Summary
As proposed, public buyers cannot simply choose to ignore the Cloud and AI Development Act's (CADA) assurance-level requirements. Under Article 30, contracting authorities must procure cloud services recognised at Union assurance level 1, or levels 2–4 for activities preserving public order. However, Article 30(4) allows a derogation from these requirements only on an exceptional basis and where duly justified. Buyers may bypass the requirement if: (a) no adequate recognised service exists in the central repository; (b) a similar procurement within the previous year failed to yield suitable tenders; or (c) compliance would impose a disproportionate cost. These exceptions are narrow safeguards, not general loopholes.
Detail
The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a mandatory framework for the public procurement of cloud computing services to safeguard the Union's public order and reduce dependence on non-European providers. The regulation creates a "Union cloud computing sovereignty framework" comprising four assurance levels. Public sector bodies are generally prohibited from procuring cloud services that do not meet these recognised standards.
Specifically, Article 30(2) mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised at Union assurance level 1. Conversely, Article 30(3) requires that contracting authorities whose activities are identified as contributing to the preservation of public order (including national security, defence, justice, and law enforcement) must procure services recognised at Union assurance levels 2, 3, or 4.
However, the legislation acknowledges that rigid adherence to these standards may not always be feasible in practice due to market immaturity or specific technical constraints. Therefore, Article 30(4) of the proposal provides a specific, strictly limited mechanism for contracting authorities to derogate from the assurance-level requirements. This derogation is conditional: it applies only "on an exceptional basis and where duly justified."
To rely on this exception, the contracting authority must demonstrate that at least one of the following three alternative circumstances applies:
1. Unavailability of Adequate Services
The first ground for derogation arises when the subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository (established under Article 22), and no adequate or reasonable alternative or comparable cloud computing service exists.
Crucially, the proposal includes a strict anti-circumvention clause: such an absence must not be the result of an "artificial narrowing down of the parameters of the public procurement procedure." This prevents buyers from drafting overly specific or idiosyncratic technical requirements that effectively exclude all recognised sovereign providers, thereby manufacturing a situation of "unavailability." The authority must prove that the market genuinely lacks a solution that meets the legitimate needs of the public service.
2. Failure of Previous Procurement
The second ground addresses market readiness. A derogation is permissible if the contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
This circumstance acknowledges that the market for recognised sovereign cloud services is still developing. If a public body has made a genuine attempt to procure compliant services recently and the market failed to respond with viable offers, the authority may be granted a temporary reprieve. This ensures that the sovereignty framework does not paralyse essential public services simply because the market has not yet caught up to the regulatory timeline.
3. Disproportionate Cost
The third ground permits a derogation if applying the requirements of the Regulation would require the contracting authority to procure services at a "disproportionate cost."
This clause recognises that in certain niche, legacy, or highly specialised scenarios, the premium for sovereign, assured cloud services may be economically unviable relative to the value or scale of the public service being delivered. It is not a general exemption for budget constraints; rather, it is a proportionality test. The cost of compliance must be excessive in relation to the specific context of the procurement, creating a severe imbalance that would undermine the public interest served by the project.
The Burden of Proof and Scrutiny
It is vital to note that these derogations are not blanket exemptions. The authority invoking them bears the burden of proof to demonstrate that the situation is exceptional and that the justification is sound. The proposal implies that these derogations are intended to be temporary or situational bridges, not permanent loopholes. The overarching goal of Article 30 is to ensure that the public sector progressively migrates to services that offer the necessary guarantees of data confidentiality and operational autonomy.
Furthermore, the threshold for what constitutes a "justified" exception may be scrutinised more heavily for Union assurance levels 2, 3, or 4. Given the heightened risks associated with public-order-relevant activities (such as law enforcement or defence), the margin for error is narrower. A derogation for a high-assurance level activity would require a more rigorous demonstration of necessity than one for a standard level 1 activity.
What this means for you
For public-sector procurement officers and legal counsel, the key takeaway is that you cannot opt out of the CADA assurance framework by default. You must first attempt to procure from the central repository of recognised services. If you believe you cannot meet the assurance-level requirements, you must document your justification meticulously before proceeding.
If you are considering invoking the Article 30(4) derogation, you should prepare robust evidence for one of the three grounds:
- For Unavailability: Document your exhaustive search of the central repository. Explain precisely why existing recognised services do not meet your technical needs. Crucially, review your technical specifications to ensure they are broad enough to avoid the appearance of "artificially narrowing" the market. If your specs are too unique, the derogation will likely be rejected.
- For Failed Previous Tenders: Maintain a clear audit trail of any similar procurement processes launched within the last 12 months. You must demonstrate that these processes were conducted in good faith and that the lack of suitable tenders was due to market limitations, not procedural errors on your part.
- For Disproportionate Cost: Prepare a detailed cost-benefit analysis. You must show that the cost of compliant services is not merely higher, but disproportionate to the project's value or the public interest served. A simple premium for sovereign services is expected; it only becomes a derogation ground if the cost is genuinely excessive relative to the context.
You should also engage with your national competent authority early in the process. As the body responsible for recognising assurance levels and supervising providers, they will be the first line of scrutiny for any derogation claim. Their guidance on whether your justification meets the "exceptional" and "duly justified" thresholds is critical.
Common misconceptions
"I can choose any cloud provider if I sign a data processing agreement." Incorrect. The CADA proposal goes significantly beyond standard GDPR data processing agreements. It requires formal recognition of the service at a specific Union assurance level, verified through self-assessment (Level 1) or independent third-party audits (Levels 2–4). A standard contract does not substitute for this regulatory recognition.
"The 'disproportionate cost' exception allows me to buy the cheapest option." Incorrect. "Disproportionate" does not mean "expensive." It implies a severe imbalance between the cost of compliance and the value of the service. A premium for sovereign services is an expected part of the market transition. It only becomes a derogation ground if the cost is genuinely excessive relative to the specific context, threatening the viability of the public service itself.
"I can use this derogation for all legacy systems." Incorrect. The derogation is for exceptional cases. If a recognised service exists that can support your legacy workload, you are expected to use it. The derogation is not a general waiver for technical debt or a license to maintain non-compliant systems indefinitely.
"The derogation applies automatically if no Level 4 provider exists." Incorrect. The absence of a provider at a specific level does not automatically trigger a derogation. The authority must prove that no adequate alternative exists and that the absence is not due to artificially narrow specifications. Furthermore, for public-order activities, the authority might be required to downgrade to Level 3 or 2 if Level 4 is unavailable, rather than bypassing the requirement entirely.
This is general information about a draft EU regulation, not legal advice.