Summary

The proposed Cloud and AI Development Act (CADA, COM(2026) 502 final) and the NIS2 Directive (Directive (EU) 2022/2555) are complementary frameworks. NIS2 governs technical cybersecurity risk management for essential and important entities; CADA, as proposed, would add a sovereignty framework to reduce dependence on third-country cloud providers. The two are tightly stitched together by definitions and scope: CADA borrows NIS2's definitions of "cloud computing service" (Article 2(1)) and "data centre service" (Article 2(12)), and it pegs its public-order risk assessments to the sectors of NIS2 Annexes I and II (Article 29). But NIS2 compliance would not satisfy CADA: the explanatory memorandum says NIS2 "is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

Detail

NIS2 and CADA overlap on subject-matter — cloud computing and data centres — but view it through different lenses: cybersecurity versus technological sovereignty. Understanding where they align (definitions, scope) and where they diverge (obligations) is essential.

Definitional alignment: CADA borrows from NIS2

To preserve legal certainty, CADA reuses NIS2's core definitions. Article 2(1) defines "cloud computing service" by reference to Article 6, point (30), of Directive (EU) 2022/2555, and Article 2(12) defines "data centre service" by reference to Article 6, point (31), of the same Directive. Recital 10 restates the NIS2 cloud definition as "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources." (CADA's other infrastructure terms come from elsewhere — for instance "data centre" itself is defined via Regulation (EC) No 1099/2008 and "data centre operator" via Delegated Regulation (EU) 2024/1364.)

The point of borrowing is practical: an entity that already identifies as a cloud or data-centre service provider under NIS2 will recognise its status under CADA. The definitions are shared even though the obligations they trigger are not.

Divergent objectives: technical cybersecurity vs. sovereignty

The memorandum draws the boundary cleanly. NIS2 "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU, resulting in greater trust. However, it does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

CADA would fill that gap with the Union cloud computing sovereignty framework (Article 16): four assurance levels with cumulative criteria in Annex II covering matters such as Union establishment, data and infrastructure location, and mitigation of third-country control — criteria distinct from NIS2's technical cybersecurity standards. A provider can fully meet NIS2 yet fail CADA's level 3 or 4 if, for example, it is subject to third-country control that is not adequately mitigated. (Cybersecurity certification still features in CADA: Annex II expects, from level 2, a European cybersecurity certificate at assurance level "substantial" once such a scheme exists, with national schemes or the highest applicable standards in the interim.)

Overlapping scope: NIS2 sectors and CADA risk assessments

The interaction is densest for entities in the NIS2 sectors. Article 29(1) requires Member States and Union entities to identify public-sector activities contributing to the preservation of public order "in sectors falling under Annex I or II of Directive (EU) 2022/2555" and in national security, internal security, external border management, defence, justice or law enforcement — then to determine which assurance level (2, 3 or 4) is appropriate. The sectors NIS2 marks as critical for cybersecurity thus become the primary focus for CADA sovereignty assessments.

For private entities, Article 31 provides that entities "referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29" — voluntary in principle, with the Commission able to issue guidance and, in duly justified circumstances and by delegated act, to require impact assessments for entities operating in sectors of high criticality.

Enforcement and penalties

The two have separate enforcement and penalty tracks. NIS2 requires Member States to provide for administrative fines and sanctions that are effective, proportionate and dissuasive. CADA would set up its own framework in Article 24, requiring Member States to lay down penalties for infringements by cloud providers (with non-exhaustive criteria in Article 24(2), including the nature, gravity, scale and duration of the infringement and the provider's Union turnover). Notably, Article 24(3) would give recipients of cloud services a right to seek compensation from providers for damage caused by infringements of CADA — a private remedy that NIS2 does not provide in the same form. National competent authorities would hold investigative and enforcement powers under Article 26.

A different compliance act: recognition, not incident reporting

The mechanics differ as much as the objectives. NIS2 compliance is demonstrated continuously, through ongoing risk management, supervisory engagement and incident notification to national CSIRTs or competent authorities. CADA recognition, by contrast, is a status granted once and then maintained: under Article 17 a provider applies to the national competent authority of its Member State of establishment, which (for levels 2 to 4) assesses the audit report and "positive" audit opinion, prepares a draft recognition decision, and notifies the other Member States' authorities for a review period during which they may raise reasoned objections. Absent objection, the service is recognised "throughout the Union" at the relevant level; disputes can be referred to the Commission for a binding decision. So a NIS2-regulated provider would not simply "extend" its NIS2 programme into CADA. It would enter a distinct recognition pipeline with its own evidence base (Annex III) and its own cross-border procedure, and it would need to keep that evidence current to retain the status.

Sitting alongside DORA and the Cybersecurity Act

NIS2 is not the only neighbouring instrument. The memorandum notes that CADA also supports the objectives of the Digital Operational Resilience Act (DORA), which "shapes compliance obligations for cloud computing service providers" but "has a sectoral scope and is specific to the financial sector," and that it supplements the Cybersecurity Act, whose certification "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns." A provider serving financial entities could therefore face NIS2, DORA and CADA layers at once — technical resilience, financial-sector operational resilience, and sovereignty respectively.

Timelines

NIS2 is in force, with a transposition deadline of 17 October 2024. CADA is a proposal: under Article 48 it would apply one year after entry into force. Entities should expect a period of dual compliance and should not assume NIS2 documentation will suffice for CADA — separate processes for sovereignty risk assessments, assurance-level evaluations and procurement adjustments would be needed.

What this means for you

Run cybersecurity and sovereignty as two pillars, not one.

  1. Map NIS2 status to CADA. If you are an essential or important entity under NIS2, you are squarely within CADA's demand-side focus. Review Article 31 for the right (and possible future obligation) to assess providers' sovereignty.
  2. Keep separate registers. NIS2 tracks technical vulnerabilities and incident reporting; CADA would track legal jurisdiction, data localisation and third-country control. A provider can be technically secure yet sovereignty-exposed.
  3. Adjust procurement. Under Article 30, public bodies whose activities contribute to public order must procure level 2, 3 or 4 services; tenders will need sovereignty criteria alongside cybersecurity requirements.
  4. Deepen vendor due diligence. NIS2 already requires supply-chain security to be addressed in risk management (Article 21(2)(d)), so assessing providers is not new; what changes is the subject of the assessment. Beyond ISO 27001 or NIS2 evidence, probe data localisation, subcontractor locations and third-country-control structures (ownership, applicable foreign law, ability of a third-country authority to compel access), which are central to CADA and peripheral to NIS2.
  5. Watch the secondary legislation. CADA would rely on implementing acts for the risk-assessment methodology (Article 29(3)) and on delegated/implementing acts around audits; these will set the operational detail.

Common misconceptions

"NIS2 compliance equals CADA compliance." No. NIS2 addresses technical cybersecurity; CADA would address sovereignty, data localisation and operational autonomy. A NIS2-compliant provider can still fail CADA's level 3 or 4.

"CADA replaces NIS2 for cloud providers." No. The memorandum frames CADA as complementing NIS2; both apply. NIS2 remains the cybersecurity framework; CADA would add sovereignty assurance and procurement rules.

"Only public bodies are affected by CADA's sovereignty framework." No. Article 30 binds public buyers, but Article 31 lets NIS2 Annex I private entities run similar assessments, and public demand would shape the wider market.

"CADA's definitions are brand new." No. CADA deliberately reuses NIS2's definitions of "cloud computing service" and "data centre service." The difference lies in what covered entities must do, not in who is covered.

This is general information about a draft EU regulation, not legal advice.