Summary
Under the proposed Cloud and AI Development Act (CADA), private sector entities are not automatically required to conduct impact assessments. While public bodies face mandatory risk assessments under Article 29, private entities operating in sectors listed in Annex I of the NIS2 Directive currently have the option to carry out similar assessments under Article 31(1). However, the Commission holds a specific power to change this status. Under Article 31(3), the Commission may adopt a delegated act (pursuant to Article 45) to make these assessments mandatory. This power can only be exercised where "specific circumstances" exist, the action is "duly justified," and after "consultation with the Member States." Such an act would specify both the need for the assessment and the required risk mitigation measures for entities in "sectors of high criticality." Until such a delegated act is adopted, the obligation remains voluntary.
Detail
The Cloud and AI Development Act (CADA) establishes a dual-track approach to sovereignty risk management: a mandatory track for the public sector and a conditional, flexible track for the private sector. Understanding the mechanism that bridges these two tracks is essential for legal counsel advising entities in critical infrastructure.
The Default Position: Voluntary Assessments
The baseline for private sector obligations is set in Article 31(1). This provision states that entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive) who are not public sector bodies may carry out assessments similar to those required for public bodies under Article 29.
The use of the word "may" is deliberate. It establishes that, as proposed, private entities in essential and important sectors (such as energy, transport, banking, health, and digital infrastructure) are not legally compelled to perform a CADA-specific impact assessment. Instead, they are encouraged to do so, particularly to align their cloud procurement and usage with the Union's sovereignty objectives. The Commission is also tasked under Article 31(2) to issue guidance on the methodology for these voluntary assessments and potential mitigation measures.
The Escalation Mechanism: Article 31(3) and Delegated Acts
The proposal includes a "safety valve" to address emerging risks that voluntary measures fail to mitigate. Article 31(3) provides the legal basis for the Commission to transform these voluntary assessments into mandatory obligations.
The text of Article 31(3) is precise and imposes strict conditions on the Commission's exercise of this power:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This provision creates a high threshold for mandatory application. The Commission cannot act on a whim or a general policy preference. Three cumulative conditions must be met:
- Specific Circumstances: There must be a concrete, identifiable situation or threat (e.g., a sudden shift in geopolitical risk, a specific vulnerability in a critical supply chain) that necessitates intervention.
- Duly Justified: The Commission must provide a robust legal and factual justification for why voluntary measures are insufficient and why a mandatory regime is proportionate.
- Consultation with Member States: The Commission must consult with national authorities before proceeding. This ensures that the mandate respects the subsidiarity principle and aligns with national security contexts.
Scope: "Sectors of High Criticality"
The delegated act would not apply to all private companies. It is strictly limited to entities operating in "sectors of high criticality." While Article 31 does not provide a standalone definition of this term, the context of Article 31(1) links it to entities in Annex I of the NIS2 Directive. In practice, this would likely target the most sensitive sub-sectors within the essential entity list, such as critical financial market infrastructures, high-security cloud providers, or entities handling classified or highly sensitive data.
Content of the Delegated Act
If the Commission exercises this power, the resulting delegated act would not merely impose a procedural duty to "assess." It would be a substantive instrument defining the scope of the obligation. As explicitly stated in Article 31(3), the act must specify:
- The Need for the Assessment: The specific risks or circumstances triggering the requirement.
- Required Risk Mitigation Measures: The concrete actions entities must take to address identified risks.
These mitigation measures would likely mirror the stringent criteria found in Annex II for Union Assurance Levels 2, 3, and 4. This could include requirements for data localization within the Union, restrictions on third-country control, mandatory personnel screening (Union citizenship), or specific software supply chain controls (e.g., SBOMs and source code audits).
Procedural Safeguards: Article 45
The adoption of such an act follows the standard delegated act procedure under Article 45. The power to adopt delegated acts is conferred on the Commission for an indeterminate period. However, this power is subject to significant legislative oversight:
- Revocation: The European Parliament or the Council may revoke the delegation of power at any time.
- Objection Period: A delegated act adopted under Article 31(3) enters into force only if neither the Parliament nor the Council expresses an objection within two months of notification (extendable by three months).
This ensures that making impact assessments mandatory for private firms is a significant political decision subject to democratic scrutiny, rather than a purely administrative adjustment.
What this means for you
For in-house counsel, compliance officers, and general counsel at private entities in high-risk sectors, the current status under the CADA proposal requires a proactive but measured approach.
1. Treat Voluntary Assessments as Strategic Preparation
Although Article 31(1) makes assessments voluntary, the existence of Article 31(3) signals that the Commission views this as a temporary state. Entities should conduct these assessments voluntarily now. Doing so allows you to:
- Identify gaps in your cloud sovereignty posture before they become regulatory violations.
- Familiarize your teams with the Article 29 methodology (risk assessment templates, data sensitivity mapping).
- Demonstrate "due diligence" to regulators, potentially influencing the Commission's decision on whether a mandatory act is necessary.
2. Monitor for "Specific Circumstances"
The trigger for a delegated act is the emergence of "specific circumstances." Legal teams should monitor geopolitical developments, supply chain disruptions, and Commission communications regarding NIS2 Annex I entities. If the Commission launches a consultation or issues a guidance document highlighting a specific threat to a sector (e.g., "risks to financial market infrastructure"), prepare for the possibility of a delegated act following shortly.
3. Align with Union Assurance Levels
The "risk mitigation measures" specified in a future delegated act will almost certainly reference Annex II. You should audit your current cloud contracts and infrastructure against the criteria for Union Assurance Levels 2, 3, and 4. Key areas to review include:
- Data Residency: Can you guarantee customer data remains exclusively in the Union?
- Personnel: Can you ensure that staff with access to critical systems are Union citizens (a requirement for Levels 3 and 4)?
- Control: Can you prove the absence of third-country control over your provider?
- Supply Chain: Do you have a complete Software Bill of Materials (SBOM) and migration plans for third-country components?
4. Document Your Risk Posture
If you decide not to conduct an impact assessment currently, document the rationale. If the Commission later adopts a delegated act, having a record of your risk analysis and the reasons for your current posture will be crucial for demonstrating good faith and facilitating a smooth transition to mandatory compliance.
Common misconceptions
Misconception 1: Private companies in critical sectors must run CADA impact assessments immediately. Correction: No. Article 31(1) explicitly states that such entities may carry out assessments. They are currently voluntary. Mandatory obligations only arise if the Commission adopts a delegated act under Article 31(3).
Misconception 2: The Commission can mandate assessments unilaterally. Correction: The Commission cannot act alone. Article 31(3) requires the action to be "duly justified" and adopted "in consultation with the Member States." Furthermore, the resulting delegated act is subject to the scrutiny of the European Parliament and the Council under Article 45, who can object to its entry into force.
Misconception 3: "Sectors of high criticality" is a vague term with no legal basis. Correction: While not explicitly defined in Article 31, the term is contextually linked to entities in Annex I of the NIS2 Directive. It refers to the most critical sub-sectors within the essential and important entity categories. The Commission's guidance under Article 31(2) will further clarify the scope.
Misconception 4: A delegated act is the same as an implementing act. Correction: They are distinct. Article 31(3) specifically authorizes a delegated act under Article 45, which supplements the Regulation with new rules (like making assessments mandatory). Implementing acts (under Article 46) are used for uniform conditions of implementation and follow a committee procedure, lacking the same level of parliamentary veto power.
This is general information about a draft EU regulation, not legal advice.