Summary

Under the proposed Cloud and AI Development Act (CADA), a public sector entity sharing cloud or data centre services within the EuroCloud Federation must implement appropriate technical, operational, and organisational measures to ensure services are effective, secure, and resilient. Article 35(2) of the proposal explicitly mandates these measures, which must include policies for risk analysis, information system security, incident handling, business continuity, and interoperability. The specific technical details are not yet fixed in the primary text; Article 35(6) empowers the Commission to adopt implementing acts to specify these requirements. These future acts are expected to align with existing cybersecurity frameworks, notably the NIS2 Directive, ensuring that the federation builds upon established security baselines while addressing the unique challenges of cross-border public sector sharing.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes the European public sector cloud federation (the "EuroCloud Federation") to facilitate the voluntary sharing of data centre and cloud computing services among Union entities and public sector bodies. A critical component of this framework is ensuring that such sharing does not introduce vulnerabilities or degrade service quality. Article 35 of the proposal sets out the conditions for sharing, with Article 35(2) serving as the core security obligation.

The Mandate of Article 35(2)

Article 35(2) states unequivocally: "The sharing entity shall put in place appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."

This provision imposes a tripartite obligation on any public sector body acting as a "sharing entity" (the provider of the service within the federation). The measures must be "appropriate," implying a risk-based approach, but they must collectively guarantee three outcomes: effectiveness, security, and resilience. The explanatory memorandum and recitals further clarify the scope of these measures, identifying five specific policy domains that must be addressed:

  1. Risk Analysis and Information System Security: The sharing entity must establish policies dedicated to risk analysis. This involves identifying potential threats to the shared infrastructure and data. Crucially, this includes implementing strict access control policies to ensure that only authorised personnel and systems can interact with the shared resources, preventing unauthorised access or lateral movement within the federation.
  2. Incident Handling: Robust policies for incident handling are required. This ensures that the sharing entity has a defined, tested process for detecting, responding to, and recovering from cybersecurity incidents, hardware failures, or other disruptions.
  3. Business Continuity: The entity must have policies for business continuity. This guarantees that in the event of a significant disruption, the service provision to the "using entity" (the recipient) remains resilient or can be restored quickly without significant downtime, maintaining the continuity of essential public services.
  4. Interoperability and Connectivity: Policies supporting interoperability and connectivity are essential. Since the EuroCloud Federation aims to interconnect disparate cloud infrastructures across the Union, the sharing entity must ensure its technical architecture allows for seamless and secure integration with other federation members. This prevents the creation of siloed systems that cannot communicate securely.
  5. Operational and Organisational Governance: Beyond pure technology, the requirement for "operational and organisational" measures implies clear internal governance structures. This includes defining roles and responsibilities for security, establishing lines of communication for incident reporting, and ensuring staff are trained on specific security protocols.

Specification via Implementing Acts (Article 35(6))

While Article 35(2) sets the high-level obligation, the primary legislation does not enumerate granular technical standards (e.g., specific encryption algorithms or network segmentation rules). Instead, Article 35(6) provides the mechanism for detailing these requirements. It empowers the Commission to adopt implementing acts to "specify the technical, operational and organisational measures referred to in paragraph 2."

These implementing acts will be adopted in accordance with the examination procedure referred to in Article 46(2) of the proposal. This legislative design ensures that the technical requirements can evolve rapidly in response to emerging cybersecurity threats and technological advancements without requiring a full amendment of the core regulation. Consequently, CTOs and architects cannot rely solely on the current text for a final compliance checklist; they must prepare for a secondary layer of regulation that will define the precise technical standards.

Alignment with NIS2 and Cybersecurity Frameworks

The proposal's explanatory memorandum and impact assessment highlight that CADA is designed to complement, not replace, existing EU cybersecurity legislation, particularly the Directive on Security of Network and Information Systems (NIS2).

  • Baseline Alignment: NIS2 already requires essential and important entities to implement appropriate technical and organisational measures to manage cybersecurity risks, including incident management, business continuity, and supply chain security. The EuroCloud Federation's requirements under Article 35(2) are expected to build upon this baseline.
  • Enhanced Requirements: While NIS2 provides the foundation, CADA adds specific dimensions related to the sovereignty and operational autonomy of the public sector. The impact assessment notes that the EuroCloud platform will include mechanisms for secure access, incident management, shared identity management, and mutual authentication tools. These features reflect an alignment with high-level cybersecurity best practices but are tailored specifically to the cross-border, federated nature of the public sector cloud.
  • Cybersecurity Certification: The broader CADA framework also references the future European Cybersecurity Certification Scheme for Cloud Services (EUCS). While Article 35 does not explicitly mandate EUCS certification for sharing entities, the alignment with "highest cybersecurity standards" suggests that entities may need to demonstrate compliance with such schemes to prove the "secure" and "resilient" nature of their services.

What this means for you

For CTOs, architects, and technical leads in public sector bodies or SMEs supporting them, the requirement to implement these measures has several strategic implications:

  • Conduct a Gap Analysis: If your public sector body intends to share idle capacity or services via the EuroCloud Federation, conduct an immediate audit of your current technical, operational, and organisational security measures. Compare these against the baseline requirements of NIS2 and the specific domains mentioned in Article 35(2) (risk analysis, access control, incident handling, business continuity, interoperability). Identify gaps where your current infrastructure may not support the resilience and security levels expected for a federated environment.
  • Prepare for Interoperability: The emphasis on "policies supporting interoperability and connectivity" suggests that siloed, proprietary architectures may need adjustment. Ensure your cloud infrastructure supports standardised interfaces and security protocols that allow for secure integration with other public sector clouds. This may involve investing in middleware or API management tools that enforce strict security boundaries while enabling resource sharing.
  • Monitor Implementing Acts: Since Article 35(6) delegates the specification of detailed measures to the Commission, closely monitor the development of these implementing acts. These will provide the concrete technical standards you must meet. Early engagement with industry groups and standards bodies can help you anticipate these requirements and adapt your architecture proactively.
  • SME Considerations: For SMEs providing services to public sector bodies that are part of the EuroCloud Federation, you may face indirect pressure to align with these high security standards. Public sector buyers will likely require their vendors to meet stringent security criteria to maintain the overall integrity of the federation. Ensure your service offerings can demonstrate compliance with robust security and resilience standards, potentially leveraging certifications like EUCS when available.
  • Governance and Documentation: The "organisational" aspect of Article 35(2) means that documentation is as important as technology. Ensure you have clear, up-to-date policies for risk management, incident response, and business continuity. These documents will likely be subject to review by the Commission or national competent authorities as part of the recognition process for sharing entities.

Common misconceptions

  • Misconception: Compliance with NIS2 is automatically sufficient. While NIS2 provides a strong baseline, Article 35(2) requires measures specifically tailored to the "effective, secure and resilient provision of services" within the EuroCloud Federation. This may include additional interoperability requirements or higher assurance levels for cross-border data flows that go beyond standard NIS2 obligations. The specific implementing acts under Article 35(6) will clarify any additional requirements.

  • Misconception: Only technical measures matter. Article 35(2) explicitly includes "operational and organisational" measures. This means that having secure hardware and software is not enough. You must also have the right processes, policies, and governance structures in place. For example, a well-documented incident response plan and trained staff are as critical as encryption algorithms.

  • Misconception: The technical requirements are already fully defined. The primary legislation sets the high-level obligation, but the detailed technical specifications will be defined in implementing acts under Article 35(6). Until these acts are adopted, the exact technical standards remain to be finalised. Entities should prepare for a dynamic regulatory environment where specific technical requirements may evolve.

  • Misconception: SMEs are exempt from these requirements. While SMEs may not directly join the EuroCloud Federation as sharing entities (which are typically larger public bodies), they may be subcontractors or service providers to these entities. The security and resilience requirements of the sharing entity will likely cascade down to its supply chain. SMEs should be prepared to demonstrate robust security practices to remain competitive in the public sector market.

This is general information about a draft EU regulation, not legal advice.