CADA vs the European Electronic Communications Code

Summary The proposed Cloud and AI Development Act (CADA) does not replace, amend, or supersede the European Electronic Communications Code (EECC). Instead, CADA addresses a specific regulatory gap identified in the legislative process: scenarios where cloud computing service providers operate electronic communications networks but have not previously been subject to EECC obligations despite falling within their scope. While the EECC governs the technical and market regulation of networks, CADA introduces a distinct sovereignty framework for cloud services. Providers operating in both domains would face a dual regulatory burden: EECC rules for their network infrastructure and CADA's Union assurance levels for their cloud offerings, particularly in public procurement.

Detail

The relationship between the proposed Cloud and AI Development Act (CADA) and the European Electronic Communications Code (EECC) is defined by strict complementarity. CADA is a proposal aimed at strengthening the EU's cloud and AI ecosystem, focusing on strategic autonomy, data-centre capacity, and reducing dependencies on third-country providers. The EECC, conversely, is the foundational framework for the internal market in electronic communications, regulating network access, spectrum, and consumer rights.

The intersection of these two regimes is not one of conflict, but of targeted supplementation. The CADA proposal explicitly acknowledges the evolving convergence of cloud and network infrastructure, a dynamic that existing telecom regulations have not fully captured in all instances.

The Regulatory Gap: Cloud Providers Operating Networks

A critical insight from the CADA explanatory memorandum highlights a specific market failure. The proposal notes that the Digital Networks Act (which updates and complements the EECC framework) addresses the convergence of network infrastructure. Specifically, the text states:

"The Digital Networks Act also addresses the convergence of networks infrastructure, including scenarios where a cloud computing service provider operates an electronic communications network and has so far not been subject to obligations under the European Electronic Communications Code although falling into its scope."

This observation identifies a "regulatory gap." Historically, some large cloud providers may have operated network infrastructure (such as private backbones or interconnection points) that technically fell within the definition of an electronic communications network but were not formally designated or regulated as such under the EECC. This lack of designation meant they operated without the specific obligations (e.g., interconnection, transparency, or security requirements) that apply to traditional telecom operators.

CADA does not seek to fill this gap by re-regulating the network layer itself. Instead, it leverages the Digital Networks Act to "clarify the procedures for connectivity between providers of various networks and other market participants within a broader ecosystem cooperation." By doing so, CADA ensures that the deployment of data centres—which are ultimate clients of grid capacity and network connectivity—is harmonised. The proposal explicitly states that it "stays focused on the deployment of data centre capacities, not the prior or parallel build-out of the necessary connectivity infrastructure."

Thus, CADA's role is to ensure that when these dual-role providers offer cloud services, those services meet the Union's sovereignty standards, while the underlying network connectivity is clarified and harmonised through the Digital Networks Act/EECC framework.

Sovereignty vs. Network Regulation: Distinct Objectives

The core distinction lies in the regulatory objective. The EECC is concerned with market competition, consumer protection, and the technical interoperability of networks. CADA is concerned with technological sovereignty, operational autonomy, and public order.

Under Article 16 of the CADA proposal, a Union cloud computing sovereignty framework is established, comprising four Union assurance levels. These levels are not about network access or bandwidth (EECC concerns) but about:

• The location of infrastructure and assets within the Union.
• The citizenship and location of personnel.
• The absence of third-country control or interference.
• The security of the software supply chain.

For a telecommunications operator that also provides cloud services, this creates a bifurcated compliance landscape:

1. EECC Compliance: The operator must continue to meet all obligations regarding network licensing, interconnection, and market conduct as a network provider.
2. CADA Compliance: If that same operator wishes to sell cloud services to public sector bodies, it must undergo the CADA recognition process (Articles 17–23) to demonstrate compliance with the relevant Union assurance level (1–4).

Crucially, CADA does not impose new network-specific licensing requirements. It relies on the existing EECC framework for network governance. However, it adds a layer of scrutiny on the service layer provided over those networks. For example, Annex II of the proposal sets out criteria for Union assurance levels. For Level 2 and above, the criteria require that "the infrastructure, assets, and personnel... are located in the Union." If a telecom operator's cloud service relies on network nodes or data centres located outside the EU, it may fail to meet these criteria, regardless of its compliance with EECC network rules.

Public Procurement and the Role of Network Infrastructure

The practical impact of this interaction is most visible in public procurement. Under Article 30 of the CADA proposal, contracting authorities must procure cloud computing services that meet specific Union assurance levels based on risk assessments conducted under Article 29.

If a public body procures cloud services from a provider that is also a network operator, the integrity and sovereignty of the underlying network become relevant to the overall assurance level. Annex II, Section 2 (Union assurance level 2) and Section 3 (Union assurance level 3) explicitly require that "the infrastructure, assets, and personnel... are located in the Union."

This creates a potential pressure point for telecom operators. While the EECC ensures the network functions efficiently, CADA ensures the network (as part of the cloud service) is sovereign. If a provider's network infrastructure is globally distributed but its cloud service is sold to a public body requiring Level 3 assurance, the provider must demonstrate that the specific infrastructure supporting that service is Union-based and free from third-country control.

The proposal also emphasises that the sovereignty framework should not hinder the free flow of data within the Union. This aligns with the EECC's objectives of creating a single market for electronic communications. However, CADA introduces a more stringent approach to cross-border dependencies, requiring that infrastructure, assets, and personnel for higher assurance levels be located within the Union. This can impact network operators who might otherwise rely on cross-border network resources, forcing a re-evaluation of their infrastructure footprint to comply with CADA's sovereignty criteria.

No Replacement of the EECC Framework

It is vital to understand that CADA does not repeal, amend, or replace the EECC. The EECC remains the primary legal instrument for regulating electronic communications networks and services. CADA operates in the adjacent space of cloud computing services and AI systems.

The explanatory memorandum confirms this separation of powers:

"The Digital Networks Act will clarify the procedures for connectivity between providers of various networks and other market participants within a broader ecosystem cooperation. Thus, the Digital Networks Act will clarify the procedures for connectivity between providers of various networks and other market participants within a broader ecosystem cooperation. Thus, the Digital Networks Act will clarify the procedures for connectivity between providers of various networks and other market participants within a broader ecosystem cooperation. Thus, the Digital Networks Act will clarify the procedures for connectivity between providers of various networks and other market participants within a broader ecosystem cooperation."

(Note: The source text repeats this sentence for emphasis on the distinct role of the Digital Networks Act in clarifying connectivity, while CADA focuses on data centre capacity.)

Where there is overlap, such as in the provision of cloud services over electronic communications networks, both sets of rules apply concurrently. Providers must ensure compliance with the EECC's technical and market-based obligations while simultaneously meeting CADA's sovereignty and procurement requirements if they engage with the public sector. The CADA proposal explicitly states it "complements the Digital Networks Act," which itself complements the EECC, rather than supplanting it.

What this means for you

For in-house counsel, compliance officers, and strategic planners in telecommunications and cloud computing, the interplay between CADA and the EECC requires a nuanced, dual-track compliance strategy.

1. Audit Your Dual-Role Status

If your organisation provides cloud computing services and also operates an electronic communications network, you must assess whether your network operations have historically been outside the full scope of the EECC. The CADA proposal's reference to the Digital Networks Act suggests that regulatory clarity is being sought for these hybrid entities. Ensure that your network operations are fully compliant with the EECC, as any gaps here could undermine your ability to offer sovereign cloud services under CADA. The "regulatory gap" identified in the proposal implies that regulators are actively looking to close it; being proactive is essential.

2. Assess Infrastructure for Sovereignty Levels

To qualify for Union assurance levels 2, 3, or 4 under CADA, your infrastructure and assets must be located within the Union. For telecom operators, this means reviewing your network architecture. If your cloud services rely on network nodes, backbones, or data centres located outside the EU, you may not be able to achieve higher assurance levels. This could limit your eligibility for public sector contracts, which are increasingly required to use services meeting these higher standards. You may need to segregate your "sovereign" cloud infrastructure from your global network operations.

3. Prepare for Risk Assessments

Public sector bodies will conduct risk assessments to determine the required Union assurance level for their cloud procurement. As a provider, you should be prepared to demonstrate how your network infrastructure supports the sovereignty and security of your cloud offerings. This includes proving that your network operations do not expose customer data to third-country control or disruption. The criteria in Annex II are rigorous regarding the location of personnel and the absence of third-country control.

4. Monitor Regulatory Developments

As CADA progresses through the legislative procedure, pay close attention to how the Commission interprets the interaction between the Digital Networks Act and CADA. The proposal mentions that the Digital Networks Act will clarify procedures for connectivity between providers. This could lead to new technical standards or interoperability requirements that affect how you integrate your cloud services with your network infrastructure.

5. Review Procurement Contracts

If you are a public sector body, ensure that your procurement processes for cloud services include the necessary sovereignty criteria. For private sector providers, review your contracts with public sector clients to ensure they reflect the new assurance level requirements. Failure to meet these criteria could result in loss of contracts or non-compliance penalties. Note that Article 30 mandates that for activities contributing to public order, only services recognised at Union assurance levels 2, 3, or 4 may be procured.

Common misconceptions

Misconception 1: CADA replaces the EECC for cloud providers. No. CADA does not replace the EECC. The EECC continues to regulate electronic communications networks and services. CADA adds a new layer of regulation focused on cloud computing sovereignty, public procurement, and AI development. Providers must comply with both frameworks where applicable. The proposal explicitly states it complements the Digital Networks Act (which updates the EECC), rather than replacing it.

Misconception 2: Network operators are exempt from CADA if they are regulated under the EECC. This is incorrect. If a network operator also provides cloud computing services, it falls under the scope of CADA for those cloud services. The EECC regulates the network layer, while CADA regulates the cloud service layer. Dual-role providers must navigate both regulatory regimes. The "regulatory gap" identified in the proposal specifically concerns providers who were not subject to EECC obligations; CADA ensures that even if they were, their cloud services are still subject to sovereignty rules.

Misconception 3: CADA imposes new network licensing requirements. CADA does not introduce new licensing requirements for electronic communications networks. It relies on the existing EECC framework for network regulation. However, it does impose strict requirements on the location and control of infrastructure for cloud services seeking higher Union assurance levels, which can indirectly affect network deployment strategies.

Misconception 4: Sovereignty levels are only about data protection. While data protection is a component, the Union assurance levels under CADA also cover operational autonomy, security against third-country interference, and the location of personnel and assets. This is broader than the data protection obligations under the GDPR or the data governance rules under the Data Act. The criteria in Annex II explicitly address third-country control, personnel citizenship, and software supply chain security.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• How does CADA interact with NIS2 for telecom providers?
• How does CADA interact with DORA for cloud service providers?
• Does using a US hyperscaler create CADA risk for European banks?
• Does CADA make it easier for European AI startups to compete with hyperscalers?
• Why does CADA emphasise secure and verifiable compute for sensitive sectors?

This is general information about a draft EU regulation, not legal advice.