Summary

As proposed, the Cloud and AI Development Act (CADA) does not replace or override the Network and Information Security 2 Directive (NIS2); instead, it imposes parallel, complementary obligations on entities within its scope. Cloud computing service providers and public sector bodies must simultaneously satisfy NIS2's technical cybersecurity risk management requirements and CADA's sovereignty assurance levels, procurement constraints, and risk assessments. Compliance with one does not automatically satisfy the other, creating a dual-layer regulatory burden in which NIS2 addresses technical security and CADA addresses strategic autonomy and public order.

Detail

The proposed Cloud and AI Development Act (CADA) is explicitly designed to complement existing EU digital legislation, including NIS2, rather than supplant it. The explanatory memorandum states that NIS2 "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU, resulting in greater trust." However, it clarifies that NIS2 "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." Consequently, a cloud provider or public sector entity may fall within the scope of both instruments, requiring adherence to two distinct sets of duties that, while overlapping in spirit, differ significantly in scope, objective, and enforcement.

Parallel Duties for Cloud Providers

Under CADA, a "cloud computing service provider" is defined by reference to Article 6, point (30), of Directive (EU) 2022/2555 (NIS2) (CADA Article 2(2)). This definitional link ensures that entities regulated under NIS2 for their cloud services are likely in scope for CADA's sovereignty framework. However, the obligations diverge sharply in nature.

1. Technical Security vs. Sovereign Assurance

NIS2 requires designated entities to implement appropriate and proportionate technical, operational and organisational cybersecurity risk management measures to prevent, detect, and respond to incidents (NIS2 Article 21). CADA, conversely, introduces a "Union cloud computing sovereignty framework" comprising four Union assurance levels (CADA Article 16). To be recognized as offering Union assurance level 2, 3, or 4, a provider must undergo independent third-party audits (CADA Article 20). While NIS2 focuses on the resilience of network and information systems against attacks, CADA's assurance criteria (set out in Annex II) focus on operational autonomy, data localization, personnel citizenship, and the absence of third-country control. A provider must maintain NIS2-compliant security controls while simultaneously demonstrating, through CADA-specific audit evidence, that its infrastructure and governance meet strict sovereignty criteria. For instance, under Annex II, Section 2.1(c), customer data must "remain exclusively within the Union, unless the public sector body explicitly requires otherwise," a geographic constraint that goes beyond NIS2's technical risk management.

2. Incident Reporting and Transparency

NIS2 mandates staged, time-bound reporting of significant incidents to the CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month (NIS2 Article 23). CADA imposes its own transparency obligations. Under CADA Article 23, recognized cloud computing service providers must notify the auditing organization and the national competent authority of establishment "as soon as possible" of any material change in circumstances that may affect their audit report or recognition status. This creates a parallel reporting duty: a significant incident under NIS2 may also constitute a "material change" under CADA, triggering a reassessment of the provider's sovereignty assurance level. The two duties run on different clocks and go to different recipients, so a single internal incident trigger should fan out to both. Failure to notify under CADA could lead to the revocation of recognition, even if the NIS2 incident was reported correctly.

3. Supply Chain Security

NIS2 requires entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers (NIS2 Article 21(2)(d)). CADA extends this into the realm of strategic autonomy and supply chain resilience. For Union assurance levels 2, 3, and 4, providers must demonstrate that subcontractors involved in service provision are established in the Union and that technical support is performed exclusively within the Union (Annex II, Sections 2.1 and 3.1). Furthermore, CADA requires a complete and up-to-date software bill of materials (SBOM) and controls to block remote features that could tamper with systems (Annex II, Sections 2.1(i) and 3.1(i)). These requirements go beyond NIS2's general supply chain risk management, imposing specific geographic and technical constraints on the provider's ecosystem to prevent third-country interference.

Obligations for Public Sector Bodies and Contracting Authorities

Public sector bodies face distinct stacking obligations under CADA, particularly regarding procurement and risk assessment, which operate alongside NIS2's resilience requirements.

1. Risk Assessments and Procurement Constraints

CADA Article 29 requires Member States and Union entities to conduct risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine the appropriate Union assurance level (2, 3, or 4) for cloud services used in those activities. This is a proactive, strategic assessment distinct from the operational risk management required by NIS2.

Based on these risk assessments, CADA Article 30 imposes strict procurement constraints. Contracting authorities whose activities are identified as contributing to public order preservation (e.g., in sectors listed in NIS2 Annex I or II, or in national security, defense, and law enforcement) "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." Even for non-critical activities, a minimum of Union assurance level 1 is required (CADA Article 30(2)). This means public buyers must integrate CADA's sovereignty tiers into their procurement processes, a requirement that does not exist under NIS2.

2. Multi-Cloud Strategies

CADA Article 29(9) explicitly requires Member States and Union entities to consider, on the basis of the risk assessment, whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. This adds a strategic architectural consideration to the public procurement process that operates alongside NIS2's resilience requirements, so that dependence on a single provider does not become a single point of failure for activities that preserve public order.

Penalties and Enforcement

The stacking of obligations means that non-compliance can trigger penalties under both regimes. NIS2 requires Member States to provide for administrative fines of a maximum of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and EUR 7 million or 1.4% for important entities (NIS2 Article 34). CADA, under Article 24, requires Member States to lay down rules on penalties for infringements by cloud computing service providers, which must be "effective, proportionate and dissuasive." While CADA does not specify fixed fine amounts in the same manner as the AI Act, it empowers national competent authorities to impose fines and periodic penalty payments (CADA Article 26(2)). A provider that fails to meet NIS2 incident reporting deadlines while also failing to notify CADA authorities of a material change affecting its sovereignty status could face concurrent enforcement actions, potentially leading to both financial penalties and the loss of the right to serve public sector clients.

What this means for you

For in-house counsel and compliance officers, the stacking of CADA and NIS2 obligations requires a bifurcated compliance program. You cannot assume that NIS2 compliance certificates or audits will satisfy CADA's sovereignty requirements.

  1. Map Your Entities: Identify which entities are "cloud computing service providers" under NIS2. These are likely in scope for CADA's sovereignty framework if they seek to serve the public sector or aim for Union assurance recognition.
  2. Dual Audit Preparation: Prepare for independent third-party audits under CADA Article 20 for assurance levels 2–4. These audits will examine evidence not covered by NIS2, such as ownership structures, third-country control, and personnel citizenship. Ensure your documentation includes SBOMs and evidence of legal separation from third-country subsidiaries (Annex II, Section 3.1(k)).
  3. Update Procurement Processes: Public sector legal teams must integrate CADA Article 29 risk assessments into their procurement workflows. Before tendering for cloud services, you must determine if the activity contributes to public order and, if so, restrict tenders to providers with recognized Union assurance levels 2, 3, or 4.
  4. Incident Response Protocols: Review incident response plans to ensure they trigger both NIS2 reporting timelines and CADA Article 23 notifications to auditing organizations and competent authorities. A delay in CADA notification could lead to revocation of sovereignty recognition, disrupting public sector contracts.
  5. Monitor Regulatory Updates: CADA is a proposal. The specific criteria for Union assurance levels are in Annex II and may be updated via delegated acts (CADA Article 16(2)). Stay alert for implementing acts that will define the detailed audit procedures and risk assessment methodologies.

Common misconceptions

Misconception 1: NIS2 compliance is sufficient for CADA. This is incorrect. NIS2 focuses on technical cybersecurity resilience. CADA focuses on strategic autonomy, data sovereignty, and protection against third-country interference. A provider can be NIS2-compliant but fail to meet CADA's Union assurance level 3 criteria if, for example, it is subject to the control of a third-country entity or if its technical support is performed outside the Union.

Misconception 2: CADA replaces NIS2 for cloud providers. CADA does not repeal or amend NIS2. The explanatory memorandum explicitly states that CADA complements NIS2. Entities must comply with both. NIS2 remains the primary instrument for technical cybersecurity risk management, while CADA adds the sovereignty layer.

Misconception 3: Only public sector bodies need to worry about CADA. While CADA's procurement rules (Article 30) directly bind public sector bodies, the sovereignty framework and recognition mechanisms (Articles 16–24) apply to cloud computing service providers. Private sector entities operating in sectors of high criticality (listed in NIS2 Annex I) may also be subject to impact assessments and risk mitigation measures under CADA Article 31, and they must comply with the assurance criteria if they wish to serve public sector clients.

Misconception 4: Data localization under GDPR satisfies CADA's data residency requirements. CADA's requirements for data to remain "exclusively within the Union" (Annex II, Sections 2.1(c) and 3.1(c)) are stricter and more absolute than GDPR's transfer mechanisms. CADA prohibits the transfer of customer data outside the Union unless the public sector body explicitly requires otherwise, regardless of adequacy decisions or standard contractual clauses.

This is general information about a draft EU regulation, not legal advice.