Summary
As proposed, the Cloud and AI Development Act (CADA) extends its sovereignty framework to private sector entities operating critical infrastructure, explicitly including water and waste utility operators listed in Annex I of the NIS2 Directive. Under Article 31, these entities are permitted, but not currently mandated, to conduct impact assessments mirroring the public sector's risk assessments to determine appropriate "Union assurance levels" for their cloud services. This voluntary mechanism allows utilities to proactively mitigate risks of third-country data access and service disruption. While immediate migration is not required, the proposal empowers the Commission to potentially mandate these assessments via delegated acts if specific criticality thresholds are met, making early preparation essential for operators of essential services.
Detail
The Cloud and AI Development Act (CADA), proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (1 to 4). While the mandatory procurement obligations in Article 30 strictly bind public sector bodies and Union entities, the proposal explicitly acknowledges the critical role of the private sector in maintaining the Union's resilience.
Water supply and waste management utilities are classified as "essential entities" under Annex I of the Directive on the security of network and information systems (NIS2 Directive). Consequently, they fall squarely within the scope of CADA's private-sector provisions, specifically Article 31.
Article 31: The Voluntary Impact Assessment Mechanism
Article 31 of the CADA proposal is the primary instrument governing private sector engagement with the sovereignty framework. It targets "entities referred to in Annex I of Directive (EU) 2022/2555 [NIS2] who are not public sector bodies." This definition encompasses water and waste utility operators.
The core provision, Article 31(1), states that these entities "may carry out similar assessments as those set out in Article 29." This is a critical distinction:
- Public Sector (Article 29): Mandatory risk assessments to determine if activities contribute to "public order," triggering binding procurement rules under Article 30.
- Private Sector (Article 31): Voluntary impact assessments. The use of "may" indicates that water and waste operators are not currently legally required to perform these assessments or to procure only at specific assurance levels.
However, the "similar assessments" reference is substantive. If a utility chooses to conduct an assessment, it must evaluate:
- Data Sensitivity: The sensitivity, criticality, and magnitude of personal and non-personal data processed.
- Third-Country Risks: The risk of unlawful access by a third country or legal entity established in a third country.
- Service Continuity: The risk of service disruption and its potential impact on public order.
Critical Infrastructure Framing and the "High Criticality" Trigger
The inclusion of water and waste utilities is not accidental; it is framed around the concept of "high criticality." The proposal's explanatory memorandum links CADA to the Preparedness Union Strategy, which identifies dependence on critical digital infrastructure as a systemic risk. Water and waste management are foundational to public health and safety; a disruption caused by a third-country actor (e.g., via a cyberattack or extraterritorial legal order) could undermine public order.
Article 31(3) introduces a potential escalation mechanism. It empowers the Commission to adopt delegated acts to supplement the Regulation if it concludes, "in consultation with the Member States," that entities operating in sectors of high criticality require such impact assessments.
- This means that while the current text is voluntary, the Commission retains the power to make these assessments mandatory for specific high-criticality sub-sectors (potentially including water utilities) if it deems the risk profile sufficient.
- The Commission may also specify "risk mitigation measures" that these entities must take.
Assurance-Level Expectations for Utilities
Although Article 31 does not impose a mandatory procurement floor like Article 30, the "impact assessment" is designed to align private operators with the Union assurance levels defined in Annex II.
If a water utility conducts an assessment under Article 31, it will likely conclude that its operations, given their critical nature, warrant higher assurance levels than the baseline (Level 1).
- Level 1: Requires establishment in the Union and data remaining in the Union. This is the baseline for all public procurement but may be insufficient for critical infrastructure.
- Levels 2 to 4: Introduce stricter criteria, including:
- Personnel: For Levels 3 and 4, personnel involved in the service must be Union citizens (conditional at Level 2 if the public body requires it).
- Third-Country Control: Levels 3 and 4 generally prohibit control by third countries, unless a specific derogation under Article 18 is granted.
- Cybersecurity: Level 2 requires a "substantial" cybersecurity certificate; Level 4 requires a "high" certificate.
- AI Training: Data generated by the service cannot be used to train AI models operated by third countries.
For water utilities, the expectation is that a robust impact assessment would identify the need for at least Level 2 or Level 3 assurance to mitigate the risk of service disruption or unauthorized data access, even if not strictly mandated by the current text.
What this means for you
For legal counsel, compliance officers, and CTOs at water and waste utility operators, the CADA proposal signals a convergence of cybersecurity (NIS2) and sovereignty (CADA) requirements. Here is your strategic roadmap:
1. Conduct a Voluntary "Article 31" Assessment Now
Do not wait for a delegated act to make this mandatory. Proactively conduct an impact assessment similar to Article 29.
- Map Data Flows: Identify where operational data (e.g., SCADA system logs, customer billing data) resides.
- Assess Provider Control: Determine if your cloud provider is subject to control by a third country (e.g., US-based hyperscalers).
- Evaluate Risks: Document the potential impact of service disruption on public order. This documentation will be vital if the Commission later mandates these assessments.
2. Monitor Commission Guidance and Delegated Acts
Article 31(2) mandates that the Commission issue guidance on the methodology for these assessments.
- Action: Subscribe to Commission updates regarding CADA implementation.
- Action: Prepare to adopt the Commission's methodology once published. Early alignment demonstrates due diligence and reduces the risk of future non-compliance if the rules become mandatory.
3. Review Cloud Contracts for Sovereignty Clauses
Current contracts may lack provisions for the specific criteria in Annex II.
- Data Access: Ensure contracts explicitly prohibit third-country authorities from accessing data without your consent, addressing risks under laws like the US CLOUD Act.
- Audit Rights: Verify if you have the right to audit the software supply chain (SBOM) and source code, a requirement for higher assurance levels.
- Migration Plans: Check for clauses that facilitate migration to alternative providers if a third country imposes restrictions, a requirement for Levels 2 and 3.
4. Prepare for Potential Mandatory Migration
While Article 31 is currently voluntary, the "high criticality" framing suggests that water utilities are prime candidates for future mandatory requirements.
- Strategy: Begin evaluating "sovereign cloud" providers that can meet Union assurance levels 2 or 3.
- Strategy: Consider multi-cloud architectures to avoid single points of failure and to distribute risk across providers with different sovereignty profiles.
5. Engage with Industry Bodies
The Commission must consult Member States before adopting delegated acts under Article 31(3).
- Action: Participate in industry working groups to provide feedback on the feasibility of sovereignty requirements for water and waste management. Your input on the operational realities of critical infrastructure can shape the final delegated acts.
Common misconceptions
Misconception 1: "CADA does not apply to private water utilities." Correction: While CADA's mandatory procurement rules (Article 30) apply to public bodies, Article 31 explicitly targets private entities in Annex I of NIS2, which includes water and waste operators. The proposal creates a specific legal pathway for these entities to assess and mitigate sovereignty risks.
Misconception 2: "We are safe if we are NIS2 compliant." Correction: NIS2 focuses on technical cybersecurity risk management. CADA addresses sovereignty risks, such as the extraterritorial reach of third-country laws and the ownership structure of cloud providers. A provider can be NIS2-compliant but fail to meet CADA's Union assurance levels due to third-country control or data access laws.
Misconception 3: "We can ignore CADA until it becomes mandatory." Correction: The Commission has the power to adopt delegated acts under Article 31(3) to make assessments mandatory for "high criticality" sectors. Given the critical nature of water and waste management, these utilities are high-risk candidates for such a mandate. Waiting until the last minute could result in rushed migrations and service disruptions.
Misconception 4: "Data localization is enough for sovereignty." Correction: Union assurance levels 2, 3, and 4 require more than just data staying in the EU. They require restrictions on third-country control, specific personnel citizenship requirements, and bans on using customer data to train third-country AI models. Simply hosting data in an EU data center does not guarantee compliance with higher assurance levels.
This is general information about a draft EU regulation, not legal advice.