Public Sector · Telecommunications

Your network carries the world's data.
Who has access to your operations?

Telecom operators routing billions of calls and messages rely on US-controlled OSS/BSS platforms, network management tools, and cloud infrastructure. Under the CLOUD Act, every layer of that operational stack is accessible to US authorities — without ever notifying you.

No US jurisdiction · NIS2 essential entity compliant · GDPR · ePrivacy · PDPL · CITC aligned

  • 60% of global telecom BSS/OSS infrastructure is controlled by US hyperscalers — subject to CLOUD Act compelled disclosure regardless of where the data centres are located
  • 72h: maximum window under NIS2 for telecom operators — classified as essential entities — to notify competent authorities of a significant incident affecting network integrity
  • 0 legal mechanisms under GDPR Article 48 that permit a US CLOUD Act order to be complied with lawfully — the conflict with EU data protection law remains unresolved
  • SAR 5M: maximum PDPL fine per violation for telecom operators failing CITC and NCA data residency mandates — doubled for repeat offences, with criminal liability for sensitive subscriber data

The six risks

Why telecom sovereignty cannot wait

High Risk

Call Detail Records: subscriber surveillance by proxy

CDRs are the most sensitive data a telecom operator holds — subscriber identity, call parties, timestamps, cell tower locations, IMSI numbers. When billing and mediation platforms run on US-controlled cloud, these records are permanently accessible under a CLOUD Act order. This exposes the operator to a fundamental contradiction: they are legally obligated to protect subscriber data under GDPR and the ePrivacy Directive, yet their infrastructure makes that protection structurally impossible.

GDPR Art. 5 + ePrivacy Directive · Confidentiality of electronic communications

Structural

5G slice configuration and security metadata

5G network slicing allows operators to create dedicated virtual networks — for governments, critical infrastructure, financial institutions. The configuration, security policies, and slice management data for these sovereign deployments are often orchestrated via US-controlled cloud platforms. An adversary with access to slice metadata can map which critical entities use which logical network segments — a strategic intelligence asset of the highest order, now accessible via CLOUD Act compelled disclosure.

NIS2 Art. 21 · ICT supply-chain risk for essential entities

High Risk

Roaming data and inter-carrier exposure

International roaming creates a complex web of subscriber data flows between operators across jurisdictions. When the platforms managing roaming agreements, fraud detection, and inter-carrier settlement run on US-hosted infrastructure, a CLOUD Act order can expose subscriber data from multiple countries simultaneously — including users who have never interacted with a US company and whose national laws explicitly prohibit this transfer. GDPR Article 48 offers no valid legal pathway for this disclosure.

GDPR Art. 48 · No lawful basis for transfer via CLOUD Act

Compliance

CITC, NCA and SAMA: Saudi sovereign mandates

Saudi telecom operators — STC, Zain, and Mobily — face a dual regulatory burden. CITC mandates that subscriber data remains within the Kingdom of Saudi Arabia. The National Cybersecurity Authority (NCA) requires sovereign cybersecurity infrastructure for all licensed operators. Under the PDPL (enforced by SDAIA since September 2024), Article 29 treats remote access to data stored in Saudi Arabia by a foreign authority as a data export — triggering maximum fines of SAR 5M per violation, doubled for repeat offences.

PDPL Art. 29 · Remote access treated as cross-border data transfer

Operational

NIS2 essential entity obligations for operators

NIS2 Directive Article 3 explicitly classifies providers of electronic communications networks and services as essential entities — the highest category of obligation. Article 21 requires essential entities to implement ICT supply-chain risk management measures covering all platforms used in their operations, including internal communications. A telecom operator using Microsoft Teams or Zoom for their Security Operations Centre (SOC) communications must document this as a supply-chain risk — one that, practically speaking, cannot be adequately mitigated.

NIS2 Art. 3 + Art. 21 · Essential entity supply-chain accountability

The regulatory paradox

What telecom operators must guarantee vs. what US cloud exposes

Every subscriber data protection obligation a telecom operator is legally bound by applies with equal legal force to their operational infrastructure — and US cloud infrastructure undermines all of it.

What US cloud exposes

Your operations, subscriber data, and network intelligence are accessible without your knowledge

  • CDRs and subscriber PII compelled without notification under CLOUD Act gag orders
  • Network topology and 5G slice configuration exposed to foreign intelligence
  • SOC communications and incident response plans accessible during active incidents
  • Roaming and inter-carrier data disclosed across multiple jurisdictions simultaneously
  • Microsoft's French subsidiary confirmed in 2025: sovereignty cannot be guaranteed against US authorities
VS
What AMVLET provides

Sovereign communications infrastructure that operates entirely outside US jurisdiction

  • End-to-end encrypted operational communications for NOC, SOC, and executive channels
  • No US jurisdiction — no CLOUD Act applicability to any AMVLET infrastructure
  • Cryptographic keys held exclusively by your organisation — zero AMVLET access
  • Cross-border federation with partner operators via sovereign, encrypted channels
  • NIS2 essential entity compliant — full supply-chain risk documentation available

Five regulatory layers

Every layer of the telecom regulatory stack has a CLOUD Act exposure problem

AMVLET is purpose-built to address all five layers simultaneously — the only sovereign communications platform built for telecom operators.

01 · Data Protection
Regulator: EDPB · national DPAs · ICO
31 national Data Protection Authorities coordinating GDPR and ePrivacy enforcement — covering all subscriber data, CDRs, and electronic communications metadata held by EU-operating telecom operators
Who it covers: All telecom operators with EU subscribers or EU data centres, regardless of corporate HQ location
Framework: GDPR + ePrivacy

02 · Network Security
Regulator: ENISA · BSI · ANSSI · NCSC
National cybersecurity agencies and CERTs overseeing NIS2 compliance for essential entities — telecom operators are explicitly listed in Annex I as essential entities subject to the strictest ICT supply-chain obligations
Who it covers: All providers of electronic communications networks or services in the EU — no size threshold
Framework: NIS2

03 · Financial Oversight
Regulator: EBA · BaFin · FCA · AMF
European financial regulators applying DORA's ICT third-party risk requirements to telecom operators offering payment infrastructure, mobile banking, or financial data transmission services
Who it covers: Telecom operators classified as financial entities or critical ICT third-party providers under DORA
Framework: DORA

04 · Saudi Telecom Regulation
Regulator: CITC · NCA · SDAIA · SAMA
CITC mandates in-Kingdom subscriber data residency; NCA requires sovereign cybersecurity infrastructure for all licensed operators; SDAIA enforces PDPL with full prosecution authority — Article 29 treats remote access as a data export
Who it covers: All telecom operators licensed in Saudi Arabia — STC, Zain, Mobily, and MVNOs
Framework: PDPL

05 · Government Cloud Sovereignty
Regulator: EU Commission · Member State agencies
The EU Tech Sovereignty Package (May 2026) and Cloud and AI Development Act (CADA) impose restrictions on US cloud for sensitive public-sector data. A €180M sovereign cloud tender was awarded in April 2026, with more procurement frameworks requiring European providers for critical workloads
Who it covers: Telecom operators supplying government, defence, and critical infrastructure communications
Framework: CADA

What is actually at risk

Six categories of telecom data exposed by US cloud infrastructure

Call Detail Records (CDRs)
Subscriber identity, call parties, timestamps, call duration, cell tower location, and IMSI numbers — the most surveillance-sensitive data class a telecom operator holds. Accessible in full via CLOUD Act if billing or mediation runs on US cloud.

Network topology and infrastructure maps
Physical and logical architecture of the network — routing paths, node locations, redundancy configurations, and interconnect points. Strategically sensitive information accessible if network management runs on US-controlled platforms.

Security Operations Centre communications
Internal SOC channels carry real-time threat intelligence, vulnerability disclosures, active incident response communications, and lawful intercept coordination. If these run on US-controlled messaging tools, the operator's security posture is itself a security vulnerability.

Subscriber PII and billing data
Full subscriber profiles — names, addresses, payment methods, contract details, device identifiers, and usage patterns — are subject to GDPR and ePrivacy protection. US cloud billing platforms make this data accessible to US authorities without subscriber notification or GDPR-compliant legal basis.

Spectrum management negotiations
Commercially and strategically sensitive regulatory filings, spectrum auction strategy documents, and frequency assignment negotiations conducted via US-hosted communications platforms are exposed to a jurisdiction with significant competitive interests in the global telecom market.

Roaming partner agreements and inter-carrier data
The commercial terms, fraud thresholds, and technical configuration of roaming agreements between operators — plus live inter-carrier subscriber data flows — are accessible if the management platform is US-controlled. This exposes subscribers and operators across multiple national jurisdictions simultaneously.

Common questions

Telecom sovereignty: what operators are asking

Does the CLOUD Act apply to European telecom operators using US-owned cloud infrastructure?
Yes. The CLOUD Act (18 U.S.C. § 2713) applies based on the nationality of the cloud provider, not the location of the data. If a European telecom operator uses AWS, Microsoft Azure, or Google Cloud to manage any part of its operations — billing, OSS/BSS, network management, internal communications — US law enforcement can compel that US provider to disclose the data, regardless of whether the data is stored in Frankfurt, Paris, or Stockholm. The provider has no legal basis to refuse under US law. This directly conflicts with GDPR Article 48, which prohibits handing EU personal data to foreign authorities without an international agreement. As of 2026, no such agreement resolves this conflict. European operators using US hyperscalers are permanently exposed to this legal paradox.
Are telecom operators classified as essential entities under NIS2?
Yes — explicitly. NIS2 Directive Annex I lists "providers of electronic communications networks or services" in the first category of essential entities, alongside energy, transport, water, health, and digital infrastructure. This classification applies without any size threshold: all licensed telecom operators in the EU are essential entities. As essential entities, they face the strictest obligations under Article 21, including risk management measures for their ICT supply chains, incident reporting obligations (significant incidents must be reported to ENISA within 72 hours), and accountability requirements for their technology vendors. An operator using US-controlled communications platforms for SOC or NOC operations must document this as a supply-chain risk, demonstrate that it is managed, and — given the CLOUD Act exposure — would struggle to demonstrate adequate management in any credible risk assessment.
Does hosting subscriber data in EU data centres of US hyperscalers ensure data sovereignty?
No. This is the core misconception that regulators and operators are increasingly confronting. Physical location of data is irrelevant under the CLOUD Act — what matters is the nationality of the provider. AWS, Microsoft, and Google are US companies. A CLOUD Act order compels them to produce data from any data centre they operate, including those in Frankfurt, Dublin, or Amsterdam. In June 2025, Microsoft's French subsidiary confirmed in a Senate hearing that it cannot guarantee data sovereignty against US authorities even for its "sovereign cloud" product offerings. This is not a design flaw that can be patched — it is a structural consequence of the provider being subject to US law. The only resolution is to use infrastructure that is not subject to US jurisdiction: European or sovereign-by-design providers, self-hosted solutions, or platforms like AMVLET that are built without any US corporate structure or dependency.
What are CITC and NCA's specific requirements for data residency and sovereignty in Saudi Arabia?
The Communications and Information Technology Commission (CITC) requires that subscriber data — including CDRs, billing records, and service usage data — remains within the Kingdom of Saudi Arabia. The National Cybersecurity Authority (NCA) mandates that licensed telecom operators implement sovereign cybersecurity infrastructure, meaning that the platforms used to manage network security, incident response, and operational communications must not be subject to foreign jurisdictional access. SDAIA enforces the Personal Data Protection Law (PDPL), and Article 29 of that law treats any remote access to data stored in Saudi Arabia by a foreign party as a cross-border data transfer — triggering the PDPL's transfer restrictions and maximum fines of SAR 5 million per violation, doubled for repeat offences. SAMA applies additional requirements for telecom operators offering financial or payment services. Together, these four authorities create a comprehensive sovereign mandate that US cloud infrastructure categorically cannot satisfy.
What does AMVLET provide specifically for telecom network operators?
AMVLET provides a sovereign communications layer purpose-built for telecom operators who must maintain confidential internal communications — NOC, SOC, executive, and inter-operator channels — without creating CLOUD Act, GDPR, NIS2, or PDPL exposure. The platform operates entirely outside US jurisdiction, with cryptographic keys held exclusively by your organisation. Deployments are available on EU-sovereign cloud infrastructure, on your own on-premises infrastructure, or fully air-gapped for the most sensitive operational environments. AMVLET supports cross-operator federation, enabling secure communications between partner operators for roaming, interconnect, and incident coordination without routing through any US-controlled intermediary. Built-in audit trails, role-based access controls, and supervision tools support your NIS2 Article 21 supply-chain risk documentation and GDPR Article 32 security obligations. We work directly with legal and compliance teams to produce the documentation required for your regulatory obligations.

Sovereign infrastructure for the networks that connect the world.

Talk to our telecom team about a deployment aligned to your operational, regulatory, and security requirements — from NOC to board level.
