Summary
As proposed, the Cloud and AI Development Act (CADA) does not directly regulate telecommunications networks, but it fundamentally reshapes telco cloud strategies by establishing a harmonised sovereignty framework for cloud computing services. A critical nuance for telecom operators is the regulatory gap for entities that operate both networks and clouds; CADA explicitly notes that the Digital Networks Act is intended to clarify the status of cloud providers operating electronic communications networks, which have "so far not been subject to obligations under the European Electronic Communications Code (EECC) although falling into its scope." For telcos offering cloud services, CADA introduces four "Union assurance levels." While Level 1 is the baseline, Levels 3 and 4, essential for high-value public sector contracts, require strict data localisation, Union citizenship for personnel, and independence from third-country control. Furthermore, Recital 65 encourages public bodies to adopt "multi-vendor or multi-cloud strategies" based on risk assessments, meaning telcos must position their sovereign offerings as resilient components of broader architectures rather than standalone replacements.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by reducing dependencies on non-European providers and ensuring data sovereignty. For telecommunications operators, cloud architects, and 5G strategists, the intersection of CADA with network infrastructure is defined by how the Act treats cloud computing services provided by entities that also operate electronic communications networks. The Act does not seek to duplicate existing telecom regulation but rather to fill the sovereignty gap for cloud services, while relying on parallel legislation to resolve jurisdictional ambiguities for converged entities.
The Regulatory Gap: Network-Operating CSPs and the EECC
A critical nuance for telco CTOs and legal counsel is how CADA interacts with the European Electronic Communications Code (EECC). The convergence of network infrastructure and cloud services has created a scenario where a single entity may act as both a network operator and a cloud service provider. The CADA proposal explicitly acknowledges this evolution.
In the Explanatory Memorandum, under the section "Consistency with other Union policies," the Commission states that the proposal complements the Digital Networks Act. The text notes that the Digital Networks Act "addresses the convergence of networks infrastructure, including scenarios where a cloud computing service provider operates an electronic communications network and has so far not been subject to obligations under the European Electronic Communications Code although falling into its scope."
Consequently, the Digital Networks Act is intended to "clarify the procedures for connectivity between providers of various networks and other market participants within a broader ecosystem cooperation."
This creates a distinct regulatory division of labour:
- CADA regulates the sovereignty and assurance of the cloud computing service itself, regardless of whether the provider also owns the underlying network.
- The Digital Networks Act (as referenced in CADA) is tasked with resolving the specific jurisdictional ambiguity for entities that are both network operators and cloud service providers, ensuring they are subject to the appropriate obligations under the EECC.
For telecommunications operators, this means CADA does not create a new, standalone regulatory regime for the network aspect of their business. However, once a telco offers a "cloud computing service" as defined in Article 2(1) of CADA (which mirrors the definition in the NIS2 Directive), it falls squarely within CADA's sovereignty framework. The provider must then navigate the Union assurance levels, even if the Digital Networks Act clarifies their status as a network operator.
Assurance Levels and Telco Cloud Positioning
The core of CADA's impact on telco cloud strategy lies in its four-tiered "Union assurance levels" established under Article 16. These levels determine the sovereignty guarantees a cloud service must meet to be procured by public sector bodies. For telcos aiming to serve the public sector, critical infrastructure, or government entities, positioning their cloud offerings within these levels is essential for market access.
The criteria for these levels are detailed in Annex II of the proposal:
- Union Assurance Level 1 (Baseline): Under Article 30(2), this is the minimum requirement for public sector bodies whose activities do not contribute to the preservation of public order. Providers must be established in the Union, and infrastructure and data must remain in the Union unless the public sector body explicitly requires otherwise. For telcos, this is the entry point for general public procurement but offers no competitive advantage for sensitive workloads.
- Union Assurance Level 2: This level introduces stricter criteria. Under Annex II (2.1), the audited provider and subcontractors must be established in the Union, and infrastructure and personnel must be located in the Union. Crucially, data generated cannot be used to train or fine-tune AI systems operated by a third country. It also requires a European cybersecurity certificate of at least assurance level "substantial" (not "high").
- Union Assurance Level 3: This level is designed for activities contributing to public order. Annex II (3.1) mandates that personnel, including those of subcontractors, must be Union citizens (conditional at L2, mandatory at L3/L4). It also prohibits control by third-country entities, with a specific derogation mechanism under Article 18 for "associated third countries" that meet strict safeguards. The cybersecurity requirement remains at the "substantial" level.
- Union Assurance Level 4: The highest tier, required for the most critical public order activities. Annex II (4.1) requires a European cybersecurity certificate of at least assurance level "high" (a distinction often missed; L3 is "substantial," L4 is "high"). It mandates Union citizenship for all personnel and strict separation from third-country control.
Strategic Implication for Telcos: Telco clouds that rely on global hyperscaler infrastructure (e.g., for management planes) or have significant third-country ownership may struggle to meet Levels 3 and 4 without significant architectural changes. Conversely, telcos with sovereign, EU-based infrastructure, a Union-based workforce, and independent control are uniquely positioned to capture high-value public sector contracts that require these higher assurance levels. The "substantial" vs. "high" cybersecurity distinction is a key differentiator for telcos aiming for Level 4.
Multi-Cloud Strategies and Risk Assessment
CADA explicitly encourages a risk-based approach to cloud adoption to enhance resilience. Recital 65 states that to limit dependency on a single provider, Union entities and Member States should consider whether a "multi-vendor or multi-cloud strategy may be appropriate." The recital clarifies that this decision must be based on a "context-specific risk assessment."
For telcos, this has two major implications:
- Integration over Replacement: Public sector clients are unlikely to mandate a single "sovereign" provider for all workloads. Instead, they will likely adopt multi-cloud architectures where different assurance levels are applied to different workloads. A telco's sovereign cloud might be the primary choice for Level 4 workloads (e.g., law enforcement data), while Level 1 or 2 services might be used for less sensitive administrative tasks.
- The Risk Assessment Gatekeeper: Under Article 29, Member States and Union entities must carry out risk assessments to determine which assurance level is appropriate for specific public sector activities. If a telco's cloud service is deemed insufficiently sovereign for a specific critical use case (e.g., national security), it may be excluded from that segment of the procurement, even if it is part of a multi-cloud setup.
Therefore, telcos must ensure their cloud services are transparently audited and recognised under the appropriate assurance level to remain viable options in multi-cloud strategies. The risk assessment conducted by the contracting authority will effectively filter which providers can participate in which layers of the stack.
Private Sector Impact and NIS2 Entities
While CADA primarily targets public procurement, it also influences the private sector through a "spillover" effect. Article 31 allows entities listed in Annex I of the NIS2 Directive (which includes telecommunications operators) to conduct impact assessments similar to those required for public sector bodies.
Although not mandatory for all private sector entities, the Commission may require impact assessments for entities in sectors of high criticality via delegated acts. This means telcos providing cloud services to other critical infrastructure operators (e.g., energy, transport) may face de facto sovereignty requirements driven by their clients' risk assessments. If a critical infrastructure operator determines that their operations require Level 3 or 4 assurance to mitigate public order risks, they will likely demand that their cloud providers meet those same standards, effectively extending CADA's reach into the private sector.
What this means for you
For CTOs, architects, and strategy leads in the telecommunications sector, CADA presents both a challenge and a significant opportunity to differentiate from non-EU hyperscalers.
- Audit Your Sovereignty Posture: Conduct a gap analysis of your current cloud offerings against the CADA assurance levels. If your management plane relies on third-country infrastructure or your workforce includes significant non-EU personnel, you may only qualify for Level 1 or 2. To compete for high-value public sector contracts (Levels 3 and 4), you may need to ring-fence EU-based infrastructure, ensure strict data localisation, and verify the citizenship status of your operational staff.
- Clarify Your Regulatory Status: Engage with national regulators to understand how the Digital Networks Act will clarify your status as a network-operating cloud service provider. Ensure your compliance frameworks address both NIS2 cybersecurity requirements and CADA sovereignty criteria, as the two regimes are complementary, not overlapping.
- Prepare for Multi-Cloud Procurement: Recognise that public sector clients will increasingly adopt multi-cloud strategies to mitigate risk, as encouraged by Recital 65. Ensure your cloud services are interoperable and can be seamlessly integrated into such architectures. Position your sovereign offering not as a monolithic replacement, but as the trusted "sovereign layer" for critical workloads within a broader multi-cloud environment.
- Invest in EU-Based Talent and Infrastructure: Higher assurance levels (3 and 4) require Union citizenship for personnel and EU-based infrastructure. Telcos should prioritise hiring and training EU-based staff for cloud operations and consider investing in sovereign data centres to meet these criteria. The distinction between "substantial" (L2/L3) and "high" (L4) cybersecurity certification is also a key investment area for those targeting the highest tier.
Common misconceptions
"CADA regulates telecommunications networks." Incorrect. CADA regulates cloud computing services. While it acknowledges the convergence of networks and clouds, it relies on the Digital Networks Act to address network-specific regulatory gaps and clarify the status of providers operating electronic communications networks. Telcos are only subject to CADA when they provide cloud computing services as defined in Article 2.
"All telco clouds must meet the highest sovereignty level." Incorrect. The required assurance level is determined by a risk assessment conducted by the contracting authority under Article 29. Not all public sector activities require Levels 3 or 4. Many may only require Level 1 or 2. Telcos should tailor their offerings to the specific needs of their clients rather than assuming a one-size-fits-all approach.
"CADA replaces NIS2 cybersecurity requirements." Incorrect. CADA complements NIS2. NIS2 focuses on technical cybersecurity risk management, while CADA focuses on sovereignty, operational autonomy, and data localisation. Telcos must comply with both regimes. Furthermore, CADA explicitly references the need for European cybersecurity certification (EUCS) under the Cybersecurity Act, which is distinct from NIS2 compliance.
"Level 3 and Level 4 have the same cybersecurity requirements." Incorrect. Under Annex II, Level 3 requires a European cybersecurity certificate of at least assurance level "substantial," whereas Level 4 requires a certificate of at least assurance level "high." This is a critical distinction for telcos planning their certification roadmaps.
This is general information about a draft EU regulation, not legal advice.