Summary
Under Article 31 of the proposed Cloud and AI Development Act (CADA), private sector entities operating in critical infrastructure sectors (as listed in Annex I of the NIS2 Directive) may voluntarily carry out impact assessments similar to the mandatory risk assessments required for public authorities under Article 29. These assessments allow private firms to evaluate cloud sovereignty risks, such as third-country control and data access. While currently voluntary, the Commission retains the power to make these assessments mandatory for specific sectors of high criticality via delegated acts under Article 31(3), following consultation with Member States.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a robust framework for cloud sovereignty, primarily driven by mandatory risk assessments for public sector bodies. However, recognizing that critical infrastructure in the private sector faces similar geopolitical and operational risks, the proposal introduces a parallel mechanism for private entities in Article 31. This article creates a flexible, risk-based approach for the private sector, balancing voluntary adoption with the potential for future mandates in the most critical areas.
The Scope: Who is covered by Article 31?
Article 31(1) explicitly defines the scope of entities eligible to conduct these impact assessments. It applies to entities that:
- Are not public sector bodies; and
- Are listed in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive).
This includes operators of essential services in sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, and space. Unlike the general private market, these entities are deemed to operate in sectors where the continuity of service and data sovereignty have significant implications for the Union's security and public order.
The text of Article 31(1) states that these entities "may carry out similar assessments as those set out in Article 29." The use of the word "may" establishes that, under the current proposal, these assessments are voluntary by default. Private entities are not automatically compelled to perform them, distinguishing this regime from the mandatory obligations placed on contracting authorities and public bodies under Article 29.
Purpose and Methodology: Mirroring Article 29
The primary purpose of the impact assessments under Article 31 is to enable private entities to evaluate the risks associated with their reliance on cloud computing services, specifically regarding sovereignty, data confidentiality, and operational autonomy. By mirroring the risk assessments mandated for the public sector under Article 29, these private assessments aim to:
- Identify the sensitivity, criticality, and magnitude of data processed.
- Assess the risk of unlawful access by third countries or legal entities established outside the Union.
- Evaluate the risk of service disruption or degradation.
- Determine the appropriate Union Assurance Level (Levels 1 to 4) required for their specific operations.
While the public sector must follow strict timelines and reporting requirements under Article 29, the private sector's voluntary assessments under Article 31 offer flexibility. However, to ensure consistency and effectiveness, Article 31(2) empowers the Commission to issue guidance on the methodology for carrying out these assessments and on possible mitigation measures. This guidance would help private entities standardize their risk evaluation processes, ensuring that their assessments are robust and aligned with Union objectives.
The Path to Mandatory Assessments: Article 31(3)
Although the default position is voluntary, the proposal includes a mechanism to escalate these requirements if necessary. Article 31(3) grants the Commission the authority to adopt delegated acts to supplement the Regulation.
The Commission may exercise this power if it concludes, based on specific circumstances and after consultation with Member States, that entities operating in sectors of high criticality require an impact assessment. In such a scenario, the Commission could:
- Mandate the impact assessment for those specific entities or sectors.
- Specify the risk mitigation measures that those entities must take.
This provision ensures that the EU retains the flexibility to respond to emerging threats or specific vulnerabilities in critical infrastructure without needing to amend the primary legislation. It acts as a safety valve, allowing the Union to impose stricter obligations on the most critical private actors if the voluntary approach proves insufficient to safeguard public order and strategic autonomy.
Relationship with Union Assurance Levels
The impact assessments under Article 31 are intrinsically linked to the Union Assurance Levels defined in Article 16 and detailed in Annex II. These levels range from Level 1 (basic establishment in the Union) to Level 4 (strict requirements on personnel citizenship, data localization, and absence of third-country control).
By conducting an impact assessment, a private entity can determine which assurance level is appropriate for its operations. For instance, a financial institution handling highly sensitive data might determine that Level 3 or Level 4 is necessary to mitigate the risk of third-country access. This alignment allows private sector procurement decisions to contribute to the broader EU strategy of reducing dependencies on non-European cloud providers, even in the absence of a direct legal mandate.
What this means for you
For cloud service providers, data center operators, and private sector entities in critical infrastructure, Article 31 presents both an opportunity and a strategic imperative.
1. Strategic Voluntary Adoption
Even though Article 31(1) makes these assessments voluntary, private entities in critical sectors (e.g., energy, finance, health) are likely to adopt them proactively. Geopolitical instability and the risk of third-country interference make these assessments a valuable tool for risk management. As a provider, you should anticipate client requests for support in conducting these assessments. Be prepared to provide detailed evidence regarding your compliance with Union Assurance Levels, particularly concerning data localization, personnel controls, and legal safeguards against foreign access.
2. Prepare for Commission Guidance
Under Article 31(2), the Commission will issue guidance on the methodology for these assessments. This guidance will likely standardize how risks are evaluated and what mitigation measures are considered effective. Private entities should monitor these developments closely. Aligning your internal risk management frameworks with the Commission's guidance will make your services more attractive to risk-aware clients and prepare you for potential future mandates.
3. Monitor for Delegated Acts
The most significant risk for private entities is the potential for Article 31(3) to be triggered. If the Commission identifies a sector as being of high criticality, it can adopt a delegated act to make impact assessments mandatory. If your organization operates in a sector that could be designated as high-criticality (e.g., critical digital infrastructure or energy), you must be ready to transition from voluntary to mandatory compliance. Ensure your services are capable of meeting the highest Union Assurance Levels, as this will likely become a market or legal requirement.
4. Leverage Assessments for Competitive Advantage
For cloud providers, offering services that facilitate these assessments can be a competitive differentiator. By providing clear documentation on your sovereignty features (such as EU-based infrastructure, EU-only personnel access, and robust legal barriers against third-country data access), you can help your clients easily satisfy the requirements of their impact assessments. This positions your services as the preferred choice for critical infrastructure operators.
5. Engage in the Consultation Process
The Commission is required to consult with Member States before adopting delegated acts under Article 31(3). Industry associations and private entities should actively participate in these consultations to ensure that any future mandates are practical, proportionate, and technically feasible. Your input can help shape the final requirements, ensuring they do not inadvertently stifle innovation or impose undue burdens.
Common misconceptions
Misconception 1: Impact assessments under Article 31 are mandatory for all private companies. Reality: Article 31(1) explicitly states that entities in NIS2 Annex I sectors "may" carry out these assessments. This makes them voluntary by default. They only become mandatory if the Commission adopts a delegated act under Article 31(3) for specific high-criticality sectors.
Misconception 2: Article 31 applies to all private sector entities. Reality: Article 31 is strictly limited to entities listed in Annex I of the NIS2 Directive. Small and medium-sized enterprises (SMEs) or entities in non-critical sectors are not directly addressed by this article, although they may still be influenced by market trends driven by public sector requirements.
Misconception 3: Impact assessments under Article 31 are identical to public sector risk assessments under Article 29. Reality: While Article 31(1) states that private entities may carry out "similar assessments," they are not legally bound by the same strict timelines, reporting obligations, or enforcement mechanisms as public authorities under Article 29. The methodology may also differ based on the guidance issued by the Commission under Article 31(2).
Misconception 4: The Commission has already made these assessments mandatory. Reality: As of the current proposal (COM(2026) 502 final), the assessments are voluntary. The Commission has the power to make them mandatory via delegated acts, but this power has not yet been exercised. Businesses should monitor for future legislative developments and Commission guidance.
This is general information about a draft EU regulation, not legal advice.