Summary

For fintechs operating on cloud infrastructure, the proposed Cloud and AI Development Act (CADA) creates a new sovereignty layer atop the existing resilience and data-sharing frameworks of DORA and FIDA. While the Digital Operational Resilience Act (DORA) mandates technical cybersecurity and the Financial Information Data Access Act (FIDA) governs fair data access, CADA addresses the geopolitical risk of third-country control over cloud providers. Crucially, while CADA's mandatory procurement rules apply to public bodies, Article 31 explicitly enables private entities in high-criticality sectors, such as finance, to conduct voluntary impact assessments. A fintech may therefore face a "triple burden": ensuring technical resilience (DORA), enabling data portability (FIDA), and demonstrating that its cloud infrastructure is free from third-country interference (CADA), particularly if it serves public-sector clients or handles critical financial data.

Detail

The regulatory environment for financial technology in the European Union is evolving from a focus on technical security and market access to a comprehensive framework that includes strategic autonomy. Fintechs must now navigate the intersection of three distinct legislative instruments, each governing a different layer of the digital stack.

DORA: The Resilience Baseline

The Digital Operational Resilience Act (DORA) establishes the foundational requirements for digital operational resilience in the financial sector. It mandates that financial entities, including fintechs, implement robust ICT risk management frameworks, conduct regular testing, and manage third-party risks effectively. DORA focuses heavily on technical cybersecurity, incident reporting, and the operational continuity of financial services.

For cloud service providers, DORA imposes specific obligations if they are designated as critical third-party providers to the financial sector. It ensures that the financial sector can withstand cyber-attacks, operational disruptions, and ICT-related incidents. However, DORA's scope is primarily technical and operational. It addresses how systems function and recover but does not explicitly address the geopolitical or sovereignty risks associated with the jurisdictional control of cloud providers. A provider can be fully DORA-compliant regarding its incident response and backup systems while still being subject to the extraterritorial laws of a third country.

FIDA: Data Access and Sharing

The Financial Information Data Access Act (FIDA) complements this by governing how financial data is accessed and shared. It aims to create a single market for financial data services, ensuring that customers can share their data with third-party providers securely. FIDA focuses on data portability, consent mechanisms, and the technical standards for secure data exchange.

For fintechs, FIDA is crucial for business models based on open banking, data aggregation, and personalized financial advice. It ensures that data flows are legally sound and technically secure. Like DORA, FIDA focuses on the content and flow of data rather than the sovereignty of the infrastructure hosting it. It does not deeply address whether the underlying cloud infrastructure is controlled by a third country or whether the provider is subject to foreign laws that could compromise data confidentiality.

CADA: The Sovereignty Layer

The proposed Cloud and AI Development Act (CADA) addresses the gaps left by DORA and FIDA regarding technological sovereignty. As proposed in COM(2026) 502 final, CADA establishes a "Union cloud computing sovereignty framework" to mitigate risks stemming from dependence on third-country cloud providers. This is particularly relevant for fintechs because financial data is sensitive, and the financial sector is critical to public order.

CADA introduces a four-tier "Union assurance level" system for cloud services. While these levels are primarily mandatory for public sector procurement, CADA extends its reach to the private sector through specific provisions, creating a voluntary but strategic compliance path for high-criticality entities.

Article 29: Risk Assessments for Public Sector

Article 29 of CADA obliges Member States and Union entities to conduct risk assessments to determine which public sector activities require higher levels of cloud sovereignty. If a fintech provides services to public authorities or processes data that intersects with public order (such as in critical infrastructure, law enforcement support, or tax administration), the cloud services used may need to meet Union assurance levels 2, 3, or 4.

This creates a "downstream" effect for fintechs. Even if a fintech is a private entity, its cloud infrastructure choices may be constrained by the sovereignty requirements of its public-sector clients. If a public body identifies an activity as contributing to the preservation of public order, it must procure only cloud services recognised at Union assurance level 2, 3, or 4. Consequently, fintechs serving these bodies must ensure their providers meet these higher assurance levels.

Article 31: Voluntary Assessments for Private Entities

Crucially for fintechs, Article 31 of CADA allows private sector entities, specifically those listed in Annex I of the NIS2 Directive (which includes financial market infrastructures and certain financial institutions), to carry out "similar assessments" to those required for the public sector.

This is a voluntary mechanism, but it is designed to help private entities in high-criticality sectors manage their own sovereignty risks. By conducting an impact assessment under Article 31, a fintech can proactively evaluate its exposure to third-country control over its cloud services. This assessment can help identify vulnerabilities related to data access, service disruption, or political coercion by third countries.

The Commission is empowered to issue guidance on the methodology for these impact assessments. Furthermore, under Article 31(3), where specific circumstances arise, the Commission may adopt delegated acts to require such impact assessments and risk mitigation measures for private entities operating in sectors of high criticality. This means that while currently voluntary for many, the requirement could become mandatory for specific fintech sub-sectors in the future.

The Intersection for Fintechs

A fintech operating on cloud infrastructure faces a convergence of these rules. DORA requires the fintech to ensure its cloud provider is resilient and secure. FIDA requires that any data shared via the cloud be shared securely and with the customer's proper consent. CADA adds the requirement that the cloud provider's jurisdictional control and sovereignty profile be assessed.

If a fintech uses a cloud provider controlled by a third country, it may face higher risks under CADA's framework. This could require mitigation measures or migration to a provider with a higher Union assurance level, especially if the fintech interacts with public sector data or is deemed high-criticality under NIS2. The combination creates a scenario where a fintech must not only prove its systems are secure (DORA) and its data flows are compliant (FIDA) but also that its infrastructure is sovereign (CADA).

What this means for you

As a cloud service provider, data centre operator, or fintech relying on cloud infrastructure, you must prepare for a regulatory environment where technical resilience (DORA) and data access (FIDA) are no longer sufficient; sovereignty (CADA) is becoming a key procurement and compliance criterion.

1. Prepare for Sovereignty Assessments

Fintechs, particularly those classified as high-criticality under NIS2, may use Article 31 of CADA to conduct voluntary impact assessments. They will evaluate your service's exposure to third-country control. Ensure your documentation is ready to demonstrate compliance with Union assurance levels. This includes detailed evidence on:

  • Data Localisation: Proof that customer data remains exclusively within the Union.
  • Personnel: Evidence that personnel involved in the provision of the service are Union citizens (mandatory for levels 3 and 4) or that screening requirements can be met.
  • Third-Country Control: Documentation demonstrating the absence of third-country control over your infrastructure, assets, and software supply chain.

2. Understand Your Client's Public Sector Exposure

If your fintech clients serve public authorities, their cloud services may need to meet higher Union assurance levels due to Article 29 risk assessments. You should be able to provide evidence of your sovereignty level (e.g., Union assurance level 1, 2, 3, or 4) to help your clients comply with their procurement obligations. If your client is a public body procuring for public-order-relevant activities, they must procure services recognised at levels 2, 3, or 4.

3. Enhance Transparency and Audit Readiness

CADA requires independent audits for Union assurance levels 2, 3, and 4. Ensure your internal controls, subcontractor oversight, and software supply chain management are audit-ready. Fintechs will increasingly demand proof of sovereignty as part of their DORA third-party risk management processes. The audit report must include a "positive" opinion from an independent auditing organisation to be recognised.

4. Monitor Commission Guidance

The Commission is empowered to issue guidance on Article 31 impact assessments and may eventually require them for certain private entities. Stay informed about these developments to advise your fintech clients proactively. The Commission may also adopt delegated acts specifying the need for such assessments for private entities in sectors of high criticality, which could include specific fintech sub-sectors.

Common misconceptions

"CADA only applies to the public sector." While mandatory procurement rules in CADA target public authorities, Article 31 explicitly allows private entities in high-criticality sectors (including finance) to conduct voluntary sovereignty assessments. Furthermore, the Commission can require such assessments for private entities in specific circumstances via delegated acts. Fintechs should not ignore CADA.

"DORA covers all cloud risks for fintechs." DORA focuses on technical cybersecurity and operational resilience. It does not address the geopolitical risks of third-country control over cloud infrastructure, which is the core focus of CADA. A cloud provider can be DORA-compliant regarding incident response and backup systems but still pose sovereignty risks under CADA if it is subject to the control of a third country.

"FIDA and CADA are redundant." FIDA governs the access and sharing of financial data, focusing on consumer rights, consent, and data portability. CADA governs the sovereignty and trustworthiness of the cloud infrastructure hosting that data. They address different layers of the stack and must be complied with simultaneously. FIDA ensures the data can be shared; CADA ensures the infrastructure is sovereign.

"Voluntary assessments under Article 31 are optional and irrelevant." While currently voluntary for most private entities, these assessments are a key tool for fintechs to manage their own risk profiles. As regulatory pressure increases, having a documented sovereignty assessment may become a competitive advantage or a de facto requirement for doing business with other regulated entities. Moreover, the Commission has the power to make these mandatory for specific high-criticality sectors.

"CADA replaces DORA." No. CADA complements DORA. DORA ensures the system works and recovers; CADA ensures the system is not controlled by a foreign power. A fintech must comply with both.

This is general information about a draft EU regulation, not legal advice.