Summary

Under the proposed Cloud and AI Development Act (CADA), insurance companies classified as entities of high criticality under the NIS2 Directive are not strictly mandated to conduct sovereignty risk assessments, but they are explicitly permitted to carry out impact assessments similar to those required of public sector bodies. As proposed, Article 31 of CADA allows these regulated insurers to voluntarily assess their cloud dependencies and adopt mitigation measures to protect against third-country risks. While CADA does not impose direct procurement bans on private insurers, it establishes a sovereignty framework that will likely influence market standards, encouraging the adoption of cloud services recognised at higher Union assurance levels to ensure operational resilience and data confidentiality.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is a legislative instrument designed to strengthen Europe's cloud and AI ecosystem by reducing dependence on non-European providers and ensuring the security of critical digital infrastructure. For insurance companies, the impact of CADA is primarily indirect but significant, mediated through their existing regulatory obligations under the NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA).

The Role of Article 31: Voluntary Impact Assessments for Critical Entities

The most direct provision in CADA affecting insurance companies is Article 31, titled "Impact assessments." This article addresses private sector entities that are not public sector bodies but are referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive), i.e. entities in the sectors of high criticality. Insurance undertakings are treated here as entities of high criticality, placing them within the scope of Article 31. One check is worth making before relying on that scoping: the financial sectors that NIS2 Annex I names are banking and financial market infrastructures, while insurers are regulated as financial entities under DORA, which NIS2 treats as a sector-specific act for those entities. How exactly Article 31's cross-reference captures a given insurer should therefore be confirmed against the final text and the relevant national transposition.

As proposed, Article 31(1) states that these entities "may carry out similar assessments as those set out in Article 29." Article 29 requires Member States and Union entities to conduct risk assessments to determine the required level of conformity against Union assurance levels for public sector activities. By extension, Article 31 allows insurance companies to voluntarily conduct impact assessments to evaluate their reliance on cloud computing services and identify potential sovereignty risks.

Article 31(2) further empowers the Commission to issue guidance on the methodology for carrying out these impact assessments and possible mitigation measures for private sector entities operating in sectors of high criticality. Additionally, Article 31(3) grants the Commission the power to adopt delegated acts to supplement the Regulation, specifying the need for such impact assessments and the risk mitigation measures these entities must take, if the Commission concludes that specific circumstances require it. This creates a flexible framework where the EU can mandate stricter assessment requirements for insurers in the future if systemic risks are identified.

Intersection with NIS2 and DORA

To understand CADA's impact on insurers, one must view it alongside existing financial and cybersecurity regulations. The NIS2 Directive imposes strict cybersecurity risk management obligations on insurance entities, requiring them to implement appropriate technical and organizational measures to manage risks arising from threats to the security of network and information systems. CADA complements this by focusing on the sovereignty and supply chain risks of the cloud services that underpin these systems.

Similarly, the Digital Operational Resilience Act (DORA) governs how financial entities, including insurers, manage ICT third-party risk, which covers their use of cloud computing service providers. DORA requires financial entities to conduct due diligence on their cloud providers, to maintain contractual safeguards such as audit and exit rights, and to manage ICT risk throughout the life of the arrangement. CADA adds a layer of sovereignty scrutiny to this due diligence. While DORA focuses on operational resilience and technical cybersecurity, CADA's sovereignty framework addresses the risk of extraterritorial access by third-country governments and the potential for service disruption due to geopolitical factors.

Sovereign Cloud Assurance Expectations

Although CADA does not impose a blanket obligation on private insurers to procure only from sovereign cloud providers, the regulation establishes a "Union cloud computing sovereignty framework" with four assurance levels (Article 16). Public sector bodies are required to procure services meeting specific assurance levels based on risk assessments. This creates a powerful market signal. As public sector demand shifts toward providers recognised at Union Assurance Levels 2, 3, or 4, the market for cloud services will increasingly favor providers who can demonstrate compliance with these rigorous sovereignty criteria.

Insurance companies, particularly those handling sensitive personal data and critical financial infrastructure, may face pressure from regulators, clients, and partners to adopt cloud services that meet these higher assurance standards. The criteria for these levels, set out in Annex II of CADA, include requirements such as:

  • Data Localisation: Customer data must remain exclusively within the Union (unless explicitly required otherwise).
  • Personnel: For higher levels, personnel involved in the provision of the service must be Union citizens.
  • Third-Country Control: The provider must not be subject to control by a third country or a legal entity established in a third country (with specific derogations possible for Level 3 under Article 18).
  • Cybersecurity Certification: Providers must obtain a European cybersecurity certificate of at least assurance level 'substantial' (for Levels 2 and 3) or 'high' (for Level 4).

What this means for you

For in-house counsel and compliance officers at insurance companies, CADA introduces a new dimension to cloud governance and vendor risk management.

1. Evaluate the Option for Voluntary Impact Assessments

Under Article 31, you have the option to conduct impact assessments similar to those performed by public authorities. While not currently mandatory, conducting these assessments proactively can demonstrate robust governance and prepare your organization for potential future delegated acts that may make such assessments compulsory. These assessments should evaluate the sensitivity of data processed in the cloud, the criticality of the services, and the risks associated with third-country access or service disruption.

2. Review Cloud Vendor Due Diligence Processes

Integrate CADA's sovereignty criteria into the due diligence frameworks you already operate under DORA and NIS2. When evaluating cloud providers, consider their status within the CADA framework. Are they seeking, or have they achieved, recognition at a specific Union assurance level? Does the provider offer transparency regarding subcontractors, data localisation, and third-country control? The Article 31(2) guidance from the Commission will be a key resource for standardising these checks.

3. Monitor Commission Guidance and Delegated Acts

The Commission is empowered under Article 31(3) to specify requirements for impact assessments and risk mitigation measures for entities in sectors of high criticality. Compliance teams should monitor the publication of any delegated acts or guidance documents that may tighten these requirements. Adopting the methodologies set out in future guidance early should make compliance smoother.

4. Prepare for Market Shifts

As the public sector increasingly procures from providers recognised at higher Union assurance levels, the pool of compliant vendors may narrow. Insurance companies should assess their current cloud contracts for exit clauses and migration plans to ensure they can switch to providers that meet emerging sovereignty standards if necessary. The EuroCloud Federation (established under Article 34) may also offer new avenues for sharing capacity among public and private entities in the future.

5. Engage with Regulatory Bodies

Stay informed about how national competent authorities and sectoral regulators (such as EIOPA) interpret the interplay between CADA, NIS2, and DORA. National authorities may provide specific guidance on how insurance companies should conduct the optional impact assessments under Article 31.

Common misconceptions

Misconception 1: CADA mandates insurance companies to use only European cloud providers. This is incorrect. CADA imposes mandatory procurement rules on public sector bodies and Union entities (Article 30). For private sector entities like insurance companies, Article 31 provides an option to carry out impact assessments but does not mandate the use of specific assurance levels. However, market forces and regulatory expectations may drive this choice.

Misconception 2: CADA replaces DORA or NIS2 for insurance companies. CADA does not replace existing regulations. It complements them by addressing sovereignty and supply chain risks that are not fully covered by the technical cybersecurity focus of NIS2 or the operational resilience focus of DORA. Insurance companies must comply with all three frameworks simultaneously.

Misconception 3: Impact assessments under Article 31 are mandatory for all insurers. Currently, Article 31(1) states that entities "may" carry out similar assessments. While the Commission can mandate these assessments via delegated acts under Article 31(3) if it determines that specific circumstances require it, there is no immediate blanket obligation for all insurance companies to conduct them. However, given the critical nature of the insurance sector, this could change.

Misconception 4: CADA's sovereignty framework is only for government agencies. While the mandatory procurement rules target the public sector, the sovereignty framework and assurance levels are designed to create a trusted market standard. Private sector entities, including insurers, are expected to benefit from the increased transparency and trustworthiness of providers who achieve recognition under this framework.

This is general information about a draft EU regulation, not legal advice.