Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) provides a clear, harmonised pathway for telecommunications cloud service providers (CSPs) to achieve formal sovereign-cloud recognition across all four Union assurance levels. Telecom operators must apply to the national competent authority of their establishment under Article 17, submitting either a self-assessment for Level 1 or an independent third-party audit report for Levels 2–4. This mechanism allows telecom CSPs to demonstrate compliance with strict sovereignty criteria, including data localisation and the absence of third-country control. Crucially, while Article 18 offers a potential derogation for third-country controlled providers to reach Level 3, Annex II explicitly bars them from Level 4, reserving the highest tier for providers with no third-country control.

Detail

The proposed CADA establishes a unified "Union cloud computing sovereignty framework" designed to mitigate the risks associated with dependence on non-European cloud providers. For telecommunications operators who provide cloud computing services, whether as a standalone offering or as part of a broader digital infrastructure portfolio, this framework offers a formal, legally binding route to recognition as a sovereign provider. This recognition is not automatic; it is a procedural status granted only after a rigorous assessment against the cumulative criteria set out in Annex II of the proposal.

The Recognition Mechanism: Article 17

The core of the sovereign recognition process is Article 17 of the CADA proposal. This article establishes the mechanism by which cloud computing service providers, including those operating within the telecommunications sector, are recognised as offering a specific Union assurance level (1, 2, 3, or 4).

1. Application to the National Competent Authority

A telecom CSP seeking recognition must submit an application to the "national competent authority of establishment." As defined in Article 25(4), the Member State of establishment is where the provider has its head office or registered office from which the principal financial functions and operational control are exercised. This ensures that a single authority has exclusive competence for enforcing the sovereignty framework for that provider, simplifying cross-border compliance for large telecom groups that may operate across multiple Member States.

2. Evidence Requirements by Level

The evidence required depends entirely on the assurance level targeted, creating a tiered approach to compliance:

  • For Union Assurance Level 1: The provider must submit an "EU statement of conformity" (issued under Article 19) and all necessary evidence supporting the self-assessment. Notably, Article 17(3) provides a significant derogation for small and medium-sized enterprises (SMEs): their EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This accelerates market entry for smaller telecom operators.
  • For Union Assurance Levels 2, 3, and 4: The provider must submit an audit report, a "positive" audit opinion (issued under Article 20), and all evidence provided to the auditing organisation during the audit. Self-assessment is insufficient for these higher tiers.

3. The Evaluation Timeline and Cross-Border Review

Once the application is accepted, the evaluating national competent authority has 60 days to assess the evidence. The authority can:

  • Prepare a draft recognition decision and notify other Member States for a 60-day review period.
  • Request further information if evidence is insufficient (suspending the 60-day clock for up to 30 days).
  • Reject the request, giving the provider 30 days to provide written comments.

If no reasoned objection is raised by other Member States during the review period, the service is recognised throughout the Union at the applicable assurance level. If objections arise, the evaluating authority must assess them and either maintain or revoke its draft decision. In case of persistent disagreement, the matter can be referred to the European Commission for a binding decision under Article 17(10).

Third-Country Providers: Article 18

Article 18 addresses the specific scenario of cloud computing service providers subject to the control of a third country or a legal entity established in a third country. This is a critical provision for many global telecom operators with non-EU parent companies or significant foreign investment.

Under Article 18(1), the Commission may adopt implementing acts identifying third countries whose providers may be audited against the criteria for Union Assurance Level 3. This is subject to strict cumulative criteria, including:

  • The existence of an adequacy decision under GDPR Article 45.
  • No measures enabling the third country to exercise control over the provider in a way that conflicts with lawful access to non-personal data.
  • No measures compelling the provider to degrade or disrupt service continuity.
  • No measures impeding the provision of state-of-the-art technologies.
  • Maintenance of an open market to Union cloud services.
  • Equivalent access to public procurement procedures for Union providers.

Crucially, Union Assurance Level 4 does not have a similar derogation for third-country control. Annex II, Section 4.1(g) explicitly states that for Level 4, "the audited provider and the subcontractors... are not subject to the control of a third country or a legal entity established in a third-country." Therefore, telecom CSPs controlled by non-EU entities can only aspire to Level 3 recognition, and only if their home country is specifically approved by the Commission under Article 18.

The Role of Audits: Article 20

For Levels 2, 3, and 4, self-assessment is insufficient. Article 20 mandates independent third-party audits. Telecom CSPs must contract an auditing organisation that is independent, has no conflicts of interest, and possesses proven technical competence. The audit must result in a "positive" opinion, confirming that the provider complies with the cumulative criteria in Annex II.

These criteria become increasingly strict at higher levels. For example, Annex II, Section 2.1(b) requires that for Level 2, "the infrastructure, assets, and personnel... are located in the Union." For Level 3, Section 3.1(d) adds that personnel must be Union citizens. For Level 4, Section 4.1(e) requires a European cybersecurity certificate of at least assurance level 'high'. The audit evidence required is detailed in Annex III, covering everything from software bills of materials (SBOM) to proof of effective separation from third-country subsidiaries.

What this means for you

For telecom cloud service providers and data centre operators, the CADA proposal represents a significant shift from voluntary trust seals to mandatory, legally binding recognition for public sector contracts.

1. Strategic Positioning for Public Procurement

Public sector bodies are required to conduct risk assessments (Article 29) to determine the appropriate assurance level for their activities. Most public services will require at least Level 1. However, activities contributing to the preservation of public order (e.g., critical infrastructure, national security, law enforcement) will require Levels 2, 3, or 4. By obtaining recognition, telecom CSPs remove a major barrier to entry for these high-value contracts. Without recognition, you cannot legally supply these services to public authorities under the proposed rules.

2. Preparation for Audit Rigour

If you are targeting Levels 2–4, you must prepare for intense scrutiny. Auditors will examine your software bill of materials (SBOM), data flow diagrams, and ownership structures. You must demonstrate that no third country can compel you to access customer data or disrupt service. For telecom operators with global subsidiaries, you must prove effective legal, technical, and organisational separation between the Union parent company and third-country subsidiaries (Annex II, Section 2.1(k)).

3. SME Advantage

If your telecom CSP qualifies as an SME, you can leverage the automatic recognition provision in Article 17(3) for Level 1. This reduces administrative burden and accelerates time-to-market for sovereign cloud offerings in the public sector.

4. Cross-Border Consistency

Recognition in one Member State is valid across the entire Union. This harmonisation eliminates the need to navigate fragmented national sovereignty schemes, allowing telecom operators to scale their sovereign cloud offerings EU-wide with a single certification process.

Common misconceptions

Misconception 1: Sovereignty recognition is the same as cybersecurity certification.

While related, they are distinct. CADA's sovereignty framework focuses on control, data localisation, and operational autonomy. Cybersecurity certification (e.g., EUCS) focuses on technical security standards. A provider may be cyber-secure but not sovereign (e.g., if data is accessible by third-country authorities). Conversely, a sovereign provider must still meet high cybersecurity standards, but the assurance levels in CADA are specifically tied to sovereignty criteria in Annex II, not just security benchmarks.

Misconception 2: Third-country owned providers can achieve Level 4.

No. Annex II, Section 4.1(g) explicitly prohibits Level 4 recognition for providers subject to third-country control. Level 4 is reserved for providers with no third-country control whatsoever. Telecom CSPs with foreign ownership must cap their ambitions at Level 3, and only if their home country is approved under Article 18.

Misconception 3: Recognition is permanent.

Recognition is dynamic. Article 23 imposes transparency obligations on providers to notify the auditing organisation and competent authority of any material changes that may affect their compliance. If a provider fails to maintain the required standards, the competent authority can revoke recognition, and the revocation will be published in the central repository for five years.

Misconception 4: Telecom operators are excluded because they are "network" providers.

CADA applies to any entity providing a "cloud computing service" as defined in Article 2(1), which references the NIS2 Directive definition. Many telecom operators now offer cloud services (IaaS, PaaS, SaaS). If you provide these services, you fall within the scope of CADA and can seek recognition.

This is general information about a draft EU regulation, not legal advice.