Summary

No. Complying with the NIS2 Directive would not satisfy the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final). NIS2 governs technical cybersecurity risk management; CADA, as proposed, would add a distinct sovereignty framework addressing data confidentiality, operational autonomy and public order. A cloud computing service provider or data centre operator would have to comply with both: NIS2 for technical resilience, and CADA for sovereignty assurance levels and public-procurement eligibility. The two overlap in who they regulate but diverge in what they require.

Detail

CADA's explanatory memorandum sets NIS2 apart from the sovereignty agenda. NIS2 "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU, resulting in greater trust." But it "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." There is significant overlap in the entities covered — cloud and data-centre providers — but the policy objectives differ.

Different objectives: cybersecurity vs. sovereignty

CADA, as proposed, would aim to mitigate risks from dependence on third-country providers. Article 16 would establish the "Union cloud computing sovereignty framework" of four assurance levels, with criteria in Annex II directed at data confidentiality, operational autonomy and the prevention of harm to public order. The memorandum notes that "[c]ertification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." So a provider may have robust, NIS2-compliant security yet fail the sovereignty criteria for CADA's higher levels — for instance where third-country control is not adequately mitigated, or where data does not remain within the Union.

Stacking obligations

For providers and data-centre operators, CADA and NIS2 stack rather than substitute.

  1. NIS2. As essential or important entities, providers must implement technical and organisational measures to manage cybersecurity risk — incident handling, business continuity, supply-chain security, network and information-system security.
  2. CADA. A provider wishing to serve Union entities or public sector bodies would seek recognition at a given assurance level (Article 17):
    • Level 1 rests on a conformity self-assessment (Article 19). Annex II criteria include being established in the Union and keeping infrastructure and assets in the Union (subject to limited exceptions where the public sector body explicitly requires otherwise).
    • Levels 2–4 require an independent third-party audit (Article 20). The higher levels add stricter Annex II criteria — for example keeping customer data exclusively within the Union, a European cybersecurity certificate (from level 2, once a scheme exists), and safeguards against third-country control being exercised to restrict the service or expose data. Personnel screening and Union-citizenship requirements are not blanket rules; under Annex II they apply where the public sector body determines they are necessary.

CADA would also add demand-side pressure. Article 29 requires Member States and Union entities to run risk assessments to set the appropriate level; Article 30 requires level 1 for activities not contributing to public order and levels 2, 3 or 4 for those that do. That creates a market incentive to obtain CADA recognition — separate from NIS2 status.

Data centre operators

For data-centre operators, CADA's Title III adds deployment provisions distinct from NIS2's cybersecurity focus. Article 10 would require Member States to designate data centre acceleration zones; Article 13 would streamline permit-granting. These are administrative and strategic measures, not cybersecurity ones.

Why a strong NIS2 programme still leaves gaps

The two regimes share vocabulary around "risk management" and "supply chain," which can mask how little transfers. NIS2 supply-chain security asks whether your suppliers introduce cybersecurity risk — vulnerable components, weak patching, insecure dependencies. CADA's Annex II supply-chain criteria ask something different: whether software components are owned or licensed by a third-country entity, whether controls block remote features that could tamper with or disrupt systems, whether security-relevant third-country components undergo source-code audits and have documented migration plans, and whether a complete software bill of materials is available to the auditor. A provider with an excellent NIS2 supply-chain posture can still lack the jurisdictional evidence CADA demands. The same is true of personnel: NIS2 cares about competence and access control; CADA, where a public sector body requires it, cares about screening and Union citizenship. These are adjacent concerns, not the same one.

Interplay with other laws

The memorandum also frames the Data Act and DMA. The Data Act facilitates switching and interoperability but "does not build the road towards a more sovereign and trusted EU cloud computing sector"; the DMA regulates gatekeepers for fairness but "does not contain measures that would actively promote the uptake of sovereign cloud computing services." CADA would fill that gap with a harmonised sovereignty framework.

What this means for you

Treat NIS2 and CADA as parallel tracks.

For cloud service providers

  • Audit your sovereignty posture. NIS2 evidences technical resilience; CADA would evidence sovereignty. Assess your service against Annex II — you might meet NIS2 yet fall short of level 2 if subcontractors are not established in the Union, or where a public sector body's screening requirements are not met.
  • Prepare for recognition. To reach the public-sector market, apply for recognition under Article 17 by submitting evidence to the national competent authority of establishment. For levels 2–4, engage an auditing organisation for an independent audit (Article 20).
  • Manage third-country exposure. CADA's higher levels turn on mitigating third-country control. Review ownership, governance and subcontractor chains against the Annex II conditions.

For data centre operators

  • Use acceleration zones. Familiarise yourself with the zones designated in your Member State (Article 10) and their streamlined permitting.
  • Consider strategic-project status. Innovative, sustainable or capacity-critical projects may qualify as strategic projects under Article 14, which can facilitate deployment.
  • Meet sustainability requirements. For data centres in acceleration zones, Article 11 ties sustainability to the KPIs in Delegated Regulation (EU) 2024/1364.

Action plan

  1. Document your NIS2 measures.
  2. Run a gap analysis against the Annex II assurance-level criteria; flag sovereignty gaps such as third-country subcontractors.
  3. For levels 2–4, engage an auditing organisation early to understand the evidence required (the evidence framework is set out in Annex III).
  4. Track national implementation — the designation of national competent authorities (Article 25) and the central repository of recognised services (Article 22).

Common misconceptions

"NIS2 certification equals CADA assurance." No. NIS2 is technical cybersecurity. CADA's levels include a cybersecurity element but add legal, operational and sovereignty criteria — data localisation, third-country-control safeguards and, where required, personnel screening. A NIS2-compliant provider can fail CADA on sovereignty grounds.

"CADA only applies to the public sector." No. The demand-side procurement rules target public bodies, but the supply-side recognition obligations bind providers wanting to serve them, and Article 31 lets NIS2 Annex I private entities run similar assessments.

"Data localisation is only a GDPR issue." No. Under Annex II, keeping customer data — including metadata and telemetry — within the Union is a core sovereignty criterion (subject to limited exceptions where the public sector body explicitly requires otherwise). That goes beyond the GDPR's transfer mechanisms.

"CADA replaces the Cybersecurity Act." No. CADA would complement it. The memorandum says that together, the proposal and the Cybersecurity Act revision (CSA2) "fill long-standing gaps in sovereignty and non-technical risks," and notes that the EUCS cloud-certification scheme "has not yet been adopted" but, once finalised, could be leveraged within CADA's framework.

This is general information about a draft EU regulation, not legal advice.