Summary

The proposed Cloud and AI Development Act (CADA) does not replace the Digital Operational Resilience Act (DORA) for financial entities; instead, it overlays a distinct sovereignty and public-order framework onto existing ICT risk management duties. While banks must continue to fulfill DORA obligations regarding third-party risk registers and operational resilience, CADA introduces a tiered procurement regime based on "Union assurance levels." Public financial bodies (e.g., central banks) will face mandatory risk assessments under Article 29 and strict procurement mandates under Article 30. Private banks, while not subject to mandatory procurement tiers, are encouraged to conduct voluntary impact assessments under Article 31 to mitigate geopolitical and sovereignty risks that DORA does not cover.

Detail

To navigate the intersection of CADA and DORA, financial institutions must distinguish between the operational resilience required by DORA and the strategic sovereignty required by CADA. DORA (Regulation (EU) 2022/2554) focuses on ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions. It mandates rigorous third-party risk management, incident reporting, and testing. CADA, as proposed in COM(2026) 502 final, addresses a different gap: the EU's dependence on non-European cloud providers and the need to safeguard public order through sovereign infrastructure.

The Public Sector Mandate: Articles 29 and 30

For public financial bodies, such as central banks, public development banks, or Union entities, CADA imposes strict, mandatory obligations that go beyond DORA's technical requirements.

Under Article 29, Member States and Union entities must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. The text explicitly includes sectors falling under the NIS2 Directive (which covers the financial sector) and areas such as national security, defense, and justice. These assessments must be conducted by [date of entry into force plus 1 year] and updated every two years. The assessment evaluates the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries or service disruption.

If a risk assessment under Article 29 determines that a public financial entity's activities are critical to public order, Article 30(3) triggers a mandatory procurement obligation. Such entities must procure only cloud computing services recognized as offering Union assurance levels 2, 3, or 4. These levels, defined in Annex II, require stringent criteria including:

  • Data Localization: Customer data must remain exclusively within the Union.
  • Personnel: For levels 3 and 4, personnel involved in service provision must be Union citizens (conditional at Level 2 if the public body requires it).
  • Third-Country Control: Providers must not be subject to control by a third country that could compromise service continuity or data access, unless a specific derogation is granted by the Commission.

Conversely, Article 30(2) establishes Union assurance level 1 as the minimum baseline for all public sector procurement where no public order relevance is identified. This level requires establishment in the Union and data localization but does not mandate the higher cybersecurity certification or personnel citizenship requirements of the upper tiers.

The Private Sector Approach: Article 31

For private banks and financial entities that are not public sector bodies, CADA adopts a more flexible, voluntary approach, though with a mechanism for future escalation.

Article 31(1) explicitly allows entities within the meaning of the NIS2 Directive (which includes most significant financial institutions) to carry out impact assessments similar to those required for public bodies. While these are not currently mandatory for private entities, Article 31(2) empowers the Commission to issue guidance on the methodology for these assessments and potential mitigation measures.

Crucially, Article 31(3) provides a "safety valve" for the Commission. If specific circumstances arise where the Commission concludes that entities in sectors of high criticality (potentially including systemic private banks) require an impact assessment, it may adopt delegated acts to supplement the Regulation. These acts would specify the need for such assessments and the mandatory risk mitigation measures those entities must take. This means private banks must monitor for potential delegated acts that could transform voluntary assessments into binding requirements.

The Dual-Compliance Reality

The overlap creates a dual-compliance landscape. A cloud provider might be fully compliant with DORA's operational resilience standards (e.g., robust incident response, high availability) but fail to meet CADA's sovereignty criteria (e.g., subject to extraterritorial third-country laws or lacking Union citizen personnel).

For a public financial body, DORA compliance is necessary but insufficient; it must also secure a provider with the appropriate Union assurance level. For a private bank, while DORA remains the primary regulatory driver, ignoring CADA's sovereignty framework could expose the institution to geopolitical risks, supply chain disruptions, or future regulatory mandates under Article 31(3).

What this means for you

For Chief Risk Officers, Procurement Heads, and Compliance Teams in the financial sector, the interaction between CADA and DORA requires a strategic shift in vendor management.

1. Map Your Entity Status and Obligations

First, determine if your institution is classified as a "public sector body" or a "Union entity" under CADA.

  • If Public: You are subject to Article 29. You must conduct a risk assessment within one year of CADA's entry into force and every two years thereafter. Based on this assessment, you must procure only from providers recognized at Union assurance level 1 (baseline) or levels 2–4 (if public order relevance is identified).
  • If Private: You are currently under Article 31. You are not mandated to procure at specific levels, but you should conduct voluntary impact assessments to align with the Commission's future guidance and prepare for potential delegated acts.

2. Separate DORA and CADA Due Diligence

Do not conflate DORA's third-party risk management with CADA's sovereignty checks.

  • DORA Check: Focus on operational resilience, incident response capabilities, exit strategies, and financial stability of the provider.
  • CADA Check: Focus on Annex II criteria. Ask: Where is the infrastructure located? Who are the personnel (citizenship)? Is the provider subject to third-country control? Can they guarantee data never leaves the Union?
  • Action: Update your vendor questionnaires to include specific CADA assurance level questions. Request the provider's EU statement of conformity (for Level 1) or their audit report and positive audit opinion (for Levels 2–4) from an independent auditing organization.

3. Prepare for Tiered Procurement

If your institution is a public body, your procurement strategy must be tiered.

  • Baseline: For non-critical administrative functions, Union assurance level 1 is the minimum.
  • Critical Functions: For core banking operations, payment systems, or data processing relevant to public order, you must target levels 2, 3, or 4.
  • Verification: Ensure your contracts include clauses requiring the provider to maintain their recognized status and notify you immediately of any material changes that could affect their assurance level (as required by Article 23).

4. Monitor for Delegated Acts (Private Banks)

Private banks must stay alert to Article 31(3). The Commission may adopt delegated acts if it deems certain private entities in high-criticality sectors require mandatory impact assessments.

  • Strategy: Proactively conduct voluntary assessments now using the methodology expected under Article 31(2) guidance. This positions you ahead of any future binding requirements and demonstrates to regulators that you are managing sovereignty risks alongside operational risks.

5. Leverage the "Union Added Value" in Procurement

Under Article 32, contracting authorities (including public financial bodies) must include non-price award criteria that evaluate a tenderer's contribution to the European cloud and AI ecosystem. This includes using hardware designed in the Union or integrating Union technologies. Private banks participating in joint procurement or public-private partnerships should also consider these criteria to align with the broader EU strategy.

Common misconceptions

"CADA replaces DORA for financial entities." No. DORA and CADA are complementary. DORA ensures you can recover from a cyberattack or outage; CADA ensures the cloud infrastructure itself is not subject to foreign interference that could cause such an outage or data breach. You must comply with both.

"Private banks are completely exempt from CADA." Not entirely. While private banks are not subject to the mandatory procurement tiers of Article 30, they are covered by Article 31. They can (and should) conduct voluntary assessments, and the Commission retains the power to mandate assessments via delegated acts under Article 31(3) for sectors of high criticality.

"Union assurance level 1 is enough for all cloud services." Incorrect. Article 30(2) sets Level 1 as the baseline for public entities without public order relevance. However, if a risk assessment under Article 29 identifies an activity as critical to public order (e.g., core payment infrastructure), Article 30(3) mandates procurement at levels 2, 3, or 4. Assuming Level 1 is sufficient for all services could lead to non-compliance for critical functions.

"CADA only applies to EU-based providers." CADA aims to reduce dependency on non-EU providers, but it does not ban them. A provider subject to third-country control can still qualify for Union assurance level 3 if the Commission has adopted an implementing act under Article 18 (Associated third countries) confirming that the third country provides sufficient safeguards. However, the criteria are stringent, and the burden of proof lies with the provider.

"The AI Act covers the same ground as CADA." No. The AI Act (Regulation (EU) 2024/1689) regulates the AI systems themselves (safety, fundamental rights). CADA regulates the cloud infrastructure beneath them (sovereignty, data location, provider control). As the CADA explanatory memorandum states, the AI Act "does not cover aspects of sovereignty."

This is general information about a draft EU regulation, not legal advice.