Summary

The proposed Cloud and AI Development Act (CADA) and the NIS2 Directive (Directive (EU) 2022/2555) would operate as complementary pillars: NIS2 mandates technical cybersecurity risk management for cloud providers and data centres, while CADA — as proposed — would add a sovereignty framework to address strategic dependencies and protect public order. CADA reuses NIS2's definitions of "cloud computing service" and "data centre service" for consistency, and Article 31 would let private entities in NIS2-covered sectors carry out sovereignty-style assessments similar to those public bodies must conduct under Article 29.

Detail

Distinct but complementary mandates

NIS2 and CADA have different primary objectives. NIS2 improves the cybersecurity risk management of cloud-computing service providers and data centres across the EU, requiring appropriate technical and organisational measures to manage risks to network and information systems. As the CADA explanatory memorandum puts it, NIS2 "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations" — for example, the risk of extraterritorial data access or operational disruption by third-country actors.

CADA, as proposed, would address that gap by introducing a harmonised EU-wide sovereignty framework (the Union assurance levels) that lets contracting authorities verify that cloud services meet specific autonomy and resilience criteria. The two instruments are designed to work in tandem: NIS2 keeps the service secure from cyber threats, while CADA would keep it resilient against geopolitical and operational dependencies.

Harmonised definitions

CADA aligns its core definitions with NIS2 for legal certainty. Article 2 of CADA provides:

  • Cloud computing service: Article 2(1) defines it as "cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555" — a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources.
  • Data centre service: Article 2(12) defines it as "data centre service as defined in Article 6, point (31), of Directive (EU) 2022/2555."

By anchoring these definitions in NIS2, CADA ensures that the entities subject to NIS2's cybersecurity obligations are clearly identifiable within its own framework, avoiding regulatory fragmentation.

Private-sector impact assessments under Article 31

A key intersection is CADA Article 31. While the mandatory procurement obligations (Article 30) apply to public-sector bodies and Union entities, Article 31 addresses private entities in NIS2-covered sectors.

Article 31(1) states: "Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29." Article 29 requires Member States and Union entities to conduct risk assessments to determine the required Union assurance level for public-sector activities. So private entities in NIS2 Annex I sectors (such as energy, transport, banking, and digital infrastructure) would be permitted — and encouraged — to conduct similar assessments of their exposure to third-country control and service-disruption risks.

Article 31(2) provides that the Commission may issue guidance on the methodology for such impact assessments and possible mitigation measures for entities in sectors of high criticality. Article 31(3) empowers the Commission, by delegated act and in duly justified circumstances (in consultation with Member States), to specify the need for such impact assessments and risk-mitigation measures for entities that are not public bodies operating in sectors of high criticality. This creates a bridge: NIS2 identifies the critical entities, and CADA would provide the sovereign risk-assessment toolkit they can apply.

Separate enforcement regimes

CADA and NIS2 would maintain distinct enforcement. NIS2 empowers national competent authorities to impose administrative fines for cybersecurity non-compliance. Under CADA Article 24, Member States would lay down effective, proportionate, and dissuasive penalties for infringements of the sovereignty framework (for example, supplying incorrect or misleading information in a recognition application). These are distinct violations with distinct penalties. A provider could be NIS2-compliant yet fail to meet CADA's Union assurance level 3 criteria due to third-country control — or vice versa.

What this means for you

For in-house counsel and compliance officers, CADA and NIS2 would call for a dual-track compliance strategy:

  1. Map your NIS2 status. Identify whether your entity is an essential or important entity under NIS2 Annex I or II. If so, you would be eligible to conduct the assessments under CADA Article 31. Even where not mandatory, such assessments can demonstrate due diligence on supply-chain sovereignty.
  2. Separate technical from sovereign audits. Distinguish NIS2 technical-cybersecurity controls (encryption, incident response) from CADA sovereignty criteria (personnel location/citizenship, absence of third-country control, data residency). NIS2 compliance does not, by itself, confer a Union assurance level.
  3. Monitor Article 31 guidance. Watch for Commission guidance under Article 31(2) on methodology, and for any delegated act under Article 31(3) that could make impact assessments mandatory for high-criticality private entities.
  4. Update contracts. Review vendor contracts to address both NIS2 cybersecurity obligations and CADA transparency requirements (such as disclosure of subcontractors and third-country control structures).

Common misconceptions

  • "NIS2 compliance guarantees CADA sovereignty recognition." Incorrect. NIS2 covers technical security; CADA's higher assurance levels add criteria on personnel citizenship, data residency, and absence of third-country control that go beyond NIS2. A service can be NIS2-compliant yet fall short of Union assurance level 3 due to ownership structures.
  • "Article 31 imposes mandatory impact assessments on all private companies." Not currently. Article 31(1) says NIS2 Annex I entities may carry out similar assessments. Mandatory requirements would require the Commission to act under Article 31(3), contingent on specific circumstances and high criticality.
  • "CADA replaces NIS2 for cloud providers." No. CADA would not repeal NIS2; the explanatory memorandum frames CADA as supplementing it. Providers would need to comply with both — NIS2 for cybersecurity, CADA for sovereignty assurance if serving public-sector clients or seeking recognition.

This is general information about a draft EU regulation, not legal advice.