Summary
As proposed, the Cloud and AI Development Act (CADA) would introduce a sovereignty framework that operates alongside, but distinct from, the cybersecurity obligations of NIS2 and DORA. NIS2 and DORA mandate technical resilience and security risk management; CADA's Union cloud computing sovereignty framework (Article 16) addresses geopolitical, operational, and data-access risks tied to third-country control. Public sector bodies would conduct sovereignty risk assessments under Article 29 to determine the required assurance level, complementing rather than replacing existing cybersecurity compliance. CADA is a proposal and is not yet in force.
Detail
The proposed CADA would establish a framework to strengthen the EU's cloud and AI ecosystem, with the Union cloud computing sovereignty framework as a central pillar. To understand how it interacts with the NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), it helps to distinguish cybersecurity from sovereignty.
Distinct objectives: cybersecurity vs. sovereignty
NIS2 and DORA focus primarily on technical cybersecurity and operational resilience. NIS2 improves the cybersecurity risk management of cloud providers and data centres, increasing trust in their technical integrity. As the CADA explanatory memorandum frames it, however, existing law is focused on technical cybersecurity rather than broader sovereignty considerations, and does not boost the uptake of sovereign services or address the extraterritorial application of third-country laws.
DORA shapes ICT risk-management and resilience-testing obligations for the financial sector, including oversight of critical ICT third-party service providers. It is sector-specific and does not address the broader strategic dependencies or the risk of unilateral decisions by third-country actors disrupting service provision on geopolitical grounds.
CADA would fill this gap with a harmonised, auditable set of criteria for different levels of sovereignty. The proposal's position is that cybersecurity certification can address technical criteria but is not suited to sovereignty concerns that go beyond those technical elements. CADA's framework is therefore designed to complement NIS2 and DORA by addressing non-technical risks, such as foreign-authority access to data or service degradation driven by third-country legal mandates.
The Union cloud computing sovereignty framework
Under Article 16, the framework would comprise four Union assurance levels (1 to 4), with cumulative criteria in Annex II that go beyond technical security to include:
- The location of infrastructure, assets, and personnel.
- The legal jurisdiction of the provider and its subcontractors.
- The absence of third-country control that could compel data access or service disruption.
- Software supply chain measures to prevent remote tampering.
For example, Union assurance level 2 requires that the audited provider and subcontractors are established in the Union, that infrastructure, assets, and personnel are located in the Union, and that the service holds a European cybersecurity certificate of at least assurance level "substantial." Higher levels (3 and 4) add stricter requirements, such as Union citizenship for personnel and a higher cybersecurity assurance level.
Sovereignty risk assessments complementing NIS2 and DORA
The operational bridge between the framework and public-sector procurement is the risk assessment. Article 29 would oblige Member States and Union entities to carry out risk assessments to identify public sector activities contributing to public order in sectors falling under Annex I or II of NIS2 and in areas such as national security, internal security, external border management, defence, justice, and law enforcement, and to determine which Union assurance level (2, 3, or 4) is appropriate. The assessment must consider at least:
- The sensitivity, criticality, and magnitude of the data processed (personal and non-personal).
- The risk and impact on public order of unlawful access by a third country.
- The risk and impact on public order of possible service disruption.
This complements NIS2 and DORA: those instruments require management of cybersecurity and operational-resilience risk, while CADA's Article 29 requires assessment of sovereignty risk. A service might be technically secure yet still pose a sovereignty risk if controlled by a third-country entity subject to laws allowing foreign access. Where the assessment identifies public-order relevance, Article 30 requires procuring only services recognised at Union assurance level 2, 3, or 4.
Systemic infrastructure risk and public order
The CADA explanatory memorandum links these measures to wider Union preparedness objectives, identifying dependence on critical digital infrastructure as a systemic risk. Recital 62 highlights that the risk assessment should determine which Union assurance level is appropriate for activities, due to their importance in preserving public order in sectors falling under NIS2. This creates a layered model:
- Technical compliance: meet cybersecurity and operational-resilience standards under NIS2/DORA.
- Sovereignty assessment: conduct risk assessments under CADA Article 29.
- Procurement compliance: procure services meeting the corresponding Union assurance level (Article 30).
Implications for private sector entities
CADA's mandatory procurement rules apply to public sector bodies. Article 31 allows entities referred to in Annex I of NIS2 that are not public sector bodies to carry out similar assessments. These are not mandatory by default, but the Commission may issue guidance on methodology and, under Article 31(3), may adopt delegated acts requiring such impact assessments for entities operating in sectors of high criticality. This suggests a spillover where critical-sector entities may adopt CADA's sovereignty criteria to align with public-sector partners.
What this means for you
For in-house counsel and compliance officers, the relationship between CADA, NIS2, and DORA suggests a dual-track strategy.
- Separate risk registers: Don't conflate cybersecurity risk with sovereignty risk. Your NIS2/DORA programme addresses technical vulnerabilities, incident response, and supply-chain security from a cyber perspective; CADA would add an assessment of geopolitical and legal risks such as foreign-government access or sanctions-driven disruption.
- Risk-assessment deadlines: As proposed, Member States and Union entities must carry out the first risk assessments under Article 29 within one year of entry into force, and thereafter every two years. These dictate the minimum assurance level for procurement.
- Procurement strategy: Public sector bodies would align procurement with their Article 29 assessments. For activities contributing to public order in NIS2 sectors, procurement may be restricted to services recognised at Union assurance level 2, 3, or 4, potentially narrowing the vendor pool by excluding providers under third-country control.
- Vendor due diligence: Verify not only technical certifications but also sovereignty recognition. Providers apply to national competent authorities under Article 17; monitor the central repository under Article 22.
- Private-sector preparation: If you operate in a sector listed in Annex I of NIS2, prepare for possible impact assessments under Article 31. They are voluntary by default, but the Commission may require them for high-criticality sectors (Article 31(3)).
Common misconceptions
- "NIS2 compliance is enough for sovereignty." Incorrect. NIS2 focuses on technical cybersecurity. A service can be technically secure yet pose a sovereignty risk if subject to third-country laws allowing data access. CADA addresses that gap.
- "CADA replaces DORA for financial services." Incorrect. DORA remains the primary regulation for digital operational resilience in the financial sector. CADA would add a sovereignty layer rather than replace DORA.
- "Sovereignty risk assessments are optional for the public sector." Incorrect. Article 29 would require Member States and Union entities to carry out risk assessments determining the required assurance level. This is a binding obligation under the proposal.
- "Only EU-based providers can qualify." Incorrect. EU establishment is a key criterion, but Article 18 lets the Commission identify "associated third countries" whose providers may be audited against Union assurance level 3, subject to cumulative criteria. The default still expects EU-based control and infrastructure.
Related
- Why the EU-US Data Privacy Framework doesn't solve CADA sovereignty
- What was Schrems II and how does it relate to cloud sovereignty under CADA?
- What is Gaia-X and how does it relate to CADA sovereignty?
- How does sovereignty relate to AI model and compute access?
- Why is cloud sovereignty important for critical infrastructure?
This is general information about a draft EU regulation, not legal advice.