Summary

Under the proposed Cloud and AI Development Act (CADA), public buyers must shift from purely technical procurement to a sovereignty-first approach. As proposed, you must conduct a mandatory risk assessment (Article 29) to determine if your activity contributes to "public order." If it does, you are restricted to procuring cloud services recognised at Union assurance levels 2, 3, or 4; otherwise, level 1 is the mandatory baseline (Article 30). Additionally, for innovative tenders, you must include non-decisive "Union added value" criteria (Article 32) and actively monitor SME participation against a 25% target (Article 33). You may also leverage the Commission's central purchasing framework, subject to cost-recovery fees (Articles 37–40).

Detail

The proposed Cloud and AI Development Act (CADA) fundamentally alters the public procurement landscape for cloud computing services and AI systems. It introduces a structured compliance framework where sovereignty and strategic autonomy are not optional considerations but legal prerequisites. For procurement officers, this means integrating a four-pillar compliance process: risk assessment, assurance-level selection, innovation criteria, and monitoring.

1. The Mandatory Risk Assessment (Article 29)

The procurement journey begins not with a tender notice, but with a risk assessment. Under Article 29(1), Member States and Union entities must carry out risk assessments to identify public sector activities that use cloud computing services and determine whether they "contribute to the preservation of public order."

This assessment is not a generic security review; it is a specific sovereignty evaluation. It must cover:

  • Sectors: Activities in sectors listed in Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
  • Data Sensitivity: The sensitivity, criticality, and magnitude of non-personal and personal data processed, including the risk of unlawful access by third countries or legal entities established in third countries.
  • Continuity Risks: The risk and consequent impact on public order of possible service disruption.

Article 29(3) mandates that the Commission will issue implementing acts specifying the methodology, templates, and elements to be taken into account. Crucially, if the Commission concludes that a Member State's identified assurance level is inappropriate or fails to address public order concerns, it may adopt implementing acts to specify the required level.

If the risk assessment determines that a migration to a different cloud service is necessary, Article 29(6) requires that the migration occur within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility and data portability.

2. Procuring Based on Assurance Levels (Article 30)

The outcome of the Article 29 risk assessment acts as a binding filter for procurement under Article 30. The regulation establishes a binary requirement based on the "public order" determination:

  • Standard Procurement (Level 1): For public sector activities not identified as contributing to the preservation of public order, contracting authorities must use cloud computing services recognised as having Union assurance level 1 (Article 30(2)). This serves as the Union-wide baseline.
  • Critical Procurement (Levels 2–4): For activities identified as contributing to the preservation of public order (e.g., defence, critical infrastructure, law enforcement), contracting authorities must only procure services recognised as having Union assurance level 2, 3, or 4 (Article 30(3)).

Derogations: Article 30(4) provides a narrow safety valve. On an exceptional basis and where duly justified, authorities may decide not to procure a recognised service if:

  1. The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists (provided this is not the result of artificial narrowing of parameters).
  2. A similar procurement process launched within the previous year received no suitable tenders.
  3. Applying the requirements would require the authority to procure services at disproportionate cost.

3. Union Added Value in Innovative Procurement (Article 32)

For procurements involving innovative cloud computing services and AI systems, Article 32(1) introduces a mandatory quality evaluation component. Contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These criteria are strictly regulated to ensure they remain ancillary:

  • They must be linked to the subject matter of the contract.
  • They must not confer unrestricted freedom of choice.
  • They must be expressly set out in the procurement documents.
  • Crucially, they must be "ancillary and not decisive in the award of the contract" (Article 32(2)(d)).

Article 32(3) specifies that these criteria must enable authorities to evaluate:

  • The extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union (e.g., using software or hardware designed or manufactured in the Union).
  • The integration of technologies developed in the Union, including R&D results from Union-funded programmes.
  • Whether the innovation contributes to strengthening security of supply.
  • Whether the service is delivered through critical computing, storage, and networking hardware components designed and/or manufactured in the Union, or from third countries that strengthen security of supply.

4. Monitoring, Reporting, and SME Support (Article 33)

CADA imposes a proactive duty on Member States to foster innovation and SME participation. Article 33(1) obliges Member States to monitor and report on their use of procurement of innovation in cloud and AI.

Key obligations include:

  • SME Target: Member States must pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs (Article 33(4)).
  • Annual Reporting: Member States must inform the Commission yearly on SME participation trends, including the number of contracts awarded to SMEs, their share of total contract value, and cross-border participation (Article 33(3)).
  • Active Measures: Union entities and contracting authorities must promote preliminary market consultations, matchmaking between public buyers and European SMEs, and the development of contract clauses favourable to innovative SMEs (Article 33(5)).

5. The Commission's Central Purchasing Route (Articles 37–40)

To assist authorities lacking resources or expertise, CADA establishes a common procurement framework. Article 37 empowers the Commission to act as a central purchasing body for Member States' contracting authorities and Union entities.

  • Mechanism: The Commission can conclude framework contracts or operate dynamic purchasing systems on behalf of participating entities. It may also act as a wholesaler, acquiring services and reselling them to authorities.
  • Fees: This service is not free. Article 40(1) states that costs arising from these procurement activities shall be jointly financed by participating entities through fees levied by the Commission. These fees are set to cover direct and indirect costs and are collected as internal assigned revenues.
  • Dynamic Access: Article 39(5) allows participating entities to request to join a dynamic purchasing system throughout its validity period, subject to Commission approval, provided their requests do not exceed 50% of the initial estimated quantities.

What this means for you

As a public-sector procurement officer, your workflow must evolve to integrate sovereignty checks before drafting technical specifications.

  1. Execute the Risk Assessment First: Do not draft tender specifications until you have completed the risk assessment required by Article 29. You must explicitly determine if your use case contributes to "public order." If it does, you are legally restricted to Union assurance levels 2, 3, or 4. If not, you must still ensure the provider meets level 1.
  2. Draft "Union Added Value" Criteria: When procuring innovative solutions, you must explicitly include non-price award criteria as per Article 32. Ensure these are clearly defined in your tender documents, but remember that they must be ancillary and not decisive. Focus your evaluation on supply chain resilience and the origin of hardware/software components.
  3. Design for SMEs: Actively structure your tenders to facilitate SME participation. Consider dividing contracts into lots and promoting preliminary market consultations. You are expected to track and report your progress toward the 25% SME award target.
  4. Evaluate Central Purchasing: If your authority lacks the resources for complex cloud/AI procurement, evaluate joining the Commission's central purchasing framework. Be prepared to pay the associated fees outlined in Article 40, which are designed to be cost-recovery based.
  5. Document Everything: Maintain rigorous records of your risk assessments, the assurance level selected, the justification for any derogations, and your SME participation metrics. You will need to report this data annually to the Commission.

Common misconceptions

  • "Union added value criteria are the primary deciding factor." Incorrect. Article 32(2)(d) explicitly states that Union added value criteria must be "ancillary and not decisive in the award of the contract." They complement, but do not replace, core technical and financial criteria.
  • "All public sector procurements require the highest sovereignty levels." Incorrect. Article 30(2) mandates Union assurance level 1 for activities not identified as contributing to public order. Levels 2–4 are reserved strictly for high-risk, public-order-critical activities identified through the Article 29 risk assessment.
  • "SMEs are automatically exempt from sovereignty requirements." Incorrect. While Article 33 encourages SME participation, SMEs providing cloud services must still meet the relevant Union assurance levels (1–4) to be eligible for procurement. However, Article 17(3) notes that EU statements of conformity for Level 1 by SMEs are directly and automatically recognised in all Member States without prior recognition by the evaluating authority, simplifying their market entry.
  • "Central purchasing by the Commission is free for Member States." Incorrect. Article 40(1) clearly states that costs are jointly financed by participating entities through fees levied by the Commission. These fees are set to cover the costs incurred by the Commission in carrying out the procurement activities.

This is general information about a draft EU regulation, not legal advice.