Summary

No, compliance with the Digital Operational Resilience Act (DORA) does not automatically satisfy the requirements of the proposed Cloud and AI Development Act (CADA). While DORA mandates ICT risk management and operational resilience specifically for the financial sector, CADA introduces a distinct "Union cloud computing sovereignty framework" with four assurance levels that address data confidentiality, operational autonomy, and protection against third-country extraterritorial laws across all sectors. Cloud providers serving financial entities must comply with both regimes, as the obligations stack rather than replace one another. DORA ensures the system stays running; CADA ensures the system is sovereign.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem by reducing dependencies on non-European providers. A critical question for cloud service providers, particularly those serving the financial sector, is whether existing compliance with the Digital Operational Resilience Act (DORA) suffices for CADA compliance. The definitive answer is no. The two instruments pursue fundamentally different policy objectives, regulate distinct aspects of cloud service provision, and impose cumulative obligations that cannot be satisfied by a single compliance regime.

Distinct Objectives: Operational Resilience vs. Technological Sovereignty

DORA, Regulation (EU) 2023/2554, is a sector-specific regulation focused on the operational resilience of the financial sector. It requires financial entities and their critical ICT third-party service providers to implement robust ICT risk management frameworks, incident reporting mechanisms, and digital operational resilience testing. Its primary goal is to ensure that the financial sector can withstand, respond to, and recover from ICT-related disruptions. As the CADA explanatory memorandum explicitly states, DORA "shapes compliance obligations for cloud computing service providers" indirectly if they provide services to specified financial entities, but it has a "sectoral scope and is specific to the financial sector." It is fully focused on "technical cybersecurity as opposed to broader sovereignty considerations."

In contrast, CADA addresses broader concerns of technological sovereignty, data confidentiality, and operational autonomy across all sectors, not just finance. CADA establishes a "Union cloud computing sovereignty framework" consisting of four assurance levels (Union assurance levels 1 to 4). These levels are designed to mitigate risks associated with dependence on third-country providers, including the risk of unauthorized access to Union data due to extraterritorial laws (such as the US CLOUD Act) and the risk of service disruption. The CADA proposal notes that while DORA improves trust through cybersecurity risk management, it "does not contain measures to boost the uptake and use of such services" and is insufficient for addressing "sovereignty concerns that go beyond these technical elements."

The CADA Sovereignty Framework: Four Assurance Levels

CADA Article 16 establishes the Union cloud computing sovereignty framework, comprising four assurance levels with cumulative criteria set out in Annex II. These levels dictate the degree of control, localisation, and personnel requirements for cloud services, creating a tiered structure that DORA does not replicate:

  • Union Assurance Level 1: Requires the provider to be established in the Union, with infrastructure and assets located in the Union. Customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide transparency around subcontractors.
  • Union Assurance Level 2: Adds stricter requirements, including that subcontractors involved in the service provision must also be established in the Union. It requires a European cybersecurity certificate of at least "substantial" assurance level under a scheme established under Regulation (EU) 2019/881. Crucially, data generated by the service cannot be used to train AI systems operated by third countries.
  • Union Assurance Level 3: Mandates that personnel involved in service provision are Union citizens (conditional at L2, mandatory at L3/L4). It requires strict separation between Union parent companies and third-country subsidiaries. Providers must demonstrate that third-country control does not restrict service delivery or allow unauthorized data access. A derogation exists under Article 18 for third countries with specific safeguards, but this is a specific CADA mechanism, not a DORA equivalent.
  • Union Assurance Level 4: The highest level, requiring that the provider and its subcontractors are not subject to the control of a third country. It demands a European cybersecurity certificate of at least "high" assurance level and ensures that third countries do not hold effective control over software components.

DORA does not establish such a tiered sovereignty framework. While DORA requires cloud providers to manage ICT risks and undergo testing, it does not mandate specific data localisation, personnel citizenship, or protection against extraterritorial data access laws in the manner CADA does.

Stacking Obligations for Financial Sector Providers

For cloud providers serving financial entities, the obligations under DORA and CADA stack. DORA requires financial entities to conduct due diligence on their cloud providers and ensures these providers have adequate ICT risk management. CADA, however, introduces demand-side measures for public sector bodies and, by extension, influences the broader market.

CADA Article 29 requires Member States and Union entities to conduct risk assessments to determine which Union assurance level (2, 3, or 4) is appropriate for public sector activities contributing to the preservation of public order. Article 30 then mandates that contracting authorities whose activities are identified as having public order relevance must only procure cloud computing services recognised as offering Union assurance levels 2, 3, or 4.

While DORA applies to financial entities, CADA's sovereignty framework applies to cloud providers seeking to serve public sector bodies and, increasingly, private sector entities in critical sectors. CADA Article 31 allows private sector entities listed in Annex I of the NIS2 Directive to carry out impact assessments similar to those in Article 29. The Commission may also adopt delegated acts requiring impact assessments for private companies in high-criticality sectors. Therefore, a cloud provider serving a bank (subject to DORA) that also serves a public hospital or a government agency (subject to CADA) must meet both DORA's ICT resilience standards and CADA's sovereignty criteria for the relevant assurance level.

The CADA explanatory memorandum clarifies this interaction: "The proposal complements the Cybersecurity Act's focus on cloud cybersecurity with sovereignty considerations... Meanwhile, the European Union Agency for Cybersecurity (ENISA) has been working on developing a European Cybersecurity Certification Scheme for Cloud Services (EUCS)... When finalised, it could be leveraged in the framework for sovereign cloud computing services as a way of ensuring that an audited service meets the highest cybersecurity standards." This indicates that technical cybersecurity (addressed by DORA and EUCS) is a prerequisite, but sovereignty (addressed by CADA) is an additional, distinct layer.

No Mutual Recognition or Equivalence

The CADA proposal does not provide for mutual recognition between DORA compliance and CADA assurance levels. DORA's focus on ICT risk management does not address the sovereignty concerns of data localisation, personnel nationality, or protection against third-country legal mandates. Conversely, CADA's sovereignty framework does not replace the need for robust ICT risk management and operational resilience testing required by DORA.

As the explanatory memorandum notes, "The proposal complements the Cybersecurity Act's focus on cloud cybersecurity with sovereignty considerations. Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Similarly, DORA's ICT risk management framework is not suited for addressing the broader sovereignty and geopolitical risks that CADA targets. The two regimes are complementary by design, filling different gaps in the regulatory landscape.

What this means for you

If you are a cloud service provider or data centre operator, you must treat DORA and CADA as separate, parallel compliance regimes.

  1. Assess Your Customer Base: Identify which of your customers are financial entities (subject to DORA) and which are public sector bodies or critical private sector entities (subject to CADA). A single customer, such as a bank with public-sector functions, may trigger both.
  2. Map to Assurance Levels: Determine which Union assurance level (1–4) your services meet under CADA Annex II. This involves reviewing your data localisation policies, personnel structures, subcontractor chains, and exposure to third-country laws. Note that L2 and L3 require "substantial" cybersecurity certification, while L4 requires "high" certification.
  3. Prepare for Audits: CADA requires independent third-party audits for assurance levels 2, 3, and 4 (Article 20). Ensure your auditing organisations are independent and meet the criteria set out in CADA Article 20(4). DORA's testing requirements do not substitute for these CADA-specific audits.
  4. Update Contracts: Review your contracts with financial entities to ensure DORA compliance, and update contracts with public sector and critical private sector customers to reflect CADA's sovereignty requirements and transparency obligations.
  5. Monitor Regulatory Developments: CADA is a proposal and may change during the legislative procedure. Stay informed about the final text, particularly regarding the specific criteria for each assurance level and the timeline for implementation.

Common misconceptions

"DORA compliance covers CADA sovereignty requirements." This is incorrect. DORA focuses on ICT risk management and operational resilience within the financial sector, while CADA focuses on data sovereignty, localisation, and protection against third-country extraterritorial laws across all sectors. DORA ensures the system stays running; CADA ensures the system is sovereign.

"If I am compliant with DORA, I am automatically compliant with CADA." No. DORA does not establish a tiered sovereignty framework with Union assurance levels. It does not mandate personnel citizenship, specific data localisation for non-financial sectors, or protection against third-country legal mandates in the manner CADA does.

"CADA only applies to public sector bodies." While CADA imposes specific procurement obligations on public sector bodies (Article 30), its sovereignty framework and assurance levels apply to cloud providers generally. Private sector entities in critical sectors (Annex I of NIS2) may also be required to conduct impact assessments (Article 31), and the market will increasingly demand CADA-compliant services.

"I only need to comply with the highest assurance level." CADA requires a risk-based approach. Public sector bodies must determine the appropriate assurance level based on risk assessments (Article 29). Not all services require Level 4; however, providers must be able to demonstrate compliance with the level required by their customers.

This is general information about a draft EU regulation, not legal advice.