Summary

As proposed, the Cloud and AI Development Act (CADA) would enter into force 20 days after publication in the Official Journal, with its substantive obligations applying one year later. However, specific Member State deadlines for national cloud and AI strategies and the designation of national competent authorities (NCAs) would occur within that same one-year window. For the financial sector, CADA's sovereignty and procurement rules would apply alongside existing obligations under the Digital Operational Resilience Act (DORA), creating a layered compliance timeline where DORA handles operational resilience and CADA addresses geopolitical sovereignty.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a comprehensive framework to strengthen Europe's cloud and AI ecosystem, with significant implications for the financial sector. Understanding the precise timeline is critical for in-house counsel and compliance officers, as the regulation operates on a phased basis. The entry into force and application dates are strictly defined in Article 48 of the proposal.

Entry into Force and General Application

According to Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. This date marks the legal birth of the instrument, establishing its existence in the EU legal order, but it is not the date when most operational obligations become enforceable for market participants.

The proposal explicitly states that CADA "shall apply from [same day and month as date of entry into force plus 1 year]." This establishes a mandatory one-year transition period between the law becoming legally binding and the majority of its substantive requirements becoming applicable. For instance, if CADA were published in June 2027, it would enter into force in late June 2027, and the general application date for most obligations would be June 2028. During this interim year, the Commission and Member States would prepare the necessary administrative and regulatory infrastructure.

Staged Deadlines for Member States and Authorities

While the general application date for the private sector is one year after entry into force, specific preparatory obligations for Member States have deadlines that align with this one-year mark. These are crucial because they establish the regulatory infrastructure that financial institutions will interact with immediately upon the regulation's application.

  1. National Cloud and AI Strategies: Under Article 7, Member States must establish national cloud and AI strategies by "[same day as entry into force plus one year]." These strategies must include measures to support the deployment of data centre capacity and cloud computing stack technologies. Financial sector entities must monitor these national strategies closely, as they will influence local procurement criteria, sovereignty expectations, and the specific implementation of the Union Assurance Levels (UALs) within each jurisdiction.
  2. Designation of National Competent Authorities (NCAs): Article 25 requires Member States to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework by "[P.O. insert date of entry into force plus 1 year]." These authorities will oversee the recognition of cloud providers under the UALs. Financial institutions will need to engage with these NCAs to verify the status of their cloud providers and understand the enforcement landscape.
  3. Risk Assessments: Article 29 mandates that Member States and Union entities carry out risk assessments to determine which public sector activities require higher levels of Union Assurance (Levels 2, 3, or 4). This must be done by "[date of entry into force plus 1 year]" and repeated every two years thereafter. While this article primarily targets public sector bodies, the resulting risk assessments influence the broader market. They set precedents for what constitutes "public order" relevance, which may indirectly affect private sector entities in critical sectors, including finance, as they align their own risk profiles with national expectations.

Intersection with DORA

For the financial sector, CADA does not operate in a vacuum. The Digital Operational Resilience Act (DORA) already imposes strict ICT risk management and third-party risk obligations on financial entities. The CADA proposal explicitly acknowledges this overlap in its explanatory memorandum.

The memorandum notes that CADA supports the objectives of DORA. DORA shapes compliance obligations for cloud computing service providers indirectly if they provide services to specified financial entities. DORA has a sectoral scope specific to the financial sector, requiring financial institutions to carry out due diligence on their cloud providers regarding operational resilience. CADA complements this by providing a harmonised sovereignty framework.

As proposed, financial institutions must comply with both regimes. DORA focuses on operational resilience, technical cybersecurity, and the management of ICT third-party risk. CADA focuses on sovereignty, data confidentiality, and operational autonomy from third-country control. The timelines differ significantly: DORA is already in force, with its requirements applying progressively. CADA's additional sovereignty layers (such as the requirement to procure services with specific Union Assurance Levels for critical activities) would apply one year after CADA's entry into force. This creates a dual-compliance environment where financial entities must satisfy DORA's technical resilience standards while simultaneously meeting CADA's geopolitical sovereignty criteria.

Penalties and Enforcement

Non-compliance with CADA's obligations would carry significant penalties. Article 24 requires Member States to lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." While CADA primarily targets cloud providers, financial institutions as contracting authorities have obligations under Article 30 to procure services that meet specific Union Assurance Levels based on their risk assessments. Failure to adhere to these procurement rules could result in administrative penalties under national laws implementing CADA.

Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to a provider's infringement of their obligations under the sovereignty framework. This creates a direct financial risk for financial institutions if their cloud providers fail to maintain their recognised assurance levels, potentially leading to litigation and reputational damage.

What this means for you

For in-house counsel and compliance officers in the financial sector, the CADA timeline requires immediate preparatory action, even though the full application date is one year post-entry into force.

  1. Map Your Cloud Dependencies: Begin auditing your current cloud providers against the proposed Union Assurance Levels (UALs) in Annex II of CADA. Identify which services are critical to your operations and may require UAL 2, 3, or 4 once the risk assessment framework is fully operational.
  2. Monitor National Strategies: Track the adoption of national cloud and AI strategies by the Member States where you operate. These strategies, due one year after entry into force, will detail local implementation of sovereignty requirements and may affect your procurement decisions.
  3. Engage with NCAs: Identify the national competent authorities designated by your relevant Member States. Establish lines of communication early, as these bodies will manage the recognition of cloud providers and handle cross-border cooperation.
  4. Integrate CADA with DORA Compliance: Ensure your third-party risk management processes, already established under DORA, can accommodate CADA's sovereignty criteria. DORA focuses on operational resilience; CADA adds a layer of geopolitical and data sovereignty risk. Your procurement contracts and due diligence questionnaires will need to reflect both sets of requirements.
  5. Prepare for Procurement Changes: As proposed, Article 32 requires contracting authorities to include "Union added value" criteria in public procurement for cloud and AI services. While this directly targets public sector bodies, the broader market shift towards sovereign cloud services will influence private sector offerings. Financial institutions should anticipate a market transition where non-EU providers may face increased scrutiny or exclusion from critical services.

Common misconceptions

  • Misconception: CADA replaces DORA for financial institutions.
    • Reality: CADA complements DORA. DORA remains the primary framework for ICT operational resilience in the financial sector. CADA adds a sovereignty layer, focusing on data confidentiality and operational autonomy from third-country control. Both sets of obligations apply in parallel.
  • Misconception: All cloud services will require the highest sovereignty level.
    • Reality: CADA introduces a proportionate framework with four Union Assurance Levels. Article 30 mandates that only activities identified as contributing to the preservation of public order (through risk assessments under Article 29) require UAL 2, 3, or 4. Most standard services may only require UAL 1, which involves a self-assessment.
  • Misconception: The one-year transition period means no action is needed until then.
    • Reality: The one-year period is for the general application of the regulation. However, Member States must designate competent authorities and adopt national strategies within one year of entry into force. Financial institutions need to understand these national frameworks early to ensure their cloud providers are recognised and compliant before the full application date.
  • Misconception: CADA only applies to public sector bodies.
    • Reality: While Article 30 directly imposes procurement obligations on contracting authorities (public sector), the sovereignty framework applies to cloud computing service providers offering services to the Union. Furthermore, Article 31 allows private sector entities in sectors of high criticality (including finance, per NIS2) to conduct similar impact assessments. The market-wide shift towards sovereign cloud services will inevitably affect private sector procurement.

This is general information about a draft EU regulation, not legal advice.