Summary

The proposed Cloud and AI Development Act (CADA) and the Digital Operational Resilience Act (DORA) operate in complementary but distinct spheres. DORA — already in force — imposes sector-specific ICT risk-management and incident-reporting obligations on financial entities and their critical third-party providers. CADA is a horizontal proposal that, among other things, would establish a Union cloud-computing sovereignty framework. The proposal states it "supports the objectives of the Digital Operational Resilience Act (DORA)" by addressing non-technical risks — extraterritorial data access and operational discontinuity — that DORA's technical-resilience focus does not reach. Financial entities would, in practice, navigate both: DORA for operational resilience, and CADA's assurance levels where their activities contribute to public order.

Detail

Technical resilience versus strategic sovereignty

DORA is a sector-specific regulation targeting the financial sector. It requires financial entities — and, through its oversight regime, cloud providers designated as "critical ICT third-party service providers" — to implement ICT risk-management frameworks, test operational resilience, and report significant ICT-related incidents. Its concern is the technical and operational continuity of financial services during cyberattacks or failures.

CADA, by contrast, is a horizontal proposal applying across the cloud and AI ecosystem, not just finance. The explanatory memorandum is explicit that CADA "supports the objectives of the Digital Operational Resilience Act (DORA)." It notes that DORA "indirectly covers cloud computing service providers if they provide services to specified financial entities or if their role is significant enough in terms of operational resilience," that DORA "has a sectoral scope and is specific to the financial sector," and that under DORA providers "must implement ICT risk management and conduct regular incident response testing to comply with the requirements for critical third-party service providers." Crucially, the memorandum frames DORA as focused on operational resilience rather than the "broader sovereignty considerations" CADA targets.

The CADA sovereignty layer

CADA would establish a Union cloud-computing sovereignty framework of four Union assurance levels (Article 16), addressing data access, operational autonomy and public order. The same memorandum draws the line between cybersecurity and sovereignty directly: certification under the Cybersecurity Act "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." CADA would fill that gap with harmonised, auditable sovereignty criteria.

For the financial sector this matters because it sits within both regimes. Under Article 29, Member States and Union entities would carry out risk assessments to identify public-sector activities contributing to the preservation of public order, and Article 30 would then require contracting authorities to procure at least Union assurance level 1, and levels 2, 3 or 4 for public-order activities. CADA's procurement rules bind public authorities directly, but the proposal anticipates spillover into regulated private sectors: requirements adopted by public authorities tend to be mirrored by private-sector entities managing comparable systemic risks.

Overlapping obligations

For in-house counsel and compliance officers in finance, the interplay means two parallel but related obligation sets:

  1. ICT risk management (DORA): ensuring providers maintain ICT risk-management policies, incident reporting and third-party risk frameworks, with oversight of critical providers (including ESA inspection powers).
  2. Sovereignty assurance (CADA, as proposed): where activities are deemed to contribute to public order, procuring cloud services recognised at the appropriate Union assurance level. Article 31 would let private entities within the scope of NIS2 carry out impact assessments similar to the Article 29 public-sector assessments.

CADA also introduces supporting structures such as the European public sector cloud federation ("EuroCloud Federation," Article 34) for sharing public-sector cloud and data-centre capacity. Though aimed at public entities, such sovereign infrastructure could indirectly reduce overall dependency on non-EU hyperscalers.

What this means for you

  • Dual diligence. Verify that providers meet DORA's ICT risk-management standards and, where relevant, CADA's sovereignty criteria. For public-order-relevant operations this may mean requesting evidence of a recognised Union assurance level.
  • Run the assessment. Article 29 risk assessments determine the appropriate assurance level for public-sector activities; NIS2-scope private entities can run analogous assessments under Article 31. Use these to identify which workloads would need higher assurance.
  • Update contracts. Consider clauses addressing both DORA's operational-resilience requirements and CADA's sovereignty safeguards (e.g. protection against coercive third-country access and service disruption).
  • Expect multi-authority oversight. DORA enforcement runs through financial supervisors; CADA enforcement would run through national competent authorities with investigative powers (Article 26), creating a potential multi-agency environment.

Common misconceptions

  • "DORA already covers all cloud risks." DORA focuses on technical cybersecurity and operational continuity. It does not address sovereignty risks such as a third country compelling a provider to access EU data or disrupt service — the gap CADA is designed to fill.
  • "CADA would replace DORA for financial entities." No. They are complementary. DORA remains the primary ICT risk-management regime for finance; CADA would add a horizontal sovereignty layer relevant to public-order activities.
  • "Only the public sector is affected by CADA's sovereignty framework." While Article 30's procurement rules bind public authorities, the proposal expects private entities in regulated sectors to face mirrored demands, and Article 31 enables analogous private assessments.

This is general information about a draft EU regulation, not legal advice.