Summary

As proposed, the Cloud and AI Development Act (CADA) does not mandate a single fixed tier for all financial services; instead, it requires a risk-based determination. For standard public procurement, Union Assurance Level 1 is the baseline. However, for financial activities deemed to contribute to "public order" or critical infrastructure, Union Assurance Levels 2, 3, or 4 become mandatory. While CADA primarily binds public authorities, private financial institutions (under the NIS2 Directive) are encouraged to conduct impact assessments to align with these tiers, thereby strengthening their operational resilience under the Digital Operational Resilience Act (DORA). Crucially, Level 2 requires "substantial" cybersecurity certification, while Level 3 introduces mandatory Union citizenship for personnel and strict controls on third-country influence.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised "Union cloud computing sovereignty framework" comprising four Union Assurance Levels (UALs). For financial services, selecting the correct tier is not merely a compliance exercise but a strategic decision regarding data sovereignty, supply-chain resilience, and protection against extraterritorial interference.

The Risk Assessment Trigger

The choice of tier is driven by the outcome of a risk assessment. Under Article 29, Member States and Union entities must identify public-sector activities that contribute to the preservation of public order. This assessment evaluates the sensitivity, criticality, and magnitude of data, as well as the risk of unlawful access by third countries.

  • Baseline Requirement: If an activity is not identified as contributing to public order, Article 30(2) mandates the procurement of services recognised at Union Assurance Level 1.
  • Public Order Requirement: If an activity is identified as contributing to public order, which includes sectors under Annex I or II of the NIS2 Directive (covering financial market infrastructures), Article 30(3) requires procurement of services recognised at Union Assurance Levels 2, 3, or 4.

For private financial entities, Article 31 provides a voluntary mechanism to conduct similar impact assessments. While not legally mandatory for private firms, this allows them to align their cloud strategies with the rigorous sovereignty criteria used by the public sector, ensuring consistency with DORA's resilience expectations.

Deep Dive: Levels 2 and 3 for Financial Workloads

Financial institutions often require assurances beyond simple data localisation. Annex II details the cumulative criteria for these higher tiers.

Union Assurance Level 2: The "Substantial" Baseline

Level 2 is designed for services requiring robust sovereignty safeguards without the strictest personnel constraints. Key criteria include:

  • Establishment & Location: The provider and all relevant subcontractors must be established in the Union. Infrastructure, assets, and personnel involved in the service must be located in the Union (Annex II, 2.1(a)-(b)).
  • Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union, unless the public sector body explicitly requires otherwise (Annex II, 2.1(c)).
  • AI Training Restrictions: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country or third-country legal entity, nor can it be transferred outside the Union (Annex II, 2.1(f)).
  • Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under the European Cybersecurity Certification Scheme for Cloud Services (EUCS) (or equivalent national schemes until EUCS is established) (Annex II, 2.1(e)).
  • Foreign Control Safeguards: If the provider is subject to third-country control, it must demonstrate measures preventing that control from restricting service delivery, accessing data, or disrupting continuity (Annex II, 2.1(g)).
  • Personnel: Union citizenship for personnel is conditional. It applies only "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary" (Annex II, 2.1(d)).

Union Assurance Level 3: The "High" Sovereignty Tier

Level 3 is intended for highly sensitive workloads, such as those handling classified information or critical market infrastructure. It introduces stricter, mandatory requirements:

  • Mandatory Personnel Citizenship: All personnel, including those of subcontractors, must be Union citizens. Where handling classified information, they must also hold necessary national security clearances (Annex II, 3.1(d)).
  • Strict No-Third-Country Control: Providers and subcontractors must not be subject to the control of a third country or a third-country legal entity.
    • Derogation: A derogation exists only if the Commission has adopted an implementing act under Article 18 (as referenced in Annex II, 3.1(g)) identifying a third country as providing sufficient assurances. This act requires the third country to have an adequacy decision and no measures enabling extraterritorial control or service disruption.
  • Support Localisation: Technical and operational support must be initiated and performed exclusively within the Union by Union residents and parties not subject to third-country control (Annex II, 3.1(h)).
  • Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and ensure third-country components are subject to source code audits with documented migration plans (Annex II, 3.1(i)).
  • Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' (Note: Level 4 is the only tier requiring 'high' certification) (Annex II, 3.1(e)).

Alignment with DORA and Financial Resilience

The Digital Operational Resilience Act (DORA) mandates that financial entities manage ICT risks and test incident response. However, DORA focuses on technical resilience and does not explicitly address sovereignty risks, such as the risk of a third country compelling data access or disrupting service via extraterritorial laws.

CADA complements DORA by addressing these non-technical risks. By adopting a CADA-recognised cloud service (particularly Level 2 or 3), a financial institution can demonstrate to regulators that its infrastructure is resilient not only against cyberattacks but also against geopolitical coercion and strategic dependencies. This alignment ensures that the "operational continuity" required by DORA is underpinned by a sovereign supply chain.

What this means for you

For financial services leaders, CADA shifts the conversation from "security" to "sovereignty."

  1. Map Your Risk Profile: Determine if your specific financial activities (e.g., payment clearing, market data processing) fall under the "public order" or critical infrastructure categories defined in Article 29. If so, Level 1 is insufficient; you must target Level 2, 3, or 4.
  2. Select the Right Tier:
    • Level 2 is likely the standard for most critical financial workloads, offering strong data residency and "substantial" cybersecurity certification.
    • Level 3 is necessary if your risk assessment identifies a need to eliminate third-country control entirely or if you require mandatory Union citizenship for all operational staff.
  3. Verify via the Central Repository: Do not rely on marketing claims. Under Article 17, providers must be formally recognised. Check the central repository established under Article 22 to confirm a provider's status and the specific assurance level granted.
  4. Prepare for Audits: If you are a cloud provider targeting the financial sector, prepare for rigorous third-party audits under Article 20. You must provide evidence of data flows, personnel citizenship (for Level 3), and software supply chain transparency as detailed in Annex III.

Common misconceptions

"CADA replaces DORA for financial firms." No. CADA and DORA are complementary. DORA governs ICT risk management and operational resilience. CADA governs the sovereignty of the cloud infrastructure. A financial firm must comply with DORA regardless of the cloud tier, but using a CADA-recognised provider helps mitigate the specific third-country dependency risks that DORA does not fully cover.

"Level 2 requires mandatory Union citizenship for all staff." Incorrect. Under Annex II, 2.1(d), Union citizenship for personnel at Level 2 is conditional. It is required only "if the public sector body determines" it is necessary. At Level 3, however, it becomes mandatory for all personnel involved in the service.

"Level 3 allows third-country control if safeguards exist." Partially true but nuanced. Annex II, 3.1(g) generally prohibits third-country control. A derogation exists only if the Commission has adopted an implementing act under Article 18 (referenced in Annex II) for that specific third country. This is a high bar, requiring an adequacy decision and proof that the third country cannot compel data access or service disruption.

"Data localisation is the only requirement." False. Sovereignty under CADA is multi-layered. It includes the legal establishment of the provider, the citizenship and residency of personnel, the location of support operations, and the control over the software supply chain. Data residency alone does not satisfy Level 2 or 3 criteria.

This is general information about a draft EU regulation, not legal advice.