Summary

The proposed Cloud and AI Development Act (CADA), the NIS2 Directive, and the Digital Operational Resilience Act (DORA) form a three-layered regulatory framework addressing critical cloud dependencies from distinct angles. DORA mandates operational resilience and ICT third-party risk management specifically for the financial sector. NIS2 imposes supply-chain cybersecurity obligations on essential and important entities across the wider economy. CADA, as a proposal, introduces a sovereignty-driven framework that requires Member States and Union entities to conduct specific risk assessments under Article 29 to determine if cloud services must meet higher "Union assurance levels" to safeguard public order. While DORA and NIS2 focus on technical security and continuity, CADA addresses geopolitical control and third-country interference. In-house counsel must navigate these overlapping regimes, noting that technical compliance with NIS2 or DORA does not automatically satisfy CADA's sovereignty criteria.

Detail

The European Union's strategy to mitigate critical cloud dependencies is no longer a single legislative effort but a convergence of three distinct instruments. As the CADA explanatory memorandum (COM(2026) 502 final) states, the Union faces a "pronounced dependence on a limited pool of third-country providers," with three non-EU hyperscalers controlling over 70% of the European cloud market. To address this, the EU is layering existing cybersecurity mandates with a new sovereignty framework.

DORA: Financial Sector ICT Third-Party Oversight

The Digital Operational Resilience Act (DORA) is already in force (applicable since 17 January 2025) and applies to financial entities and, through its oversight framework, to the ICT third-party service providers that serve them. It addresses cloud dependency by establishing a rigorous framework for managing ICT third-party risk. Under DORA, financial entities must conduct due diligence on their cloud providers, assessing operational resilience, cybersecurity measures, and business continuity plans.

Crucially, DORA introduces direct oversight of "critical ICT third-party service providers" by the European Supervisory Authorities (ESAs), acting through a Lead Overseer. The Lead Overseer can issue recommendations, demand information and impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover (Article 35) directly on major cloud providers serving the financial sector. However, DORA's scope is strictly limited to operational resilience and cybersecurity risk management. It does require contracts with ICT providers to specify the regions or countries where services are provided and where data is processed and stored (Article 30), but as a transparency and exit-planning requirement rather than a sovereignty criterion: it does not address the geopolitical origin of the provider or the risk of extraterritorial access by third-country governments. Its focus remains on ensuring that financial entities can continue to operate even if a provider faces a cyber incident or operational failure.

NIS2: Supply-Chain Security for Essential Entities

The NIS2 Directive (Directive (EU) 2022/2555) expands cybersecurity obligations to a broader range of "essential" and "important" entities, including energy, transport, health, and digital infrastructure. NIS2 addresses cloud dependency primarily through supply-chain security.

Article 21 of NIS2 requires entities to take appropriate and proportionate technical, operational and organizational measures to manage the cybersecurity risks posed to their network and information systems, and Article 21(2)(d) lists supply-chain security, including the security-related aspects of relationships with direct suppliers and service providers, among the minimum measures. In practice this covers the selection and monitoring of cloud service providers, contractual security clauses, and verification that providers meet high cybersecurity standards. NIS2 touches dependency only indirectly: Article 22 allows coordinated Union-level risk assessments of critical supply chains, and Article 26 requires cloud service providers not established in the Union but offering services there to designate a representative in a Member State. Its primary mandate remains technical cybersecurity and incident reporting. It does not impose sovereignty requirements regarding third-country control or data localization for the sake of public order, focusing instead on the integrity and availability of information systems.

CADA: Sovereignty and Public Order via Article 29

The proposed CADA goes beyond technical cybersecurity to address technological sovereignty and public order. Its core mechanism for addressing cloud dependency is the Union cloud computing sovereignty framework, which establishes four "Union assurance levels" (UAL 1–4) based on criteria in Annex II.

Article 29 of CADA is the pivotal provision for in-house counsel. It mandates that:

  1. Member States and Union entities must carry out risk assessments by one year after CADA's entry into force, and thereafter every two years or whenever necessary.
  2. These assessments must identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement.
  3. The assessments must determine which Union assurance level (UAL 2, 3, or 4) is appropriate for these activities.

Unlike DORA and NIS2, which focus on technical security and operational resilience, CADA's Article 29 requires an assessment of sovereignty risks. The proposal explicitly lists risks such as "unlawful access under Union law to such data by a third country," "possible service disruption," and "dependency vulnerabilities" (e.g., political or economic coercion). This means that even if a cloud provider is technically secure and compliant with NIS2/DORA, it may not be suitable for critical public sector functions if it fails to meet the required Union assurance level due to third-country control or lack of data localization.

Overlaps and Intersections

The intersection of these three regimes creates a complex, multi-layered compliance landscape:

  1. Concurrent Regimes: Financial entities do not, in general, face dual NIS2 and DORA obligations. Article 4 of NIS2 gives precedence to sector-specific Union acts whose requirements are at least equivalent in effect, and DORA is treated as such an act, so for those entities DORA's ICT risk management and incident reporting rules apply instead of the NIS2 equivalents. Overlap arises where a group spans DORA-regulated and NIS2-regulated entities, and where any of these entities are also public sector bodies or supply the public sector, which may bring them within the reach of CADA's Article 29 assessments and Article 30 procurement rules. This creates a potential for fragmented risk assessment methodologies unless harmonized by national competent authorities.
  2. Supply Chain vs. Sovereignty: NIS2 and DORA require due diligence on cloud providers' cybersecurity and operational resilience. CADA requires due diligence on their jurisdictional control and sovereignty. A provider may pass NIS2/DORA cybersecurity audits but fail CADA's UAL 3 or 4 requirements due to third-country ownership, lack of Union citizenship for personnel, or data localization constraints.
  3. Criticality Definitions: DORA defines "critical" based on the impact on the financial system. NIS2 defines "essential" based on societal impact. CADA defines "public order relevance" based on national security and sovereignty. These definitions may not align, leading to situations where a provider is "critical" under DORA but not subject to CADA's highest assurance levels, or vice versa.
  4. Penalties and Enforcement: DORA and NIS2 have established penalty regimes. NIS2 (Article 34) requires Member States to provide for administrative fines of at least up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and EUR 7 million or 1.4% for important entities. DORA leaves administrative penalties on financial entities to Member States (Article 50) and fixes periodic penalty payments of up to 1% of average daily worldwide turnover for critical ICT third-party providers (Article 35). CADA, as a proposal, outlines penalties for infringements of its sovereignty framework under Article 24 (Title IV, Chapter I), requiring Member States to set rules that are "effective, proportionate and dissuasive." In-house counsel must prepare for potential cumulative penalties if a single incident breaches multiple regimes, particularly where a provider's failure to meet sovereignty criteria leads to a public order breach.

What this means for you

For in-house counsel and compliance officers, the convergence of CADA, NIS2, and DORA requires a proactive, integrated compliance strategy:

  1. Map Your Regulatory Exposure: Identify if your organization is subject to DORA (financial sector), NIS2 (essential/important entity), or both. Then, assess if you are a public sector body or provide services to the public sector, which would trigger CADA obligations under Article 29. Note that private sector entities in sectors listed in Annex I of NIS2 may also be encouraged to conduct similar impact assessments under Article 31.
  2. Integrate Risk Assessments: Develop a unified risk assessment framework that captures both technical cybersecurity risks (NIS2/DORA) and sovereignty/dependency risks (CADA). This will help avoid duplication and ensure comprehensive coverage. Specifically, ensure that your risk assessment methodology accounts for the specific criteria in Annex II of CADA, such as the location of infrastructure, personnel citizenship, and third-country control.
  3. Review Cloud Contracts: Update cloud service contracts to include clauses that address not only cybersecurity and incident reporting (NIS2/DORA) but also data localization, jurisdictional control, and sovereignty assurance levels (CADA). Ensure contracts allow for switching providers if sovereignty risks emerge, aligning with the Data Act's switching provisions which CADA complements.
  4. Prepare for Article 29 Assessments: If you are a public sector body, begin preparing for the mandatory risk assessments under Article 29. Engage with national competent authorities to understand how they interpret "public order relevance" and the required Union assurance levels. Remember that under Article 30, if an activity is identified as contributing to public order, contracting authorities must procure only services recognized at UAL 2, 3, or 4.
  5. Monitor Legislative Developments: CADA is still a proposal. Track its progress through the European Parliament and Council, as final text may change. Pay particular attention to delegated acts that will define the detailed criteria for Union assurance levels and audit procedures, as well as the implementing acts for the risk assessment methodology.
  6. Train Your Team: Ensure your compliance, IT, and legal teams understand the differences between cybersecurity compliance (NIS2/DORA) and sovereignty compliance (CADA). Misunderstanding these distinctions could lead to non-compliance or over-compliance. Specifically, clarify that "cybersecurity certification" (e.g., under the Cybersecurity Act) is distinct from "Union assurance levels" under CADA.

Common misconceptions

Misconception 1: CADA replaces NIS2 and DORA. No. CADA does not replace NIS2 or DORA. It complements them by adding a sovereignty dimension. NIS2 and DORA remain the primary laws for cybersecurity and operational resilience. CADA focuses on reducing strategic dependencies and ensuring public order through sovereignty assurance levels. The CADA explanatory memorandum explicitly states that the proposal "complements" the Cybersecurity Act and "supports the objectives" of DORA.

Misconception 2: Technical compliance with NIS2/DORA is sufficient for CADA. No. A cloud provider can be fully compliant with NIS2 cybersecurity requirements and DORA operational resilience standards but still fail to meet CADA's Union assurance levels if it is subject to third-country control or does not meet data localization requirements. Sovereignty and cybersecurity are distinct concepts under CADA. For example, Annex II requires Union citizenship for personnel at UAL 3 and 4, a criterion unrelated to technical cybersecurity.

Misconception 3: CADA only applies to the public sector. While CADA's core procurement and risk assessment obligations (Article 29) target public sector bodies and Union entities, its sovereignty framework and recognition mechanisms (Article 17) apply to all cloud computing service providers seeking to serve the public sector. Private sector entities in critical sectors (e.g., finance under DORA, energy under NIS2) will also feel the impact as public sector procurement shifts toward sovereign providers, potentially creating a "spillover" effect where private entities adopt similar standards to remain competitive.

Misconception 4: The "Union assurance levels" are optional. No. For public sector activities identified as contributing to public order under Article 29, contracting authorities must procure services that have been recognized as offering the appropriate Union assurance level (UAL 2, 3, or 4). For other public sector activities, UAL 1 is the minimum requirement. These are mandatory procurement criteria, not voluntary best practices. Under Article 30, failure to procure at the required level would constitute an infringement.

Misconception 5: CADA's penalties are identical to DORA's. No. DORA fixes a ceiling for the periodic penalty payments the Lead Overseer may impose on critical ICT third-party providers (Article 35) and otherwise leaves administrative penalties on financial entities to Member States (Article 50). CADA's penalty regime is defined in Article 24 (Title IV, Chapter I), which requires Member States to lay down rules that are "effective, proportionate and dissuasive." Unlike the AI Act (Article 99), CADA does not itself fix a maximum fine amount; instead, it delegates the specific penalty rules to Member States, though it provides criteria for their imposition.

This is general information about a draft EU regulation, not legal advice.