Summary

As proposed, the Cloud and AI Development Act (CADA) creates significant sovereign-cloud pressure for the financial sector, not through direct mandates on private banks, but through a powerful "spillover" mechanism. While CADA directly obliges public authorities to procure cloud services meeting specific Union assurance levels (Article 30), Recital 66 explicitly states that these requirements "tend to be mirrored by private-sector entities operating in regulated industries." For financial institutions, this means that as public bodies shift toward higher assurance levels (2, 3, or 4) to safeguard public order, private banks will face intense market pressure to align their own cloud strategies with these standards to ensure interoperability and resilience. Furthermore, Article 31 empowers the Commission to mandate impact assessments for high-criticality sectors, effectively turning voluntary alignment into a potential regulatory requirement.

Detail

The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, represents a paradigm shift in how the EU approaches digital infrastructure. Unlike previous regulations that focused primarily on technical cybersecurity or data protection, CADA targets the geopolitical and strategic dimensions of cloud sovereignty. For the financial services sector, a cornerstone of the EU's economic security, this creates a complex landscape where compliance is driven by a combination of direct public procurement rules, explicit regulatory encouragement for private actors, and the inevitable market realignment that follows.

The Four Union Assurance Levels: A Hierarchy of Sovereignty

At the heart of CADA's sovereignty framework is Article 16, which establishes a "Union cloud computing sovereignty framework" comprising four distinct Union assurance levels. These levels are not merely labels; they are cumulative criteria defined in Annex II that cloud computing service providers must meet to be formally recognised. The framework is designed to offer a proportionate approach, where the level of assurance required matches the sensitivity of the activity and the risk to public order.

  • Union Assurance Level 1 (The Baseline): This level serves as the minimum standard for public sector procurement. It requires providers to be established in the Union, with infrastructure and customer data remaining exclusively within the Union unless explicitly required otherwise. It mandates compliance with state-of-the-art cybersecurity standards and full transparency regarding subcontractors. Crucially, Level 1 does not exclude providers subject to third-country control, provided they guarantee that no third-country laws require the reporting of software vulnerabilities prior to exploitation.
  • Union Assurance Level 2 (Substantial Sovereignty): Moving to Level 2 introduces stricter requirements. Providers must undergo independent third-party audits. The criteria include stricter controls on third-country influence, requiring that such control does not restrict the provider's ability to deliver services or undermine standards. Personnel requirements become conditional: if a public sector body determines that Union citizenship is necessary, the provider must ensure such personnel are available. Cybersecurity certification of at least "substantial" assurance is required.
  • Union Assurance Level 3 (High Sovereignty): Level 3 tightens the requirements further. Personnel involved in the provision of the service must be Union citizens and, where appropriate, hold national security clearances. The cybersecurity certification requirement remains at "substantial" assurance. A critical distinction for Level 3 is the treatment of third-country control: providers subject to third-country control are generally excluded, unless the Commission has adopted an implementing act under Article 18 recognising that specific third country as providing sufficient assurances. This is the only pathway for a third-country-controlled entity to reach Level 3, and it does not extend to Level 4.
  • Union Assurance Level 4 (Maximum Sovereignty): The highest tier is reserved for the most critical activities. It requires that providers and their subcontractors are not subject to the control of a third country or a legal entity established in a third country. Personnel must be Union citizens with necessary security clearances. The cybersecurity certification requirement escalates to "high" assurance. This level is designed for activities where any risk of third-country interference is unacceptable.

The Public Procurement Mandate and the "Spillover" to Finance

CADA directly regulates the public sector. Article 30 mandates that contracting authorities whose activities contribute to the preservation of public order must procure cloud services recognised at Union assurance levels 2, 3, or 4. The definition of "public order" in Article 29(1) explicitly includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), which encompasses financial market infrastructures and credit institutions.

This means that public bodies responsible for financial oversight, central banks, and regulatory authorities will be legally required to use highly sovereign cloud services. The pressure on private financial institutions, however, arises from a different mechanism: Recital 66, which states:

"Public procurement frequently serves as a primary signal of market direction. Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

This "spillover" is the critical link for the financial sector. As public authorities shift their procurement to Level 2, 3, or 4 services, the market for cloud providers will reorient to meet these standards. Private banks, which rely on the same cloud infrastructure providers as public bodies, will find that the "standard" offering in the market shifts. To maintain interoperability, ensure consistent security postures, and align with the expectations of their own regulators (who are increasingly influenced by public-sector standards), private financial institutions will likely feel compelled to mirror these assurance levels.

Article 31: From Voluntary to Mandatory Impact Assessments

While CADA does not currently impose a direct procurement mandate on private banks, Article 31 provides a mechanism that could transform voluntary alignment into a regulatory requirement. Article 31(1) states that entities referred to in Annex I of Directive (EU) 2022/2555 (which includes financial entities) "may carry out similar assessments as those set out in Article 29."

More significantly, Article 31(3) empowers the Commission to adopt delegated acts to "supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take" if they operate in sectors of high criticality. Given that the financial sector is explicitly identified as a sector of high criticality in the context of public order and economic security, the Commission could, in the future, mandate that banks conduct these impact assessments and implement specific mitigation measures. This creates a "regulatory shadow" where banks must proactively assess their cloud dependencies to avoid future non-compliance.

Alignment with DORA and the Broader Regulatory Context

The pressure from CADA does not exist in a vacuum; it complements the Digital Operational Resilience Act (DORA). DORA already imposes strict ICT risk management, incident reporting, and third-party risk management obligations on financial entities. However, DORA focuses primarily on technical cybersecurity and operational resilience. CADA adds a layer of strategic autonomy.

While DORA ensures that a bank's cloud provider is technically secure, CADA ensures that the provider is not subject to extraterritorial control that could compromise the bank's operations during a geopolitical crisis. Recital 66 reinforces this by noting that private entities in high-criticality sectors need to be able to carry out assessments similar to public bodies to ensure they can "preserve the public order of the Union and its Member States." For a bank, this means that CADA's sovereignty framework is not just about data protection; it is about ensuring that the bank's critical infrastructure remains under EU control, preventing scenarios where a third-country actor could disrupt service or access sensitive financial data.

What this means for you

For cloud service providers, data centre operators, and financial institutions, the implications of CADA are profound, even though the Act is still at proposal stage, and preparation should begin now.

For Cloud Service Providers

  1. Audit Readiness: Providers targeting the financial sector must prepare for independent third-party audits under Article 20 to achieve Union assurance levels 2, 3, or 4. This involves rigorous documentation of third-country control, data localisation, and supply chain transparency.
  2. Supply Chain Transparency: You must implement robust software supply chain measures, including maintaining up-to-date Software Bills of Materials (SBOMs) and ensuring that third-country software components do not pose risks of remote tampering or disruption (Annex II, Section 2.1(i)).
  3. Personnel and Control: For higher assurance levels, you must ensure that personnel involved in service provision are Union citizens and that the provider is not subject to the control of a third country (Annex II, Sections 3.1 and 4.1). If you are a third-country-controlled entity, the only route upward is the Article 18 pathway, which requires a Commission implementing act recognising your country's safeguards; note that this pathway opens Level 3 only, and Level 4 remains closed to any provider or subcontractor under third-country control.
  4. Market Positioning: Position your services as compliant with Union assurance levels. Financial institutions will increasingly demand this compliance to mirror public-sector standards. Highlighting your ability to meet Level 3 or 4 criteria will be a decisive competitive advantage.

For Financial Institutions (Banks & Insurers)

  1. Proactive Risk Assessment: Do not wait for a delegated act under Article 31(3). Conduct impact assessments similar to those required for public authorities under Article 29. Evaluate your current cloud providers against the Union assurance levels, recording for each provider and each of its subcontractors whether it is subject to third-country control, where infrastructure and customer data are located, what cybersecurity certification it holds, and whether the personnel criteria of the higher levels can be met.
  2. Vendor Selection: Prioritise cloud providers that are already recognised at Level 2, 3, or 4. As public procurement shifts, the pool of compliant providers may shrink, and prices for non-compliant services may rise due to market realignment.
  3. DORA Integration: Integrate CADA's sovereignty criteria into your DORA compliance framework. Ensure that your ICT third-party risk management processes account for the strategic risks of third-country control, not just technical vulnerabilities.
  4. Strategic Planning: Consider a multi-cloud strategy to mitigate concentration risks. Recital 65 encourages Union entities and Member States to consider multi-vendor strategies, a principle that will likely apply to the private sector as well.

Common misconceptions

"CADA directly mandates financial institutions to use sovereign clouds." Correction: CADA directly mandates public authorities to procure cloud services with Union assurance levels 2-4 for activities contributing to public order. For private financial institutions, the mandate is currently indirect, driven by Recital 66's spillover effect and the potential for future delegated acts under Article 31(3). However, the market pressure is significant and likely to become de facto mandatory.

"Union assurance levels replace DORA compliance." Correction: CADA complements DORA. DORA focuses on technical cybersecurity and operational resilience, while CADA addresses strategic sovereignty and resilience against extraterritorial control. Financial institutions must comply with both frameworks. A provider can satisfy a bank's DORA third-party risk requirements yet fail CADA's sovereignty criteria if it is subject to third-country control.

"Only Level 4 is required for the financial sector." Correction: The required assurance level depends on the risk assessment. Public authorities in financial oversight roles may require Levels 2, 3, or 4 depending on the specific activity. Private financial institutions will likely mirror these standards based on their specific risk profiles. Level 1 is the minimum for general public sector use, but higher levels are required for public order-relevant activities.

"CADA applies only to cloud providers established in the EU." Correction: Providers must be established in the Union to meet the Annex II criteria at every level, but establishment in the Union does not by itself exclude third-country control. Union-established providers under third-country control remain eligible for Level 1 (subject to the vulnerability-reporting guarantee) and may reach Union assurance level 3 if the Commission adopts an implementing act under Article 18 recognising that third country as providing sufficient assurances. This requires strict conditions, including adequacy decisions and safeguards against third-country control, and Level 4 is not available to them at all.

This is general information about a draft EU regulation, not legal advice.