Summary

No, the proposed Cloud and AI Development Act (CADA) does not directly mandate private energy operators to use EU sovereign cloud services. The regulation's binding procurement obligations apply exclusively to public sector bodies and Union entities. However, as proposed, CADA establishes a voluntary pathway for private entities in critical sectors—including energy—to conduct impact assessments under Article 31. Furthermore, the proposal explicitly anticipates a "spillover effect" where public sector requirements will indirectly pressure private regulated industries to align with higher sovereignty standards. While the Commission retains the power to make assessments mandatory for high-criticality sectors via delegated acts, no such requirement currently exists in the text of COM(2026) 502 final.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A central pillar of this proposal is the "Union cloud computing sovereignty framework," which defines four distinct levels of assurance (Level 1 to Level 4) for cloud services. While this framework imposes strict procurement obligations on public authorities, its direct legal reach into the private energy sector is intentionally limited, relying instead on voluntary mechanisms and market dynamics.

The Distinction Between Public and Private Obligations

The regulatory architecture of CADA draws a sharp line between public and private obligations regarding cloud procurement. Article 30 of the proposal sets out the mandatory rules for "contracting authorities" and "Union entities." Under Article 30(2), these public bodies must procure, as a minimum, cloud services recognised as offering "Union assurance level 1."

Crucially, Article 30(3) escalates this requirement for activities deemed to have "public order relevance." The proposal explicitly identifies sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) as relevant to public order. Since the energy sector is a core component of Annex I (essential entities), public energy bodies and state-owned utilities would be required to procure cloud services recognised at Union assurance levels 2, 3, or 4, depending on the specific risk assessment outcome.

Private sector entities, including private energy operators, are not "contracting authorities" under this definition. Consequently, they are not subject to the direct procurement mandates of Article 30. The proposal does not contain a clause forcing private companies to switch to EU-based providers or to achieve a specific assurance level for their own internal operations.

Voluntary Impact Assessments: Article 31

While the direct procurement mandate does not extend to private firms, CADA introduces a specific mechanism for them to engage with the sovereignty framework: Article 31, titled "Impact assessments."

Article 31(1) states: "Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."

The NIS2 Directive (Directive (EU) 2022/2555) lists energy as an "essential" sector in its Annex I. Therefore, private energy companies are explicitly identified as entities that may voluntarily conduct impact assessments. These assessments mirror the risk assessments required of public bodies under Article 29, allowing private firms to:

  • Identify the sensitivity, criticality, and magnitude of data processed.
  • Assess the risk of unlawful access by third countries.
  • Determine the appropriate Union assurance level for their operations.

This provision is permissive, not mandatory. The use of "may" in Article 31(1) confirms that private energy operators have the option to adopt the CADA framework voluntarily to demonstrate resilience and sovereignty.

Article 31(2) further empowers the Commission to issue guidance on the methodology for these voluntary assessments and potential mitigation measures for private entities in sectors of high criticality.

Article 31(3) introduces a conditional future mechanism. It states that "where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."

As of the current proposal text, this power remains dormant. No delegated act has been adopted, and therefore, the requirement for private energy firms to conduct these assessments is not yet active. It represents a potential future escalation rather than a current obligation.

Indirect Pressure: The "Spillover Effect"

Although the text of CADA does not directly bind private energy operators, the proposal acknowledges that the market will not remain static. The explanatory memorandum explicitly addresses the interaction between public procurement and private market behavior.

Recital 66 of the proposal states: "Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

This "spillover effect" creates a significant indirect pressure on private energy firms. As public regulators, state-owned utilities, and government bodies are forced to procure only high-assurance sovereign cloud services (Levels 2–4), the market for non-sovereign cloud services may shrink or become less viable for critical infrastructure. Private energy operators that supply services to these public bodies, or that operate in a tightly regulated environment where trust is paramount, may find themselves compelled to align with these standards to maintain commercial relationships and operational legitimacy.

Relationship with NIS2 and Other Frameworks

It is vital to distinguish CADA's sovereignty framework from existing cybersecurity obligations. The NIS2 Directive already imposes strict cybersecurity risk management, incident reporting, and supply chain security requirements on energy operators. CADA does not replace these; rather, it complements them.

While NIS2 focuses on technical cybersecurity and operational resilience against cyber threats, CADA focuses on "strategic autonomy," "data sovereignty," and the reduction of dependencies on third-country providers. CADA addresses risks that NIS2 does not cover, such as extraterritorial access laws (e.g., the US CLOUD Act) and the risk of service disruption due to third-country political decisions.

Energy operators must therefore navigate a dual compliance landscape: ensuring their cloud providers meet NIS2 technical standards while simultaneously evaluating the strategic sovereignty risks under the voluntary CADA framework.

What this means for you

For in-house counsel, compliance officers, and CTOs in the energy sector, the immediate legal reality is clear: there is no direct statutory requirement to switch to EU sovereign cloud providers under the current CADA proposal. However, the strategic landscape is shifting rapidly.

  1. Monitor Article 31 Delegated Acts: While Article 31(1) currently permits voluntary assessments, Article 31(3) grants the Commission the power to make them mandatory for high-criticality sectors like energy. Legal teams should track the Commission's consultation processes and any draft delegated acts. Early adoption of the voluntary assessment framework can position your company as a leader and mitigate the risk of future non-compliance.
  2. Audit Supply Chain Dependencies: If your private energy firm supplies services to public sector bodies or state-owned utilities, those entities will be legally required to procure cloud services with higher Union assurance levels (2, 3, or 4) if their activities are deemed to have public order relevance. You must verify whether your current cloud infrastructure can meet these standards to remain a viable supplier.
  3. Conduct Internal Sovereignty Risk Assessments: Utilize the framework in Article 29 and the criteria in Annex II to conduct internal risk assessments voluntarily. Evaluate your current providers against the Union assurance criteria. This will help you quantify your exposure to third-country data access laws and service disruption risks, providing a robust basis for internal decision-making.
  4. Prepare for Market Realignment: As Recital 66 predicts, the "spillover effect" is likely. As public sector adoption of sovereign cloud increases, market expectations for private energy firms will shift. Engaging early with EU-based cloud providers seeking recognition under the CADA framework can provide long-term strategic advantages and ensure business continuity.

Common misconceptions

Misconception: CADA forces all energy companies to use EU cloud providers. Fact: CADA's binding procurement rules apply only to public sector bodies and Union entities. Private energy operators are not directly bound by these rules, though they may face indirect commercial pressure.

Misconception: Article 31 makes impact assessments mandatory for private firms immediately. Fact: Article 31(1) currently allows private entities in critical sectors (like energy) to voluntarily conduct impact assessments. The Commission has the power to make these mandatory in the future via delegated acts under Article 31(3), but this is not an immediate requirement under the current proposal text.

Misconception: CADA replaces NIS2 cybersecurity requirements. Fact: CADA complements NIS2. NIS2 focuses on technical cybersecurity and incident reporting, while CADA focuses on sovereignty, data localization, and reducing dependency on third-country providers. Energy operators must comply with both frameworks.

Misconception: Private energy firms are exempt from all CADA provisions. Fact: While exempt from procurement mandates, private firms are explicitly invited to participate in the sovereignty framework through voluntary impact assessments under Article 31 and may be subject to future delegated acts.

This is general information about a draft EU regulation, not legal advice.