Summary
As proposed, the Cloud and AI Development Act (CADA) affects energy and utility companies primarily by recognising them as critical infrastructure under the NIS2 Directive, granting them the right to conduct voluntary impact assessments for cloud sovereignty. While CADA does not currently mandate that all energy utilities switch to sovereign cloud providers, it establishes a framework where grid operators can align their procurement with Union assurance levels to safeguard public order. This complements broader EU goals for energy-system digitalisation and grid resilience, with Recital 38 explicitly linking data centre deployment to energy supply stability and clean energy integration.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem, reduce dependencies on non-European providers, and ensure the resilience of critical infrastructure. For energy and utility companies, the impact is multifaceted, touching on data sovereignty, procurement rules, and the strategic importance of the energy sector in the EU's digital transition. Unlike the AI Act, which regulates the software layer, CADA targets the infrastructure and supply chain beneath it, directly affecting how energy operators procure and manage cloud services.
Energy as a Strategic Sector and Digitalisation Goals
The proposal explicitly recognises the digital transformation of key industries as a priority. Recital 18 outlines the Cloud and AI Leadership Initiatives' goal to accelerate industrial AI uptake and specifically lists "climate and environment" and "agri-food" alongside healthcare, transport, and manufacturing as strategic sectors. Although "energy" is not named as a standalone item in that list, the recital's focus on "climate and environment" encompasses the energy transition, and Recital 38 provides the critical link for the energy sector.
Recital 38 states that "Sufficient and timely energy supply to the acceleration zones constitutes a fundamental enabling condition" for data centre deployment. It further notes that data centres can "support clean energy growth and the sustainable use of energy" and that power purchasing agreements (PPAs) are "important instruments for data centres." This establishes a reciprocal relationship: the energy sector is a strategic enabler for cloud capacity, and cloud capacity is essential for the digitalisation of the energy grid.
The proposal aligns with the EU's energy-system digitalisation goals by encouraging the use of AI-optimised servers and software (Article 4(2)) and promoting cloud stacks that support technological autonomy. Energy companies are expected to leverage these initiatives to enhance grid stability, support renewable integration through forecasting, and ensure operational resilience against geopolitical disruptions.
NIS2 Coverage and Private Sector Impact Assessments
The most direct legal mechanism affecting energy utilities in CADA is found in Article 31. This article addresses private sector entities that are not public bodies but are listed in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive). Energy companies, including electricity, gas, and heating system operators, fall squarely within the definition of "essential entities" under NIS2.
Article 31(1) states that these entities "may carry out similar assessments as those set out in Article 29." Article 29 requires public sector bodies to conduct risk assessments to determine the appropriate Union assurance level (1, 2, 3, or 4) for their cloud services based on public order relevance. By extension, Article 31 allows energy utilities to voluntarily assess their own cloud dependencies and determine if they need to migrate to higher-assurance sovereign cloud services to mitigate operational risks.
Furthermore, Article 31(2) and (3) empower the Commission to issue guidance on these impact assessments. Crucially, if the Commission concludes that entities in sectors of high criticality—such as energy—require mandatory impact assessments due to specific circumstances, it may adopt delegated acts to specify the need for such assessments and the risk mitigation measures those entities must take. This creates a potential pathway for mandatory sovereignty requirements for critical energy infrastructure, even though the initial obligation under the proposal is voluntary.
Sovereign Cloud Expectations for Grid Operators
While CADA does not impose a blanket ban on non-EU cloud providers for the private sector, it creates strong incentives for grid operators and system operators to adopt sovereign cloud solutions. The proposal establishes a Union cloud computing sovereignty framework with four assurance levels (detailed in Annex II).
For energy companies, the choice of assurance level depends on the sensitivity of the data and the criticality of the function. Grid operators handling real-time data for electricity balancing, critical infrastructure control, or national security may determine, through their Article 31 impact assessment, that they require Union assurance level 2, 3, or 4. These higher levels impose strict criteria, such as:
- Data Localisation: Customer and operational data must remain exclusively within the Union (Annex II, Section 2.1(c) and 3.1(c)).
- Personnel Requirements: For levels 3 and 4, personnel involved in service provision must be Union citizens (Annex II, Section 3.1(d) and 4.1(d)). Note that for Level 2, this is conditional: personnel requirements apply "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary" (Annex II, Section 2.1(d)).
- Cybersecurity Certification: Services must obtain a European cybersecurity certificate of at least assurance level 'substantial' (Levels 2 and 3) or 'high' (Level 4) (Annex II, Section 2.1(e) and 4.1(e)).
This framework ensures that if an energy company chooses to use a cloud provider subject to third-country control (e.g., US or Chinese hyperscalers), it must demonstrate that adequate legal, technical, and organisational measures are in place to prevent unauthorised access or service disruption. For critical grid functions, meeting these criteria with non-EU providers may be legally or technically unfeasible, effectively driving migration to EU-based providers.
Crucially, for Union assurance level 3, the framework allows for a derogation where a provider subject to third-country control may still qualify if the Commission has adopted an implementing act under Article 18 ('Associated third countries'). However, Annex II, Section 3.1(g) refers to an implementing act under Article 19, which appears to be a drafting inconsistency in the proposal itself: the Regulation text (Article 18) establishes the mechanism for identifying third countries, while the Annex cross-references Article 19. In practice, the mechanism relies on the Commission's decision under Article 18 to identify a third country as providing sufficient assurances.
Overlap with Energy-System Digitalisation Goals
CADA aligns with the EU's broader goals for energy-system digitalisation, including the integration of renewable energy sources and the modernisation of smart grids. The proposal supports the deployment of AI-optimised servers and software (Article 4(2)) and promotes the development of cloud computing stacks that support technological autonomy.
Energy companies are encouraged to leverage these initiatives to:
- Enhance Grid Stability: Use AI-driven analytics on sovereign cloud platforms to predict and manage load fluctuations.
- Support Renewable Integration: Utilise cloud-based tools for forecasting renewable energy production and optimising storage.
- Ensure Resilience: Reduce the risk of service disruption caused by geopolitical tensions or extraterritorial data access laws (such as the US CLOUD Act), which CADA explicitly aims to mitigate by ensuring operational autonomy.
What this means for you
If you are a cloud service provider or data centre operator serving the energy sector, you must prepare for a market where sovereignty is a key procurement criterion. Energy utilities are increasingly aware of their critical infrastructure status and are likely to conduct impact assessments under Article 31.
- For Cloud Providers: To win contracts with major energy utilities, you may need to achieve recognition under the Union assurance levels. This involves rigorous independent audits (for levels 2-4) and demonstrating compliance with strict data localisation and personnel rules. SMEs can benefit from the simplified recognition process for Union assurance level 1 (Article 17(3)), but larger energy projects will likely demand higher assurance.
- For Energy Companies: You should begin mapping your cloud dependencies and assessing which systems are critical to public order. While not yet mandatory, conducting a voluntary impact assessment under Article 31 positions you ahead of potential future delegated acts that may make such assessments compulsory. Engage with your cloud providers to understand their sovereignty credentials and readiness for the CADA framework.
- For Data Centre Operators: The proposal promotes the deployment of sustainable and innovative computing capacity (Article 3). Energy companies are sensitive to the environmental impact of their digital footprint. Data centres that demonstrate high energy efficiency, use renewable energy, and integrate with the local grid (as encouraged in Article 10 regarding acceleration zones and energy supply analysis) will be more attractive partners for energy utilities looking to align their digital and sustainability goals.
Common misconceptions
- "CADA forces all energy companies to switch to EU cloud providers." This is incorrect. CADA does not impose a blanket ban on non-EU providers for private sector entities. However, it creates a regulatory environment where using non-EU providers for critical functions becomes more complex and risky due to the sovereignty framework. Energy companies may choose to switch voluntarily to mitigate risk, but it is not an automatic legal requirement for all services.
- "Only public sector bodies need to worry about sovereignty levels." Incorrect. Article 31 explicitly extends the ability to conduct risk assessments to private sector entities covered by NIS2, which includes energy utilities. While the assessment is currently voluntary, the Commission has the power to make it mandatory for high-criticality sectors.
- "CADA replaces existing cybersecurity laws for energy companies." No. CADA complements existing laws like NIS2, GDPR, and the Data Act. It does not replace cybersecurity requirements but adds a layer of sovereignty assurance. Energy companies must still comply with all existing regulatory obligations.
- "The EU assurance levels are optional for private companies." The levels themselves are a framework for recognition. While private companies are not forced to procure services at a specific level by CADA (unlike public authorities under Article 30), the market pressure and potential future delegated acts under Article 31(3) mean that adhering to these levels may become a de facto requirement for critical operations.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
This is general information about a draft EU regulation, not legal advice.