When do CADA obligations start for the telecom sector?

Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) enters into force 20 days after publication in the Official Journal, but its substantive obligations apply only one year later, as explicitly stated in Article 48. For the telecom sector, this creates a critical transition window. Member States must designate data centre acceleration zones within six months and establish national strategies and competent authorities within one year. Crucially, CADA does not replace the NIS2 Directive; it operates in parallel. Telecom operators, already subject to NIS2 as essential entities, will face additional sovereignty requirements under CADA's Union assurance levels, particularly if they provide cloud services to public bodies performing functions related to public order.

Detail

The precise timing of CADA's entry into force and application is governed by Article 48 of the proposal. This article establishes a clear distinction between the legal existence of the Regulation and the moment its rules become binding on Member States and market participants.

Article 48 states: "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." However, the same article clarifies the application date: "It shall apply from [same day and month as date of entry into force plus 1 year]."

This one-year gap is not merely a formality; it is a structured transition period designed to allow Member States to build the necessary administrative and physical infrastructure before the rules bite. For the telecom sector, which often acts as both a critical infrastructure provider and a potential cloud service supplier, understanding this timeline is essential for compliance planning.

Staged Deadlines for Member States

While the general application date is one year after entry into force, the proposal imposes earlier, staged deadlines on Member States to ensure the regulatory framework is operational. These deadlines directly impact the telecom sector's ability to deploy infrastructure and the public sector's ability to procure services.

• Data Centre Acceleration Zones (6 Months): Under Article 10(1), Member States must designate at least one data centre acceleration zone within their territory by the date of entry into force plus six months. This is the earliest major deadline. For telecom operators involved in data centre construction or colocation, this timeline dictates when the streamlined permitting regimes and grid connection incentives will become available.
• National Cloud and AI Strategies (1 Year): Under Article 7(1), Member States must establish national cloud and AI strategies by the date of entry into force plus one year. These strategies must include measures to accelerate data centre deployment and support the uptake of cloud services, aligning with the CADA objectives.
• Designation of Competent Authorities (1 Year): Under Article 25(1), Member States must designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework by the date of entry into force plus one year. These authorities will be the primary point of contact for cloud providers seeking recognition of their Union assurance levels.
• Single Information Points (1 Year): Under Article 12, Member States must designate single information points to assist data centre operators with permitting procedures. This must be completed within the initial implementation phase to facilitate the accelerated deployment of data centres.
• Risk Assessments (1 Year): Under Article 29(1), Member States and Union entities must carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must be completed by the date of entry into force plus one year and repeated every two years thereafter.

The Telecom Sector: Parallel Application with NIS2

A critical aspect of the CADA timeline for the telecom sector is its relationship with the NIS2 Directive (Directive (EU) 2022/2555). NIS2 is already in force and imposes strict cybersecurity risk management obligations on telecom operators, who are classified as essential entities.

CADA does not replace NIS2. Instead, it adds a layer of sovereignty assurance. The proposal explicitly acknowledges this in the explanatory memorandum, noting that CADA complements the Cybersecurity Act and NIS2 by addressing non-technical risks, such as extraterritorial data access and operational continuity.

The link between the two regimes is operationalized through Article 29(1) and Article 30(3).

• Article 29(1) requires risk assessments to identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive. The telecom sector is explicitly listed in these annexes.
• Article 30(3) mandates that contracting authorities procuring cloud services for activities identified in the risk assessment (including those in the telecom sector) must only procure services recognised as offering Union assurance levels 2, 3, or 4.

This means that while NIS2 ensures the technical security of telecom networks, CADA ensures the sovereign integrity of the cloud infrastructure supporting them. Telecom operators providing cloud services to public bodies must therefore prepare for dual compliance: meeting NIS2's cybersecurity standards and CADA's sovereignty criteria (such as Union establishment, data localisation, and personnel requirements).

Procurement Obligations and Transition

Once the one-year application date arrives, the procurement rules in Article 30 become fully effective.

• Baseline Requirement: All public sector bodies must procure at least Union assurance level 1 cloud services.
• Critical Functions: For activities contributing to public order (including telecoms under NIS2), the requirement rises to levels 2, 3, or 4.

Article 29(6) provides a safety valve for migration. If a risk assessment requires a migration to a different cloud service, the Member State or Union entity must migrate within a reasonable transition period that "shall not exceed 12 months," taking into account technical feasibility and data portability. This suggests that even after the one-year application date, entities may have up to an additional year to migrate critical services to compliant providers, provided the risk assessment was completed on time.

What this means for you

For telecom operators, public procurement officers, and legal counsel in the sector, the CADA timeline demands immediate preparation:

1. Map the Six-Month Window: If your organisation is involved in data centre deployment, monitor the designation of data centre acceleration zones by your Member State. This occurs six months after entry into force and will unlock streamlined permitting.
2. Prepare for the One-Year Risk Assessment: Public sector bodies must complete their risk assessments under Article 29 within one year. Telecom operators supplying these bodies should anticipate requests for evidence regarding their Union assurance levels (e.g., proof of Union establishment, data localisation, and personnel citizenship).
3. Audit for Dual Compliance: Ensure your cloud offerings meet both NIS2 cybersecurity requirements and the proposed CADA sovereignty criteria. The criteria for Union assurance levels 2, 3, and 4 (Annex II) include specific requirements for cybersecurity certification (at least "substantial" for levels 2 and 3, "high" for level 4) and personnel screening.
4. Plan for Migration: If you are a public body relying on non-compliant cloud services, initiate the migration planning now. While Article 29(6) allows a 12-month transition period after the risk assessment, the clock starts ticking once the assessment is completed (one year after entry into force).
5. Engage with Competent Authorities: Once designated (one year after entry into force), national competent authorities will manage the recognition of cloud services. Establishing a dialogue early can clarify the evidence required for recognition.

Common misconceptions

"CADA replaces NIS2 for telecom operators." No. CADA and NIS2 are complementary. NIS2 focuses on technical cybersecurity risk management and incident reporting. CADA focuses on sovereignty, data localisation, and the control of infrastructure by third countries. Telecom operators must comply with both.

"Obligations start immediately upon publication." No. Article 48 clearly states a one-year application delay. However, preparatory obligations for Member States (like designating acceleration zones) begin within six months of entry into force.

"All cloud services must meet the highest sovereignty level." No. The requirement depends on the risk assessment. Only services used for activities contributing to the preservation of public order (which includes telecoms under NIS2) require levels 2, 3, or 4. Other public sector procurement requires only level 1.

"The transition period is indefinite." No. Article 29(6) limits the migration transition period to a maximum of 12 months after the risk assessment identifies a need for migration.

Official sources

• Cybersecurity Act (Regulation (EU) 2019/881)

Related

• When do CADA obligations start for the healthcare sector?
• When do CADA obligations start applying to the financial sector?
• When do CADA obligations start for energy and utilities?
• When do CADA provisions affect the automotive sector?
• When can AI startups start benefiting from CADA support?

This is general information about a draft EU regulation, not legal advice.