Are telecom operators that run cloud services covered by CADA?

Summary Yes, as proposed, telecommunications operators that provide cloud computing services would be covered by the Cloud and AI Development Act (CADA). The proposal defines a "cloud computing service provider" functionally as "a legal entity which provides a cloud computing service," without excluding entities based on their primary sector. Consequently, telecom operators offering infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or managed cloud solutions would be subject to CADA's sovereignty framework, including the requirements for Union assurance levels and independent audits, if they wish to serve public sector bodies. The proposal explicitly acknowledges scenarios where a cloud provider also operates an electronic communications network, confirming that network operators are not exempt from cloud-specific sovereignty rules.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a framework to strengthen the EU's cloud and AI ecosystem by addressing sovereignty, capacity, and resilience. A central pillar of this framework is the regulation of cloud computing service providers to ensure data sovereignty and operational autonomy. To determine whether telecommunications operators fall within this scope, one must examine the precise definitions in Article 2 and the contextual guidance provided in the recitals regarding the convergence of network and cloud infrastructure.

The Definition of Cloud Computing Service Provider

The scope of CADA is determined by the nature of the service provided, not the historical sector classification of the provider. Article 2(2) of the proposal provides the definitive definition:

"‘cloud computing service provider’ means a legal entity which provides a cloud computing service"

This definition is deliberately broad and functional. It does not contain exclusions for telecommunications operators, utilities, or other entities that may have a primary business in connectivity. Therefore, if a telecom operator provides a service that meets the definition of a "cloud computing service," that operator is legally classified as a "cloud computing service provider" under CADA.

The definition of the underlying service, "cloud computing service," is found in Article 2(1). It incorporates the definition from Article 6, point (30), of Directive (EU) 2022/2555 (the NIS2 Directive):

"‘cloud computing service’ means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."

Telecommunications operators increasingly offer services that fit this description precisely. Many have launched IaaS, PaaS, and edge computing solutions that provide "on-demand administration" and "scalable and elastic" resources. By providing these capabilities, these operators are providing a "cloud computing service" as defined by the proposal. The fact that the operator also provides the underlying network connectivity does not negate the cloud nature of the service.

Recital Context: Network-Operating Providers

The proposal explicitly recognizes the convergence between telecommunications networks and cloud infrastructure. The Explanatory Memorandum (Section 1, under "Consistency with other Union policies") notes that the proposal complements the Digital Networks Act, which addresses the convergence of network infrastructure. Specifically, the text states:

"The Digital Networks Act also addresses the convergence of networks infrastructure, including scenarios where a cloud computing service provider operates an electronic communications network and has so far not been subject to obligations under the European Electronic Communications Code although falling into its scope."

While the Digital Networks Act focuses on connectivity and the European Electronic Communications Code (EECC) regulates the provision of electronic communications networks and services, CADA focuses on the sovereignty and security of the cloud services themselves. The proposal recognizes that entities operating electronic communications networks (i.e., telecom operators) may also act as cloud computing service providers. In such cases, the cloud services they offer are subject to CADA's sovereignty requirements, distinct from the connectivity rules of the Digital Networks Act or the EECC.

This distinction is crucial: a telecom operator is not exempt from CADA simply because it is regulated under the EECC. If it offers a "cloud computing service," it must comply with the sovereignty framework for that specific service.

Application of the Sovereignty Framework

Being defined as a "cloud computing service provider" triggers the obligations under Title IV, Chapter I of the proposal, which establishes the Union cloud computing sovereignty framework. This framework introduces four "Union assurance levels" (1 to 4), with criteria set out in Annex II.

If a telecom operator wishes to provide cloud services to Union entities or public sector bodies, it must be recognized as offering a specific Union assurance level. The recognition process varies by level:

1. Union Assurance Level 1: The provider must carry out a conformity self-assessment and issue an EU statement of conformity (Article 19). This level requires the provider to be established in the Union and for infrastructure to be located in the Union, unless the public sector body explicitly requires otherwise.
2. Union Assurance Levels 2, 3, and 4: The provider must undergo independent third-party audits (Article 20) to obtain an audit report and a "positive" audit opinion. These levels impose stricter requirements, such as:
   • Level 2: Requires a European cybersecurity certificate of at least assurance level "substantial" (Annex II 2.1(e)).
   • Level 3: Requires personnel to be Union citizens (Annex II 3.1(d)) and a European cybersecurity certificate of at least "substantial" assurance.
   • Level 4: Requires personnel to be Union citizens and a European cybersecurity certificate of at least assurance level "high" (Annex II 4.1(e)).

Telecom operators providing cloud services to the public sector would need to comply with these audit requirements. The audits would assess criteria such as the location of infrastructure, the citizenship of personnel, the absence of third-country control, and software supply chain transparency, as detailed in Annex II.

Distinction from Pure Connectivity Services

It is important to distinguish between pure connectivity services and cloud computing services. If a telecom operator only provides internet access, voice services, or network connectivity without offering a "scalable and elastic pool of shareable computing resources," it is not providing a "cloud computing service" under the NIS2 definition. In such cases, CADA's cloud-specific sovereignty obligations would not apply to those connectivity services.

However, most modern telecom offerings include hybrid cloud, edge computing, or managed services that likely fall within the scope. The proposal's definition explicitly includes resources "distributed across several locations," which covers edge computing scenarios often deployed by telecom operators.

What this means for you

For telecommunications operators that have diversified into cloud services, the proposal introduces new compliance burdens and strategic considerations:

1. Compliance Readiness: If you offer cloud services to public sector bodies, you must prepare for the Union assurance level recognition process. This includes implementing robust internal controls for Level 1 or preparing for independent audits for Levels 2–4. The audit process is rigorous and requires full cooperation with auditing organizations (Article 20).
2. Audit Costs: Independent audits for higher assurance levels (2, 3, and 4) are mandatory and must be paid for by the provider (Article 20). Telecom operators should budget for these recurring costs and select auditing organizations that meet the independence and competence criteria set out in Article 20.
3. Data Sovereignty Controls: You must ensure that your cloud infrastructure meets the strict localization and control requirements of the desired assurance level. For example, Level 3 and 4 require that personnel involved in service provision are Union citizens (Annex II 3.1(d) and 4.1(d)) and that data remains exclusively within the Union. This may require significant operational restructuring for operators with global workforces.
4. Public Procurement Advantage: Public sector bodies are required to procure cloud services that meet the assurance levels determined by their risk assessments (Article 30). By achieving a high Union assurance level, telecom operators can position themselves as competitive suppliers for critical public sector contracts, potentially gaining an advantage over non-compliant or non-EU providers.
5. Separation of Concerns: If you operate both network infrastructure and cloud services, ensure that your cloud offerings are clearly delineated and compliant with CADA, even if your network operations are governed by the Digital Networks Act or the EECC. The sovereignty framework applies specifically to the cloud service component.

Common misconceptions

Misconception 1: "Telecom operators are exempt because they are regulated under the Electronic Communications Code." This is incorrect. The proposal explicitly addresses the overlap between network operators and cloud providers. While the Digital Networks Act and the EECC regulate connectivity, CADA regulates the cloud services themselves. An entity can be subject to both regimes simultaneously if it provides both connectivity and cloud computing services. The proposal does not grant a sectoral exemption for telecoms.

Misconception 2: "Only pure-play cloud providers like AWS or Azure are covered." The definition in Article 2(2) is based on the service provided, not the primary business model. Any legal entity, including telecom operators, hyperscalers, or niche providers, that offers a cloud computing service is covered. The proposal aims to create a level playing field, ensuring that all providers serving the public sector meet the same sovereignty standards.

Misconception 3: "Offering only edge computing avoids CADA." Edge computing often involves the same "scalable and elastic pool of shareable computing resources" as centralized cloud services. The definition of "cloud computing service" in Article 2(1) explicitly includes resources "distributed across several locations." If the edge services meet the NIS2 definition, they are covered by CADA. The proposal's focus on distributed resources explicitly includes scenarios where resources are distributed across several locations.

Misconception 4: "Telecoms only need to worry about cybersecurity, not sovereignty." While cybersecurity is a component (e.g., the requirement for a European cybersecurity certificate), CADA goes beyond technical security to address sovereignty. This includes requirements on the location of infrastructure, the citizenship of personnel, and the absence of third-country control (Annex II). These are distinct from pure cybersecurity standards and are central to the CADA framework.

Related

• Can telecom providers run CADA impact assessments?
• Can energy operators run CADA impact assessments?
• When do CADA obligations start for the telecom sector?
• What sovereign-cloud pressure does CADA create for financial services?
• CADA for connectivity and submarine-cable operators: NIS2, risk assessments and sovereign data flows

This is general information about a draft EU regulation, not legal advice.