Summary
Under the proposed Cloud and AI Development Act (CADA), a contracting authority cannot arbitrarily skip the Union assurance level mandated by its risk assessment. The framework is designed to be mandatory: if a risk assessment identifies an activity as contributing to the preservation of public order, the authority must procure services recognised at Union assurance levels 2, 3, or 4. However, Article 30(4) provides a narrow, exceptional derogation. This allows authorities to procure non-recognised services only where: (1) no adequate recognised alternative exists in the central repository; (2) a previous tender failed to attract suitable participants; or (3) compliance would impose a disproportionate cost. Crucially, any such derogation must be on an exceptional basis and duly justified.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigid link between sovereignty risk and public procurement. The mechanism operates in two distinct stages: first, a mandatory risk assessment under Article 29 determines the required assurance level for specific public sector activities; second, Article 30 translates that determination into a binding procurement obligation.
As proposed, the default rule is absolute. If a risk assessment concludes that an activity contributes to the preservation of public order (e.g., law enforcement, defence, or critical infrastructure), the contracting authority is legally bound to procure only cloud computing services recognised at Union assurance levels 2, 3, or 4. For activities not identified as public-order-relevant, the baseline requirement is Union assurance level 1. This structure is intended to eliminate the fragmentation of national approaches and prevent public bodies from defaulting to non-sovereign providers due to legacy habits or market pressure.
However, the Commission acknowledged that the market for sovereign cloud services is still evolving. A rigid application of these rules without a safety valve could paralyse essential public services if no compliant provider is available. Consequently, Article 30(4) introduces a derogation mechanism. This is not a general waiver but a "last resort" provision designed to address specific market failures or technical impossibilities.
The Exceptional Derogation under Article 30(4)
Article 30(4) explicitly states that, "by derogation from paragraphs 2 or 3," a contracting authority may decide not to procure recognised services "on an exceptional basis and where duly justified." This derogation applies only if one or more of the following three specific circumstances are met:
- Absence of Adequate Alternatives: The subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository (established under Article 22). The regulation imposes a strict condition: this absence must not be the result of an "artificial narrowing down of the parameters of the public procurement procedure." This prevents authorities from drafting overly restrictive technical specifications solely to exclude sovereign providers and justify the use of non-compliant, third-country services. Furthermore, the authority must demonstrate that "no adequate or reasonable alternative or comparable cloud computing service exists."
- Failure of Previous Procurement: The contracting authority has launched a similar procurement process within the previous year but "did not receive any suitable tenders or suitable participants." This condition acknowledges that the market may not yet have sufficient suppliers meeting the sovereignty criteria for niche or highly specialised services. It requires evidence of a genuine attempt to procure compliant services that failed due to market limitations, not due to the authority's own procedural choices.
- Disproportionate Cost: Applying the requirements of the regulation would require the contracting authority to procure services at a "disproportionate cost." This clause is designed to protect public budgets from extreme price premiums that might arise in a nascent market. However, the term "disproportionate" implies a high threshold; a simple price difference or a standard market premium is insufficient. The authority must demonstrate that the cost impact is severe enough to fundamentally undermine the public interest or specific budgetary constraints.
Procedural and Evidentiary Requirements
The phrase "duly justified" in Article 30(4) imposes a heavy burden of proof on the contracting authority. While the text lists the conditions, the broader context of CADA implies strict procedural hygiene. An authority invoking this derogation must maintain a comprehensive audit trail, likely including:
- Evidence of Market Search: Proof that the central repository was thoroughly searched and that no recognised service met the technical needs. The repository is publicly available and regularly updated by the Commission and national competent authorities; failure to check it would invalidate a "no alternative" claim.
- Specification Review: Documentation showing that the procurement parameters were broad enough to allow competition from sovereign providers. This is critical to refute any allegation of "artificial narrowing."
- Cost-Benefit Analysis: For the "disproportionate cost" argument, a detailed financial comparison between the recognised sovereign options and the non-recognised alternative. This must demonstrate that the cost difference is not merely higher, but disproportionate in the context of the specific public service.
It is vital to note that this derogation applies strictly to the procurement phase. It does not exempt the authority from the underlying risk assessment obligations under Article 29. The risk assessment remains the foundational document that triggers the initial requirement for assurance levels 2, 3, or 4. The derogation is a mechanism to address supply-side constraints, not a tool to bypass the security or sovereignty concerns identified in the risk assessment.
Relationship with the Central Repository
The derogation is tightly coupled with the Central Repository of recognised cloud computing services under Article 22. An authority cannot claim that no recognised service exists unless it has verified the contents of this repository. The repository serves as the single source of truth for recognised services across the Union. Therefore, the burden of proof lies entirely with the contracting authority to demonstrate that the repository lacks a suitable solution for their specific use case at the time of the tender.
What this means for you
For in-house counsel, compliance officers, and procurement specialists in the public sector, the proposed CADA framework shifts the burden of proof significantly. You can no longer default to global hyperscalers for critical functions without a rigorous, documented justification.
1. Documentation is your primary defence: If you anticipate needing to use the Article 30(4) derogation, begin documenting your market analysis immediately. Keep detailed records of all interactions with the central repository. If you draft technical specifications, ensure they are neutral and not tailored to exclude sovereign providers. Any claim that a lack of suppliers is due to "artificial narrowing" will be scrutinised by national competent authorities and potentially the Commission.
2. Monitor the Central Repository: The validity of your derogation hinges on the state of the Central Repository at the time of procurement. You must demonstrate that you checked the repository and found no adequate alternative. Regularly monitor updates to the repository, as new providers may achieve recognition, potentially invalidating a previous "no alternative" claim for future tenders.
3. Cost justification must be robust: If you rely on the "disproportionate cost" argument, prepare a detailed economic analysis. "Disproportionate" is a high legal bar. Simple price differences will not suffice; you must show that the cost impact is severe enough to justify compromising on sovereignty assurances. Consult with your financial and legal teams to define what constitutes "disproportionate" in your specific jurisdiction and sector, keeping in mind that this is a derogation from a mandatory rule.
4. Review legacy contracts: Article 30 applies to new procurements. However, as legacy contracts expire, you will need to reassess them against the new risk assessment requirements. If a current provider does not hold a Union assurance level, you cannot automatically renew the contract. You must either migrate to a recognised provider or invoke the Article 30(4) derogation with full justification. Note that Article 29(6) requires migration within a reasonable transition period not exceeding 12 months if a risk assessment requires it.
5. Penalties and enforcement: While Article 24 focuses on penalties for cloud computing service providers, contracting authorities face indirect risks. Failure to comply with procurement rules can lead to contract annulment, financial corrections from the European Commission, or reputational damage. National competent authorities will monitor compliance, and the Commission will review risk assessment results. Non-compliance could trigger corrective actions or require mandatory migration.
Common misconceptions
Misconception 1: The derogation is a permanent waiver for specific vendors. The derogation is exceptional and case-specific. It does not grant a blanket exemption for a specific provider or technology. Each procurement must be justified individually based on the current market conditions and the specific requirements of the tender. A justification valid for one contract does not automatically apply to the next.
Misconception 2: "Disproportionate cost" means any price premium. Courts and regulators interpret "disproportionate" strictly. A 10-20% price increase for a sovereign service is likely not disproportionate. The argument must demonstrate that the cost is so high that it fundamentally undermines the public interest or budgetary constraints, beyond normal market fluctuations. The regulation does not define a specific percentage, leaving it to the authority to prove the severity of the impact.
Misconception 3: You can skip the risk assessment if you plan to use the derogation. The risk assessment under Article 29 is mandatory regardless of the procurement outcome. The derogation applies to the procurement obligation resulting from the risk assessment. You cannot avoid the assessment by claiming you will use a non-sovereign provider. The assessment determines the need for sovereignty; the derogation addresses the ability to meet that need.
Misconception 4: The derogation applies to private sector entities. Article 30 specifically addresses "contracting authorities" and "Union entities." Private sector entities operating in sectors of high criticality (listed in Annex I of the NIS2 Directive) are subject to Article 31, which allows for similar impact assessments but does not provide the same explicit derogation language for procurement. Private entities must manage their risks internally, though they may face indirect pressure to align with public sector standards.
Related
- How does a CADA risk assessment determine the required Union assurance level?
- Can a CADA risk assessment require a higher assurance level over time?
- Can a CADA risk assessment lower the assurance level for an activity?
- Can the Commission override a Member State's CADA risk assessment conclusion?
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
This is general information about a draft EU regulation, not legal advice.