Summary
Under the proposed Cloud and AI Development Act (CADA), telecommunications providers may conduct impact assessments for their cloud and AI procurement, but they are not currently required to do so. As entities explicitly listed in Annex I of the NIS2 Directive, telecom operators fall within the scope of Article 31 of the CADA proposal. This article grants them the right to carry out "similar assessments" to the mandatory risk assessments required for public bodies under Article 29. While the current text is permissive, the Commission retains the power to adopt delegated acts to make these assessments mandatory for specific high-criticality sectors in the future.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dual-track framework for cloud sovereignty. It imposes strict, mandatory obligations on public-sector bodies while creating a flexible, voluntary mechanism for critical private-sector entities. For the telecommunications sector, the pivotal provision is Article 31, titled "Impact assessments."
The Legal Basis: Article 31 and the NIS2 Link
The applicability of CADA to telecommunications providers hinges on their classification under existing EU cybersecurity law. Article 31(1) states:
"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."
Directive (EU) 2022/2555, known as the NIS2 Directive, defines the scope of essential and important entities across the EU. Annex I of the NIS2 Directive explicitly lists "electronic communications networks and services" as a sector. Consequently, telecommunications operators providing public networks or services are legally defined as entities referred to in Annex I of the NIS2 Directive.
Because telecom providers are not typically "public sector bodies" (as defined in Article 2(1) of the Public Sector Information Directive), they fall squarely into the category addressed by Article 31(1). The use of the modal verb "may" in the text confirms that the assessment is optional for these entities under the current proposal. Unlike public bodies, which are compelled to assess risks and procure specific assurance levels, telecom operators have the discretion to decide whether to engage with the CADA sovereignty framework.
Mirroring Public-Sector Obligations (Article 29)
The core value of Article 31 lies in its reference to Article 29 ("Risk assessments"). Article 29 mandates that Member States and Union entities conduct risk assessments to identify public sector activities that "contribute to the preservation of public order." These activities include sectors such as national security, internal security, defence, justice, and law enforcement.
When a public body identifies an activity as critical, Article 30(3) requires it to procure only cloud services recognised at Union assurance levels 2, 3, or 4.
Article 31 allows private-sector entities, including telecoms, to "carry out similar assessments." This means a telecom operator can voluntarily:
- Identify Critical Activities: Determine which of its own operations (e.g., core network management, emergency services support, critical data routing) are vital to public order or operational continuity.
- Assess Sovereignty Risks: Evaluate the sensitivity, criticality, and magnitude of data processed, and the risk of unlawful third-country access or service disruption, mirroring the criteria in Article 29(2).
- Determine Assurance Levels: Decide internally that specific cloud services require Union assurance levels 2, 3, or 4 to mitigate identified risks, even though CADA does not legally force them to procure at those levels.
This mechanism effectively allows telecoms to "self-regulate" their cloud sovereignty posture, aligning their procurement with the same rigorous standards applied to the public sector if they deem it necessary for their resilience.
The Commission's Power to Mandate (Article 31(3))
While the baseline rule in Article 31(1) is voluntary, the proposal includes a "safety valve" for the Commission to intervene if market failures or security risks escalate. Article 31(3) provides a specific legal pathway to convert this voluntary right into a mandatory obligation.
The text states:
"Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."
This provision is significant for the telecommunications sector. If the Commission determines that the current voluntary approach is insufficient to address risks in the "high criticality" telecom sector, it can adopt a delegated act. Such an act would:
- Specify that impact assessments are mandatory for defined telecom operators.
- Define the exact risk mitigation measures those operators must implement.
- Supplement the Regulation without requiring a full new legislative procedure.
Until such a delegated act is adopted, the regime remains voluntary. However, the existence of this power signals that the EU views the sovereignty of critical telecom infrastructure as a potential future mandate.
Strategic Context: Why Telecoms Should Care
Even without a current legal mandate, the strategic incentives for telecom providers to run Article 31 impact assessments are substantial.
1. Regulatory Alignment and NIS2 Synergy: Telecoms are already subject to strict cybersecurity obligations under NIS2. Recital 5 of the CADA proposal notes that while NIS2 improves technical cybersecurity risk management, it "does not contain measures to boost the uptake and use of such services" (sovereign services) and focuses on technical aspects rather than "broader sovereignty considerations." An Article 31 assessment allows telecoms to bridge this gap, addressing the sovereignty and operational autonomy risks that NIS2 does not explicitly cover.
2. Market Signalling and Procurement: Recital 66 highlights that public procurement requirements often create "spillover effects" in the private sector. As public bodies are forced to procure Level 3 or 4 sovereign cloud, the market for these services will expand. Telecoms conducting voluntary assessments can position themselves as early adopters, securing access to these sovereign services before they become scarce or more expensive.
3. Risk Mitigation for Critical Infrastructure: Telecom networks are the backbone of the digital economy. A disruption caused by third-country interference (e.g., sanctions, extraterritorial laws) could have cascading effects. By conducting an Article 31 assessment, a telecom can formally document its exposure to such risks and justify the procurement of higher-assurance cloud services to its board and regulators as a necessary investment in business continuity.
What this means for you
For in-house counsel, compliance officers, and procurement leads at telecommunications providers, the CADA proposal presents a strategic opportunity rather than an immediate compliance burden.
- Adopt a "Voluntary-First" Strategy: You are not currently required to produce an Article 31 impact assessment. However, given your status as a critical infrastructure operator under NIS2, it is prudent to conduct a voluntary assessment using the Article 29 methodology. This allows you to map your cloud dependencies against the CADA Union Assurance Levels and identify any "sovereignty gaps" in your supply chain.
- Prepare for Potential Mandates: Monitor the Commission's activities regarding Article 31(3). If the Commission issues a delegated act mandating assessments for the telecom sector, you will need to have the internal processes, data collection mechanisms, and risk assessment templates ready to deploy immediately.
- Integrate with Existing Frameworks: Do not treat CADA as a standalone exercise. Use the Article 31 assessment to complement your NIS2 risk management and DORA (Digital Operational Resilience Act) ICT risk management. CADA specifically targets the sovereignty dimension (third-country control, data location, personnel citizenship) which may not be fully addressed by technical cybersecurity standards alone.
- Leverage for Procurement: If your voluntary assessment identifies high risks, use the findings to justify the procurement of Union assurance level 2, 3, or 4 services. Even if not legally required, demonstrating that you have assessed and mitigated sovereignty risks can strengthen your position with regulators and stakeholders.
Common misconceptions
Misconception 1: Telecoms are legally required to run CADA impact assessments. Correction: No. Article 31(1) uses the word "may," establishing a permissive regime. Only public sector bodies are required to conduct risk assessments under Article 29. Telecoms are currently free to choose whether to participate.
Misconception 2: CADA replaces or overrides NIS2 obligations for telecoms. Correction: CADA is complementary. Recital 5 explicitly states that NIS2 focuses on technical cybersecurity but lacks measures for sovereignty. CADA fills this gap. Telecoms must comply with NIS2's technical requirements and may choose to use CADA to address sovereignty risks.
Misconception 3: Impact assessments are only for cloud service providers. Correction: Article 31 assessments are for the users of cloud services (the telecom operators), not the providers. Cloud providers must undergo independent audits to achieve Union Assurance Levels (Articles 17–21), but the impact assessment is a tool for the customer to determine their own risk profile and required assurance level.
Misconception 4: The Commission has already mandated these assessments for telecoms. Correction: As of the current proposal, the Commission has not adopted any delegated acts under Article 31(3). The power to mandate exists, but it has not been exercised. Telecoms should monitor for future legislative developments but are not currently bound by a mandate.
This is general information about a draft EU regulation, not legal advice.