Summary
There is no single statutory checklist that covers the proposed Cloud and AI Development Act (CADA) alongside the GDPR, AI Act, NIS2, DORA, and Data Act. CADA is a proposal designed to complement, not replace, these instruments by addressing a specific gap: technological sovereignty and operational autonomy. As proposed, CADA would require cloud service providers to obtain formal recognition under a four-tier "Union assurance" framework (Article 16) and would mandate public-sector risk assessments (Article 29) to determine procurement requirements. Providers must therefore track distinct audit trails, parallel deadlines, and separate compliance obligations for each regulation, ensuring that CADA's sovereignty criteria (e.g., personnel citizenship, third-country control) do not conflict with existing cybersecurity or data protection postures.
Detail
The EU's digital regulatory landscape is characterized by a "stacked" approach where multiple laws apply simultaneously to the same infrastructure. For cloud service providers (CSPs) and data centre operators, understanding how the proposed CADA interacts with the General Data Protection Regulation (GDPR), the AI Act, the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the Data Act is critical for strategic planning.
The Regulatory Baseline: Existing Obligations
Before addressing CADA, providers must maintain compliance with the current baseline of EU digital laws, each of which addresses a specific risk vector. CADA explicitly acknowledges these frameworks in its explanatory memorandum, noting that while they address technical cybersecurity and data protection, they do not cover "aspects of sovereignty."
- GDPR (General Data Protection Regulation): Governs the processing of personal data. For cloud providers, this entails strict controls on data transfers outside the EU, mandatory data processing agreements, and accountability for security breaches. CADA's sovereignty framework is designed to complement these rules by addressing operational autonomy and data confidentiality beyond mere privacy compliance. While GDPR focuses on the rights of the data subject, CADA focuses on the control of the infrastructure hosting that data.
- AI Act (Regulation (EU) 2024/1689): Regulates AI systems based on risk. While CADA focuses on the infrastructure and services hosting AI, the AI Act imposes obligations on providers and deployers of high-risk AI systems. Providers must ensure that their cloud services facilitate the compliance of downstream AI deployers, particularly regarding data governance and transparency. The AI Act does not regulate the location of the cloud infrastructure or the ownership of the provider; CADA fills this gap.
- NIS2 Directive (Directive (EU) 2022/2555): Establishes cybersecurity risk management obligations for essential and important entities. Cloud computing service providers and data centre operators are explicitly within scope. NIS2 requires robust security practices, incident reporting, and supply chain security measures. CADA builds on this by adding sovereignty criteria, noting that NIS2 focuses on technical cybersecurity, whereas CADA addresses broader sovereignty and operational continuity risks against third-country interference.
- DORA (Digital Operational Resilience Act): Specifically targets the financial sector's ICT third-party risk. If a cloud provider serves financial entities, it must comply with DORA's stringent requirements for ICT risk management, incident reporting, and testing. CADA complements DORA by ensuring that the cloud services underpinning financial resilience meet specific sovereignty assurance levels, particularly for critical financial infrastructure.
- Data Act (Regulation (EU) 2023/2854): Focuses on data access and switching. It aims to reduce vendor lock-in by mandating interoperability and portability. CADA leverages the Data Act's switching provisions to enable users to move to sovereign European cloud services more easily, but does not replicate its technical interoperability mandates. The Data Act enables the choice of provider; CADA defines the criteria for a "sovereign" choice in the public sector.
- Data Governance Act (DGA, Regulation (EU) 2022/868): While not a single "checklist" item, the broader data governance framework facilitates trusted data sharing. Providers must align their data management practices with these evolving standards to support the data sovereignty goals of CADA.
CADA's Unique Compliance Layer
CADA introduces specific obligations that sit alongside the above laws, primarily focusing on public procurement and sovereignty assurance.
1. Union Cloud Computing Sovereignty Framework (Article 16)
As proposed, Article 16 establishes a Union cloud computing sovereignty framework comprising four "Union assurance levels." Cloud computing service providers must meet specific criteria to be recognized at each level. These criteria are cumulative and increasingly strict, covering:
- Establishment and Location: Providers must be established in the Union, with infrastructure and assets located within the Union (Level 1 and above).
- Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Level 1 and above).
- Cybersecurity and Audits: Higher levels (2, 3, and 4) require independent third-party audits. Crucially, the cybersecurity certification requirement differs by level: Levels 2 and 3 require a certificate of at least assurance level "substantial", while Level 4 requires a certificate of at least assurance level "high" under a European cybersecurity certification scheme (Annex II).
- Personnel and Control: Higher levels impose restrictions on third-country control. For Levels 3 and 4, personnel involved in the provision of the service must be Union citizens (Annex II, 3.1(d) and 4.1(d)). For Level 2, this is conditional: personnel must be Union citizens only if the public sector body explicitly requires it (Annex II, 2.1(d)).
- Third-Country Derogation: Under Article 18, the Commission may recognize third countries as providing sufficient assurances, allowing services controlled from those countries to qualify for Union assurance level 3, provided specific safeguards are met. This is a derogation, not the standard rule.
Providers must submit applications for recognition to the national competent authority of their establishment. Recognition is valid across the Union, but the evidence required (e.g., EU statement of conformity for Level 1, audit reports for Levels 2-4) must be meticulously maintained.
2. Risk Assessments and Procurement Compliance (Article 29)
Article 29 obliges Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments identify the appropriate Union assurance level (2, 3, or 4) required for specific cloud services.
- Public Order Relevance: Activities in sectors falling under NIS2 Annex I or II, as well as national security, defence, justice, and law enforcement, are scrutinized.
- Procurement Mandates: Under Article 30, contracting authorities must procure cloud services that meet the assurance level determined by the risk assessment. If an activity is not identified as contributing to public order, a minimum of Union assurance level 1 is required. If it is identified as contributing to public order, they must procure services recognized at levels 2, 3, or 4.
- Transition Periods: Where a risk assessment requires migration to a different cloud service, Member States or Union entities must migrate within a reasonable transition period not exceeding 12 months, considering technical feasibility and data portability.
3. Parallel Deadlines and Audits
Providers must manage parallel timelines. While GDPR, NIS2, and the AI Act are already in force (with phased application), CADA's application dates are set for one year after its entry into force (Article 48). Providers must:
- Prepare conformity self-assessments for Level 1 or engage auditing organizations for Levels 2-4.
- Align audit scopes with both NIS2 cybersecurity requirements and CADA's sovereignty criteria. Note that CADA audits focus on sovereignty (ownership, control, personnel), while NIS2 audits focus on security management.
- Monitor public procurement notices for sovereignty-related award criteria, which may include European added value (Article 32).
What this means for you
For cloud service providers and data centre operators, the practical implication is the need for a multi-layered compliance architecture. You cannot treat CADA as a standalone project; it must be integrated into your existing governance, risk, and compliance (GRC) frameworks.
- Map Your Services to Assurance Levels: Conduct an internal audit to determine which of your services can realistically achieve Union assurance levels 1 through 4. Level 1 requires self-assessment and public disclosure of conformity. Levels 2-4 require independent audits and stricter controls on data residency and third-country influence.
- Enhance Data Residency Controls: Ensure your infrastructure allows for strict data localization. CADA's criteria for Levels 1-4 require that customer data remains within the Union unless explicitly authorized otherwise. This may require architectural changes to prevent inadvertent data leakage to third-country subsidiaries or support centers.
- Prepare for Sovereignty Audits: Engage with auditing organizations early. For Levels 2-4, you must provide evidence of compliance with Annex II criteria, including software supply chain transparency (SBOMs), personnel screening, and cybersecurity certifications. These audits will run parallel to your NIS2 and ISO 27001 audits, so seek auditors with cross-regulatory expertise.
- Monitor Public Procurement Trends: As public authorities conduct risk assessments under Article 29, they will increasingly specify sovereignty requirements in tenders. Ensure your marketing and technical documentation clearly articulate your CADA recognition status and compliance with the relevant assurance level.
- Track Legislative Progress: CADA is still a proposal. Monitor the legislative procedure for changes to the assurance levels, audit requirements, and transition periods. Align your internal policies with the current proposal but remain agile to adapt to final text.
Common misconceptions
- Misconception 1: CADA replaces NIS2 or GDPR.
- Reality: CADA is complementary. NIS2 addresses technical cybersecurity; GDPR addresses personal data privacy; CADA addresses sovereignty, operational autonomy, and public order. You must comply with all three. For example, a provider can be NIS2-compliant but fail to meet CADA's Level 3 sovereignty criteria due to third-country ownership structures.
- Misconception 2: Only EU-based providers can offer sovereign cloud services.
- Reality: While providers must be established in the Union, the framework allows for third-country services to be audited for Union assurance level 3 under specific conditions (Article 18), provided the third country has adequate safeguards and no measures enabling unauthorized data access or service disruption. However, this is the exception, not the rule.
- Misconception 3: A single audit covers all EU digital laws.
- Reality: While there is overlap, each law has distinct evidentiary requirements. NIS2 audits focus on incident response and risk management; GDPR audits focus on data subject rights and transfer mechanisms; CADA audits focus on sovereignty criteria like data residency, personnel citizenship, and software supply chain independence. A unified GRC framework can streamline evidence collection, but separate audit opinions may be required.
- Misconception 4: Public procurement will automatically exclude non-EU providers.
- Reality: CADA mandates procurement based on assurance levels determined by risk assessments. If a public sector activity does not require Level 2-4, Level 1 services (which can include some third-country controlled entities meeting strict criteria) may be procured. However, for high-criticality sectors, only recognized sovereign services will be eligible.
- Misconception 5: CADA penalties are the same as the AI Act.
- Reality: The AI Act imposes fines up to €35 million or 7% of turnover for prohibited practices. CADA, as proposed in Article 24, requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive," but does not itself fix a maximum fine amount. The penalty regimes are distinct.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
This is general information about a draft EU regulation, not legal advice.