Summary

Under the proposed Cloud and AI Development Act (CADA), private companies operating in high-criticality sectors (specifically those listed in Annex I of the NIS2 Directive) have the option to voluntarily conduct impact assessments under Article 31(1). This provision allows critical infrastructure operators to proactively manage dependencies on cloud and AI services, align their security posture with public-sector standards, and prepare for potential future mandatory requirements. While not currently compulsory, these assessments help mitigate risks related to third-country access, service disruption, and operational autonomy, effectively allowing private entities to "future-proof" their supply chains against geopolitical volatility.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive framework to strengthen the EU's cloud and AI ecosystem. Its primary focus is on sovereignty, resilience, and reducing dependencies on non-European providers. A central pillar of this framework is the Union cloud computing sovereignty framework, which defines four "Union assurance levels" (UALs) based on strict criteria for data location, personnel citizenship, cybersecurity certification, and the absence of third-country control.

While the mandatory application of these assurance levels primarily targets public sector bodies and Union entities through risk assessments under Article 29, CADA explicitly acknowledges the role of the private sector in maintaining the Union's digital resilience. Article 31 introduces a specific mechanism for private sector entities to engage with these sovereignty standards voluntarily.

The Voluntary Pathway for Private Entities

Article 31(1) explicitly states that entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive), who are not public sector bodies, "may carry out similar assessments as those set out in Article 29." This provision creates a voluntary pathway for critical private infrastructure operators (such as energy providers, transport networks, banking, and digital infrastructure companies) to evaluate their reliance on cloud and AI services.

By conducting these voluntary impact assessments, private companies can achieve three strategic objectives:

  1. Identify Critical Dependencies: Just as public authorities must assess which activities contribute to the preservation of public order, private entities can map their own operations to identify which cloud services are critical to their continuity. This mirrors the public-sector logic of Article 29 but applies it to private operational resilience.
  2. Align with Public-Sector Standards: Many private companies serve public sector clients or operate in sectors where public trust is paramount. Aligning with the same risk-based methodology used by governments (Article 29) demonstrates a commitment to high standards of data sovereignty and operational resilience. This alignment is crucial for companies bidding on public contracts or operating in regulated markets where public-order relevance is a growing concern.
  3. Mitigate Geopolitical Risks: The CADA framework is designed to address risks such as unauthorized access by third countries, service disruption, and degradation of service quality. A voluntary assessment allows a company to proactively identify whether its current cloud providers expose it to these risks, particularly if those providers are subject to third-country laws that may compel data access or service interruption.

Proactive Risk Management and High-Risk Dependencies

The rationale behind allowing voluntary assessments is rooted in the concept of "proportionate and risk-based" autonomy. Not all private sector activities require the highest levels of assurance (UAL 3 or 4). However, certain activities in high-criticality sectors may have systemic importance. By conducting an assessment, a company can determine the appropriate Union assurance level for its specific use cases.

For instance, a financial institution processing sensitive transaction data might determine that its current cloud setup does not meet the criteria for UAL 2 or 3, which require strict data localization and absence of third-country control. Identifying this gap voluntarily allows the company to transition to more sovereign solutions before a crisis occurs or before regulators impose stricter rules. This proactive approach prevents the "shock" of sudden compliance mandates and allows for a managed migration strategy.

Alignment with Commission Guidance

Article 31(2) further supports this voluntary approach by stating that the Commission "may issue guidance on the methodology for carrying out the impact assessments under this Article and possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality."

This ensures that private companies have a clear, standardized framework to follow, making the process less burdensome and more effective. The guidance will likely mirror the templates and methodologies developed for public sector risk assessments under Article 29, ensuring consistency across the EU's digital infrastructure. This standardization reduces the administrative burden for private firms, as they can adopt a methodology that is already familiar to public authorities and auditors.

Preparing for Potential Mandatory Requirements

While Article 31(1) frames the assessment as voluntary ("may carry out"), Article 31(3) introduces a significant caveat. It states that where the Commission concludes, after consultation with Member States, that entities operating in sectors of high criticality require an impact assessment, it "may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."

This creates a strong incentive for private companies to act now. By conducting voluntary assessments early, companies can:

  • Demonstrate regulatory foresight and compliance readiness: Showing that a firm has already assessed its risks positions it as a responsible market actor.
  • Identify and remediate vulnerabilities before they are scrutinized by regulators: Early identification of non-compliant dependencies allows for a smoother transition to compliant providers.
  • Influence the development of delegated acts: By engaging with the process early, private entities can provide real-world feedback on the assessment process, potentially shaping the future mandatory rules.

What this means for you

If you are a cloud service provider, data centre operator, or a private entity in a NIS2 Annex I sector, understanding the voluntary nature of Article 31 is crucial for your business strategy.

For Cloud Service Providers:

  • Market Differentiation: Companies that can demonstrate compliance with higher Union Assurance Levels (UAL 2, 3, or 4) will be more attractive to private sector clients conducting voluntary impact assessments. Being "assessment-ready" is a competitive advantage.
  • Transparency: Clients will need detailed information about your supply chain, data location, personnel, and cybersecurity certifications to complete their assessments. Ensure your documentation aligns with the criteria in Annex II of CADA.

For Data Centre Operators:

  • Sustainability and Sovereignty: As private clients assess their risks, they will look for data centres that not only meet energy efficiency standards (as referenced in Article 11) but also support sovereign cloud offerings. Highlight your location, ownership structure, and security protocols.

For Private Sector Operators (NIS2 Annex I):

  • Start Early: Do not wait for mandatory rules. Begin mapping your cloud dependencies now. Use the Commission's future guidance (Article 31(2)) to structure your assessment.
  • Engage with Providers: Ask your cloud providers for the evidence needed to verify their Union Assurance Level. If they cannot provide it, you may have a significant risk exposure that could become a liability if Article 31(3) triggers mandatory requirements.

Common misconceptions

Misconception 1: Article 31 is mandatory for all private companies.

  • Correction: Article 31(1) uses the word "may," indicating it is voluntary for now. It only becomes mandatory if the Commission adopts delegated acts under Article 31(3) for specific high-criticality entities. It does not apply to all private companies, only those in NIS2 Annex I sectors.

Misconception 2: Voluntary assessments are legally binding.

  • Correction: While the assessment itself is voluntary, the findings can inform your contractual obligations and risk management strategies. If you choose to rely on a cloud provider's claim of a certain Union Assurance Level, you are responsible for verifying that claim through the audit evidence required by CADA.

Misconception 3: Impact assessments are the same as GDPR Data Protection Impact Assessments (DPIAs).

  • Correction: While they may overlap, CADA impact assessments focus on sovereignty and operational resilience (e.g., third-country control, service continuity, data localization) rather than just data protection. They are broader in scope regarding geopolitical and supply chain risks.

Misconception 4: Only public sector bodies need to worry about Union Assurance Levels.

  • Correction: While public bodies are mandated to procure based on UALs (Article 30), private companies in critical sectors are explicitly invited to assess their needs via Article 31. Ignoring this leaves them vulnerable to the same geopolitical risks that the CADA aims to mitigate.

This is general information about a draft EU regulation, not legal advice.