Summary
Under Article 31 of the proposed Cloud and AI Development Act (CADA), private-sector entities listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555) may voluntarily carry out impact assessments mirroring the public sector's risk assessments. These assessments are specifically targeted at sectors of high criticality to evaluate sovereignty risks, third-country access, and service continuity. While currently optional, the Commission retains the power to adopt delegated acts to make these assessments mandatory for specific entities if systemic risks warrant it.
Detail
Article 31 of the CADA proposal (COM(2026) 502 final) establishes a unique bridge between the mandatory sovereignty framework applied to the public sector and the voluntary market dynamics of the private sector. While Article 29 imposes a strict obligation on Member States and Union entities to conduct risk assessments to determine the appropriate Union assurance level for public-order-relevant activities, Article 31 extends a similar mechanism to the private sector, but with a crucial distinction: it is permissive, not mandatory, at the outset.
The Scope: Who is eligible?
The provision is narrowly tailored to entities operating in sectors deemed critical to the Union's security and economic stability. Article 31(1) explicitly states that the mechanism applies to:
"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies."
This refers to the NIS2 Directive (Directive on measures for a high common level of cybersecurity across the Union). Annex I of NIS2 enumerates "essential entities" in high-criticality sectors, including:
- Energy (electricity, gas, hydrogen, oil)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, laboratories, research centres)
- Drinking water and waste water
- Digital infrastructure (IXPs, DNS, TLD registries, cloud computing, data centres)
- ICT service management
- Space
- Public administration
- Digital providers (online marketplaces, search engines, social media platforms)
Crucially, the text excludes public sector bodies from this specific article, as they are already covered by the mandatory regime in Article 29. Therefore, Article 31 is exclusively for private operators within these high-criticality sectors.
The Action: "May carry out"
The operative language in Article 31(1) is permissive: these entities "may carry out similar assessments as those set out in Article 29."
This phrasing confirms that, as proposed, the impact assessment is voluntary. Private entities are not legally compelled to perform these assessments upon the entry into force of the regulation. Instead, they are empowered to adopt the same rigorous methodology used by public bodies to evaluate:
- The sensitivity, criticality, and magnitude of data processed.
- The risk of unlawful access by third countries or legal entities established in third countries.
- The risk of service disruption or degradation.
By conducting these assessments, private entities can determine which Union assurance level (1, 2, 3, or 4) is appropriate for their operations, aligning their procurement strategies with the CADA sovereignty framework even without a direct legal mandate.
The Commission's Power: From Voluntary to Mandatory
While the baseline is voluntary, the proposal includes a "safety valve" mechanism allowing the Commission to escalate requirements if the voluntary approach proves insufficient.
Article 31(2) empowers the Commission to "issue guidance on the methodology for carrying out the impact assessments under this Article and possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality." This guidance would standardize the assessment process, ensuring that private firms evaluate risks consistently across the Union.
More significantly, Article 31(3) grants the Commission the authority to adopt delegated acts. The text states:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."
This means that if the Commission identifies specific circumstances, such as a sudden surge in third-country dependencies or a systemic vulnerability in a critical sector, it can legally transform the voluntary "may" into a mandatory "shall" for specific entities or sectors. This ensures the framework remains agile and responsive to evolving geopolitical risks.
Connection to the Sovereignty Framework
The primary utility of an Article 31 impact assessment is to inform procurement decisions. By assessing their risks, private entities can justify the procurement of cloud services at higher Union assurance levels (2, 3, or 4), even if not strictly required by law. This is particularly relevant for entities handling sensitive data or those whose disruption could have severe consequences for the Union's economy or security.
The assessment allows these private operators to mirror the public sector's logic: if the risk assessment determines that an activity is critical, the entity can voluntarily commit to sourcing only from providers recognized at the appropriate assurance level, thereby enhancing the overall resilience of the Union's digital ecosystem.
What this means for you
For cloud service providers, data centre operators, and private entities in NIS2 Annex I sectors, Article 31 represents a strategic opportunity and a potential future compliance burden.
1. Strategic Voluntary Adoption
Even though the assessments are currently optional, private entities in critical sectors (e.g., energy, finance, health) are likely to adopt them proactively.
- For Private Entities: Conducting an Article 31 assessment allows you to demonstrate due diligence regarding supply chain sovereignty. It provides a documented basis for selecting cloud providers that meet higher assurance levels, protecting your organization from future regulatory shifts or geopolitical shocks.
- For Providers: If your clients in NIS2 sectors begin conducting these assessments, they will demand evidence that your services meet the criteria for Union assurance levels 2, 3, or 4. Being able to demonstrate compliance with the Annex II criteria (e.g., Union establishment, data localisation, personnel citizenship, and cybersecurity certification) will become a key competitive differentiator.
2. Preparing for Mandatory Shifts
The possibility of Article 31(3) delegated acts means that the voluntary nature of these assessments is not guaranteed forever.
- Monitor Commission Guidance: Watch closely for the guidance mentioned in Article 31(2). This will likely set the standard for how assessments are conducted. Aligning your internal processes with this guidance early will make future compliance seamless.
- Watch for Delegated Acts: The Commission can act quickly if it deems a high-criticality sector to be at risk. If a delegated act is adopted, the "may" in Article 31(1) effectively becomes a "must" for the specified entities. Private firms should maintain the capability to perform these assessments at short notice.
3. Documentation and Mitigation
The impact assessment is not just a theoretical exercise; it must lead to risk mitigation measures.
- Mitigation Planning: If an assessment reveals high risks (e.g., reliance on a third-country provider with extraterritorial access laws), the entity must document how it plans to mitigate these risks. This could involve multi-cloud strategies, switching to EU-based providers, or implementing specific technical controls.
- Audit Readiness: While private entities are not currently subject to the same audit regime as public bodies, the methodology of the assessment should be robust enough to withstand scrutiny from regulators or auditors if the Commission later mandates the process.
Common misconceptions
Misconception 1: Article 31 applies to all private companies. This is incorrect. Article 31 is strictly limited to entities listed in Annex I of the NIS2 Directive. It does not apply to small and medium-sized enterprises (SMEs) or private firms operating outside these high-criticality sectors (e.g., a local retail chain or a non-critical software startup). The focus is exclusively on sectors of high criticality.
Misconception 2: The assessments are mandatory immediately. No. Article 31(1) uses the word "may," which legally establishes the assessments as voluntary for private entities. They are only mandatory if the Commission exercises its power under Article 31(3) to adopt a delegated act specifying the need for such assessments due to specific circumstances.
Misconception 3: These assessments are identical to GDPR DPIAs. While there is overlap in data protection, Article 31 impact assessments have a distinct focus. They are designed to evaluate sovereignty, operational autonomy, and supply chain resilience. They specifically assess risks related to third-country control, extraterritorial access, and service continuity, which are not the primary focus of a GDPR Data Protection Impact Assessment (DPIA).
Misconception 4: Only public bodies need to worry about the sovereignty framework. Article 31 explicitly brings private entities in critical sectors into the sovereignty framework. While public bodies have mandatory risk assessments under Article 29, private entities in NIS2 Annex I sectors are the primary target for the voluntary (and potentially future mandatory) impact assessments under Article 31. This ensures that the Union's critical infrastructure is resilient regardless of whether it is owned by the state or the private sector.
This is general information about a draft EU regulation, not legal advice.