Summary
Under the proposed Cloud and AI Development Act (CADA), public contracting authorities would be legally barred from procuring cloud computing services from providers that lack the specific Union assurance level recognition required for the tender. Article 30 mandates that procurement is restricted exclusively to services formally recognised under Article 17 and listed in the central repository under Article 22. Consequently, a provider without the correct recognition status would be effectively excluded from the tender, unless the contracting authority invokes a narrow, exceptional derogation due to market unavailability or disproportionate cost.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a strict sovereignty framework designed to mitigate risks associated with dependence on third-country cloud providers. A core mechanism of this framework is the "Union cloud computing sovereignty framework," which categorises services into four assurance levels (Level 1 to Level 4). To participate in public sector tenders, cloud computing service providers must obtain formal recognition that their service meets the criteria for the specific assurance level required by the procuring entity.
The Mandatory Procurement Rule
Article 30 of the CADA proposal establishes rigid procurement obligations for public sector bodies and Union entities. The article distinguishes between two categories of public sector activities based on risk assessments conducted under Article 29:
- Standard Public Sector Activities: For activities that do not contribute to the preservation of public order in critical sectors (such as national security, defence, or justice), Article 30(2) stipulates that Union entities and public sector bodies "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
- Critical Public Order Activities: For activities identified in risk assessments as contributing to the preservation of public order in sectors listed in Annex I or II of the NIS2 Directive, or in areas of national security, internal security, external border management, defence, justice, or law enforcement, Article 30(3) imposes stricter requirements. These contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
In both scenarios, the use of the word "shall" creates a binding obligation. A cloud service provider that has not undergone the recognition process under Article 17, or whose service has not been listed in the central repository maintained by the Commission under Article 22, cannot legally be awarded the contract. The text of Article 30(4) explicitly reinforces this by stating that derogations apply only where the subject matter "cannot be supplied by recognised cloud computing services available in the central repository."
The Recognition Process Under Article 17
Recognition is not automatic; it is a formal administrative procedure. Article 17 sets out the path: a cloud computing service provider must submit an application to the national competent authority of its establishment.
- For Union assurance level 1, providers must submit an EU statement of conformity (a self-assessment under Article 19).
- For levels 2, 3, and 4, providers must submit an audit report and a "positive" audit opinion from an independent auditing organisation (under Article 20).
Once the national competent authority validates the evidence, the service is recognised across the Union. This recognition is then recorded in the central repository established under Article 22. Contracting authorities are expected to verify the status of a provider against this repository. If a provider is not listed, or is listed at a lower assurance level than required by the tender, it is ineligible. The repository serves as the definitive source of truth for compliance; absence from it effectively disqualifies a provider.
Limited Derogations
Article 30(4) provides a derogation from these strict procurement rules, but only on an "exceptional basis and where duly justified." A contracting authority may decide not to procure a recognised service only if one of the following circumstances applies:
- The subject matter of the tender cannot be supplied by recognised services available in the central repository, and no adequate or reasonable alternative or comparable cloud computing service exists, provided such absence is not the result of an artificial narrowing down of the parameters of the public procurement procedure.
- The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
- Applying the requirements of this Regulation would require the contracting authority to procure services at "disproportionate cost."
These derogations are narrow and require justification. They do not allow public bodies to freely choose non-recognised providers for convenience, preference, or standard commercial reasons; they are emergency valves for genuine market failures. Therefore, for the vast majority of tenders, lacking recognition is a definitive barrier to entry.
What this means for you
If you are a cloud service provider or data centre operator targeting the European public sector, your commercial strategy must now align with the CADA recognition timeline.
- Audit Early: Do not wait for tenders to open. If you aim for Level 2, 3, or 4 assurance, you must engage an independent auditing organisation well in advance. The audit process under Article 20 is rigorous, requiring evidence on data localisation, personnel citizenship, cybersecurity certifications, and supply chain transparency.
- Verify Repository Status: Ensure that once you receive your recognition decision from the national competent authority, your service is correctly listed in the central repository (Article 22). Public buyers will likely use this repository as the primary filter for eligible bidders. If you are not in the repository, you are invisible to compliant procurement processes.
- Monitor Risk Assessments: Understand the risk assessments being conducted by Member States under Article 29. If a public body determines its activities require Level 3 assurance (e.g., due to national security relevance), your Level 1 or Level 2 recognition will be insufficient, effectively excluding you from that specific tender.
- Prepare for Transition: If you currently hold contracts with public bodies, be aware that Article 29(6) requires migration to compliant services within a reasonable transition period not exceeding 12 months if a risk assessment mandates a higher assurance level. Lack of recognition will eventually lead to contract termination or non-renewal.
Common misconceptions
Misconception 1: "I can still win the tender if I offer a better price or superior technology." Under CADA, technical superiority or lower cost does not override the legal requirement for recognition. Article 30 is a mandatory gatekeeper. Unless the contracting authority successfully invokes the narrow derogation for disproportionate cost or market unavailability, a non-recognised provider is legally excluded regardless of the quality of their offer. The regulation prioritises sovereignty and public order over pure market competition in these specific contexts.
Misconception 2: "Recognition in one Member State is not enough; I need recognition in every country." This is incorrect. Article 17(7) states that once a service is recognised by the competent authority of the provider's establishment, and no other Member State raises a reasoned objection within the review period, the service "shall be recognised throughout the Union at the appropriate Union assurance level." The recognition is EU-wide, not national. A single recognition decision grants access to all public tenders across the Union.
Misconception 3: "The central repository is just for information; buyers can choose others." The repository established under Article 22 is not merely informational; it is the operational tool for compliance. Article 30(4)(a) explicitly references the "central repository referred to in Article 22" when defining the conditions under which a derogation might be granted (i.e., if no service is available in the repository). Buyers are expected to source from this list, and the absence of a provider from the list is the primary trigger for the "market unavailability" derogation.
Misconception 4: "I can self-declare compliance and bid." Self-declaration is only permitted for Union assurance level 1 (Article 19). For levels 2, 3, and 4, independent third-party audits are mandatory (Article 20). Furthermore, even for Level 1, the self-assessment must be formalised as an EU statement of conformity and submitted to the competent authority for recognition (with an automatic recognition derogation only for SMEs). A provider cannot simply claim compliance in a tender document; they must hold formal recognition status and be listed in the repository.
This is general information about a draft EU regulation, not legal advice.