Summary

As proposed in the Cloud and AI Development Act (CADA), Article 31 lets private-sector entities that fall under Annex I of the NIS2 Directive, but are not public sector bodies, carry out voluntary impact assessments modelled on the mandatory public-sector risk assessments in Article 29. The aim is to help these companies evaluate their exposure to third-country dependencies and unlawful data access, and align their cloud choices with the Union assurance levels. The assessment is voluntary as drafted, but the Commission could make it mandatory for high-criticality sectors through a future delegated act under Article 31(3).

Detail

Article 31 of the CADA proposal addresses sovereignty assurance for private-sector entities that operate in critical sectors but are not public authorities. Public bodies would be bound by mandatory risk assessments (Article 29) and procurement rules (Article 30). For the private sector, Article 31 instead offers a structured but voluntary pathway to assess and mitigate similar risks.

Who is in scope?

Article 31(1) applies to "[e]ntities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies." NIS2 Annex I lists the sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space. Article 31 covers entities in those sectors only when they are not public sector bodies. Entities outside NIS2 Annex I, including those in the "other critical sectors" of NIS2 Annex II, are not named in Article 31, though the broader CADA framework still affects them indirectly.

The voluntary impact assessment

Under Article 31(1), these entities "may carry out similar assessments as those set out in Article 29." Article 29 requires public authorities to consider at least three aspects:

  • the sensitivity, criticality and magnitude of the non-personal data processed, plus the impact of any personal-data processing on the rights and freedoms of data subjects;
  • the risk and impact on public order of access to that data by a third country, or by an entity established in a third country, that is unlawful under Union law;
  • the risk and impact on public order of possible service disruption.

By mirroring this process, a private entity can systematically evaluate its exposure to extraterritorial data-access laws (such as the US CLOUD Act) and to operational disruption, and map specific workloads to the Union assurance levels (1–4) whose criteria are set out in Annex II of CADA.

Commission guidance and a mandatory backstop

Article 31(2) provides that the Commission may issue guidance on the methodology for these impact assessments and on possible mitigation measures for private entities operating in sectors of high criticality.

Article 31(3) is the legislative backstop. Where the Commission, in duly justified specific circumstances and in consultation with the Member States, concludes that non-public-sector entities in sectors of high criticality require an impact assessment, it may adopt delegated acts (under Article 45) specifying the need for such an assessment and the risk-mitigation measures those entities would have to take. In other words, the assessment is framed as voluntary as proposed, but the EU would retain the power to make it mandatory for specific high-risk cases through secondary legislation.

Relation to public procurement

The drafters expect spillover from the public sector: regulated private industries often mirror public-sector standards to maintain market access. Article 31 gives such entities a defined way to demonstrate their sovereignty posture, which could ease compliance if the rules later tighten.

What this means for you

For CTOs, architects, and legal leads at SMEs and larger enterprises in NIS2-scope sectors, Article 31 would present both an operational consideration and a strategic opportunity.

1. Proactive risk mapping. You could begin mapping cloud dependencies against the Article 29 criteria before you are legally compelled to. Identify which workloads involve sensitive or critical data, and where infrastructure relies on providers subject to third-country laws with extraterritorial reach. A voluntary assessment now would prepare you for any mandatory delegated act under Article 31(3).

2. Vendor selection criteria. Use the assessment to inform vendor selection. If a workload would warrant Union assurance level 2, 3 or 4, you could filter cloud options against the central repository of recognised services (Article 22), reducing the risk of costly migration later.

3. SME considerations. SMEs in NIS2-scope sectors often lack dedicated compliance teams. The Commission's guidance under Article 31(2), if issued, would be the practical reference point; watch for it, as it is likely to offer methodology and possibly templates.

4. Contractual leverage. Documented high-risk findings can strengthen your hand in negotiating contractual terms with providers, such as commitments against third-country data access or data localisation within the Union.

Common misconceptions

Misconception: Article 31 makes sovereignty assessments mandatory for all private companies. Fact: No. Article 31(1) says in-scope entities "may carry out" these assessments — they are voluntary as proposed. They would become mandatory only if the Commission exercised its power under Article 31(3) for specific high-criticality cases.

Misconception: Only public sector bodies need to worry about CADA sovereignty levels. Fact: Public bodies are directly bound by procurement rules (Article 30), but private entities in NIS2-scope sectors are expressly addressed in Article 31, and market dynamics often push private firms to align with public-sector standards.

Misconception: The assessment is a one-time compliance checkbox. Fact: It mirrors the Article 29 risk assessment, which public bodies must redo at least every two years (or whenever necessary). Private entities would sensibly treat their assessments as living documents.

Misconception: Non-NIS2 entities are excluded from all CADA sovereignty frameworks. Fact: Article 31 names NIS2 Annex I entities specifically, but the wider sovereignty framework (the Union assurance levels under Article 16 and the recognition regime in Articles 17–24) shapes the whole public-sector cloud market. Non-NIS2 firms can still voluntarily align with these standards to reduce dependency risk.

This is general information about a draft EU regulation, not legal advice.