Summary
As proposed, the Cloud and AI Development Act (CADA) does not replace the cybersecurity obligations that telecommunications providers face under the NIS2 Directive; instead, it adds a distinct sovereignty layer. While NIS2 mandates technical security risk management for telecom operators classified as essential entities, CADA Article 31 allows these private-sector entities to conduct impact assessments to determine whether they need to procure cloud services with specific Union assurance levels. This creates a dual compliance framework in which telecom providers must satisfy NIS2's technical security standards while potentially navigating CADA's procurement restrictions to protect public order and operational autonomy. Crucially, CADA explicitly distinguishes itself from NIS2, noting that while NIS2 improves cybersecurity risk management, it is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."
Detail
To understand the interaction between the Cloud and AI Development Act (CADA) and the NIS2 Directive for telecommunications providers, it is necessary to distinguish between technical cybersecurity obligations and sovereignty-based procurement requirements. The two instruments address different, though overlapping, risks: NIS2 focuses on preventing cyber incidents and ensuring operational resilience, while CADA focuses on mitigating strategic dependencies on third-country cloud providers that could threaten public order or data confidentiality.
NIS2 Obligations for Telecom Providers: The Technical Baseline
Under Directive (EU) 2022/2555 (NIS2), telecommunications operators are explicitly classified as "essential entities." This classification is found in Annex I of the Directive, specifically under Section 1, Point 1, which lists "Electronic communications networks and services."
This classification triggers strict cybersecurity risk management requirements. NIS2 requires these entities to implement appropriate technical and organizational measures to manage risks posed by threats to the security of their network and information systems. This includes policies on incident handling, business continuity, supply chain security, and the security of communication networks and systems.
The scope of NIS2 is broad and captures the technical infrastructure upon which cloud services often run. Recitals of the NIS2 Directive emphasize that the security of network and information systems is critical for the functioning of society and the economy. By classifying telecom operators as essential, NIS2 ensures that the backbone of digital communication remains resilient against cyberattacks. However, NIS2 is primarily concerned with technical cybersecurity. It does not explicitly address sovereignty concerns, such as the risk that a cloud provider subject to third-country jurisdiction could be compelled to hand over data or disrupt services due to foreign laws.
CADA's Sovereignty Layer: Article 31 and Private Sector Impact
CADA addresses the gap left by NIS2 regarding sovereignty and strategic autonomy. While NIS2 ensures a data center or cloud provider is secure from hackers, CADA ensures that the provider is not subject to extraterritorial control by a third country that could undermine EU public order.
Article 31 of CADA is the critical provision for private-sector entities, including telecommunications providers. It states:
"1. Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29. 2. The Commission may issue guidance on the methodology for carrying out the impact assessments under this Article and possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality. 3. Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation in accordance with Article 45 specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
This provision creates a voluntary-to-mandatory pathway for telecom operators:
- Voluntary Impact Assessments: Telecom providers, as entities listed in Annex I of NIS2, may carry out impact assessments similar to those public sector bodies must perform under Article 29 of CADA. These assessments evaluate whether the cloud services they use expose them to risks that could undermine public order, such as unauthorized access by third countries or service disruption.
- Potential Mandatory Requirements: The Commission retains the power to adopt delegated acts making these impact assessments mandatory for entities in "sectors of high criticality." Given the strategic importance of telecommunications, it is plausible that the Commission could determine that telecom operators must formally assess their cloud dependencies and mitigate risks by procuring services with higher Union assurance levels (Levels 2, 3, or 4 under CADA).
The Interaction: Security vs. Sovereignty
The interaction between CADA and NIS2 for telecom providers can be summarized as follows:
- NIS2 requires telecom operators to ensure their cloud providers meet high cybersecurity standards (e.g., incident response, vulnerability management). This is a technical requirement.
- CADA encourages (and may eventually require) telecom operators to assess whether their cloud providers are subject to third-country control. This is a sovereignty requirement.
A telecom provider could theoretically use a cloud service that is technically secure (compliant with NIS2) but lacks sovereignty assurances (e.g., controlled by a non-EU parent company with no adequate safeguards). Under CADA, this provider would be exposed to strategic risks. Conversely, a provider could use a sovereign EU cloud (compliant with CADA) that lacks robust cybersecurity controls (non-compliant with NIS2). Both laws must be satisfied simultaneously.
CADA explicitly acknowledges this distinction in its recitals, noting that NIS2 "improves the cybersecurity risk management of cloud computing service providers and data centres in the EU, resulting in greater trust. However, it does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." Thus, CADA complements NIS2 by adding the missing sovereignty dimension.
The Assurance Level Criteria for Telecoms
For telecom providers conducting assessments under Article 31, the criteria for Union assurance levels in Annex II become critical.
- Level 2 (Substantial Cybersecurity): Requires a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme. It also mandates that infrastructure, assets, and personnel are located in the Union.
- Level 3 (High Sovereignty): Requires a certificate of at least 'substantial' assurance and, crucially, mandates that personnel are Union citizens (conditional on public sector body requirements) and that the provider is not subject to third-country control.
- Level 4 (Maximum Sovereignty): Requires a certificate of at least 'high' assurance level.
A key mechanism for third-country providers is found in Article 18 (Associated third countries), not Article 19. Article 18 allows the Commission to adopt implementing acts identifying third countries where providers subject to their control may be audited for Union assurance level 3. This is a specific derogation mechanism. Article 19, by contrast, relates solely to conformity self-assessment for Level 1.
Therefore, if a telecom provider relies on a cloud service controlled by a third country, they must verify if the Commission has adopted an implementing act under Article 18 for that specific country to qualify for Level 3. Without such an act, the provider would likely be restricted to Level 1 or Level 2, depending on other criteria, and could not claim Level 3 or 4 status.
What this means for you
For in-house counsel and compliance officers in the telecommunications sector, the intersection of CADA and NIS2 requires a proactive, dual-layered compliance strategy. Here are the immediate steps:
- Conduct Voluntary Impact Assessments Now: Although Article 31 currently permits (rather than mandates) these assessments for private entities, telecom operators should start evaluating their cloud dependencies. Use the methodology likely to be issued by the Commission to assess whether your current cloud providers expose you to third-country control risks. This early preparation will save significant resources if the Commission later makes these assessments mandatory via delegated acts.
- Map Cloud Providers to Assurance Levels: Identify which of your cloud providers are recognized under CADA's Union assurance levels (1–4). If you rely on non-EU hyperscalers, assess whether they can meet the criteria for Level 3 or 4, or if you need to diversify your portfolio to include EU-based providers. Pay close attention to the Article 18 status of any third-country control.
- Update Cloud Contracts: Ensure your cloud service agreements include clauses that address both NIS2 cybersecurity requirements and CADA sovereignty requirements. For example, contracts should require providers to notify you of any changes in ownership or control that could affect their sovereignty status under CADA.
- Monitor Commission Guidance: Stay alert for Commission guidance on Article 31 impact assessments and any delegated acts that may impose mandatory requirements on high-criticality sectors like telecommunications. The Commission's guidance will clarify the expected depth of these assessments and the mitigation measures required.
- Engage with National Authorities: As part of the impact assessment process, you may need to consult with national competent authorities, especially if you identify significant sovereignty risks. Early engagement can help you navigate any future mandatory requirements and demonstrate good faith compliance.
Common misconceptions
- "NIS2 compliance is enough for CADA." This is incorrect. NIS2 focuses on technical cybersecurity (preventing hacks, ensuring uptime), while CADA focuses on sovereignty (preventing third-country control, ensuring data remains under EU jurisdiction). A provider can be NIS2-compliant but fail CADA's sovereignty criteria if it is subject to foreign laws that allow data access or service disruption.
- "CADA Article 31 is mandatory for all telecom providers immediately." Currently, Article 31 allows private entities to carry out assessments; it does not strictly mandate them for all entities yet. However, the Commission can adopt delegated acts to make these assessments mandatory for sectors of high criticality. Telecoms are likely to be included in such future mandates, so treating it as optional is a strategic risk.
- "Only public sector bodies need to worry about CADA assurance levels." While Article 29 mandates risk assessments for public sector bodies, Article 31 explicitly extends the framework to private entities in NIS2 Annex I, including telecoms. The Commission can require these private entities to perform similar assessments and adopt mitigation measures, effectively bringing them into the sovereignty framework.
- "CADA replaces NIS2 for cloud security." CADA does not replace NIS2. It complements it. Telecom providers must still comply with NIS2's technical security obligations. CADA adds an additional layer of scrutiny regarding the ownership and control of cloud providers, not their technical security posture.
- "Article 19 is the mechanism for third-country derogations." This is a common error. Article 18 is the specific mechanism for the Commission to identify third countries where providers subject to their control may be audited for Union assurance level 3. Article 19 is strictly for Level 1 self-assessment.
This is general information about a draft EU regulation, not legal advice.