Summary

As proposed, the Cloud and AI Development Act (CADA) complements the Cybersecurity Act (CSA) by adding a sovereignty layer on top of technical cybersecurity. The CSA and its planned revision focus on the security and supply-chain trustworthiness of ICT; CADA's four-tier "Union assurance level" framework addresses operational autonomy and the risk of third-country control. The European Cybersecurity Certification Scheme for Cloud Services (EUCS), to be developed under the CSA, would feed into CADA's higher assurance levels: as set out in Annex II, levels 2 and 3 require a European cybersecurity certificate of at least "substantial", and level 4 requires "high".

Detail

CADA (COM(2026) 502 final) does not replace cybersecurity law; it builds on it to address risks that technical security alone cannot — chiefly geopolitical dependency and operational continuity.

CADA adds sovereignty on top of technical cybersecurity

CADA's explanatory memorandum distinguishes the two. It states that certification under the Cybersecurity Act "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements."

The CSA focuses on technical cybersecurity; the proposed CSA revision (referred to in the memorandum as the "Cybersecurity Act (CSA2) revision") "addresses supply chain risks" and "reinforces the trustworthiness of the hardware and software ICT supply chain." CADA, by contrast, targets non-technical risks such as unilateral decisions by third-country actors disrupting service, or extraterritorial laws compelling data access. The memorandum frames them as complementary: together, the proposal and the CSA2 "fill long-standing gaps in sovereignty and non-technical risks."

CADA establishes its "Union cloud computing sovereignty framework" comprising four assurance levels, with criteria set out in Annex II (Article 16). Where the CSA helps ensure a service is technically secure, CADA's framework aims to ensure the provider and infrastructure are not subject to controls that could undermine the Union's operational autonomy.

The role of EUCS in CADA assurance levels

EUCS is a certification scheme being developed by ENISA under the Cybersecurity Act (Regulation (EU) 2019/881). Per the memorandum, the EUCS "has not yet been adopted," and "work will resume" on it; when finalised, it "could be leveraged in the framework for sovereign cloud computing services as a way of ensuring that an audited service meets the highest cybersecurity standards."

This dependency is most visible in CADA's higher levels. According to Annex II:

  • Union assurance levels 2 and 3: the audited service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881 — i.e. EUCS — provided such a scheme has been established and is available. Until then, national cybersecurity certification schemes apply where they exist.
  • Union assurance level 4: the audited service must obtain a certificate of at least assurance level "high" under such a scheme, on the same conditional basis.

For all of these, where no Union or national scheme exists, the provider must demonstrate that the service complies with the highest cybersecurity standards under applicable Union law. The practical effect: once EUCS is established, achieving CADA's higher sovereignty levels will likely require successful EUCS certification.

Procurement and risk assessments

Under CADA, Member States and Union entities must conduct risk assessments (Article 29) considering, among other things, the sensitivity and criticality of data, the risk of unlawful third-country access, and the risk of service disruption. Where activities are identified as contributing to public order, contracting authorities must procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)). Because those levels embed cybersecurity-certification criteria, technical security (CSA/EUCS) is effectively a prerequisite for sovereignty recognition (CADA).

What this means for you

For in-house counsel and compliance officers, especially in the public sector or critical infrastructure:

  1. Dual compliance. Prepare for both technical cybersecurity standards (CSA/EUCS) and CADA's sovereignty criteria. A provider can be technically secure yet fail CADA's tests if subject to third-country control.
  2. EUCS as a likely gate. While national certifications may apply until EUCS is established, EUCS will likely become the benchmark for tenders requiring levels 2–4 under Annex II. Begin aligning evaluations with EUCS profiles.
  3. Risk-assessment methodology. Article 29 assessments must weigh non-technical sovereignty risks — third-country access and service disruption — not just data sensitivity. Build these into your internal frameworks.
  4. Supply-chain due diligence. With the CSA revision focusing on supply chain and CADA on provider control, you need end-to-end visibility across subcontractors and underlying infrastructure.
  5. Procurement discipline. For public bodies, Article 30 sets mandatory procurement rules tied to the risk-assessment outcome; procuring outside the recognised set could breach CADA obligations.

Common misconceptions

"CADA replaces the CSA or EUCS." No. As proposed, the CSA remains the instrument for technical cybersecurity certification; CADA adds a sovereignty layer. EUCS, developed under the CSA, feeds the CADA framework rather than competing with it.

"Cybersecurity certification alone is enough for public-sector procurement." No. A service can be CSA/EUCS-certified yet fail CADA's sovereignty criteria if controlled by a third country. Public procurement at levels 2–4 requires both.

"EUCS is already mandatory for all cloud services." No. The memorandum notes EUCS has not yet been adopted. Under CADA's Annex II it would become, in effect, a requirement for serving the public sector at levels 2–4 once established; until then national certifications apply where they exist.

"Sovereignty is only about data location." No. CADA's Annex II criteria go beyond residency to provider control, personnel, freedom from third-country laws that could compel access, and service continuity.

This is general information about a draft EU regulation, not legal advice.