Summary
Under the proposed Cloud and AI Development Act (CADA), the European Commission has the authority to issue non-binding guidance on the methodology for impact assessments and potential risk mitigation measures. As proposed in Article 31(2), this guidance specifically targets private sector entities operating in sectors of high criticality, such as those listed in the NIS2 Directive. The guidance is designed to help these entities replicate the sovereignty risk assessments required of public bodies under Article 29, fostering a standardized approach to cloud sovereignty before any mandatory requirements are potentially imposed via delegated acts.
Detail
The Cloud and AI Development Act (CADA) establishes a comprehensive framework for cloud computing sovereignty, with strict mandatory obligations for public sector bodies and Union entities. However, the proposal recognizes that private sector entities operating in critical infrastructure sectors face analogous sovereignty and operational continuity risks. To bridge the gap between mandatory public sector rules and private sector best practices, CADA introduces a mechanism for voluntary impact assessments, supported by specific Commission guidance.
The Scope of Article 31
Article 31, titled "Impact assessments," applies to entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive) that are not public sector bodies. These include private operators in essential sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, and space.
While public sector bodies and Union entities are strictly required to conduct risk assessments under Article 29 to determine the appropriate Union Assurance Level (UAL) for their cloud services, private entities under Article 31 are not automatically subjected to the same mandatory regime. Instead, Article 31(1) states that these private entities "may carry out similar assessments as those set out in Article 29." This creates a voluntary pathway for private firms to evaluate their dependencies on third-country cloud providers and assess their exposure to extraterritorial legal risks, service disruption, and data access issues.
Commission Guidance on Methodology and Mitigation
To ensure that these voluntary assessments are robust, consistent, and aligned with the broader sovereignty objectives of the Regulation, Article 31(2) explicitly empowers the Commission to issue guidance. The text of the proposal states:
"The Commission may issue guidance on the methodology for carrying out the impact assessments under this Article and possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality."
This guidance serves several critical functions:
- Standardisation: It provides a common technical and strategic framework for private operators to map their cloud services against the sovereignty criteria defined in Annex II of CADA.
- Clarity: It helps private entities understand how to identify risks related to data access, service disruption, and third-country control, mirroring the rigor expected of public bodies.
- Preparation: It acts as a preparatory tool, allowing the market to adapt to new sovereignty standards and providing the Commission with data on industry practices.
Crucially, the guidance issued under Article 31(2) is non-binding. It provides methodology and mitigation recommendations but does not, in itself, impose legal obligations on private firms. It is an advisory instrument designed to facilitate voluntary compliance and standardise approaches to cloud sovereignty.
The Pathway to Mandatory Measures
The proposal includes a mechanism for escalation if voluntary measures prove insufficient. Article 31(3) outlines a potential shift from guidance to obligation. It states:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This structure indicates that the initial guidance under Article 31(2) is a foundational step. It allows the market to mature and provides the Commission with evidence of industry readiness. If specific circumstances arise, such as a sudden increase in third-country interference or a systemic risk to critical infrastructure, the Commission can use delegated acts to make impact assessments mandatory for specific high-criticality sectors, effectively transforming the voluntary guidance into binding requirements.
What this means for you
For cloud service providers, data centre operators, and private entities subject to the NIS2 Directive, the Commission's guidance on impact assessments under Article 31(2) is a critical signal of upcoming regulatory expectations.
- Prepare for Standardised Methodologies: Even though the assessments are currently voluntary, the Commission's guidance will likely define what constitutes a "compliant" or "robust" assessment. You should begin aligning your internal risk management processes with the methodology outlined in the guidance to ensure you are ready if these assessments become mandatory under Article 31(3).
- Document Mitigation Measures: The guidance will highlight specific mitigation measures for high-criticality sectors. Proactively implementing these measures, such as data localisation controls, independent auditing of supply chains, or contractual safeguards against third-country data access, will demonstrate due diligence and potentially exempt you from stricter future mandates.
- Competitive Advantage: Early adoption of the Commission's recommended impact assessment methodology can serve as a competitive differentiator. Public sector bodies, which are mandated to procure services meeting specific Union Assurance Levels (UALs), will increasingly prefer vendors who can demonstrate rigorous, guidance-aligned sovereignty assessments.
- Monitor for Delegated Acts: Keep a close watch on the Commission's adoption of delegated acts under Article 31(3). If the Commission determines that certain sectors require mandatory assessments, the guidance issued under Article 31(2) will likely form the basis of those mandatory requirements.
Common misconceptions
"Article 31 assessments are mandatory for all private cloud users." Incorrect. Article 31(1) states that NIS2 entities may carry out similar assessments. They are voluntary unless and until the Commission adopts delegated acts under Article 31(3) making them mandatory for specific high-criticality sectors.
"The Commission's guidance is legally binding." Incorrect. The guidance issued under Article 31(2) is advisory. It provides methodology and mitigation recommendations but does not itself impose legal obligations. Legal obligations would only arise from delegated acts adopted under Article 31(3).
"Impact assessments under Article 31 are identical to Article 29 risk assessments." Incorrect. While Article 31 assessments are "similar" to Article 29 risk assessments, they are tailored for the private sector. Article 29 is mandatory for public bodies and Union entities, focusing on the preservation of public order. Article 31 is initially voluntary for private entities, focusing on operational resilience and critical sector stability.
This is general information about a draft EU regulation, not legal advice.