Summary

The proposed Cloud and AI Development Act (CADA) does not directly regulate 5G radio access network (RAN) hardware, but it would significantly impact 5G core functions and edge-computing deployments by classifying them as in-scope "cloud computing services" under Article 2. If your edge infrastructure supports critical public-sector activities or sectors listed in the NIS2 Directive, CADA would mandate sovereign "Union assurance levels," requiring rigorous audits, strict data localisation within the EU, and potentially excluding providers subject to third-country control. This creates a dual compliance burden where network resilience (NIS2) meets data sovereignty (CADA), forcing architects to design for strict territorial data boundaries and supply-chain transparency from day one.

Detail

To understand the impact on 5G and edge computing, one must first look at how CADA defines its scope. The proposal explicitly aligns its definition of "cloud computing service" with Article 6, point (30), of Directive (EU) 2022/2555 (the NIS2 Directive). As stated in CADA Article 2(1), a cloud computing service is "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."

This definition is critical for 5G and edge architectures. While the radio access network (RAN) hardware itself is not a cloud service, the Multi-access Edge Computing (MEC) platforms, 5G core network functions deployed as virtualised network functions (VNFs), and the orchestration layers that manage these distributed resources fall squarely within this definition. Because the definition explicitly includes resources "distributed across several locations," edge nodes located in telecom masts, industrial factories, or regional hubs are not exempt; they are treated as part of the cloud ecosystem. Consequently, any 5G deployment that offloads processing to the edge is subject to CADA's sovereignty framework if it serves public sector bodies or critical private entities.

Sovereign Cloud and Assurance Levels for Critical Infrastructure

The core of CADA's impact on telecommunications and edge computing lies in its "Union cloud computing sovereignty framework," which establishes four Union assurance levels under Article 16. These levels dictate the degree of technological sovereignty, data localisation, and personnel requirements necessary for a service to be used by public authorities.

For 5G and edge deployments supporting critical infrastructure, the implications are severe. CADA Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), such as energy, transport, and digital infrastructure. If an edge-computing service is deemed to support such critical activities, it cannot rely on the baseline Union assurance level 1. Instead, contracting authorities must procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).

The criteria for these higher assurance levels, detailed in Annex II of the proposal, impose strict constraints on 5G/edge architectures:

  • Data Localisation: For levels 2, 3, and 4, customer data, including metadata and telemetry, must remain exclusively within the Union (Annex II, points 2.1(c), 3.1(c), 4.1(c)). For edge computing, this means that latency-sensitive data processed at the network edge cannot be backhauled to non-EU cloud regions for storage or analytics, even if the primary cloud provider is EU-based. The data must stay within the EU "at any time, including before, during or after the configuration or use of the service."
  • Personnel and Citizenship: Union assurance levels 3 and 4 require that personnel involved in the provision of the service are Union citizens (Annex II, points 3.1(d), 4.1(d)). For edge deployments, this extends to the technical and operational support staff, including subcontractors, who must be located in the Union and, for level 4, hold necessary national security clearances. Note that for Level 2, Union citizenship is conditional: it is only required "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary" (Annex II, point 2.1(d)).
  • Third-Country Control: Providers and their subcontractors must not be subject to the control of a third country (Annex II, points 3.1(g), 4.1(g)). This directly targets global hyperscalers and telecom equipment vendors with significant non-EU ownership or extraterritorial legal exposure. However, Article 18 provides a mechanism for the Commission to recognise specific third countries as providing sufficient assurances, allowing providers controlled from those countries to qualify for Union assurance level 3 under strict conditions.
  • Cybersecurity Certification: For levels 2 and 3, the service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a scheme established under Regulation (EU) 2019/881 (Annex II, points 2.1(e), 3.1(e)). Only Level 4 requires a "high" assurance level certificate (Annex II, point 4.1(e)).

NIS2 Overlap and Network Resilience

The interplay between CADA and the NIS2 Directive is a defining feature of the regulatory landscape for 5G operators. CADA explicitly references NIS2 in multiple articles, including Article 29(1), which mandates risk assessments for activities in sectors listed in NIS2 Annex I and II. While NIS2 focuses on technical cybersecurity and incident reporting, CADA focuses on sovereignty, operational autonomy, and the risk of third-country interference.

For telecom operators and edge providers, this creates a layered compliance obligation. Under NIS2, they must implement robust cybersecurity risk management measures. Under CADA, they must additionally prove that their supply chain and operational control are free from third-country coercion. For example, an edge-computing platform used by a national energy grid operator must not only be secure against cyberattacks (NIS2) but must also demonstrate that its software supply chain does not contain remote tampering features and that its provider cannot be compelled by a non-EU law to degrade service continuity (CADA Annex II, point 2.1(i)).

Furthermore, CADA Article 31 allows private sector entities in sectors of high criticality (as defined in NIS2 Annex I) to conduct similar impact assessments. This means that even private 5G networks or edge providers serving critical industries may face de facto sovereign cloud requirements as their public-sector clients mandate higher assurance levels to mitigate supply chain risks. The proposal notes that CADA complements the Cybersecurity Act (CSA2) revision and the NIS2 Directive, ensuring that contracting authorities can use sovereign cloud computing services where technical cybersecurity standards alone are insufficient to address sovereignty concerns.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA on 5G and edge deployments, the following actions are prioritised:

  1. Audit Your Edge Data Flows: Map all data generated at the edge. If your service processes data for public sector clients or NIS2-covered industries, ensure that metadata, telemetry, and user data never leave EU territory. Architect your edge nodes to process and store data locally, with backhaul strictly limited to EU-based central clouds. Remember that for Levels 2-4, data must remain exclusively within the Union "at any time."
  2. Evaluate Supply Chain Sovereignty: Review your hardware and software dependencies. CADA's higher assurance levels require a complete Software Bill of Materials (SBOM) and proof that no third-country entity can remotely tamper with or disrupt the service (Annex II, point 2.1(i)). If your edge platform relies on proprietary components from non-EU vendors with extraterritorial data access laws, you may be disqualified from high-value public tenders unless a derogation under Article 18 applies.
  3. Prepare for Personnel Verification: For contracts requiring Union assurance levels 3 or 4, ensure that your support and operations teams, including subcontractors, are EU citizens and located within the EU. For Level 2, verify if the public sector body will impose the conditional citizenship requirement. This may require restructuring your global support model to establish dedicated EU-based operations centres for critical edge deployments.
  4. Engage in Risk Assessments Early: Proactively engage with public sector clients to understand their risk assessment outcomes under Article 29. Knowing whether they classify your service as supporting "public order" activities will determine the assurance level you must target. Design your offerings to be modular, allowing you to offer different assurance levels to different segments of the market.
  5. Monitor NIS2 Synergies: Align your CADA compliance efforts with your NIS2 cybersecurity obligations. Use the same incident response and risk management frameworks to address both technical security and sovereignty risks, reducing administrative overhead. Note that CADA does not replace NIS2 but adds a sovereignty layer on top of it.

Common misconceptions

Misconception 1: "CADA only applies to public cloud providers like AWS or Azure." Reality: CADA applies to any "cloud computing service" as defined in Article 2, which includes edge computing resources distributed across locations. Private 5G networks, industrial MEC platforms, and virtualised network functions are in scope if they serve public sector bodies or critical private entities.

Misconception 2: "5G RAN hardware is regulated by CADA." Reality: CADA regulates the services and software layers that manage compute and data, not the physical radio hardware. However, if the RAN is managed by a cloud-based orchestration platform that falls under CADA, the sovereignty requirements for that platform indirectly affect the entire network stack.

Misconception 3: "NIS2 compliance is sufficient for CADA." Reality: NIS2 focuses on cybersecurity hygiene and incident reporting. CADA focuses on sovereignty, data localisation, and freedom from third-country control. A provider can be fully NIS2-compliant but fail CADA's assurance levels if its data flows outside the EU or it is subject to non-EU jurisdiction.

Misconception 4: "Edge computing is exempt because it's 'local'." Reality: CADA explicitly includes resources "distributed across several locations" in its definition. Edge nodes are part of the cloud ecosystem. In fact, for high-assurance levels, edge nodes must be strictly localised within the EU, and their operational support must also be EU-based.

Misconception 5: "Levels 3 and 4 require 'high' cybersecurity certification." Reality: Only Level 4 requires a "high" assurance level cybersecurity certificate. Levels 2 and 3 require at least a "substantial" assurance level certificate (Annex II, points 2.1(e), 3.1(e), 4.1(e)).

This is general information about a draft EU regulation, not legal advice.