Summary

As proposed, the Cloud and AI Development Act (CADA) does not replace the cybersecurity obligations energy operators face under the NIS2 Directive (Directive (EU) 2022/2555); instead, it adds a distinct sovereignty layer to their cloud procurement and risk management. While NIS2 mandates technical security and resilience for "essential entities" in the energy sector, CADA would require these entities to conduct impact assessments to determine if their cloud dependencies pose strategic risks to public order. Consequently, energy operators must comply with NIS2's cybersecurity rules while simultaneously navigating CADA's new framework for Union assurance levels, potentially restricting them from using non-compliant third-country providers for critical infrastructure functions.

Detail

To understand the interaction between the proposed Cloud and AI Development Act (CADA) and the Network and Information Security Directive 2 (NIS2), one must distinguish between cybersecurity and sovereignty. NIS2 establishes a harmonized framework for cybersecurity risk management across the EU. CADA, currently a proposal (COM(2026) 502 final), aims to reduce dependencies on non-European cloud providers and establish a sovereignty framework for cloud computing services. For energy operators, classified as "essential entities" under NIS2, these two regimes overlap significantly but address fundamentally different risks.

Energy Operators as Essential Entities under NIS2

Under NIS2, the energy sector is explicitly listed as an essential sector in Annex I of the Directive. This classification imposes strict cybersecurity risk management obligations on energy operators, including requirements for incident reporting, supply chain security, and the implementation of appropriate technical and organizational measures. NIS2 focuses on ensuring the resilience of network and information systems against cyber threats.

The CADA explanatory memorandum explicitly acknowledges this existing framework. It states that the Directive on Security of Network and Information Systems (NIS2) "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU, resulting in greater trust." However, the memorandum immediately clarifies the limitation of NIS2 in the context of geopolitical risk: NIS2 "is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

This distinction is the cornerstone of the interaction. NIS2 ensures that an energy operator's systems are secure from hackers, malware, and technical failures. It does not, however, address the risk that a cloud provider subject to third-country jurisdiction might be compelled by foreign laws (such as the US CLOUD Act) to access data, or that a third-country actor could disrupt services for political reasons—a risk CADA explicitly targets.

CADA's Sovereignty Layer: Article 31 and Impact Assessments

CADA introduces a new dimension for energy operators through its demand-side measures, specifically Article 31. While public sector bodies are mandated to conduct risk assessments under Article 29 of CADA, Article 31 addresses private sector entities, including those in the energy sector.

Article 31(1) states: "Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29." This provision explicitly recognizes energy operators (as entities listed in NIS2 Annex I) as potentially needing to assess their cloud dependencies for sovereignty risks.

Furthermore, Article 31(2) allows the Commission to issue guidance on the methodology for carrying out these impact assessments. More significantly, Article 31(3) provides that where specific circumstances justify it, the Commission may adopt delegated acts requiring these private sector entities to conduct impact assessments and implement risk mitigation measures. Although this provision is discretionary and subject to future delegated acts, it signals a clear legislative intent to extend sovereignty risk management beyond the public sector to critical private infrastructure like energy grids.

The CADA explanatory memorandum reinforces this by noting that the proposal "complements EU's broader policy framework on cybersecurity and digital resilience." It highlights that while NIS2 addresses technical risks, the sovereignty framework established by CADA, and in particular the risk assessment mechanism in Article 29 (and by extension Article 31 for private entities), "contributes directly to the digital preparedness dimension" of the Preparedness Union Strategy.

The Interaction: Complementary, Not Contradictory

The CADA explanatory memorandum explicitly states that the proposal "complements EU's broader policy framework on cybersecurity and digital resilience." The interaction can be summarized as follows:

  1. NIS2 (Cybersecurity): Energy operators must implement technical and organizational measures to manage cybersecurity risks. This includes securing their cloud environments against unauthorized access, data breaches, and operational disruptions caused by cyber attacks.
  2. CADA (Sovereignty): Energy operators must assess whether their cloud providers offer sufficient "Union assurance levels" to protect against geopolitical risks, such as extraterritorial data access, service disruption by third-country actors, or the inability to operate autonomously.

If an energy operator uses a cloud provider that does not meet CADA's sovereignty criteria (e.g., a provider subject to third-country control without adequate safeguards), they may face operational and compliance risks under CADA, even if that provider is fully compliant with NIS2 cybersecurity standards. CADA's framework of four Union assurance levels (Article 16) provides the criteria for this assessment.

For entities identified as having public order relevance through risk assessments, CADA would require the use of services recognized at Union assurance levels 2, 3, or 4 (Article 30(3)). While Article 30 primarily targets public procurement, the spillover effect and the explicit mention of NIS2 Annex I entities in Article 31 suggest that energy operators will face market pressure and potential regulatory requirements to migrate to sovereign cloud solutions. The memorandum notes that "public procurement frequently serves as a primary signal of market direction," and requirements imposed by public authorities "tend to be mirrored by private-sector entities operating in regulated industries."

Deadlines and Penalties

Under NIS2, compliance is already mandatory, with penalties determined by Member States. CADA, as a proposal, would introduce new timelines and enforcement mechanisms.

  • Risk Assessments: Article 29 requires Member States and Union entities to carry out risk assessments within one year of CADA's entry into force. For private entities like energy operators, the timeline for mandatory impact assessments under Article 31(3) depends on future delegated acts.
  • Penalties: Article 24 sets out the penalties and compensation rules applicable to infringements by cloud computing service providers. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." While Article 24 focuses on provider infringements, the framework creates a liability environment where non-compliant providers may be excluded from the market, indirectly penalizing operators who rely on them for critical functions.

What this means for you

For in-house counsel and compliance officers in the energy sector, the convergence of NIS2 and the proposed CADA creates a dual-compliance landscape. You must ensure that your cloud providers not only meet NIS2's cybersecurity standards but also align with CADA's emerging sovereignty requirements.

Actionable Steps:

  1. Audit Current Cloud Providers: Review your cloud contracts against NIS2 cybersecurity requirements. Simultaneously, assess your providers against CADA's Union assurance levels (Annex II of CADA). Determine if your provider is subject to third-country control and whether they can demonstrate compliance with Union assurance levels 2, 3, or 4.
  2. Prepare for Impact Assessments: Although Article 31(3) relies on future delegated acts, you should proactively conduct impact assessments similar to those required for public sector bodies under Article 29. Document the sensitivity of your data and the criticality of your operations to public order.
  3. Monitor Delegated Acts: Watch for Commission delegated acts under Article 31(3) that may mandate impact assessments for energy operators. Early compliance will mitigate future disruption.
  4. Engage with Competent Authorities: As CADA requires Member States to designate national competent authorities (Article 25), engage with them to understand how sovereignty risk assessments will be integrated with existing NIS2 supervision.

Common misconceptions

Misconception 1: CADA replaces NIS2 cybersecurity obligations. This is incorrect. CADA explicitly complements NIS2. NIS2 remains the primary law for cybersecurity risk management. CADA adds a sovereignty layer, focusing on control, data localization, and protection against third-country interference. You must comply with both.

Misconception 2: Article 31 only applies to the public sector. This is incorrect. Article 31 explicitly references "Entities referred to in Annex I of Directive (EU) 2022/2555," which includes private energy operators. While the mandatory nature of the assessment depends on future delegated acts, the legal basis for assessing private critical infrastructure is firmly established in CADA.

Misconception 3: If my cloud provider is NIS2-compliant, it is CADA-compliant. This is incorrect. NIS2 compliance ensures technical security. CADA compliance ensures sovereignty. A provider can be secure (NIS2-compliant) but still subject to third-country laws that allow data access or service disruption (CADA non-compliant). CADA's assurance levels require specific measures regarding data location, personnel citizenship, and absence of third-country control, which go beyond NIS2.

Misconception 4: CADA only affects public procurement. This is incorrect. While Article 30 mandates procurement standards for public bodies, Article 31 extends the sovereignty assessment logic to private entities in the NIS2 Annex I sectors. The memorandum notes that private sector entities in regulated industries often mirror public procurement requirements, creating a de facto market standard for sovereign cloud.

This is general information about a draft EU regulation, not legal advice.