Summary

As proposed, the Cloud and AI Development Act (CADA) creates significant sovereign-cloud pressure on the energy sector by establishing a "Union cloud computing sovereignty framework." Because energy infrastructure is classified as critical under the NIS2 Directive, Member States must conduct risk assessments that often require higher Union assurance levels (2, 3, or 4) for cloud services supporting public-order activities. While CADA does not directly mandate private energy companies to use sovereign clouds, Recital 66 explicitly states that public procurement requirements "tend to be mirrored by private-sector entities operating in regulated industries," creating a de facto market shift. Energy operators must prepare for rigorous audits, personnel citizenship checks, and strict third-country control restrictions to remain viable partners for public utilities and critical infrastructure.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a comprehensive framework to reduce dependencies on third-country providers and safeguard the Union's public order. For the energy sector—a domain defined by critical infrastructure and high regulatory scrutiny—this framework creates pressure through a combination of direct public procurement mandates and powerful indirect market dynamics.

The Four Union Assurance Levels

At the core of CADA's sovereignty framework are four "Union assurance levels," established under Article 16. These levels define the cumulative criteria a cloud computing service must meet to be recognized as providing a specific level of Union assurance. The criteria, detailed in Annex II, escalate in stringency:

  • Union Assurance Level 1: The baseline. Requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union unless explicitly required otherwise. It mandates state-of-the-art cybersecurity standards and full transparency regarding subcontractors.
  • Union Assurance Level 2: Adds requirements for the location of personnel within the Union and mandates a European cybersecurity certificate of at least 'substantial' assurance level under a scheme established under Regulation (EU) 2019/881. It also imposes strict controls on data usage (e.g., data cannot be used to train third-country AI systems) and requires detailed software supply chain transparency, including Software Bills of Materials (SBOM).
  • Union Assurance Level 3: Imposes that personnel, including those of subcontractors, must be Union citizens and may require national security clearances when handling classified information. Crucially, the provider and its subcontractors must not be subject to the control of a third country. A derogation exists only if the Commission has adopted an implementing act under Article 18 (associated third countries) confirming sufficient safeguards.
  • Union Assurance Level 4: The highest tier. Requires Union citizenship for all personnel, a European cybersecurity certificate of at least 'high' assurance level, and absolute independence from third-country control. It mandates effective legal, technical, and organizational separation from any third-country subsidiaries and ensures no third country holds effective control over the design or evolution of software components.

Risk Assessments and Public Procurement in Energy

Under Article 29, Member States and Union entities are obligated to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. Recital 62 notes that these assessments must consider sectors falling under Directive (EU) 2022/2555 (NIS2), which explicitly lists energy (electricity, district heating, gas, hydrogen) as a critical sector.

Consequently, cloud services supporting energy grid management, regulatory functions, or critical infrastructure are likely to be classified as activities contributing to public order. This classification triggers Article 30(3), which mandates that contracting authorities in these sectors "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." Public entities managing energy grids cannot simply choose the cheapest provider; they must select from a curated list of providers recognized under the CADA framework.

The "Mirror Effect" on Private Energy Operators

While Articles 29 and 30 directly bind public authorities, the pressure extends to private energy companies through what the proposal describes as a "mirror effect." Recital 66 explicitly states: "Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

The energy sector is heavily regulated. Energy operators are classified as "essential entities" under the NIS2 Directive, subject to strict cybersecurity risk management obligations. CADA acknowledges this overlap in Article 31, which allows entities referred to in Annex I of the NIS2 Directive (that are not public sector bodies) to "carry out similar assessments as those set out in Article 29." Although Article 31 is currently permissive ("may carry out"), the market reality is that private energy companies often align their procurement standards with public sector requirements to ensure interoperability, joint ventures, and compliance with overarching regulatory expectations. If a public utility requires Level 3 for a joint project, the private partner will likely have to match that standard.

Implications for Cloud Providers and Data Centre Operators

For cloud service providers (CSPs) and data centre operators, this creates a bifurcated market. To serve the energy sector effectively, providers must either:

  1. Obtain recognition for one of the higher Union Assurance Levels (2, 3, or 4), which involves rigorous independent third-party audits (Article 20) and compliance with complex criteria regarding data localization, personnel citizenship, and third-country control.
  2. Exit the high-value energy segment if they cannot or do not wish to meet these sovereignty criteria.

The proposal emphasizes that auditing organizations must be independent and that audit reports must be substantiated. Providers must demonstrate that their software supply chains are transparent and that they have measures to prevent remote tampering or disruption from third countries. This is particularly relevant for energy grids, where operational continuity is paramount.

What this means for you

If you are a cloud service provider, data centre operator, or an energy utility planning your digital strategy, CADA proposes a significant shift in competitive dynamics.

1. Prepare for Sovereign Audits and Personnel Checks

You must evaluate your current service offerings against the criteria for Union Assurance Levels 2, 3, and 4 in Annex II. Key areas of focus include:

  • Data Localization: Ensure all customer data, metadata, and telemetry data remain exclusively within the Union.
  • Personnel: For Level 2, verify that personnel are located in the Union. For Levels 3 and 4, verify that personnel are Union citizens. Be prepared to provide proof of citizenship and, where applicable, national security clearances.
  • Third-Country Control: Demonstrate that neither you nor your subcontractors are subject to the control of a third country. This requires a deep analysis of ownership structures, board composition, and commercial links.
  • Cybersecurity Certification: Obtain a European cybersecurity certificate of at least 'substantial' assurance level (for Levels 2 and 3) or 'high' assurance level (for Level 4) under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Note that Level 3 requires at least 'substantial' while Level 4 requires 'high'; a 'substantial' certificate alone does not satisfy every level.

2. Engage with NIS2 Obligations

Energy operators are already subject to NIS2 cybersecurity requirements. Align your CADA compliance strategy with these existing obligations. Highlight how your sovereign cloud offerings help energy clients meet both NIS2 resilience requirements and CADA sovereignty standards. This dual compliance is a strong selling point.

3. Anticipate Private Sector Demand

Even if your direct clients are private energy companies, expect them to request CADA-compliant services. Recital 66's "mirror effect" suggests that private entities will increasingly demand Union Assurance Levels to mitigate regulatory and operational risks. Proactively offering recognized sovereign cloud services will position you as a preferred partner in the energy sector.

4. Plan for Transition Costs

Achieving higher assurance levels involves costs related to audits, potential infrastructure relocation, personnel screening, and software supply chain documentation. Factor these into your pricing models for energy sector clients. The proposal notes that public procurement may consider European added value criteria (Article 32), which could favor providers who demonstrate strong contributions to the Union's digital sovereignty.

Common misconceptions

Misconception 1: CADA directly forces private energy companies to use sovereign clouds. Correction: CADA's direct procurement mandates (Article 30) apply to public authorities and Union entities. Private energy companies are not directly mandated to procure specific assurance levels. However, Recital 66 and the critical nature of their infrastructure under NIS2 create strong indirect pressure. Private entities "may" conduct impact assessments (Article 31), but market forces and regulatory alignment often lead to de facto compliance.

Misconception 2: Only US-based providers are affected. Correction: While the proposal aims to reduce dependence on third-country providers, the sovereignty criteria apply to all providers seeking recognition. European providers must also meet the strict criteria for Union Assurance Levels 2, 3, and 4. This includes requirements for Union citizenship of personnel, European cybersecurity certification, and independence from third-country control. Many European providers currently do not meet these stringent criteria and must adapt.

Misconception 3: Data localization alone is sufficient for sovereignty. Correction: Data localization is a baseline requirement for Union Assurance Level 1. Higher levels (2, 3, 4) require much more, including cybersecurity certification, personnel citizenship, supply chain transparency, and absence of third-country control. A provider can have data in the EU but still fail to meet Level 3 or 4 if, for example, its board is controlled by a third-country entity or if its personnel are not Union citizens.

Misconception 4: The EU-US Data Privacy Framework resolves sovereignty concerns. Correction: The proposal explicitly states that while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers (Explanatory Memorandum). CADA's sovereignty framework goes beyond data protection to include operational autonomy and resilience against third-country interference.

This is general information about a draft EU regulation, not legal advice.