Summary
No, the proposed Cloud and AI Development Act (CADA) does not directly mandate that private telecommunications operators must use EU sovereign cloud services. The binding procurement obligations for specific "Union assurance levels" apply exclusively to public sector bodies and Union entities. However, telecommunications operators are explicitly empowered to conduct voluntary impact assessments under Article 31 to evaluate their own sovereignty risks. Furthermore, Recital 66 of the proposal anticipates significant indirect market pressure, noting that public sector procurement requirements often create "spillover effects" that compel private regulated entities, including telecoms, to align with higher sovereignty standards to maintain commercial viability.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a dual-track framework: a mandatory sovereignty regime for the public sector and a voluntary, risk-based framework for the private sector. Understanding the obligations for telecommunications operators requires a precise reading of the distinction between contracting authorities and private sector entities within the text.
The Scope of Binding Obligations: Public Sector Only
CADA creates a "Union cloud computing sovereignty framework" comprising four "Union assurance levels" (Article 16). These levels define the cumulative criteria a cloud service must meet to be recognized as sovereign, ranging from basic Union establishment (Level 1) to strict requirements regarding personnel citizenship and the absence of third-country control (Levels 2–4).
The binding obligation to procure services at these specific levels rests solely with contracting authorities (public sector bodies) and Union entities. Under Article 30, these public bodies must first conduct risk assessments (as per Article 29) to determine which assurance level is appropriate for their activities. If a public body's activities are identified as contributing to the preservation of public order (such as in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, defence, or law enforcement), Article 30(3) mandates that they "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."
Telecommunications operators, in their capacity as private legal entities, are not defined as "contracting authorities" under this Regulation. Consequently, CADA does not impose a direct statutory duty on a private telecom company to migrate its internal infrastructure, customer-facing platforms, or network management systems to a Level 3 or 4 sovereign cloud provider. The Act does not force a private entity to switch its own procurement choices to EU sovereign clouds.
Article 31: The Voluntary Path for Private Entities
While the direct mandate is absent, CADA explicitly acknowledges the strategic importance of the telecommunications sector. Article 31, titled "Impact assessments," addresses private sector entities directly.
The provision states that entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive), which explicitly includes telecommunications network and service providers, "may carry out similar assessments as those set out in Article 29."
This creates a voluntary mechanism for telecom operators to:
- Evaluate Sovereignty Risks: Assess the sensitivity, criticality, and magnitude of data processed, and the risk of unlawful access by third countries or service disruption.
- Determine Assurance Levels: Voluntarily determine which Union assurance level (2, 3, or 4) would be appropriate for their operations if they were to adopt the CADA framework.
- Access Guidance: The Commission may issue guidance on the methodology for these assessments and possible mitigation measures for entities in sectors of high criticality.
Crucially, Article 31(3) provides a future-looking mechanism: if the Commission concludes that entities in sectors of high criticality require an impact assessment due to specific circumstances, it may adopt delegated acts to supplement the Regulation. This would specify the need for such assessments and the risk mitigation measures those entities must take. However, as currently drafted, the primary obligation remains voluntary, pending such future delegated acts.
Indirect Pressure: The "Spillover" Effect
Even without a direct mandate, the proposal anticipates that the public sector's shift toward sovereign cloud will inevitably reshape the private market. Recital 66 of the CADA proposal explicitly articulates this dynamic:
"Public procurement frequently serves as a primary signal of market direction. Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."
For telecommunications operators, this "spillover" effect manifests in several ways:
- Contractual Requirements: As public bodies (e.g., ministries, police forces, health agencies) are forced by Article 30 to procure only Level 2–4 cloud services, they may require their telecom partners to demonstrate equivalent sovereignty controls or to use certified providers to ensure end-to-end compliance.
- Market Expectations: If the public sector drives demand for sovereign infrastructure, private telecoms may find that their commercial customers (who also face regulatory pressure) expect similar standards.
- Regulatory Alignment: While CADA does not mandate private adoption, the Commission's guidance under Article 31(2) and potential future delegated acts under Article 31(3) could create a de facto standard that private operators must follow to avoid being flagged as high-risk by national competent authorities.
What this means for you
For in-house counsel, compliance officers, and procurement teams in the telecommunications sector, CADA introduces a strategic risk management layer rather than an immediate compliance checklist.
- Monitor Delegated Acts: While Article 31 currently frames impact assessments as voluntary, the Commission retains the power to make them mandatory for high-criticality sectors via delegated acts. Legal teams must monitor the adoption of these secondary laws, as a future act could transform the "may" in Article 31(1) into a "shall."
- Conduct Voluntary Assessments: Even without a mandate, conducting an impact assessment similar to Article 29 is a prudent exercise in due diligence. This allows telecom operators to proactively identify sovereignty risks, such as third-country access to data or potential service disruption, and to document their mitigation strategies.
- Review Public Sector Contracts: As public bodies migrate to higher assurance levels (Levels 2–4) under Article 30, they may impose new contractual clauses on their telecom partners. Review existing and future contracts with public sector clients to anticipate requirements for sovereignty certification or data localization.
- Vendor Due Diligence: While there are no immediate CADA-specific penalties for a private telecom operator choosing a non-sovereign provider for its own internal use, Article 24 establishes penalties for cloud providers who misrepresent their assurance level. Telecoms must ensure their vendors are accurately recognized in the central repository to avoid downstream liability.
Common misconceptions
"All telecom operators must immediately switch to EU sovereign clouds."
- Fact: CADA does not impose this direct obligation. The binding mandate to procure specific assurance levels applies only to public sector bodies and Union entities. Private telecoms have the option to conduct voluntary assessments under Article 31, but are not currently forced to switch.
"NIS2 compliance is the same as CADA sovereignty compliance."
- Fact: While both frameworks apply to telecoms, they address different risks. NIS2 focuses on cybersecurity risk management and operational resilience. CADA focuses on sovereignty, data autonomy, and operational independence from third-country control. They are complementary but distinct; a provider can be NIS2 compliant but fail CADA's sovereignty criteria (e.g., due to third-country control).
"Article 31 forces telecoms to publish their risk assessments."
- Fact: Article 31 allows for voluntary assessments. It does not currently mandate public disclosure of these assessments. Unlike the public sector, which must communicate risk assessment results to the Commission under Article 29(4), private entities are not required to publish their findings unless a future delegated act specifies otherwise.
"CADA only affects the public sector."
- Fact: While the direct procurement mandate is public-sector focused, the Act explicitly includes private entities in Article 31 and anticipates "spillover effects" in Recital 66. The Act also establishes a central repository and certification framework that private providers must navigate to serve public clients.
This is general information about a draft EU regulation, not legal advice.