Summary

Under the proposed Cloud and AI Development Act (CADA), the EuroCloud Federation is designed to operate within the existing EU cybersecurity framework, using the NIS2 Directive as a foundational baseline. Article 35(2) of the CADA proposal mandates that any "sharing entity" (a public sector body or Union entity sharing services) must put in place "appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services." While CADA focuses on sovereignty and public-sector cooperation, the specific cybersecurity measures required for EuroCloud members are expected to align with the high common level of cybersecurity risk management established by NIS2. The precise details of these measures will not be in the primary regulation itself but will be specified later through implementing acts under Article 35(6).

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes the EuroCloud Federation to facilitate the sharing of data centre and cloud computing services between Union entities and public sector bodies. For technical leaders, a critical question is how this new sovereign sharing mechanism interacts with existing cybersecurity obligations, particularly the Directive on Security of Network and Information Systems (NIS2).

The Legal Foundation: Article 35 and the NIS2 Baseline

The core obligation for cybersecurity within the EuroCloud Federation is explicitly set out in Article 35(2) of the CADA proposal. It states that a "sharing entity shall put in place appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."

The proposal's explanatory memorandum clarifies the relationship between CADA and the broader EU cybersecurity acquis. It notes that the proposal complements the NIS2 Directive, which already "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU." However, the memorandum draws a sharp distinction: NIS2 is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

CADA is designed to fill the gap regarding sovereignty and non-technical risks (such as operational autonomy, protection against third-country interference, and supply-chain resilience) while relying on NIS2 for the baseline of technical cyber resilience. Therefore, the EuroCloud framework does not reinvent the wheel for cybersecurity; instead, it assumes a baseline of NIS2 compliance and layers sovereign sharing rules on top of it.

The Role of Implementing Acts (Article 35(6))

While Article 35(2) sets the high-level requirement for "appropriate" measures, the CADA text does not list these measures in exhaustive detail within the primary legislation. This is a deliberate legislative choice to allow for technical agility. Instead, the proposal defers to secondary legislation.

Article 35(6) explicitly empowers the Commission to adopt implementing acts to "specify the technical, operational and organisational measures referred to in paragraph 2."

For practitioners, this means the exact compliance checklist is not yet final. The specific requirements for incident handling, risk analysis, business continuity, and access control within the EuroCloud context will be defined in these future implementing acts. However, given the explicit reference to NIS2 in the proposal's consistency analysis, it is highly probable that these measures will mirror or exceed the requirements found in NIS2. Before a sharing entity can participate, it must demonstrate to the Commission that it fulfills these conditions.

Impact on Public Sector Bodies and Sharing Entities

The EuroCloud Federation is exclusively for public entities (Union entities and public sector bodies). Many of these entities, particularly those in the "essential" and "important" sectors defined by NIS2, are already subject to strict NIS2 obligations.

The CADA proposal does not replace NIS2; rather, it adds a layer of sovereign assurance and cooperative sharing rules. For a public sector body acting as a "sharing entity," the following applies:

  1. NIS2 Compliance is a Prerequisite: If the entity falls within the scope of NIS2, it must already be compliant.
  2. Enhanced Scrutiny for Sharing: The CADA adds the requirement that these existing cybersecurity measures must be sufficient to guarantee the security of the shared resources. This implies a rigorous review of current NIS2 compliance to ensure it meets the specific demands of inter-organizational data sharing within the EuroCloud framework.
  3. Demonstration of Compliance: The sharing entity must demonstrate to the Commission that it fulfills the conditions of Article 35(2) and (3) before it is allowed to share services. This demonstration will likely rely heavily on evidence of NIS2 compliance, augmented by specific measures for the federation.

Sovereignty vs. Cybersecurity: Two Distinct Pillars

It is crucial to distinguish between the two pillars of the CADA's security approach, as they serve different purposes:

  1. Cybersecurity (NIS2-aligned): This pillar protects against technical attacks, data breaches, service disruptions, and operational failures. Article 35(2) leans heavily on this aspect, ensuring that the shared infrastructure is technically robust.
  2. Sovereignty (CADA-specific): This pillar protects against extraterritorial access, vendor lock-in, and operational dependency on third-country actors. This is addressed through the Union assurance levels (Levels 1–4) defined in Annex II of CADA and the risk assessments required under Article 29.

A sharing entity must satisfy both pillars to participate effectively. It must be NIS2-compliant (cybersecurity) and CADA-recognized (sovereignty assurance). Article 35 focuses on the secure provision of services, ensuring that the technical foundation is solid, while the broader EuroCloud framework ensures that the entities sharing these services also meet strict criteria regarding data localization, control, and third-country influence.

What this means for you

For CTOs, architects, and compliance officers in the public sector or in SMEs providing services to the public sector, the intersection of EuroCloud and NIS2 has three practical implications:

  1. Audit Your NIS2 Compliance as a Baseline: If your organization plans to be a "sharing entity" in the EuroCloud Federation, your current NIS2 compliance program is your starting point, not your finish line. Ensure your risk analysis, incident handling policies, and business continuity plans are robust, as these will form the core of the "technical, operational and organisational measures" required by Article 35(2).
  2. Prepare for Specific Implementing Acts: Monitor the Commission's upcoming implementing acts under Article 35(6). These will specify the exact measures required. While they will likely align with NIS2, they may introduce additional requirements specific to the federated sharing model, such as enhanced identity management, mutual authentication tools, or cross-border incident reporting protocols tailored to the EuroCloud platform.
  3. Document Sovereignty and Security Separately: When applying to join the EuroCloud Federation, be prepared to demonstrate two distinct things: your technical cybersecurity posture (aligned with NIS2 and Article 35) and your sovereignty posture (aligned with CADA's assurance levels). Do not conflate the two in your documentation, as the Commission will assess them against different criteria. The security measures ensure the service works; the sovereignty measures ensure the service is trusted.

Common misconceptions

  • Misconception: EuroCloud replaces NIS2 obligations for cloud providers. Reality: No. NIS2 remains the primary law for cybersecurity risk management. CADA adds sovereignty requirements and specific rules for public sector sharing. You must comply with both if you are in scope for both.
  • Misconception: Any NIS2-compliant entity can automatically join EuroCloud. Reality: No. While NIS2 compliance is likely a prerequisite for the cybersecurity measures, EuroCloud participation is restricted to Union entities and public sector bodies. Private entities cannot directly participate as sharing entities in the EuroCloud Federation, though they may provide services to those that do.
  • Misconception: The specific cybersecurity measures for EuroCloud are already fully defined in the CADA text. Reality: No. Article 35(2) sets the principle, but Article 35(6) delegates the specific technical, operational and organisational measures to future implementing acts. The exact checklist is not yet final and will be published later.

This is general information about a draft EU regulation, not legal advice.