Summary
No. Compliance with the Financial Information Data Access (FIDA) framework does not automatically ensure compliance with the proposed Cloud and AI Development Act (CADA). FIDA governs financial data portability and access; CADA establishes a distinct Union cloud computing sovereignty framework with four assurance levels and strict public procurement obligations. As proposed, CADA targets operational autonomy, data localization and third-country control risks, factors entirely outside FIDA's scope. Financial providers must therefore meet separate, cumulative requirements: FIDA for data access, DORA for operational resilience, and CADA for sovereign cloud recognition if they want to serve public-sector or critical-infrastructure clients.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by reducing dependence on third-country providers and ensuring the resilience of public sector digital infrastructure. It is crucial to understand that CADA operates independently of sector-specific data governance frameworks like FIDA. While both regimes touch upon data handling, their objectives, scope, and compliance mechanisms are fundamentally different.
FIDA vs. CADA: Distinct Regulatory Pillars
FIDA primarily focuses on enabling data portability and access for financial services, ensuring that customer data is shared securely between financial entities and that customers can switch providers. Compliance with it demonstrates adherence to standards for data sharing, privacy and interoperability within the financial sector. It does not address the broader sovereignty concerns central to CADA.
CADA, as proposed, introduces a Union cloud computing sovereignty framework consisting of four assurance levels (Union assurance levels 1, 2, 3, and 4), with criteria detailed in Annex II of the proposal. These levels assess factors that FIDA ignores:
- Establishment and Control: Whether the provider is established in the Union and free from third-country control that could compromise operational autonomy.
- Data Localization: Requirements for customer data, including metadata and telemetry, to remain exclusively within the Union unless explicitly required otherwise by the public sector body.
- Personnel and Infrastructure: Criteria regarding the location of infrastructure, assets, and personnel, including potential Union citizenship requirements for higher assurance levels.
- Cybersecurity and Supply Chain: Adherence to European cybersecurity certification schemes (e.g., "substantial" or "high" assurance) and software supply chain transparency measures.
Meeting FIDA requirements does not satisfy these sovereignty criteria. For instance, a provider may fully comply with financial data access rules while still having infrastructure located outside the EU, or while being subject to third-country laws that compel data access; either condition would disqualify it from the higher CADA assurance levels.
CADA's Procurement and Risk Assessment Obligations
A key component of CADA is its impact on public procurement. Under Article 29, Member States and Union entities are required to conduct risk assessments to determine which Union assurance level is appropriate for their public sector activities. These assessments consider the sensitivity of data, the criticality of the service, and the risk of third-country access or service disruption.
- Article 29(1) mandates that risk assessments identify public sector activities that contribute to the preservation of public order, particularly in sectors falling under the NIS2 Directive and areas such as national security, defense, and justice.
- Article 30 then stipulates that contracting authorities whose activities are identified as contributing to the preservation of public order must only procure cloud computing services recognized as offering Union assurance levels 2, 3, or 4.
This means that even a cloud provider that is fully compliant with FIDA and other financial regulations cannot serve these public sector contracts unless it also obtains recognition under the CADA sovereignty framework. CADA adds a layer of "sovereignty compliance" on top of existing sectoral regulations.
Interaction with DORA
For financial institutions, the Digital Operational Resilience Act (DORA) is also relevant. DORA imposes ICT risk management requirements on financial entities, including due diligence on cloud service providers. CADA complements DORA by providing a standardized sovereignty assessment. While DORA focuses on operational resilience and incident reporting, CADA focuses on strategic autonomy and data sovereignty.
A financial cloud provider must therefore navigate both: ensuring operational resilience under DORA while meeting sovereignty criteria under CADA to access the broader EU market, particularly the public sector. The CADA proposal explicitly notes that it complements existing cybersecurity and digital resilience frameworks, ensuring that contracting authorities can use sovereign cloud computing services alongside technical cybersecurity standards.
What this means for you
If you are a cloud service provider or data centre operator, you cannot rely on compliance with existing financial-sector rules (such as FIDA) or operational resilience rules (such as DORA) as a blanket pass for CADA. You must take proactive steps to address CADA's specific requirements:
- Conduct a Sovereignty Gap Analysis: Assess your current operations against the criteria in Annex II of the CADA proposal. Identify gaps in data localization, third-country control, and personnel location. FIDA compliance does not cover these areas.
- Prepare for Assurance Level Recognition: If you aim to serve EU public sector clients, you will need to apply for recognition under Article 17. This involves submitting evidence to the national competent authority of the Member State where you are established, including audit reports for levels 2 to 4. Level 1 requires a self-assessment.
- Align with National Risk Assessments: Monitor the risk assessments conducted by Member States under Article 29. These assessments will dictate which assurance levels are mandatory for specific sectors. Being recognized at Union assurance level 1 may be insufficient for many critical public sector contracts, which may require Level 2, 3, or 4.
- Coordinate with DORA Compliance: Ensure your ICT risk management processes under DORA are aligned with the sovereignty and transparency requirements of CADA. This may involve enhancing your software bill of materials (SBOM) and demonstrating effective legal and technical separation from third-country entities.
Common misconceptions
- "FIDA or GDPR compliance is enough for CADA." This is incorrect. While GDPR ensures data protection and FIDA ensures financial data portability, neither addresses the geopolitical and operational sovereignty risks that CADA targets, such as extraterritorial access by third-country governments or the location of infrastructure.
- "CADA only applies to public sector clouds." While the procurement rules heavily target the public sector, the sovereignty framework and assurance levels apply to any cloud provider seeking to be recognized as offering Union assurance levels. This recognition is often a prerequisite for high-value contracts, including those with critical private-sector entities under NIS2.
- "CADA replaces DORA for financial clouds." No, they are complementary. DORA governs operational resilience and risk management, while CADA governs sovereignty and strategic autonomy. Financial cloud providers must comply with both to operate effectively in the EU.
- "CADA is just about data location." CADA goes beyond data localization to include personnel citizenship (conditional at level 2, mandatory at levels 3 and 4), third-country control, and supply chain transparency.
Official sources
Related
- CADA, FIDA & DORA: What the trio means for fintechs
- Is there any EU law I can comply with that exempts me from CADA?
- Is Gaia-X required to comply with CADA?
- If I comply with the Chips Act, do I comply with CADA?
- If I already comply with the GDPR, do I comply with CADA?
This is general information about a draft EU regulation, not legal advice.