Summary
Under the proposed Cloud and AI Development Act (CADA), public bodies generally cannot procure cloud computing services that lack the required Union assurance level. As proposed, contracting authorities must procure services recognised under Article 17, with a mandatory baseline of Union assurance level 1 for general activities (Article 30(2)). For activities contributing to public order, authorities must procure services recognised at levels 2, 3, or 4 (Article 30(3)). Non-recognised services can only be procured through a strict, exceptional derogation under Article 30(4), which requires documenting specific grounds such as the non-existence of adequate alternatives, a failed tender within the previous year, or disproportionate costs.
Detail
The CADA proposal establishes a mandatory sovereignty framework for public sector cloud procurement to mitigate risks associated with dependence on third-country providers. The core mechanism is the requirement to procure only "recognised" services: those that have undergone conformity self-assessments (for Level 1) or independent third-party audits (for Levels 2 to 4) and are listed in the central repository maintained by the Commission (Article 22).
The General Rule: Mandatory Recognition
Article 30 establishes the procurement obligations for contracting authorities and Union entities. The rule is binary: you must buy recognised services, or you must justify a specific exception. The proposal does not allow for a "best value" trade-off where a non-recognised service is chosen simply because it offers better features or lower prices.
- Default Requirement (Level 1): For all public sector activities not identified as contributing to the preservation of public order, Article 30(2) mandates the use of cloud computing services recognised as offering Union assurance level 1. This serves as the baseline for all public cloud spending.
- Public Order Requirement (Levels 2 to 4): If a risk assessment conducted under Article 29 determines that a public sector activity contributes to the preservation of public order (e.g., in sectors covered by the NIS2 Directive, national security, defence, justice, or law enforcement), Article 30(3) requires the procurement of services recognised at Union assurance level 2, 3, or 4. The specific level depends on the sensitivity and criticality determined in the risk assessment.
The Derogation: When Can You Buy Non-Recognised Cloud?
Article 30(4) provides a narrow derogation from these rules. A contracting authority may decide not to procure a recognised service (i.e., buy a non-recognised service) only on an exceptional basis and where duly justified. The proposal lists three specific grounds for this derogation. These grounds are not cumulative; satisfying one is sufficient, provided the "exceptional basis" and "duly justified" thresholds are met.
- No Adequate Alternative Exists (Article 30(4)(a)): The subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository. Crucially, this applies only if no adequate or reasonable alternative or comparable cloud computing service exists, and this absence is not the result of an "artificial narrowing down of the parameters of the public procurement procedure." This prevents authorities from writing technical specifications that only a specific non-recognised provider can meet.
- Previous Failed Tender (Article 30(4)(b)): The contracting authority launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants. This ground is time-bound and evidence-based, requiring proof that a genuine attempt to procure recognised services was made recently and failed.
- Disproportionate Cost (Article 30(4)(c)): Applying the requirements of the Regulation would require the contracting authority to procure services at a disproportionate cost. This is not a general cost-saving clause; the cost difference must be truly disproportionate to the value or necessity of the service, not merely higher than a non-recognised alternative.
Documentation and Justification
While the proposal does not prescribe a specific administrative form for Article 30(4) derogations in the enacting text, the phrase "duly justified" imposes a strict evidentiary burden on the contracting authority. The authority must document the rationale internally and be prepared to demonstrate that the derogation is exceptional and that the specific conditions in Article 30(4) are met.
- For "No Adequate Alternative": The authority must document that the technical specifications were drafted broadly enough to allow recognised providers to bid. If the specifications were tailored to exclude recognised providers, the derogation is invalid.
- For "Disproportionate Cost": The authority must provide evidence of the cost impact, likely through a comparative analysis showing that the cost of the recognised service is unreasonable relative to the budget or the service's utility.
- For "Failed Tender": The authority must retain records of the previous year's procurement process, proving that no suitable tenders were received.
Furthermore, Article 30 applies to contracting authorities that procure cloud computing services for their exclusive use. This scope matters in practice: where services are shared or form part of a broader multi-cloud strategy, the Article 29 risk assessment and the Article 30 procurement rules still apply to each specific lot or service being procured.
Interaction with Risk Assessments
The ability to use a derogation is closely tied to the risk assessment mandated by Article 29. Member States and Union entities must carry out these risk assessments every two years (or whenever necessary) to identify which activities require higher assurance levels. If a risk assessment concludes that an activity requires Level 3, and no Level 3 service is available, the authority might consider the derogation under Article 30(4)(a). However, the Commission may review these risk assessments (Article 29(5)) and specify the required Union assurance levels if it deems the Member State's assessment inadequate.
What this means for you
For public-sector procurement officers, the CADA proposal fundamentally changes how cloud tenders are structured. You can no longer treat cloud services as generic IT commodities where the lowest price or best technical feature wins regardless of the provider's sovereignty status.
- Check the Repository First: Before drafting a tender, check the central repository (Article 22) for services recognised at the required assurance level. If a recognised service exists, you generally must procure it.
- Conduct a Risk Assessment: Ensure your organisation's risk assessment under Article 29 is up to date. This determines whether you need Level 1 (general) or Levels 2 to 4 (public order). You cannot use a derogation to bypass a Level 2 to 4 requirement unless the Article 30(4) conditions are strictly met.
- Document Derogations Rigorously: If you believe you need a non-recognised service, you must document why.
- Example: If you claim no adequate alternative exists, ensure your technical specifications were broad enough to allow recognised providers to bid. If your specs were too narrow, the derogation is invalid.
- Example: If you claim disproportionate cost, be prepared to show a cost-benefit analysis comparing the recognised option to the non-recognised option, demonstrating that the cost difference is truly disproportionate, not merely inconvenient.
- Avoid Artificial Narrowing: The proposal explicitly warns against "artificial narrowing down of the parameters" to justify a derogation. Procurement officers must design tenders that are open to all recognised providers unless there is a genuine technical reason to exclude them.
Common misconceptions
Misconception 1: "I can buy non-recognised cloud if it's cheaper." Reality: Cost is only a valid ground for derogation if it is disproportionate (Article 30(4)(c)). Mere cost savings do not justify bypassing the sovereignty framework. The primary goal is security and autonomy, not cost efficiency.
Misconception 2: "If I didn't get bids last time, I can always buy non-recognised cloud." Reality: Article 30(4)(b) requires a similar procurement process within the previous year that yielded no suitable tenders. This is a temporary, evidence-based exception, not a permanent loophole. You must demonstrate that you tried to procure recognised services and failed.
Misconception 3: "SMEs are exempt from these rules." Reality: While Article 17(3) provides a streamlined recognition process for SMEs (automatic recognition of their Level 1 conformity statements), the procurement obligation in Article 30 applies to all contracting authorities. They must still buy recognised services, but the pool of recognised providers may include more SMEs due to this streamlined process.
Misconception 4: "I can choose any level I want." Reality: The required level is dictated by the risk assessment under Article 29. Level 1 is the baseline for general activities, and a public order activity requires Level 2, 3, or 4 as determined by that assessment. You cannot fall back to Level 1 for a public order activity without a valid Article 30(4) derogation, and given the severity of public order risks such a derogation would be hard to justify as exceptional and duly justified.
Related
- CADA public procurement: Can non-EU cloud providers still bid?
- Can a public body combine CADA derogation grounds?
- CADA Procurement Compliance: Who is Responsible in a Public Body?
- What is the minimum cloud assurance level for an ordinary public body under CADA?
- CADA Procurement vs AI Act: How Public Bodies Must Buy Cloud & AI
This is general information about a draft EU regulation, not legal advice.