Summary
If you are a cloud provider already compliant with NIS2, DORA, and the Data Act, the proposed Cloud and AI Development Act (CADA) does not replace these frameworks but adds a distinct, mandatory layer focused on sovereignty and public procurement eligibility. While NIS2 mandates technical cybersecurity, DORA enforces financial-sector operational resilience, and the Data Act governs switching and interoperability, CADA introduces a tiered "Union assurance" system (Levels 1 to 4) that determines whether your services can be procured by EU public authorities. Crucially, under CADA, you must actively seek formal recognition via national competent authorities to access critical public sector contracts. This recognition process (self-assessment for Level 1, with automatic recognition for SMEs, and independent third-party audits with a "positive" opinion for Levels 2 to 4) makes sovereignty compliance the new primary differentiator for EU market access.
Detail
The regulatory landscape for cloud providers in the EU is evolving from a fragmented set of sectoral and technical obligations into a unified ecosystem approach. As proposed in COM(2026) 502 final, CADA is designed to work in conjunction with existing laws rather than in isolation. For a provider already navigating NIS2, DORA, and the Data Act, understanding the distinct duties and the additive nature of CADA is critical for strategic planning.
1. The Baseline: NIS2, DORA, and the Data Act
To understand CADA's value add, one must first delineate the scope of the existing regimes, which CADA explicitly complements:
- NIS2 (Directive (EU) 2022/2555): This directive focuses on cybersecurity risk management. It imposes obligations on essential and important entities to implement appropriate technical and organizational cybersecurity measures. For cloud providers, this means maintaining robust security postures, reporting incidents, and managing supply chain risks. However, as the CADA explanatory memorandum notes, NIS2 "is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." It does not address data localization requirements or third-country control risks in the context of public order.
- DORA (Regulation (EU) 2022/2554): This regulation targets operational resilience specifically within the financial sector. If your cloud services are used by critical financial entities, DORA requires you to undergo rigorous ICT risk management, incident response testing, and third-party risk oversight. DORA is sector-specific; it ensures that financial institutions can withstand disruptions. It does not, however, provide a framework for assessing the geopolitical or sovereignty risks associated with the cloud provider's ultimate control or data residency beyond the financial context.
- The Data Act (Regulation (EU) 2023/2854): This regulation focuses on data access, switching, and interoperability. It aims to reduce vendor lock-in by ensuring users can switch providers and that data is portable. While it creates a level playing field for competition, it does not actively promote the uptake of sovereign cloud services or address the strategic dependencies on non-EU providers. The CADA proposal explicitly states that the Data Act is an "enabler" for CADA, but it lacks the mechanisms to build a sovereign EU cloud sector.
2. The CADA Add-On: Sovereignty and Assurance Levels
CADA introduces a Union cloud computing sovereignty framework consisting of four assurance levels (Union assurance levels 1 to 4). This is where CADA diverges from the existing trio. While NIS2, DORA, and the Data Act regulate how you operate and what you protect, CADA regulates who can use your services and under what conditions of trust.
- Distinct Duties: CADA imposes obligations related to data localization, personnel citizenship, absence of third-country control, and specific software supply chain measures. These are not covered by NIS2 or DORA. For instance, while NIS2 requires you to secure data, CADA's higher assurance levels (2 to 4) may require that data never leaves the Union and that personnel involved in service provision are Union citizens.
- The New Differentiator: The core innovation of CADA is the recognition mechanism. Under Article 17, cloud computing service providers must submit an application for recognition to the national competent authority of their establishment. This is not a self-declaration for Levels 2 to 4; it requires independent third-party audits and formal recognition by national authorities. This recognition is the "passport" that allows public sector bodies to procure your services.
3. How the Four Regimes Stack: Distinct Duties Apply Simultaneously
For a large cloud provider, these four regimes apply simultaneously but address different risk dimensions. It is a common misconception that compliance with one implies compliance with the others.
- Technical Security (NIS2): You must maintain a high level of cybersecurity hygiene.
- Financial Resilience (DORA): If serving financial clients, you must demonstrate operational resilience and pass third-party assessments.
- Market Access & Portability (Data Act): You must enable switching and ensure interoperability to remain competitive.
- Sovereign Eligibility (CADA): You must achieve specific Union assurance levels to be eligible for public procurement.
The CADA proposal emphasizes that these measures are complementary. For example, certification under the Cybersecurity Act (linked to NIS2) can address technical criteria, but it is "not suited for addressing sovereignty concerns that go beyond these technical elements." Therefore, a provider can be NIS2-compliant and DORA-compliant but still fail to achieve Union assurance level 3 if they do not meet the stricter sovereignty criteria, such as restrictions on third-country control or data localization.
4. The Recognition Process: A Critical Distinction
The path to recognition varies significantly by assurance level, and providers must navigate these distinct procedures carefully:
- Union Assurance Level 1 (Baseline): This level relies on a conformity self-assessment by the provider, resulting in an EU statement of conformity under Article 19. However, the process is not uniform for all. Under Article 17(3), while most providers must submit an application to the national competent authority for recognition, SMEs benefit from a derogation: their EU statement of conformity is directly and automatically recognized in all Member States without the need for prior recognition by the evaluating national competent authority. This is a key feature that lets smaller providers enter the market quickly.
- Union Assurance Levels 2, 3, and 4 (High Sovereignty): These levels require independent third-party audits. Under Article 20, providers must undergo audits to obtain an audit report and, crucially, a "positive" audit opinion. A negative opinion or a report with limitations prevents recognition. The audit must verify compliance with cumulative criteria in Annex II, including infrastructure location, personnel citizenship, and absence of third-country control.
- Level 3 Specifics: For Level 3, personnel must be Union citizens. While Annex II, Section 3.1(d) states personnel must be Union citizens "and where appropriate, the personnel must also have the necessary national security clearance," the citizenship requirement itself is a core criterion for this tier.
- Third-Country Derogation: A critical nuance exists for providers subject to third-country control. Annex II, Section 3.1(g) allows for a derogation for Level 3 recognition if the Commission has adopted an implementing act under Article 18 identifying the third country as providing sufficient assurances. This is the correct legal basis; the draft text does not contain an inconsistency referring to Article 19 for this specific derogation.
5. The Procurement Implication
The most significant impact of CADA for providers is on public procurement. Under Article 30, contracting authorities must procure cloud computing services that have been recognized as offering at least Union assurance level 1. For activities contributing to the preservation of public order (e.g., national security, defense, justice), authorities must only procure services recognized as offering Union assurance levels 2, 3, or 4.
This creates a direct financial incentive for providers to pursue CADA recognition. Without it, you are effectively barred from a significant portion of the EU public sector market, regardless of your NIS2 or DORA compliance. The recognition process under Article 17 involves a rigorous evaluation by the national competent authority of establishment, including a review period where other Member States can raise objections. This creates a harmonized EU-wide trust signal that NIS2 and DORA do not provide.
Furthermore, the Commission is empowered under Article 20(9) to adopt delegated acts to supplement the Regulation by laying down detailed rules on the performance of audits, procedural steps, and templates. This ensures that the "rigorous evaluation" mentioned in the proposal is standardized across the Union.
What this means for you
For cloud service providers and data center operators, the convergence of these four regulations requires a strategic shift in compliance management.
- Integrate Sovereignty into Your Compliance Stack: Do not treat CADA as a separate project. Integrate sovereignty assessments into your existing NIS2 and DORA risk management frameworks. For example, when mapping data flows for DORA, simultaneously assess them against CADA's data localization requirements for different assurance levels.
- Prepare for Recognition Applications: Start preparing for the Article 17 recognition process.
  - For SMEs: Ensure your self-assessment under Article 19 is robust, as your recognition will be automatic.
  - For Larger Providers: Engage auditing organizations early. Remember that for Levels 2 to 4, you must secure a "positive" audit opinion; a negative opinion halts the process.
  - For Level 3/4: Review your personnel policies. Ensure you can demonstrate that personnel are Union citizens and, where appropriate, hold the necessary security clearances.
- Differentiate Your Offerings: Use CADA assurance levels as a market differentiator. Public sector buyers will increasingly require specific assurance levels. Being able to demonstrate that your service is recognized at Level 3 or 4 will give you a competitive edge over providers who only meet technical cybersecurity standards.
- Monitor National Competent Authority Designations: Under Article 25, Member States must designate national competent authorities. Identify the authority in your country of establishment and engage with them early. They will be the gatekeepers for your recognition status.
- Review Subcontractor Chains: CADA's higher assurance levels impose strict requirements on subcontractors, including their establishment location and data access rights. Audit your supply chain not just for cybersecurity (NIS2) but for sovereignty (CADA). A subcontractor located outside the EU may be acceptable under NIS2 but disqualify you from Union assurance level 2 or higher.
Common misconceptions
- "NIS2 compliance is enough for sovereignty."
- Correction: NIS2 addresses technical cybersecurity. CADA addresses sovereignty, which includes data localization, personnel citizenship, and freedom from third-country control. A provider can be fully NIS2-compliant but fail to meet CADA's sovereignty criteria for higher assurance levels.
- "DORA covers all critical infrastructure risks."
- Correction: DORA is limited to the financial sector. CADA applies to a broader range of public sector activities, including healthcare, justice, and national security. Furthermore, DORA focuses on operational resilience, not the geopolitical risks of data access by third countries.
- "The Data Act replaces the need for sovereign cloud strategies."
- Correction: The Data Act facilitates switching between providers but does not ensure that the providers themselves are sovereign or trusted. CADA builds the "road" towards a sovereign EU cloud sector by creating the trust framework that the Data Act's switching mechanisms rely on.
- "Recognition is automatic if I am NIS2-compliant."
- Correction: Recognition under Article 17 is a separate administrative process. It requires submitting specific evidence, undergoing audits (for Levels 2 to 4), and receiving a decision from the national competent authority. It is not a derivative of NIS2 certification.
- "All Level 1 providers must go through a formal authority review."
- Correction: While most providers must apply for recognition, SMEs benefit from a specific derogation under Article 17(3) where their self-assessment is automatically recognized across the Union without prior authority intervention.
Official sources
Related
- CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
- Why does CADA call the Data Act an 'enabler'?
- CADA, NIS2 & DORA: Overlaps on Critical Cloud Dependencies
- CADA Sovereignty vs NIS2/DORA Resilience: What's the Difference?
- CADA vs NIS2: What Data Centre Operators Must Know
This is general information about a draft EU regulation, not legal advice.