Summary

Under the proposed Cloud and AI Development Act (CADA), sectoral EU laws (such as DORA, NIS2, or GDPR) and CADA's sovereignty framework are cumulative, not mutually exclusive. If a sectoral law and CADA impose different requirements on a cloud provider, the most restrictive applicable requirement governs the procurement. Recital 63 explicitly directs that sectoral duties be folded into the Article 29 risk assessment to determine the correct Union assurance level. A provider compliant with sectoral law is not automatically CADA-compliant; the entity must satisfy the highest bar set by any overlapping framework.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a horizontal framework for cloud sovereignty across the Union. However, it does not operate in a vacuum. It functions alongside a dense ecosystem of existing sector-specific legislation that already regulates cloud dependencies, cybersecurity, and operational resilience in critical industries. For legal counsel and compliance officers, the critical question is how CADA interacts with laws like the Digital Operational Resilience Act (DORA), the NIS2 Directive, or the GDPR when their requirements appear to diverge.

Cumulative Obligations, Not Overrides

CADA is designed to complement, not replace, existing sectoral legislation. The explanatory memorandum explicitly states that the proposal "complements" the Digital Operational Resilience Act (DORA), which shapes compliance for cloud providers serving financial entities, and "supplements" the NIS2 Directive regarding cybersecurity risk management.

The core legal principle governing these interactions is cumulative compliance. A public sector body, Union entity, or private entity in a regulated sector must satisfy both the specific obligations of their sectoral law and the general sovereignty requirements of CADA. Where requirements overlap or differ, the entity must adhere to the most restrictive of the applicable rules.

For example, if a sectoral law (like DORA) requires a specific level of operational resilience or a particular cybersecurity certification, and CADA's Union assurance framework requires a higher level of data localization, personnel screening, or third-country control, both sets of criteria must be met. CADA does not lower the bar set by sectoral laws; it adds a sovereignty layer on top of them.

The Role of Article 29 Risk Assessments

The mechanism for reconciling these overlapping frameworks is the risk assessment mandated by Article 29 of CADA. This article serves as the bridge between sectoral duties and the Union's sovereignty framework.

Article 29(1) requires Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine which Union assurance level (1, 2, 3, or 4) is appropriate for the cloud services used.

Crucially, Article 29(2) dictates the scope of these assessments. When performing the risk assessment, authorities must consider:

  • The sensitivity, criticality, and magnitude of the non-personal data processed.
  • The nature, scope, context, and purpose of processing personal data.
  • The risk of unlawful access by a third country.
  • The risk of service disruption.

This is where sectoral laws intersect with CADA. Recital 63 of the proposal explicitly states: "In their risk assessments, Union entities and Member State shall assess the sensitivity, criticality and magnitude of personal and non-personal data processed in cloud environment. Such processing may include ordinary business information, commercially sensitive information, operationally critical data, personal data within the meaning of Regulation (EU) 2016/679, and data that is subject to sector-specific obligations under Union law, including Directive (EU) 2022/2555 [NIS2] and Regulation (EU) 2022/2554 [DORA]."

This recital confirms that sectoral duties are not separate from the CADA framework; they are inputs into the CADA risk assessment. If a sectoral law classifies certain data as "critical" or imposes strict localization rules, this elevates the sensitivity profile in the Article 29 assessment. Consequently, this may trigger a higher Union assurance level (e.g., moving from Level 1 to Level 2, 3, or 4) to ensure the procurement meets the most restrictive standard.

Determining the Applicable Assurance Level

The outcome of the Article 29 risk assessment dictates the procurement obligations under Article 30. The hierarchy is clear:

  1. Baseline Requirement (Article 30(2)): Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognized as having Union assurance level 1.
  2. Public Order Relevance (Article 30(3)): Contracting authorities whose activities are identified as contributing to the preservation of public order (including sectors falling under NIS2 Annex I/II, national security, defense, justice, etc.) must only procure cloud services recognized as having Union assurance level 2, 3, or 4.

If a sectoral law imposes a requirement that is stricter than the minimum CADA level, that stricter requirement stands. For instance, if a national implementation of DORA requires a specific level of operational resilience that aligns with CADA's Level 3 criteria (e.g., mandatory Union citizenship for personnel handling classified data), the procurement must meet Level 3 standards, even if a generic risk assessment might have suggested Level 2. The "most restrictive" principle ensures that no gap in protection exists between the sectoral rule and the sovereignty framework.

Penalties and Enforcement

Non-compliance with these cumulative obligations carries significant risk. Article 24 of CADA establishes penalties and compensation rules. Member States must lay down rules on penalties applicable to infringements by cloud service providers. These penalties must be "effective, proportionate and dissuasive."

For the contracting authority (the buyer), procuring a service below the assurance level determined by its Article 29 risk assessment is a breach of the Article 30 procurement obligations. CADA's own penalty regime under Article 24 is aimed primarily at providers (for example, a provider misrepresenting the assurance level it has been recognized for), but public procurement rules and sectoral regulators can sanction the procuring entity for failing to adhere to the mandated assurance level. Furthermore, Article 24(3) grants recipients of cloud services the right to seek compensation from providers for damages suffered due to infringements, reinforcing the need for rigorous due diligence that aligns with both CADA and sectoral laws.

What this means for you

For in-house counsel and compliance officers, the interaction between CADA and sectoral laws requires a unified compliance strategy rather than siloed approaches.

  1. Integrate Sectoral Inputs into CADA Risk Assessments: Do not treat the Article 29 risk assessment as a standalone CADA exercise. When mapping your organization's activities, explicitly include data and processes governed by DORA, NIS2, GDPR, or other sectoral rules. As Recital 63 instructs, these sectoral obligations influence the sensitivity and criticality ratings that determine your required Union assurance level.
  2. Adopt the "Most Restrictive" Standard: When drafting tender specifications or evaluating providers, identify the highest bar set by any applicable law. If your sectoral law requires strict data residency and CADA Level 2 requires specific personnel screening, your procurement criteria must include both. Do not assume CADA replaces sectoral due diligence; it adds a sovereignty layer on top of it.
  3. Monitor Assurance Level Recognition: Ensure that any cloud provider you engage holds a valid recognition from a national competent authority for the specific Union assurance level required by your Article 29 assessment. Check the central repository (established under Article 22) to verify this status. A provider may be compliant with DORA but fail to meet CADA's Level 3 sovereignty criteria (e.g., regarding third-country control or software supply chain transparency), rendering them ineligible for your procurement.
  4. Prepare for Audits: Both sectoral regulators and CADA's national competent authorities will audit compliance. Maintain documentation showing how your risk assessment considered sectoral obligations and how your procurement decision aligned with the resulting assurance level. This documentation is your primary defense against penalties under Article 24 and sectoral fines.

Common misconceptions

"CADA replaces sectoral cloud rules." No. CADA complements sectoral laws. It does not repeal or override DORA, NIS2, or GDPR. You must comply with all applicable frameworks simultaneously. The proposal is explicitly designed to "supplement" and "complement" existing regimes.

"The CADA risk assessment ignores sectoral data classifications." Incorrect. Recital 63 explicitly requires the inclusion of data subject to sector-specific obligations in the Article 29 risk assessment. Sectoral classifications (e.g., "critical data" under NIS2) directly influence the CADA assurance level outcome by elevating the perceived risk.

"A provider compliant with sectoral laws is automatically CADA-compliant." False. Sectoral laws often focus on cybersecurity or operational resilience, while CADA focuses on sovereignty (data location, personnel citizenship, third-country control). A provider may be DORA-compliant but fail CADA Level 2 criteria if it is subject to third-country control or lacks the required software supply chain transparency. Compliance with one does not guarantee compliance with the other.

This is general information about a draft EU regulation, not legal advice.