CADA for connectivity and submarine-cable operators

Summary As proposed, the Cloud and AI Development Act (CADA) does not directly regulate submarine-cable operators or pure-play connectivity providers, as its scope is strictly limited to cloud computing services and AI systems. However, CADA creates a powerful downstream demand shock for resilient, intra-EU connectivity. By mandating that Member States and Union entities conduct Article 29 risk assessments to identify activities contributing to "public order" (including critical digital infrastructure under NIS2 and the Preparedness Union Strategy), CADA forces critical sectors to procure cloud services at high Union assurance levels (2, 3, or 4). These levels impose strict data-localisation and infrastructure-location criteria (Annex II), effectively requiring that the underlying connectivity—whether terrestrial fiber or submarine cables—remains exclusively within the Union to prevent third-country routing. While CADA complements the cybersecurity focus of NIS2 and the resilience goals of the Preparedness Union Strategy, it shifts the compliance burden to cloud providers and their customers, making connectivity operators critical enablers of sovereign data flows rather than direct subjects of the regulation.

Detail

The Cloud and AI Development Act (CADA), as set out in Commission Proposal COM(2026) 502 final, establishes a framework to strengthen Europe's cloud and AI ecosystem. For connectivity and submarine-cable operators, the regulation's impact is not found in direct obligations but in the structural transformation of the market for cloud services that rely on their infrastructure.

1. Scope: Why Connectivity Operators Are Not Directly Regulated

CADA's regulatory reach is defined by its definition of "cloud computing service" in Article 2(1), which mirrors the definition in Article 6, point (30), of Directive (EU) 2022/2555 (NIS2). This definition covers digital services enabling on-demand access to scalable computing resources. Crucially, the explanatory memorandum and the text of the proposal clarify that the AI system itself and its underlying model are excluded, as is the pure transmission of data without the provision of computing resources.

Therefore, submarine-cable operators and entities providing only connectivity (transmission) without cloud computing services fall outside the direct scope of CADA's sovereignty framework. They are not required to undergo the independent audits (Article 20), submit to the central repository registration (Article 22), or achieve Union assurance levels themselves.

2. The Critical Infrastructure Framing: NIS2 and the Preparedness Union Strategy

The indirect impact on connectivity operators stems from how CADA interacts with the existing critical infrastructure landscape. The proposal explicitly aligns with the Preparedness Union Strategy, which identifies dependence on critical digital infrastructure as a systemic risk. The explanatory memorandum states that the sovereignty framework, and in particular the risk assessment mechanism in Article 29, "contributes directly to the digital preparedness dimension of that Strategy by ensuring that the cloud and AI services underpinning emergency management, civil protection coordination and disaster response operations are provided at the appropriate Union assurance level."

Furthermore, Article 29(1) mandates that Member States and Union entities identify public sector activities that contribute to the preservation of public order. This identification explicitly includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2). The NIS2 Directive covers "digital infrastructure" providers, which includes internet exchange points, domain name system (DNS) service providers, and top-level domain name registries, as well as cloud computing service providers.

While NIS2 focuses on technical cybersecurity risk management, CADA addresses sovereignty and geopolitical risk. For connectivity operators serving these NIS2-covered entities, the implication is profound: their customers (the critical infrastructure providers) will be legally required to assess whether their cloud usage poses a risk to public order. If the risk assessment determines that the activity is critical to public order, the customer must procure cloud services at Union assurance levels 2, 3, or 4.

3. Article 29 Risk Assessments: The Trigger for Sovereign Data Flows

Article 29 is the engine driving the demand for sovereign connectivity. It requires Member States and Union entities to carry out risk assessments to determine the appropriate Union assurance level for their activities.

• Identification of Public Order Relevance: Under Article 29(1)(a), authorities must identify activities in sectors such as national security, internal security, external border management, defence, justice, and law enforcement. Crucially, this includes sectors under NIS2 Annex I and II. For a connectivity operator, this means that if they provide services to a critical digital infrastructure provider (e.g., a major internet exchange or a backbone provider), that provider may be forced to classify their cloud usage as "public order relevant."
• Determination of Assurance Levels: Once an activity is identified as contributing to public order, Article 29(1)(b) requires the authority to determine if Union assurance levels 2, 3, or 4 are appropriate.
• The Sovereign Cloud Mandate: If a higher assurance level is required, Article 30(3) mandates that the contracting authority "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

This creates a chain reaction. To achieve these assurance levels, cloud providers must meet the cumulative criteria in Annex II. For Union assurance level 3 and 4, Annex II, Section 3.1(b) and 4.1(b) require that "the infrastructure, assets, and personnel... are located in the Union." Furthermore, Annex II, Section 3.1(c) and 4.1(c) mandate that customer data "remain exclusively within the Union."

For a cloud provider to meet these criteria, the underlying network infrastructure—including submarine cables and terrestrial fiber—must not route data outside the Union. If a cable operator routes traffic through a third country, the cloud provider using that cable cannot guarantee that data remains exclusively within the Union, thereby failing the criteria for levels 3 and 4. Thus, connectivity operators become the gatekeepers of sovereign data flows.

4. Sovereign Cloud Assurance for Critical Connectivity Data

The specific requirements for Union assurance levels 2, 3, and 4 in Annex II impose strict constraints on data flows that directly impact cable operators:

• Data Localisation: Annex II, Section 2.1(c), 3.1(c), and 4.1(c) require that customer data, including metadata and telemetry, remain exclusively within the Union. This prohibits the use of international cables that transit through third countries for the storage or processing of sensitive data associated with high-assurance cloud services.
• Infrastructure Location: Annex II, Section 2.1(b), 3.1(b), and 4.1(b) require that the infrastructure and assets of the provider (and its subcontractors) are located in the Union. While this primarily targets data centres, it extends to the network assets used to deliver the service. If a cloud provider relies on a submarine cable landing station in a third country or a cable segment that traverses non-EU waters for the primary routing of critical data, they may struggle to demonstrate compliance with the "exclusively within the Union" requirement.
• Third-Country Control: Annex II, Section 3.1(g) and 4.1(g) prohibit the provider and its subcontractors from being subject to the control of a third country. For connectivity operators, this means that if a cable system is controlled by a third-country entity, cloud providers serving critical public-order activities may be forced to avoid that infrastructure entirely, unless the Commission has adopted an implementing act under Article 18 (associated third countries) granting a derogation. Note that Article 18 is the correct cross-reference for third-country derogations in the context of assurance levels, correcting any potential drafting slips in earlier discussions.

5. Strategic Projects and Data Centre Acceleration Zones

CADA also introduces mechanisms that directly benefit connectivity infrastructure. Article 10 requires Member States to designate data centre acceleration zones, and Article 14 allows the Commission to designate data centre strategic projects.

Article 14(1)(c) specifically lists as a criterion for strategic projects: "the project contributes to the security, safety, and stability of the electricity grid and contributes to the electricity system needs." Article 14(1)(e) includes projects that "address a major shortage of compute capacity." Connectivity operators providing the high-bandwidth, low-latency links required to connect these strategic data centres to the broader EU network may find themselves integral to these designated projects. The proposal aims to triple EU data centre capacity, necessitating massive upgrades to intra-EU connectivity, particularly for submarine cables connecting EU member states to ensure data sovereignty.

What this means for you

For CTOs, network architects, and strategic planners at connectivity and submarine-cable operators, CADA represents a shift from being a passive utility to a strategic enabler of EU sovereignty.

1. Architect for "Exclusively Within the Union": Your network architecture must be capable of guaranteeing that traffic for critical cloud services does not transit through third countries. This may require dedicated intra-EU fiber routes, submarine cables with landing stations exclusively in the EU, and strict routing policies that prevent "hair-pinning" through non-EU hubs.
2. Partner with Sovereign Cloud Providers: Cloud providers seeking recognition at Union assurance levels 2, 3, or 4 will actively seek connectivity partners who can certify that their infrastructure supports the "exclusively within the Union" requirement. Position your services as the "sovereign backbone" for these providers.
3. Engage with NIS2 Critical Entities: Your customers in the digital infrastructure sector (NIS2 Annex I/II) will be conducting Article 29 risk assessments. Proactively engage with them to demonstrate how your connectivity solutions support their sovereignty requirements. If they are mandated to use high-assurance cloud, they will need your assurance that the data flow is sovereign.
4. Monitor Strategic Project Designations: Keep a close watch on Article 14 designations for data centre strategic projects. These projects will likely require significant connectivity investments. Being a preferred partner for these projects could secure long-term contracts and influence the physical layout of future EU data centre clusters.
5. Understand the "Public Order" Definition: Be aware that the definition of "public order" in Article 29 is broad, covering national security, defence, and law enforcement. Even if your customer is a private entity, if they serve a public-order function (e.g., a private cloud provider serving a government agency), the sovereignty requirements will cascade down to your connectivity layer.

Common misconceptions

"CADA directly regulates submarine-cable operators." No. CADA regulates cloud computing service providers and the public/private entities that procure them. Connectivity operators are not subject to the audit, recognition, or assurance level requirements of the Act. However, they are indirectly regulated through the contractual demands of their cloud customers.

"CADA replaces the cybersecurity requirements of NIS2." No. CADA complements NIS2. NIS2 focuses on technical cybersecurity risk management (e.g., incident response, network security). CADA focuses on sovereignty, geopolitical dependencies, and the location of infrastructure and data. A connectivity operator must comply with NIS2 for cybersecurity and may face new market demands from CADA for sovereignty.

"All cloud services must meet the highest sovereignty standards." No. CADA uses a risk-based approach under Article 29. Only activities identified as contributing to the preservation of public order (e.g., law enforcement, defence, critical digital infrastructure) are required to procure cloud services at Union assurance levels 2, 3, or 4. Most general public services may only require Union assurance level 1, which has less stringent geographic constraints.

"Data can be routed through third countries if it is encrypted." No. Annex II, Section 3.1(c) and 4.1(c) require that customer data "remain exclusively within the Union." This is a geographic constraint on the data itself, not just its security status. Encryption does not satisfy the requirement if the data physically traverses a third country's infrastructure.

Related

• CADA for Pharma: Frontier AI, Health Data Reuse & NIS2 Impact Assessments
• CADA for Insurance Companies: Voluntary Assessments & Sovereign Cloud
• CADA and NIS2 for Energy Operators: The Sovereignty Layer Explained
• How do CADA data-centre acceleration zones affect grid operators?
• Does CADA require energy operators to use EU sovereign cloud?

This is general information about a draft EU regulation, not legal advice.