Summary

As proposed, the Cloud and AI Development Act (CADA) addresses concentration risk for financial cloud users by establishing a sovereignty framework that links public-order relevance to specific assurance levels. While the mandatory risk assessments under Article 29 apply to public-sector bodies and Union entities, Article 31 empowers the Commission to require similar impact assessments for private entities in sectors of high criticality, including finance. Crucially, Recital 65 explicitly states that, to enhance resilience and limit dependency on a single provider, entities should consider multi-vendor or multi-cloud strategies on the basis of context-specific risk assessments. This creates a regulatory environment in which concentration risk is no longer only an operational resilience issue (as under DORA) but also a sovereignty issue, potentially pushing financial institutions to diversify across providers that meet Union assurance levels 2, 3 or 4.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a novel regulatory layer for the European cloud ecosystem that directly intersects with the financial sector's existing obligations under the Digital Operational Resilience Act (DORA). While DORA focuses on the operational resilience of ICT third-party arrangements, CADA as proposed would add a "sovereignty" dimension to concentration risk: the question is no longer only whether a provider can fail, but whether a provider could be compelled by a third country to disrupt service or disclose data.

The Core Mechanism: Risk Assessments Driving Sovereignty Levels

The primary engine for addressing concentration risk in CADA is the risk assessment mechanism. Article 29 obliges Member States and Union entities to carry out risk assessments within one year of the Regulation's entry into force, and every two years thereafter. These assessments must identify public sector activities that contribute to the preservation of public order in sectors such as national security, internal security, and law enforcement.

For the financial sector, the definition of "public order" is critical. Article 29(1) explicitly includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), which encompasses financial market infrastructures and credit institutions. Article 29(2) mandates that these risk assessments consider:

  • The sensitivity, criticality, and magnitude of non-personal data processed.
  • The risk of unlawful access by a third country or legal entity established in a third country.
  • The risk of possible service disruption.

If a risk assessment determines that a financial entity's activities contribute to the preservation of public order, Article 30(3) would require that the entity procure only cloud services recognised as offering Union assurance levels 2, 3, or 4. These levels impose strict criteria regarding the location of infrastructure, the citizenship of personnel, and the absence of third-country control.

Multi-Vendor and Multi-Cloud Strategies as a Regulatory Expectation

CADA explicitly recognizes that reliance on a single cloud provider creates systemic vulnerability. Recital 65 of the proposal states: "To enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate."

The recital further clarifies that the decision to adopt a multi-cloud architecture should rest on a context-specific risk assessment that identifies the operational, regulatory, or resilience-related circumstances supporting such a strategy. For financial institutions, this is a clear regulatory signal: a single-vendor strategy may be insufficient to mitigate the concentration risks identified under CADA. The proposal does not mandate multi-cloud for all entities, but it names it as the mitigation to be considered where a single provider's failure or coercion could undermine public order.

Alignment with DORA: From Operational to Sovereign Risk

The financial sector is already subject to DORA, which requires the management of ICT third-party risk, including the mitigation of concentration risks arising from critical ICT third-party providers. CADA would complement this by adding a sovereignty layer.

Article 31 extends the scope of CADA to the private sector. It states that entities referred to in Annex I of the NIS2 Directive (which includes financial entities) may carry out similar assessments to those in Article 29. More significantly, Article 31(3) empowers the Commission to adopt delegated acts requiring entities in sectors of high criticality to conduct impact assessments and implement risk mitigation measures if specific circumstances arise.

This creates a dual-layer compliance obligation:

  1. DORA: Focuses on the operational risk of vendor failure, ensuring business continuity and data integrity.
  2. CADA (as proposed): Focuses on the sovereignty risk of vendor control, ensuring that the provider is not subject to extraterritorial laws (such as the US CLOUD Act) that could compel data access or service disruption.

A financial institution relying on a single non-EU hyperscaler might satisfy DORA's operational resilience tests but fail CADA's sovereignty risk assessment if that provider is subject to third-country control. Consequently, the "concentration risk" under CADA is broader: it includes the risk of geopolitical coercion, extraterritorial data access, and operational disruption due to third-country influence.

The Sovereignty Framework and Vendor Pool Constraints

The CADA sovereignty framework, detailed in Articles 16-24, establishes four Union assurance levels. The criteria for these levels, set out in Annex II, are stringent. For instance:

  • Union Assurance Level 3 requires that the provider and subcontractors are not subject to the control of a third country, unless the Commission has adopted an implementing act identifying the third country as providing sufficient assurances (under Article 18).
  • Union Assurance Level 4 adds requirements for Union citizenship of personnel and a "high" level of cybersecurity certification.

These criteria may significantly limit the pool of eligible providers. If only one or two EU-based providers can meet the standards for Level 3 or 4, a financial institution might face a new form of concentration risk: a lack of sovereign alternatives. In this scenario, the multi-cloud strategy encouraged by Recital 65 becomes essential not just for redundancy, but for accessing a diverse set of sovereign-compliant providers. Financial institutions may need to distribute their critical workloads across multiple sovereign providers so that no single vendor becomes a single point of failure for critical financial infrastructure.

Private Sector Impact and Future Delegated Acts

While Article 29 and Article 30 primarily target public sector bodies, the impact on the private financial sector is profound. Article 31 allows the Commission to issue guidance on the methodology for impact assessments for private entities. Furthermore, the Commission may adopt delegated acts requiring these entities to conduct impact assessments and implement risk mitigation measures.

This means that financial institutions should not wait for mandatory delegated acts to begin aligning their strategies with CADA. Market pressure from public sector procurement, which for public-order activities will be restricted to providers at assurance level 2 or above, will likely drive private sector vendors to offer sovereign-compliant services. Financial institutions that proactively conduct risk assessments and adopt multi-cloud strategies will be better positioned to meet future regulatory requirements and to ensure operational continuity.

What this means for you

For CTOs, risk officers, and architects in the financial sector, the proposed CADA provisions necessitate a fundamental re-evaluation of cloud strategy through the lens of sovereignty and concentration risk.

  1. Conduct Proactive Sovereignty Risk Assessments: Do not wait for delegated acts. Begin conducting risk assessments similar to those described in Article 29. Evaluate your cloud providers not just on technical performance and cost, but on their exposure to third-country laws, their operational continuity guarantees, and their compliance with EU sovereignty standards. Ask: "If this provider is compelled by a third country, can we continue to operate?"
  2. Justify Multi-Cloud Architectures: Use the guidance in Recital 65 to justify investments in multi-cloud or multi-vendor strategies. Document how these architectures mitigate both operational resilience risks (DORA) and sovereignty risks (CADA). This documentation will be crucial for regulatory compliance and internal governance, demonstrating that you have considered the context-specific circumstances that support a multi-cloud approach.
  3. Review Vendor Contracts and Data Flows: Ensure your contracts with cloud providers include clauses that address data sovereignty and operational autonomy. Verify that your providers can demonstrate compliance with the criteria for Union assurance levels, particularly regarding data localization, personnel citizenship, and the absence of third-country control over infrastructure and personnel.
  4. Monitor Delegated Acts under Article 31: Stay informed about the Commission's guidance on impact assessments for private sector entities. As the CADA proposal progresses, specific delegated acts may impose mandatory requirements on financial institutions, making early adaptation a competitive advantage.
  5. Engage with Sovereign Providers: Explore partnerships with EU-based cloud providers that are pursuing recognition under the CADA sovereignty framework. Early engagement can help you influence the development of these services and ensure they meet your specific financial sector needs. Be aware that the pool of Level 3/4 providers may be limited, making diversification critical.

Common misconceptions

"CADA only applies to the public sector." While the mandatory risk assessments and procurement rules in Articles 29-30 target public sector bodies, CADA's sovereignty framework and the potential for delegated acts under Article 31 have significant implications for private financial entities. The market pressure from public sector procurement will also drive private sector vendors to adopt sovereign-compliant services, indirectly affecting private financial users.

"Multi-cloud is mandatory for all financial institutions." CADA does not mandate a multi-cloud strategy for all entities. Recital 65 states that entities should consider whether a multi-vendor or multi-cloud strategy may be appropriate, based on a context-specific risk assessment. The decision depends on the criticality of the services and the level of assurance required. However, for high-risk activities identified in the risk assessment, a multi-cloud strategy may be the only viable mitigation.

"Cybersecurity certification is sufficient for sovereignty." CADA distinguishes between cybersecurity and sovereignty. While Annex II requires cybersecurity certifications for higher assurance levels (e.g., "substantial" for Level 2/3 and "high" for Level 4), it also imposes additional requirements regarding data localization, personnel citizenship, and the absence of third-country control. A provider may be cybersecure but still fail to meet sovereignty criteria if it is subject to third-country laws that allow data access or service disruption.

"Concentration risk is only about vendor failure." Under CADA, concentration risk includes the risk of geopolitical coercion, extraterritorial data access, and operational disruption due to third-country influence. This broader definition requires a more comprehensive risk assessment that goes beyond traditional business continuity planning. A single-provider strategy may satisfy DORA's operational resilience tests but fail CADA's sovereignty risk assessments.

This is general information about a draft EU regulation, not legal advice.