Summary
For fintech companies, the proposed Cloud and AI Development Act (CADA) introduces a critical new compliance layer: Article 31, which empowers the Commission to mandate impact assessments for private entities in high-criticality sectors (overlapping with NIS2). While CADA does not replace financial-sector rules like DORA, it creates a "sovereign cloud" market signal where public procurement requirements (Article 30) will likely force private fintechs to adopt higher assurance levels (2–4) to serve regulated clients. As proposed, fintechs must prepare for a dual regime: DORA for operational resilience and CADA for data sovereignty and third-country control.
Detail
The Cloud and AI Development Act (CADA), proposed in COM(2026) 502 final, is designed to reduce the EU's dependency on non-European cloud providers. For the financial sector, this is not merely a procurement guideline but a potential structural shift in how cloud services are architected and procured. The proposal establishes a "Union cloud computing sovereignty framework" (Article 16) with four assurance levels, creating a tiered system of trust that will increasingly dictate market access.
Article 31: The Impact Assessment Mechanism for Private Entities
The most significant potential obligation for fintechs lies in Article 31, titled "Impact assessments." This article specifically targets private sector entities that are not public bodies but are listed in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive). Given that many fintechs, payment processors, and crypto-asset service providers fall under the NIS2 scope as "essential" or "important" entities, Article 31 is directly relevant.
Currently, Article 31(1) states that these entities "may carry out similar assessments as those set out in Article 29." However, paragraph 3 gives the provision real teeth:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This creates a regulatory "sword of Damocles." While the initial step is voluntary, the Commission retains the explicit power to convert this into a mandatory requirement for sectors deemed "high criticality" (which includes finance). If triggered, fintechs would be legally required to assess their cloud dependencies against CADA's sovereignty criteria and implement specific mitigation measures.
The Sovereign Cloud Market Signal and Assurance Levels
Even without a mandatory Article 31 order, fintechs face a powerful market signal driven by public procurement rules. Article 30 mandates that contracting authorities (public bodies) procure cloud services at specific assurance levels (Level 1 baseline; Levels 2–4 for public-order-relevant activities).
Recital 66 of the proposal explicitly warns of the "spillover effect" on the private sector:
"Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."
For fintechs, this means that if their clients (e.g., public banks, insurance regulators, or government-linked financial institutions) are forced to procure Level 3 or 4 services, the fintechs themselves will be pressured to migrate to providers capable of meeting those same levels. The assurance levels impose strict, cumulative criteria found in Annex II:
- Level 1: Requires establishment in the Union, data residency in the Union, and state-of-the-art cybersecurity.
- Level 2: Adds requirements for personnel location, European cybersecurity certification (at least "substantial"), and a ban on using service-generated data to train third-country AI systems.
- Level 3 & 4: These levels impose the strictest sovereignty controls. They require that the provider and its subcontractors are not subject to the control of a third country (unless a specific derogation applies under Article 18). They also mandate that technical support and operational assistance are performed exclusively within the Union by Union residents.
Crucially, Annex II, Section 3.1(g) contains a drafting slip referencing Article 19 for the third-country derogation, but the substantive power to recognize third countries lies in Article 18 ("Associated third countries"). This distinction is vital for legal interpretation: the Commission's power to grant exceptions for third-country control is rooted in Article 18, not the self-assessment rules of Article 19.
Interaction with DORA
Fintechs must navigate a dual compliance landscape: the Digital Operational Resilience Act (DORA) and the proposed CADA. DORA focuses on ICT risk management, incident reporting, and testing for financial entities and their critical third-party providers. CADA complements this by adding a sovereignty dimension.
The Explanatory Memorandum (Section: Consistency with other Union policies) clarifies this relationship:
"The proposal also supports the objectives of the Digital Operational Resilience Act (DORA). The Digital Operational Resilience Act shapes compliance obligations for cloud computing service providers. It indirectly covers cloud computing service providers if they provide services to specified financial entities or if their role is significant enough in terms of operational resilience."
DORA ensures the cloud is resilient; CADA ensures the cloud is sovereign. A fintech serving banks must ensure its architecture satisfies DORA's rigorous testing and incident response requirements while simultaneously meeting CADA's criteria for data confidentiality and operational autonomy from third-country jurisdictions. For instance, a multi-cloud strategy encouraged by Recital 65 to enhance resilience must also be designed to prevent third-country control, satisfying both DORA's redundancy needs and CADA's sovereignty constraints.
What this means for you
For CTOs, compliance officers, and architects in fintech firms, the CADA proposal necessitates immediate strategic review.
- Prepare for Mandatory Impact Assessments: Do not wait for a delegated act under Article 31(3). Proactively conduct impact assessments similar to Article 29. Map your cloud providers against the CADA assurance levels. Identify any reliance on third-country controlled providers that would fail Level 2, 3, or 4 criteria.
- Audit Data Flows and AI Training: A key requirement for Level 2 and above (Annex II, Section 2.1(f)) is that data generated by the service is not used to train or fine-tune any AI system operated by a third country. Fintechs using AI for fraud detection or credit scoring must verify their cloud provider's data usage policies to ensure compliance.
- Anticipate Vendor Shifts: If your current cloud provider is established outside the Union or is subject to third-country control without an Article 18 derogation, you may face pressure to migrate. The "spillover effect" from public procurement will likely make EU-based or EU-controlled providers the only viable option for serving regulated clients.
- Align with DORA and Multi-Cloud: Ensure your sovereignty measures do not conflict with DORA's operational resilience requirements. Recital 65 encourages multi-vendor or multi-cloud strategies to limit dependency. Design these architectures to enhance both resilience (DORA) and sovereignty (CADA), ensuring that no single third-country entity controls the entire stack.
Common misconceptions
- "CADA replaces DORA for fintechs." False. CADA and DORA address different risks. DORA focuses on operational resilience and cybersecurity; CADA focuses on sovereignty and reducing dependency on third-country providers. They are complementary, and fintechs must comply with both.
- "Only public sector entities need to worry about assurance levels." Incorrect. While Article 30 mandates specific levels for public procurement, Recital 66 acknowledges that private sector entities in regulated industries will mirror these requirements. Fintechs serving public or critical infrastructure clients will face indirect pressure to adopt higher assurance levels.
- "Impact assessments under Article 31 are optional forever." Misleading. Article 31 currently allows entities to carry out assessments, but the Commission retains the power to make them mandatory for high-criticality sectors via delegated acts under Article 45. Fintechs should prepare for this potential shift.
- "The third-country derogation is in Article 19." Incorrect. While Annex II, Section 3.1(g) contains a drafting slip referencing Article 19, the substantive power to recognize third countries and grant derogations lies in Article 18.
This is general information about a draft EU regulation, not legal advice.