Summary
Under the proposed Cloud and AI Development Act (CADA), "sectors of high criticality" are not defined by a new list but are explicitly mapped to the "essential entities" listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555). While public sector bodies are legally required to conduct risk assessments under Article 29, private entities operating in these high-criticality sectors are currently permitted to voluntarily conduct similar impact assessments under Article 31. Crucially, Article 31(2) empowers the Commission to issue guidance on methodology, and Article 31(3) grants the power to adopt delegated acts that could make these assessments mandatory for private firms if specific circumstances warrant it, ensuring they implement necessary risk mitigation measures to safeguard public order.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dual-track approach to cloud sovereignty. While the public sector is bound by strict procurement rules tied to Union assurance levels, the private sector operates under a more flexible, yet potentially evolving, regime. The concept of "sectors of high criticality" is the pivot point where private sector flexibility could transition into mandatory compliance.
The Legal Definition: Mapping to NIS2 Annex I
CADA does not invent a new taxonomy for critical infrastructure. Instead, it leverages the existing, robust framework of the NIS2 Directive to identify which private entities face the highest sovereignty risks.
Article 31(1) explicitly states: "Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."
This reference is decisive. It limits the scope of "high criticality" under CADA to the "essential entities" defined in NIS2 Annex I. These sectors are deemed to have higher systemic importance than the "important entities" listed in NIS2 Annex II. The sectors included are:
- Energy: Electricity, district heating, oil, gas, and hydrogen.
- Transport: Air, rail, water, and road transport.
- Banking and Financial Market Infrastructure.
- Health: Hospitals, clinics, and manufacturers of critical medical devices.
- Drinking Water and Waste Water.
- Digital Infrastructure: Including IXPs, DNS providers, data centres, cloud computing service providers, and content delivery networks.
- ICT Service Management.
- Public Administration.
- Space.
By anchoring the definition to NIS2 Annex I, CADA ensures that the "high criticality" designation aligns with the EU's broader digital resilience strategy. These sectors are prioritized because a disruption in their cloud infrastructure (whether through service degradation, data exfiltration, or third-country coercion) could trigger catastrophic cascading effects on the economy, public order, and safety.
The Mechanism: From Voluntary to Mandatory
The current text of the proposal establishes a "voluntary-by-default, mandatory-by-delegation" framework for private entities in these sectors.
1. Voluntary Participation (Article 31(1))
Currently, private entities in NIS2 Annex I sectors are allowed to conduct impact assessments. These assessments mirror the risk assessments required of public bodies under Article 29. A private energy provider, for instance, could voluntarily assess its cloud dependencies to determine if it requires a Union assurance level 2, 3, or 4 service. This allows proactive alignment with sovereignty standards before any legal obligation arises.
2. Commission Guidance (Article 31(2))
To ensure that voluntary assessments are robust and comparable, Article 31(2) empowers the Commission to issue guidance. This guidance would cover:
- The methodology for carrying out the impact assessments.
- Possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality.
This creates a standardized framework, preventing a fragmented approach where different companies use incompatible risk models.
3. The Power to Mandate (Article 31(3))
The most significant provision for private firms is Article 31(3). It grants the Commission the authority to adopt delegated acts to supplement the Regulation. The trigger for this power is specific:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment..."
If this threshold is met, the Commission can specify:
- The need for such an impact assessment: Effectively making it mandatory for the identified entities.
- The risk mitigation measures: Defining exactly what actions these entities must take to address the identified risks.
This mechanism ensures that the EU can react swiftly to emerging sovereignty threats without needing to pass a new legislative act. If a specific geopolitical event or technological vulnerability threatens the resilience of the energy or financial sectors, the Commission can immediately mandate impact assessments and specific mitigation strategies for private operators in those sectors.
Why These Sectors Get Special Attention
The focus on NIS2 Annex I sectors is driven by the CADA's core objective: protecting public order and ensuring operational autonomy.
As outlined in the CADA recitals, the EU's dependence on non-European cloud providers exposes critical infrastructure to risks such as:
- Unauthorized Access: Third-country laws (such as the US CLOUD Act) compelling data disclosure.
- Service Disruption: Unilateral decisions by third-country actors to degrade or cut off services.
- Political Coercion: The use of vendor lock-ins or sanctions to influence EU policy.
Sectors like energy, health, and finance are foundational to societal stability. If a cloud provider serving these sectors is subject to extraterritorial control, the consequences extend far beyond commercial loss; they threaten national security and public safety. Therefore, CADA aims to align private sector practices in these critical areas with public sector standards. By allowing, and potentially requiring, impact assessments, the Regulation ensures that critical infrastructure operators do not inadvertently rely on cloud services that lack sufficient sovereignty safeguards.
What this means for you
For cloud service providers, data centre operators, and private entities in critical sectors, Article 31 represents a significant strategic horizon.
- Prepare for Mandatory Compliance: Even if impact assessments are currently voluntary for private firms in energy, finance, or health, the legal architecture of Article 31(3) means this could change overnight via a delegated act. You should not wait for a mandate to begin assessing your cloud stack against Union assurance levels.
- Map Your Client Base to NIS2 Annex I: Identify which of your clients fall under the NIS2 Annex I definition. These are your "high criticality" clients. They will likely be the first to demand sovereign cloud guarantees and may soon be legally required to procure only services at assurance levels 2, 3, or 4.
- Develop Mitigation Strategies Proactively: Article 31(2) indicates that the Commission will issue guidance on mitigation measures. Proactively developing robust supply chain transparency, data localization controls, and third-country control safeguards will position you as a trusted partner for these critical sectors.
- Monitor Delegated Acts Closely: Keep a close watch on the Commission's adoption of delegated acts under Article 31(3). If adopted, these acts will specify exactly which private entities must conduct assessments and what measures they must implement, effectively creating a new compliance baseline for critical infrastructure cloud consumers.
Common misconceptions
Misconception 1: All private companies must conduct impact assessments. Correction: No. Article 31(1) currently allows entities in NIS2 Annex I sectors to carry out similar assessments. It does not mandate them for all private entities. Only public sector bodies are strictly required to conduct risk assessments under Article 29. However, the Commission can mandate them for high-criticality private firms via delegated acts under Article 31(3).
Misconception 2: "High criticality" includes all digital businesses. Correction: "High criticality" under Article 31 is strictly limited to the sectors listed in Annex I of the NIS2 Directive. While other sectors (listed in NIS2 Annex II) are "important," they are not the primary focus of Article 31's high-criticality provisions. Retail, general manufacturing, and agriculture (unless they are essential infrastructure providers) are not automatically classified as "high criticality" under this specific article.
Misconception 3: Impact assessments are the same as cybersecurity audits. Correction: While they overlap, CADA impact assessments focus specifically on sovereignty and public order risks, such as third-country control, data localization, and operational autonomy. They are distinct from general cybersecurity audits, though they may leverage cybersecurity certification schemes (like EUCS) as part of the evidence.
This is general information about a draft EU regulation, not legal advice.