Summary

Yes. Under the proposed Cloud and AI Development Act (CADA), EU agencies and bodies such as ENISA (the EU Agency for Cybersecurity) and the European Central Bank (ECB) would be "Union entities." Article 2(7) of the proposal defines Union entities as the Union institutions, bodies, offices and agencies set up by or pursuant to the TEU, the TFEU or the Euratom Treaty. As Union entities, they would be subject to CADA's risk-assessment duties (Article 29) and to procuring cloud computing services at the appropriate Union assurance level (Article 30).

Detail

Whether a particular organisation falls within CADA's scope turns on the definitions in Article 2 of the proposal. The distinction between Member State public authorities and EU-level bodies matters because CADA, as proposed, would apply a common set of duties to both.

The definition of Union entities

Article 2(7) of the CADA proposal defines a "Union entity" as:

"'Union entities' means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community;"

The definition is broad. It captures the core institutions of the EU as well as the decentralised agencies and bodies established under the Treaties or secondary law.

Application to ENISA and the ECB

Both would qualify:

  1. ENISA (EU Agency for Cybersecurity) is an agency set up under Union law. As an agency established pursuant to the Treaties, it falls within Article 2(7).
  2. The European Central Bank (ECB) is established by the Treaties (the TFEU) as the central bank of the euro area. As a Union institution/body created under the founding Treaties, it is a Union entity under Article 2(7).

Obligations for Union entities under CADA

Being a Union entity would trigger duties around the procurement of cloud computing services. The proposal aims to increase resilience and reduce dependence on third-country providers for sensitive public-sector activity.

  • Risk assessments (Article 29). Member States and Union entities would carry out risk assessments to identify the public sector activities that contribute to the preservation of public order — in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, external border management, defence, justice or law enforcement — and to determine which Union assurance level (2, 3 or 4) is appropriate (Article 29(1)). The first assessment would be due by one year after entry into force, and thereafter every two years or whenever necessary.
  • Procurement (Article 30). Union entities and public sector bodies whose activities have not been identified as contributing to public order would have to use services recognised under Article 17 as having Union assurance level 1 (Article 30(2)). Contracting authorities, including Union entities, whose activities have been so identified would have to procure only services recognised as having Union assurance level 2, 3 or 4 (Article 30(3)). Article 30 applies to Union entities without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509.
  • Open source (Article 41). Union entities and public sector bodies would be required to encourage open-source solutions and, in the cases the proposal specifies, to make software they hold available for reuse under an open-source licence via a repository connected to the EU Open Source Solutions Catalogue.

It is worth noting that a Union entity may also fall under sector-specific rules. The ECB and financial entities, for instance, are subject to the Digital Operational Resilience Act (DORA). CADA, as proposed, would add a sovereignty-focused layer rather than replace such rules.

What this means for you

For procurement and IT teams within EU agencies such as ENISA or the ECB, classification as a Union entity would mean cloud procurement could not be treated as a purely technical or cost decision.

  1. Plan for mandatory risk assessments. As proposed, you would carry out a risk assessment by one year after entry into force, and every two years thereafter (Article 29(1)). The result would dictate whether Union assurance level 1 suffices or whether levels 2-4 are required.
  2. Verify recognition before award. Procure services recognised under Article 17 at the required level. The Commission would maintain a central repository of recognised cloud computing services under Article 22 that you can consult.
  3. Plan for migration. Where a risk assessment requires migration to another service, it would have to occur within a reasonable transition period not exceeding 12 months (Article 29(6)).
  4. Consider joint procurement. The Commission may carry out procurement activities for itself, for Union entities and for Member State contracting authorities, and may act as a central purchasing body (Article 37). Participating could offer economies of scale while meeting CADA's criteria.

Common misconceptions

"Only Member States are subject to CADA." Incorrect. Article 2(7) expressly includes Union institutions, bodies, offices and agencies, so EU bodies such as ENISA, Frontex or the ECB would be bound by the risk-assessment and procurement obligations.

"The AI Act already covers all AI-related procurement." The AI Act (Regulation (EU) 2024/1689) is a product-safety and fundamental-rights regulation for AI systems; it does not regulate cloud infrastructure, data-centre location or provider sovereignty. CADA, as proposed, would fill that gap with Union assurance levels and risk assessments. A Union entity could be subject to both.

"ENISA is exempt because it works on cybersecurity." ENISA's cybersecurity mandate does not exempt it. As the explanatory material to the proposal notes, certification under the Cybersecurity Act addresses technical cybersecurity but is not suited to addressing sovereignty concerns — which is why CADA introduces a separate sovereignty framework. ENISA, as a Union entity, would procure under the same rules.

This is general information about a draft EU regulation, not legal advice.