Summary
The proposed Cloud and AI Development Act (CADA) focuses on sovereignty: maintaining control over infrastructure and data to prevent unauthorized access by third-country laws and ensuring operational autonomy. In contrast, the NIS2 Directive and the Digital Operational Resilience Act (DORA) focus on resilience: keeping services running securely against technical cyberattacks, outages, and disruptions. While both frameworks protect critical digital infrastructure, they address distinct risks. CADA targets geopolitical and legal dependencies (e.g., foreign government access), whereas NIS2 and DORA target technical security and business continuity. A provider can be highly resilient (NIS2/DORA compliant) but not sovereign, and vice versa.
Detail
To understand the distinction between CADA sovereignty and NIS2/DORA resilience, it is necessary to examine the specific risks each instrument is designed to mitigate. The CADA proposal (COM(2026) 502 final) explicitly frames these laws as complementary but operating at different levels of abstraction.
NIS2 and DORA: Technical Resilience and Security
The NIS2 Directive (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554) are primarily concerned with technical cybersecurity and operational continuity.
- NIS2 improves the cybersecurity risk management of cloud computing service providers and data centres. As stated in the CADA explanatory memorandum, NIS2 is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations." It mandates measures to prevent, detect, and respond to cyber incidents, ensuring systems remain available and secure against malicious actors.
- DORA shapes compliance obligations for cloud computing service providers serving the financial sector. It requires providers to implement ICT risk management and conduct regular incident response testing. Its goal is to ensure that financial institutions can continue to operate even if their cloud provider experiences a disruption.
In short, NIS2 and DORA answer the question: "Can this service withstand a hack, a power outage, or a technical failure and keep running?" They do not, however, address whether a provider might be legally compelled by a foreign government to access data or shut down a service due to geopolitical pressures.
CADA: Sovereignty and Operational Autonomy
The Cloud and AI Development Act (CADA) introduces a "Union cloud computing sovereignty framework" under Article 16 that goes beyond technical security to address strategic dependencies and legal jurisdiction.
CADA defines sovereignty through four "Union assurance levels" (Levels 1–4). The core concern is not just whether a server is secure, but who controls it and under whose laws it operates. The explanatory memorandum notes that the EU's dependence on third-country providers exposes users to risks such as:
- Extraterritorial data access: Laws from third countries (such as the US CLOUD Act) that may compel providers to hand over data to foreign authorities.
- Operational discontinuity: The risk that a third-country actor could unilaterally disrupt service provision due to geopolitical tensions, sanctions, or embargoes.
Article 16 establishes the framework, while Annex II sets out the specific criteria for each assurance level. For example, at higher assurance levels (2, 3, and 4), providers must demonstrate that:
- Infrastructure, assets, and personnel are located in the Union.
- Customer data remains exclusively within the Union.
- The provider is not subject to the control of a third country in a way that could compromise service continuity or data confidentiality.
Crucially, Article 18 provides a mechanism for the Commission to identify third countries that provide "sufficient assurances," allowing providers subject to their control to potentially qualify for Union assurance level 3. This is a specific recognition pathway, not a general waiver of sovereignty rules.
CADA asks: "Can a foreign government legally force this provider to access my data or shut down my service?"
Overlapping but Distinct Goals
The CADA proposal explicitly states that CADA "complements" NIS2 and DORA rather than replacing them. A service can be highly resilient (secure against hackers, compliant with NIS2/DORA) but not sovereign (subject to foreign law). Conversely, a service can be sovereign (EU-based, free from foreign legal reach) but poorly secured (vulnerable to cyberattacks).
The CADA proposal emphasizes that "certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Therefore, public sector bodies must evaluate both dimensions:
- Technical Security: Verified through NIS2/DORA compliance and cybersecurity certifications (e.g., EUCS).
- Sovereign Assurance: Verified through CADA's Union assurance levels (Article 16) and risk assessments (Article 29).
The Role of Risk Assessments and Procurement
Under CADA, Member States and Union entities must conduct risk assessments (Article 29) to determine which Union assurance level is appropriate for their activities. This assessment considers the sensitivity of data and the importance of the activity to public order. Specifically, Article 29(1) requires identifying activities in sectors such as national security, internal security, external border management, defence, justice, or law enforcement.
If a risk assessment determines that an activity has "public order relevance," the contracting authority must procure services recognized at Union assurance levels 2, 3, or 4 (Article 30(3)). This procurement obligation is distinct from, but complementary to, the cybersecurity requirements of NIS2/DORA.
What this means for you
For public-sector procurement officers, compliance officers, and legal teams, this distinction has practical implications for tender design and vendor evaluation. You cannot rely solely on a provider's NIS2 or DORA compliance to ensure sovereignty, nor can you assume a sovereign provider is automatically cyber-secure.
1. Dual Evaluation Criteria
When procuring cloud services, your evaluation criteria must include both technical security metrics (aligned with NIS2/DORA) and sovereignty criteria (aligned with CADA's Union assurance levels). A provider may be technically robust but still fail the sovereignty requirements if it is subject to third-country control.
2. Risk-Based Procurement
Use the risk assessment process outlined in Article 29 to determine the required Union assurance level for your specific use case. For activities involving sensitive data or critical public order functions (e.g., law enforcement, defence), you will likely need to mandate Union assurance level 2, 3, or 4. Note that Article 30(2) sets a baseline of Union assurance level 1 for all public sector activities not identified as having public order relevance.
3. Check the Central Repository
CADA establishes a central repository of recognized services (Article 22). Before awarding a contract, verify that the provider is listed in this repository with the appropriate Union assurance level. This recognition is separate from any cybersecurity certification and is maintained by the Commission and national competent authorities.
4. Monitor for Changes
Providers must report material changes that could affect their recognition status (Article 23). Ensure your contracts include clauses that allow you to respond if a provider's sovereignty status changes (e.g., if they are acquired by a third-country entity or if the Commission revokes a third-country recognition under Article 18).
5. Understand the Derogation Pathway
Be aware that CADA allows for a specific mechanism under Article 18 for third countries that provide sufficient assurances. This allows providers subject to the control of those specific countries to be audited for Union assurance level 3. This is not a general exception but a targeted recognition decision by the Commission based on strict criteria regarding data access and service continuity.
Common misconceptions
"If a provider is NIS2 compliant, it is sovereign."
- Reality: NIS2 compliance ensures technical cybersecurity but does not prevent a provider from being compelled by foreign law to access data or disrupt services. CADA addresses this legal and operational dependency gap.
"CADA replaces NIS2 and DORA."
- Reality: CADA complements these laws. A provider must still comply with NIS2/DORA for technical security while also meeting CADA's sovereignty criteria for public sector procurement. The explanatory memorandum states that CADA "supplements the Cybersecurity Act's focus on cloud cybersecurity with sovereignty considerations."
"Sovereignty means all data must stay in one Member State."
- Reality: CADA allows data to be stored and processed across the Union. The requirement, found in Annex II for all assurance levels, is that customer data "remain exclusively within the Union," ensuring free flow within the single market while preventing transfer to third countries.
"CADA only applies to the public sector."
- Reality: While the procurement obligations in Article 30 apply to contracting authorities, the sovereignty framework and recognition mechanism apply to any cloud provider wishing to serve the public sector. Furthermore, Article 31 allows private sector entities in high-criticality sectors to conduct similar impact assessments.
Related
- CADA vs DORA: How the Sovereignty Act Interacts with Financial Resilience
- CADA, NIS2 & DORA: Overlaps on Critical Cloud Dependencies
- CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
- CADA for Cloud Providers: How it stacks with NIS2, DORA & the Data Act
- CADA Compliance Order: NIS2, DORA, Risk Assessments & Recognition
This is general information about a draft EU regulation, not legal advice.