How does CADA affect telecommunications operators?

Summary As proposed, the Cloud and AI Development Act (CADA) impacts telecommunications operators through a dual-track approach: it clarifies that connectivity and network convergence fall under the Digital Networks Act (referencing the European Electronic Communications Code, EECC), while cloud sovereignty and data-centre capacity fall under CADA. Crucially, Article 31 allows private-sector entities in critical sectors—including telecoms listed under Annex I of the NIS2 Directive—to voluntarily conduct impact assessments to determine their sovereign cloud needs. While CADA does not currently mandate private telecoms to use sovereign cloud, it creates a powerful market signal: public sector clients must procure services at Union assurance levels 2, 3, or 4 (Article 30), indirectly pressuring telecom providers to align their infrastructure with these standards to remain competitive.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by increasing domestic computing capacity and reducing reliance on third-country providers. For telecommunications operators, the regulation's impact is nuanced, operating at the intersection of network infrastructure, cloud service provision, and critical national infrastructure. Unlike the public sector, which faces direct procurement mandates, private telecom operators are currently subject to a voluntary framework that could evolve into mandatory requirements.

The Intersection with Electronic Communications Networks and the EECC

A critical distinction in the CADA proposal is the separation of "connectivity" from "cloud sovereignty." The proposal explicitly acknowledges the convergence of network and cloud infrastructure, a reality where many telecommunications operators act as both.

Recital 41 of the CADA proposal addresses this directly. It states that the Digital Networks Act "addresses the convergence of networks infrastructure, including scenarios where a cloud computing service provider operates an electronic communications network and has so far not been subject to obligations under the European Electronic Communications Code (EECC)." The proposal clarifies that the Digital Networks Act will "clarify the procedures for connectivity between providers of various networks and other market participants."

This recital serves as a demarcation line:

• Connectivity & Network Convergence: Governed by the Digital Networks Act and the EECC. This covers the physical and logical transmission of data, spectrum, and the interconnection of networks.
• Cloud Sovereignty & Data Centres: Governed by CADA. This covers the location of data, the ownership of the provider, the assurance levels of the service, and the deployment of data centre capacity.

For telecommunications operators, this means that while their core network obligations remain under the EECC framework, any cloud services they offer, or any data centres they operate to support those services, fall squarely within CADA's scope. The proposal leverages the Digital Networks Act's advancements for connectivity but remains "focused on the deployment of data centres capacities, not the prior or parallel build-out of the necessary connectivity infrastructure." This prevents regulatory overlap but requires operators to navigate two distinct legislative frameworks simultaneously.

Article 31: Voluntary Impact Assessments for NIS2 Telecom Entities

The most significant provision for private telecommunications operators is Article 31, titled "Impact assessments." This article specifically targets entities that are not public sector bodies but operate in critical sectors.

Article 31(1) states: "Entities referred to in Annex I of Directive (EU) 2022/2555 [NIS2] who are not public sector bodies may carry out similar assessments as those set out in Article 29."

Telecommunications operators are explicitly listed in Annex I of the NIS2 Directive as "essential entities." Consequently, they are the primary beneficiaries of this voluntary provision. Under Article 29, public sector bodies are required to conduct risk assessments to identify activities contributing to the preservation of public order and determine the appropriate Union assurance level (2, 3, or 4). Article 31 extends this logic to the private sector, allowing telecom operators to:

1. Voluntarily Assess Risks: Evaluate their own exposure to third-country control, extraterritorial access, and service disruption risks.
2. Determine Assurance Needs: Decide internally whether their operations require the higher safeguards of Union assurance levels 2, 3, or 4, even if not legally compelled to do so by CADA.
3. Prepare for Future Mandates: The Commission is empowered under Article 31(3) to adopt delegated acts "specifying the need for such impact assessment and the risk mitigation measures" if it concludes that entities in sectors of high criticality require them. This creates a clear pathway for the Commission to make these assessments mandatory for telecoms in the future if dependencies are deemed a systemic risk.

The Commission may also issue guidance on the methodology for these assessments under Article 31(2). For telecom operators, this is a strategic window to proactively audit their supply chains, identify dependencies on non-EU hyperscalers, and align their infrastructure with the sovereignty standards that will soon be mandatory for their public sector clients.

Sovereign Cloud Expectations and Market Pressure

While CADA does not directly mandate private telecom operators to switch to sovereign cloud providers, it creates a powerful "pull" mechanism through public procurement rules.

Article 30(3) mandates that contracting authorities (public sector bodies) whose activities contribute to the preservation of public order "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4." Telecommunications operators frequently serve as the primary cloud and connectivity providers for these public sector bodies.

If a telecom operator's cloud offering does not meet the necessary Union assurance levels, it risks exclusion from public procurement opportunities. Furthermore, as public sector bodies migrate to sovereign solutions, they may require their private sector partners to adopt similar security and sovereignty standards to ensure the integrity of the entire supply chain. This creates a de facto requirement for telecoms to align with CADA's sovereignty framework to maintain their market share in the public sector.

Recital 46 underscores the stakes, highlighting the risks of dependence on providers subject to third-country control, including "vulnerabilities arising from the extraterritorial application of third-country laws" and "potential disruptions affecting the continuity, quality and resilience of cloud computing services." For telecom operators, using cloud infrastructure from non-EU providers without adequate safeguards could be viewed as a strategic risk, potentially affecting their reputation and ability to serve sensitive clients in law enforcement, defence, or critical infrastructure.

Data Centre Deployment and Acceleration Zones

Telecommunications operators are also directly affected by CADA's provisions on infrastructure deployment. Title III of the proposal establishes data centre acceleration zones (Article 10) to streamline permitting and ensure sustainable deployment.

Telecom operators that build or operate data centres to support their cloud and network services (including edge computing nodes for 5G/6G) will benefit from these simplified administrative processes. Article 10 requires Member States to designate acceleration zones where data centre capacity is being deployed, considering factors such as:

• Available and future power grid capacity.
• Network connectivity capacity.
• Sustainability requirements (e.g., waste heat reuse).

Operators can leverage these zones to expand their infrastructure more efficiently, benefiting from aggregated baseline permits (Article 13) and streamlined environmental assessments. This is particularly relevant for operators looking to deploy edge computing nodes or large-scale data centres to support next-generation networks, as the proposal aims to "triple EU capacity in the next five-to-seven years."

What this means for you

For telecommunications operators, CADA presents a strategic inflection point. You are not directly mandated to use sovereign cloud services today, but the regulatory landscape is shifting in a way that makes sovereignty a competitive necessity.

1. Leverage Article 31 Immediately: Do not wait for a delegated act to make impact assessments mandatory. Use the framework in Article 31 to voluntarily assess your cloud dependencies. Identify which parts of your infrastructure are critical, map your third-country risks, and determine if you need to upgrade to Union assurance levels 2, 3, or 4 to protect your operations.
2. Align with Public Sector Standards: If you serve public sector clients, ensure your cloud offerings can meet the Union assurance levels required by Article 30. This may involve partnering with EU-based cloud providers that have obtained recognition under the CADA framework or upgrading your own services to meet the criteria in Annex II.
3. Leverage Data Centre Acceleration Zones: If you are expanding your data centre footprint, actively engage with Member States to identify designated acceleration zones. These zones offer streamlined permitting and support for sustainable deployment, which can significantly reduce your time-to-market and operational costs.
4. Monitor Commission Guidance: Stay informed about any guidance the Commission issues on impact assessments for private sector entities under Article 31(2). This guidance will provide clarity on the methodology and expected mitigation measures, helping you prepare for potential future mandatory requirements.

Common misconceptions

• Misconception: CADA forces all telecommunications operators to use only EU-based cloud providers immediately.
  • Reality: CADA mandates public sector bodies to use sovereign cloud services for critical activities. For private telecom operators, the use of impact assessments under Article 31 is currently voluntary, though the Commission has the power to make them mandatory via delegated acts.
• Misconception: Telecom operators are exempt from CADA because they are regulated by the EECC.
  • Reality: While the EECC and Digital Networks Act regulate connectivity and network convergence, CADA addresses cloud sovereignty and data centre deployment. Telecom operators providing cloud services or operating data centres are subject to CADA's provisions, particularly regarding the convergence of network and cloud infrastructure as clarified in Recital 41.
• Misconception: Article 31 creates immediate legal obligations for telecom operators to switch providers.
  • Reality: Article 31 currently allows for voluntary impact assessments. However, the Commission has the power to require these assessments for high-criticality sectors through delegated acts, meaning the landscape could become more prescriptive in the future.

Related

• How do CADA data-centre acceleration zones affect grid operators?
• When do CADA provisions affect the automotive sector?
• CADA for connectivity and submarine-cable operators: NIS2, risk assessments and sovereign data flows
• CADA and NIS2 for Energy Operators: The Sovereignty Layer Explained
• How does CADA affect universities and research institutions?

This is general information about a draft EU regulation, not legal advice.