Summary
The proposed Cloud and AI Development Act (CADA) creates significant sovereign-cloud pressure for telecommunications operators not through direct regulation of the sector, but by establishing a four-tier Union assurance level framework for public procurement that is expected to spill over into regulated private industries. While CADA primarily targets contracting authorities, Recital 66 explicitly states that public procurement requirements "tend to be mirrored by private-sector entities operating in regulated industries." As telecommunications operators are classified as essential entities under the NIS2 Directive (Directive (EU) 2022/2555), their cloud supply chains face de facto pressure to align with CADA's sovereignty criteria (particularly Union assurance levels 2, 3, and 4) to maintain market access and ensure resilience against third-country interference.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on third-country providers and to safeguard public order. For telecommunications operators, who are increasingly reliant on cloud infrastructure for network operations, customer data management, and service delivery, this framework creates a powerful market signal that extends beyond the public sector.
The Four Union Assurance Levels
At the heart of CADA's sovereignty framework are four Union assurance levels, detailed in Annex II and referenced in Article 16. These levels define the cumulative criteria cloud computing service providers must meet to be recognised as offering services to Union entities and public sector bodies. The pressure on telecoms arises because their critical infrastructure status often aligns with the higher assurance tiers required for public-order-relevant activities.
- Union Assurance Level 1: This is the baseline. It requires the provider to be established in the Union, with infrastructure and assets located in the Union. Customer data must remain exclusively within the Union unless explicitly required otherwise by the public sector body. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors.
- Union Assurance Level 2: Builds on Level 1 by requiring that subcontractors involved in service provision are also established in the Union. Crucially, infrastructure, assets, and personnel must be located in the Union. The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Data generated by the service cannot be used to train AI systems operated by third countries.
- Union Assurance Level 3: Imposes stricter personnel requirements, mandating that personnel involved in service provision are Union citizens. The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country, unless a specific derogation is granted by the Commission under Article 18. Technical and operational support must be performed exclusively within the Union by Union residents.
- Union Assurance Level 4: The highest level, requiring that sensitive data identified through risk assessment remains exclusively within the Union. Personnel must be Union citizens with necessary national security clearances. The service must obtain a European cybersecurity certificate of at least assurance level 'high'. There is no third-country control allowed for the provider or subcontractors.
Public Procurement and the NIS2 Link
Article 29 of CADA obliges Member States and Union entities to conduct risk assessments to determine which Union assurance level is appropriate for specific public sector activities. These assessments consider the sensitivity of data, the criticality of the service, and the potential impact on public order.
Article 30 then mandates procurement rules based on these assessments:
- Public sector bodies whose activities are not identified as contributing to the preservation of public order must use cloud services recognised as offering Union Assurance Level 1.
- Contracting authorities whose activities are identified as contributing to the preservation of public order must only procure services recognised as offering Union Assurance Levels 2, 3, or 4.
The link to telecommunications is explicit in the text. Article 30(3) specifies that this higher procurement requirement applies to activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2). Telecommunications networks and services are explicitly listed as essential entities under NIS2. Therefore, when public bodies procure cloud services for activities related to telecommunications infrastructure or public safety, they are legally required (as proposed) to demand Level 2, 3, or 4 assurance.
The Spillover Effect: Recital 66 and Regulated Industries
The direct impact of CADA on private telecom operators is mediated through market dynamics and sector-specific regulations. Recital 66 of CADA explicitly addresses this dynamic, stating:
"Public procurement frequently serves as a primary signal of market direction. Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."
This recital confirms that while CADA does not directly mandate private telecoms to adopt specific assurance levels, the market will likely force them to do so. Telecommunications operators are classified as essential entities under the NIS2 Directive, which imposes strict cybersecurity and risk management obligations. Because telecoms are critical to public order and national security, their cloud providers are likely to be scrutinised under the same sovereignty and resilience standards applied to public sector bodies. A telecom operator relying on a Level 1 provider for critical network functions may find itself unable to demonstrate the "high common level of cybersecurity" required by NIS2 if that provider cannot meet the higher sovereignty standards demanded by public clients and regulators.
Article 31: Private Sector Impact Assessments
While CADA primarily targets public procurement, Article 31 introduces a mechanism for private sector entities. It allows entities referred to in Annex I of the NIS2 Directive (which includes telecom operators) to carry out impact assessments similar to those conducted by public bodies. Although these assessments are not mandatory under CADA, the Commission may issue guidance or adopt delegated acts requiring them for entities in high-criticality sectors.
This creates a de facto expectation that telecom operators will assess their cloud dependencies against the Union assurance levels to ensure compliance with broader cybersecurity and resilience goals. If a telecom operator conducts such an assessment and identifies a risk to public order, the logical mitigation measure under CADA's framework would be to migrate to a provider offering a higher assurance level.
What this means for you
For cloud service providers, data centre operators, and telecommunications operators serving the sector, CADA's sovereignty framework translates into concrete operational and strategic requirements:
- Supply Chain Transparency: You must be prepared to provide detailed evidence of your establishment, infrastructure location, personnel citizenship, and subcontractor relationships. Levels 2–4 require rigorous documentation of software bills of materials (SBOMs) and supply chain controls, as detailed in Annex II.
- Cybersecurity Certification: To qualify for Levels 2–4, you will need to obtain or demonstrate compliance with the EUCS certification scheme. Telecom operators will increasingly prefer or require providers with these certifications to mitigate their own NIS2-related risks. Note that Level 2 requires a 'substantial' certificate, while Level 4 requires a 'high' certificate.
- Data Localisation and Control: Ensure that customer data, including metadata and telemetry, remains within the Union. Any cross-border data flows must be explicitly authorised and documented. For Levels 3 and 4, you must demonstrate that no third-country entity exercises control over your operations or infrastructure.
- Contractual Alignment: Review contracts with telecom clients to include clauses that reflect the Union assurance levels. Be prepared to undergo independent third-party audits (for Levels 2–4) and provide audit reports to clients and competent authorities.
- Strategic Positioning: Market your services based on their Union assurance level. Telecom operators seeking to align with public sector standards or enhance their own resilience will prioritise providers offering higher assurance levels.
Common misconceptions
"CADA directly regulates private telecom operators." No. CADA primarily regulates public procurement and the recognition of cloud services. However, its influence on private operators is indirect but powerful, driven by market signals (Recital 66) and the need for telecoms to comply with NIS2 cybersecurity obligations. The pressure is market-driven, not a direct statutory mandate on private entities to adopt a specific level.
"Only Level 4 is relevant for critical infrastructure." Not necessarily. The appropriate assurance level depends on the risk assessment of specific activities. While some critical telecom functions (e.g., those handling classified information) may require Level 3 or 4, others may only require Level 2 or even Level 1, depending on the sensitivity of the data and the criticality of the service to public order. The framework is risk-based.
"Third-country providers are completely excluded." No. Third-country providers can still qualify for Union Assurance Level 3 if the Commission adopts a decision under Article 18 recognising that the third country provides sufficient safeguards. This requires an adequacy decision under the GDPR and the absence of measures allowing third-country access to data or service disruption. However, Level 4 strictly prohibits third-country control.
"CADA replaces the NIS2 Directive." No. CADA complements NIS2. NIS2 focuses on technical cybersecurity risk management, while CADA addresses sovereignty, third-country control, and operational autonomy. They operate in parallel, with CADA's assurance levels often serving as a tool to meet NIS2's resilience requirements.
This is general information about a draft EU regulation, not legal advice.