financial data regimes, specifically the Financial Data Access (FIDA) framework and the Digital Operational Resilience Act (DORA).

Distinct Regulatory Layers: Data Flow vs. Infrastructure

The fundamental distinction lies in the object of regulation. FIDA is designed to facilitate open finance by granting customers the right to share their financial data with third-party providers. It focuses on data portability, API standards, and the rights of data subjects. In contrast, CADA focuses on the infrastructure where that data resides. As proposed, CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16). These levels define the criteria cloud computing service providers must meet to serve Union entities and public sector bodies, aiming to mitigate risks associated with dependence on third-country providers, including unauthorized data access and service disruption.

While FIDA mandates the availability of data, CADA mandates the sovereign status of the cloud environment processing it. This distinction is crucial for financial entities that act as data controllers or processors for public sector bodies, or those deemed critical infrastructure under the NIS2 Directive.

Article 29: The Risk Assessment Mechanism

Article 29 of CADA serves as the primary bridge between cloud sovereignty and specific sectoral activities. It obliges Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of "public order." This definition explicitly includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), which encompasses financial entities.

Under Article 29(1), these assessments must:

  1. Identify public sector activities using cloud computing services that contribute to public order in areas such as national security, internal security, external border management, defence, justice, or law enforcement.
  2. Determine which Union assurance level (2, 3, or 4) is appropriate for these activities.

Crucially, Article 29(2) requires assessors to consider specific risk factors:

  • The sensitivity, criticality, and magnitude of non-personal and personal data processed.
  • The risk of unlawful access to such data by a third country or a legal entity established in a third country.
  • The risk of service disruption.

For financial institutions, this implies that even if FIDA mandates the sharing of data via APIs, CADA may require that the cloud infrastructure hosting that data meets specific sovereignty thresholds if the activity is deemed critical to public order.

Overlap and Complementarity with DORA

CADA is explicitly designed to complement, not replace, sector-specific regulations like DORA. The explanatory memorandum notes that DORA shapes compliance obligations for cloud computing service providers serving financial entities, focusing on ICT risk management and incident response testing. However, DORA has a sectoral scope specific to the financial sector and is primarily focused on technical cybersecurity and operational resilience.

CADA fills a specific gap by addressing broader sovereignty considerations, including data confidentiality, operational autonomy, and the reduction of third-country dependencies. The explanatory memorandum states that while DORA indirectly covers cloud providers if their role is significant for operational resilience, NIS2 "does not contain measures to boost the uptake and use of such services" and is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

Therefore, a financial institution must comply with DORA's operational resilience requirements and potentially CADA's sovereignty assurance levels if it procures cloud services for activities identified as critical in national risk assessments. DORA ensures the system is resilient; CADA ensures the system is sovereign.

Private Sector Impact Assessments (Article 31)

While Article 30 mandates that public contracting authorities procure cloud services at specific assurance levels (2, 3, or 4) for public-order-relevant activities, the impact on the private financial sector is driven by Article 31. This article allows private sector entities within the meaning of the NIS2 Directive (which includes financial entities) to carry out similar impact assessments.

The Commission may issue guidance on the methodology for these assessments. Furthermore, under Article 31(3), if the Commission concludes that private entities in sectors of high criticality require impact assessments, it may adopt delegated acts specifying the need for such assessments and the risk mitigation measures those entities must take. This suggests that while CADA's strict procurement mandates apply directly to public authorities, the regulatory guidance and market pressure will likely drive private financial entities to align with these sovereignty standards to maintain trust, ensure interoperability with public systems, and mitigate regulatory risk.

What this means for you

For in-house counsel and compliance officers in the financial sector, the interaction between CADA and FIDA requires a dual-track compliance strategy that integrates data access rights with infrastructure sovereignty.

1. Map Data Flows to Sovereignty Levels

You must map your financial data flows (governed by FIDA) to the cloud infrastructure used. If your institution processes data for public sector bodies or is classified as critical under NIS2, you must determine the appropriate Union assurance level. This may require migrating workloads to sovereign cloud providers recognised under CADA's framework. Note that Article 30(3) requires public authorities to procure only services recognised at Union assurance levels 2, 3, or 4 for activities contributing to public order.

2. Conduct Joint Risk Assessments

Leverage the risk assessment mechanisms in Article 29. Assess not just the cybersecurity risks (DORA) but also the sovereignty risks (CADA), such as the jurisdiction of the cloud provider and the potential for third-country data access. Article 29(2) explicitly requires considering the risk of unlawful access by a third country and the risk of service disruption.

3. Vendor Due Diligence

When selecting cloud providers for open banking infrastructure, ensure they can demonstrate compliance with the relevant Union assurance levels. For Level 1, this involves a self-assessment (Article 19); for Levels 2-4, it requires independent third-party audits (Article 20). Providers must submit an audit report and a "positive" audit opinion to the national competent authority for recognition.

4. Monitor National Implementations

Member States will designate national competent authorities and conduct their own risk assessments under Article 29. You must monitor these national assessments to determine if your specific financial activities are flagged as requiring higher assurance levels (2, 3, or 4). The Commission will provide guidance on the methodology, but the final determination of which activities contribute to public order lies with the Member States.

5. Prepare for Audit Evidence

If you aim for higher assurance levels, prepare for rigorous audit evidence requirements (Annex III of CADA). This includes detailed software bills of materials (SBOMs), proof of data localization, evidence of separation from third-country control, and verification that personnel are Union citizens (where required). For Levels 3 and 4, the criteria are particularly strict regarding personnel citizenship and the absence of third-country control.

Common misconceptions

"Complying with FIDA means I am compliant with CADA." No. FIDA governs data access and sharing rights. CADA governs the sovereignty and security of the underlying cloud infrastructure. You can have FIDA-compliant data sharing on a non-sovereign cloud, which may violate CADA requirements for critical financial activities if those activities are deemed to contribute to public order.

"CADA replaces DORA for financial institutions." No. CADA complements DORA. DORA focuses on operational resilience and technical cybersecurity; CADA focuses on sovereignty, data confidentiality, and reducing third-country dependencies. Both apply simultaneously. The explanatory memorandum explicitly states that DORA "does not contain measures to boost the uptake and use of such services" and is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

"Only public sector banks need to worry about CADA." Not necessarily. While Article 30 mandates procurement of sovereign clouds for public authorities, Article 31 allows private financial entities (NIS2 entities) to conduct similar impact assessments. Furthermore, market pressure and the need for interoperability with public sector systems will likely drive private adoption. The Commission may also adopt delegated acts requiring impact assessments for private entities in high-criticality sectors.

"Union Assurance Level 1 is sufficient for all financial data." No. Level 1 is the minimum baseline. If a risk assessment under Article 29 identifies your financial activities as contributing to public order or involving critical data, you may be required to use Level 2, 3, or 4 services. These higher levels have stricter requirements on personnel citizenship (conditional at L2, mandatory at L3/L4), data localization, and the absence of third-country control.

This is general information about a draft EU regulation, not legal advice.