This study guide is for candidates preparing for the Administrators (AD7) in the field of clouds and networks: EPSO/AD/429/26 - 3, the third profile in the EPSO ICT competition.
It accompanies EU Training’s field-related Clouds and Networks practice questions and brings together the main topics and free learning resources used when creating the question set.
The 2026 EPSO ICT AD7 competition has four separate fields. This guide focuses only on Field 3: Clouds and Networks.
The field-related multiple-choice test is taken in your language 2. It contains 30 questions, lasts 40 minutes and has a pass mark of 15/30. Because this test is used for ranking, your goal should not be just to simply hit the pass mark. You need to prepare for applied cloud and network questions under time pressure.
At AD7 level, Clouds and Networks is not about memorising product names or vendor-specific features. The profile is aimed at experienced ICT professionals who understand how cloud and network designs behave when real requirements, outages, security risks, cost limits and governance constraints appear.
The practice questions are designed to test applied judgement. You may see questions on remote access, VPNs, DNS, DHCP, load balancing, segmentation, landing zones, guardrails, shared responsibility, private endpoints, conditional access, firewalls, WAFs, SIEM triage, policy as code, image security, incident response and FinOps.
A strong candidate should be able to distinguish:
- bandwidth issues from latency, jitter or packet loss
- public access from controlled private access
- authentication from authorisation
- policy documentation from enforced guardrails
- cloud provider responsibility from customer responsibility
- more resources from better architecture
- a cost report from a real cost-control action
Use this guide as a study route. Start with the official EPSO competition notice, then work through the topic areas below and focus most on the areas where your practice results are weakest.
The EPSO ICT AD7 Notice of Competition
Always start with the official EPSO Notice of Competition. It is the only legally binding source for the competition rules, test structure, eligibility requirements and field duties.
For Clouds and Networks, the Notice describes a broad technical and operational role. It covers designing and operating cloud and network infrastructures, managing identity, security and network protection services, ensuring service performance, availability, resilience and incident management, and contributing to architecture, standards, service governance and provider management.
NoC link: https://eur-lex.europa.eu/eli/C/2026/2425/oj
The practice questions follow that scope. They begin with enterprise network services and core connectivity, then move into cloud service models, landing zones, hybrid networking, zero trust, perimeter security, monitoring, DevSecOps, continuity, incident handling, FinOps and provider governance.
A frequent trap in this profile is choosing a real technical measure for the wrong layer of the problem. More bandwidth may not fix jitter. A public endpoint may be easy but wrong where the requirement is controlled private access. A policy document may describe the rule but still fail to enforce it.
As you practise, keep asking:
- Which layer is the problem really in?
- Is this a network, identity, cloud, security, cost or governance issue?
- Is the traffic public, private, inbound, outbound, solicited or unsolicited?
- What does the shared-responsibility model leave with the customer?
- Does the measure prevent the issue, detect it, or only report it afterwards?
- Is the proposed answer enforcing the control or just documenting it?
The aim is not to memorise cloud vocabulary. It is to recognise the cloud and network judgement EPSO may test under time pressure.
Main topic areas
The Clouds and Networks practice set contains 200 questions across ten topic areas. These areas reflect the breadth of the EPSO profile, so the questions are not limited to one provider, one platform or one network technology.
Use this section as a study map. For each topic, focus on the practical distinction being tested, not just the terminology.
Enterprise network and telecommunications services
This area covers VPNs, VoIP, Wi-Fi, LANs, guest networks, roaming, VLANs, multicast, remote access and user-device access.
The key is to match the configuration to the actual business need. Real-time voice and video care about latency, jitter and packet loss. Remote access depends on scope, identity and device posture. Guest Wi-Fi needs isolation. Raw bandwidth alone often hides the real cause of poor service quality.
Core network services and connectivity
This area covers DNS, DHCP, IPAM, routing, load balancing, NAT, IPv6, SDN, segmentation and failover.
Focus on what each service actually does. DNS resolves names. DHCP leases addresses. IPAM records authoritative allocation. NAT translates addresses. Load balancers distribute requests and may health-check. VLANs divide broadcast domains, but filtering is still needed for containment.
Cloud service and deployment models, landing zones and guardrails
This area covers IaaS, PaaS, SaaS, shared responsibility, multi-account structures, policy guardrails, logging, tagging, cost limits, landing-zone inheritance and exceptions.
Use the shared-responsibility model carefully. Providers take on more responsibility as you move from IaaS to SaaS, but customer responsibility for identity, access, configuration and data never disappears. Landing zones should give teams a governed starting point, not a set of isolated cloud experiments.
Cloud networking and hybrid integration
This area covers VNET and VPC design, private endpoints, peering, hub-and-spoke networks, hybrid links, NAT gateways, DNS integration and overlapping address space.
A useful habit is to draw the traffic path. Ask where the traffic enters, which address space it uses, what DNS name resolves to, which firewall or security group sees it, and whether the route is resilient. Many wrong answers ignore one step in that chain.
Zero Trust, IAM, authentication and privileged access
This area covers MFA, authentication factors, device posture, conditional access, least privilege, federation, service accounts, privilege escalation, break-glass access and access recertification.
Do not reduce zero trust to MFA. A strong answer considers current signals, resource-specific access, device state, least privilege and continuous evaluation. A successful login in the past does not prove trust forever.
Perimeter and application security
This area covers firewalls, proxies, reverse proxies, WAFs, secure exposure, inbound and outbound filtering, partner access and public-facing applications.
The main distinction is exposure versus control. A login screen is not enough if the whole server surface is public. A firewall rule should match the specific source, destination and port needed. A WAF helps with application-layer threats, but it does not replace secure design.
Monitoring, detection, response and vulnerability management
This area covers SIEM, SOAR, XDR, alert quality, triage, log retention, vulnerability prioritisation, false positives and response workflows.
Focus on what makes an alert actionable. A flood of raw events is not useful detection. A silent rule may be broken. A critical vulnerability on an exposed system that is already being exploited should follow an emergency path, not a routine monthly cycle.
DevSecOps, infrastructure as code and container security
This area covers policy as code, infrastructure-as-code plans, secrets, image scanning, signatures, runtime permissions, canaries, feature flags and CI/CD traceability.
Ask what each control proves. Scanning finds weaknesses. Signing helps prove provenance and integrity. A plan shows intended changes. A canary limits exposure. A secrets manager reduces the spread of static credentials. The right answer depends on the risk in the question.
Availability, performance, continuity and incident handling
This area covers availability calculations, failover, single points of failure, SLO thinking, business timing of outages and recovery design.
Do not look only at the headline availability percentage. A high percentage may still hide bad timing if outages occur during critical business windows. A redundant component in the same failure domain is weak redundancy. A recovery plan that takes longer than the RTO does not meet the requirement, even if the restore succeeds.
FinOps, provider governance, documentation and stakeholder reporting
This area covers right-sizing, idle resources, committed-use discounts, tagging, cost attribution, provider performance, governance and reporting to non-technical stakeholders.
Treat cost as an operational signal. A rising cloud bill without service growth may point to waste. Committing to a discount before right-sizing can lock that waste in. Tags are not administrative decoration; they support ownership, cost-centre accountability and meaningful reporting.
How to read the questions
The Clouds and Networks questions are deliberately layered. You may need to recognise a networking issue inside a cloud scenario, an identity issue inside a security question, or a governance problem inside a cost symptom.
The correct answer is usually the one that addresses the right layer of the problem. A technically valid measure can still be wrong if it solves a different issue.
When reviewing missed questions, write down the decisive distinction in one line. For example:
- bandwidth versus latency
- public versus private access
- authentication versus authorisation
- inherited policy versus local exception
- preventive control versus detective control
- provider responsibility versus customer responsibility
- routing problem versus DNS problem
- policy document versus enforced guardrail
- service availability versus business availability
Practise spotting the decisive word in the question. Words such as public, private, unsolicited, inherited, current, transitive, immutable, standing, live, critical or after the fact can decide the answer.
For calculation questions, make sure you do not stop at the number. Write the formula, calculate the result, then explain what it means operationally.
Free learning resources for Clouds and Networks
The resources below are free to read or study. They were selected because they support the kinds of questions covered in EU Training’s Clouds and Networks practice questions.
You do not need to read everything from start to finish. Thoroughly read the Notice of Competition first, especially the qualifications and duties required for your profile, then use these other resources based on your weaker areas.
Official competition source
EU Careers ICT AD7 Notice of Competition
Start here. This is the official source for the competition and should be used to check the field profile, duties and selection context. Keep an eye on your EPSO profile page too for important updates and test date announcements.
NoC link: https://eur-lex.europa.eu/eli/C/2026/2425/oj
EPSO profile page link: https://eu-careers.europa.eu/en/job-opportunities/clouds-and-networks
Networking refresher
Microsoft Learn: fundamentals of computer networking
A useful refresher on TCP/IP, DNS, ports, network devices and basic communication concepts. Good if you need to revisit core network terms before tackling cloud and hybrid scenarios.
Link: https://learn.microsoft.com/en-us/training/modules/network-fundamentals/
Cisco Networking Basics
A free Cisco Networking Academy course on devices, media, protocols, addressing and basic network operation. A free account may be needed, but there is no course paywall.
Link: https://www.netacad.com/courses/networking-basics?courseLang=en-US
Cloudflare Learning Center
Clear explanatory material on DNS, DDoS, WAF, CDN, load balancing, VPN, TLS, proxies and network performance. Useful for plain-English network concepts and security basics.
Link: https://www.cloudflare.com/learning/
Cloud models, architecture and landing zones
NIST SP 800-145: The NIST Definition of Cloud Computing
Useful for the essential characteristics of cloud computing, service models and deployment models.
Link: https://csrc.nist.gov/pubs/sp/800/145/final
Microsoft Cloud Adoption Framework
Useful for cloud strategy, landing zones, governance, management and adoption. Especially relevant for questions on guardrails and controlled cloud environments.
Link: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/
AWS Well-Architected Framework
Free architecture guidance on operational excellence, security, reliability, performance, cost optimisation and sustainability. Use it as a vendor-specific but concept-rich reference.
Link: https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
Google Cloud Well-Architected Framework
Useful for secure, resilient, efficient and cost-optimised cloud topology guidance.
Link: https://docs.cloud.google.com/architecture/framework
Zero trust, identity and access security
NIST SP 800-207: Zero Trust Architecture
Useful for identity, device posture, resource-specific access and continuous evaluation.
Link: https://csrc.nist.gov/pubs/sp/800/207/final
CISA Zero Trust Maturity Model
A practical maturity model covering identity, devices, networks, applications and data as pillars of zero-trust adoption.
Link: https://www.cisa.gov/sites/default/files/2023-04/CISA_Zero_Trust_Maturity_Model_Version_2_508c.pdf
Application and perimeter security
OWASP Top 10
Useful for understanding the main web application security risks, especially where infrastructure decisions affect public exposure, WAFs and application-layer protection.
Link: https://owasp.org/www-project-top-ten/
OWASP Cheat Sheet Series
Practical guidance on authentication, secrets, logging, access control, TLS, file uploads and other application-security topics.
Link: https://cheatsheetseries.owasp.org/
Cloud cost, operations and resilience
FinOps Framework
Useful for cloud cost management, accountability, allocation, optimisation and collaboration between finance, IT and business teams.
Link: https://www.finops.org/framework/
Google Site Reliability Engineering books
Useful for reliability, monitoring, incident response, SLOs, availability and error budgets. Strong background for operations and resilience questions.
Link: https://sre.google/books/
Quick recap
The points below recap the most useful practice habits from this guide. Use them after each question block to make sure you are reviewing actively, not just checking your score.
- Work through one topic area at a time.
- After each question block, write down the distinction that decided the answer.
- For plausible wrong answers, note why they were tempting but incorrect.
- For calculations, write the formula, do the maths, then explain what the result means.
- For action-based questions, ask who owns the decision, control or escalation.
- Check whether the answer addresses the right layer of the problem.
- Focus on the cloud or network principle behind the answer, not just the correct option.