Summary As proposed, the Cloud and AI Development Act (CADA) would create a dual-track procurement system for cloud and AI. Member States would still procure directly under Articles 30-33, applying the Union assurance levels and EU-added-value criteria. In parallel, the Commission could act as a central purchasing body under Article 37, letting Member States join centralised procurement to pool buying power. National procurement remains the default; the common framework offers economies of scale and reduced administrative burden, but participants would accept the Commission's governance (Article 38) and fee structure (Article 40). CADA is a proposal, not yet in force.
Detail
The CADA proposal would establish two routes to public procurement of cloud and AI services: direct national procurement by Member States, and centralised procurement run by the European Commission. The aim is to balance national sovereignty requirements with the efficiencies of scale.
National procurement: the default path (Articles 30-33)
Under the proposal, the primary route for public-sector bodies to acquire cloud services would be direct procurement, governed by Articles 30, 32 and 33 and tied to the Union sovereignty framework.
Sovereignty requirements (Article 30). Contracting authorities would procure cloud services according to the risk assessment of their activities:
- Union assurance level 1. Entities whose activities are not identified as contributing to the preservation of public order would use services recognised at Union assurance level 1 (Article 30(2)).
- Union assurance levels 2-4. Entities whose activities are identified as contributing to public order — in the sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in national security, internal security, external border management, defence, justice or law enforcement — would procure only services recognised at level 2, 3 or 4 (Article 30(3)).
- Derogations. Article 30(4) would allow exceptional, duly justified derogations — for example where no adequate recognised service exists in the central repository, where a similar procurement in the previous year drew no suitable tenders, or where applying the requirements would mean procuring at disproportionate cost.
EU added value (Article 32). When procuring innovative cloud services and AI systems, contracting authorities would include non-price award criteria assessing the tenderer's contribution to a European cloud and AI ecosystem — for example use of software or hardware designed or manufactured in the Union, integration of Union-developed technologies, and strengthening of supply-chain security. As proposed, these criteria must be linked to the subject matter, set out in the procurement documents, and "ancillary and not decisive" in the award (Article 32(2)).
Innovation and SME participation (Article 33). Article 33 would impose monitoring and reporting obligations on Member States. As proposed, Member States "shall pursue as objective that at least 25%" of their cloud and AI procurement be awarded to innovative SMEs (Article 33(4)), and include plans to achieve this in their national strategies under Article 7.
The common procurement framework (Article 37)
Article 37 would empower the Commission to act as a central purchasing body, helping Member States overcome limits in budget, expertise and purchasing power.
Scope and mechanism. The Commission could procure data-centre services, cloud computing services, software and AI systems for: itself and Union entities; contracting authorities of Member States; and partner organisations selected by the Commission. These would be the "participating entities." The Commission could procure on their behalf by concluding framework contracts or operating dynamic purchasing systems, and could also act as a wholesaler — acquiring services and reselling them (or, in exceptional circumstances, donating them) to contracting authorities (Article 37(3)).
Governance and participation (Article 38). The framework would operate under an agreement between the Commission and at least two Member States. A Steering Committee, made up of the Commission and one representative per participating Member State, would provide strategic oversight, while the Commission would remain responsible for the operational management of procurement — including the launch of procedures and the award of contracts (Article 38(3)). Notably, a contracting authority's participation would not be conditional on its Member State participating (Article 38(7)).
Legal effect and fees (Articles 39-40).
- Compliance. Under Article 39, a participating entity would be deemed to have fulfilled its obligations under applicable Union public procurement law when it acquires services through contracts awarded by the Commission as a central purchasing body — simplifying compliance for national authorities.
- Fees. Article 40 would let the Commission levy fees to cover the costs of these procurement activities, with revenues constituting internal assigned revenues within the meaning of the EU Financial Regulation.
Comparison: centralised vs national procurement
| Feature | National procurement (Arts. 30-33) | Common procurement framework (Art. 37) |
|---|---|---|
| Lead authority | National contracting authority | European Commission |
| Primary goal | Meet national needs; ensure sovereignty compliance | Pool buying power; reduce administrative burden |
| Sovereignty control | Direct control over assurance-level selection via national risk assessment | Still bound by Art. 30 assurance levels; selection mediated by Commission procedures |
| Added-value criteria | National authority sets EU-added-value weighting (Art. 32) | Commission sets criteria in tender specifications, standardising the assessment |
| Cost structure | Contract value + national administrative costs | Contract value + Commission service fees (Art. 40) |
| Flexibility | High; tailored to national context | Lower; standardised across participating entities |
What this means for you
For public-sector procurement officers, CADA would introduce a strategic choice: manage cloud and AI procurement directly, or opt into the Commission's centralised framework.
- Assess your sovereignty needs first. Before choosing a path, carry out (or rely on) the risk assessment required by Article 29. If your activities relate to public order, you would be legally bound to procure level 2, 3 or 4. Confirm that any centralised framework you join can deliver services at the required level.
- Weigh administrative capacity against fees. If you lack specialised procurement expertise for complex AI systems, the Article 37 framework could offer a ready-made route — but you would pay service fees (Article 40) and accept the Commission's standardised terms and governance (Article 38).
- Plan for the SME objective. Whichever path you take, Article 33 would have Member States pursue the objective of awarding at least 25% of cloud and AI procurement to innovative SMEs. If using the centralised framework, check that the Commission's specifications support SME participation, for example through division into lots.
- Use the central repository. Whether procuring nationally or centrally, source recognised services from the central repository established under Article 22, and check the listed assurance levels to ensure compliance with Article 30.
Common misconceptions
"The common procurement framework replaces national procurement." No. As proposed, it would be optional and complementary. Article 37 says the Commission may carry out procurement activities; Member States retain the right to procure directly under Articles 30-33. The framework is for entities that wish to pool resources, not a single mandatory EU-wide contract.
"Joining the common framework exempts you from sovereignty requirements." No. Article 30's assurance-level requirements would apply to all public-sector bodies. Even when procuring through the Commission, the services awarded must meet the assurance level set by the national risk assessment. The Commission would act as a purchasing body, not a regulator overriding national sovereignty determinations.
"The Commission can impose any service it chooses." No. The Commission's procurement would be bound by the same public-procurement rules and sovereignty criteria as national authorities, and the Steering Committee (Article 38) would provide strategic oversight aligned with participating Member States' needs. The Commission could not force a Member State to buy a service that does not meet its assurance-level requirements.
Related
- CADA voluntary recognition vs mandatory procurement levels
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- CADA Union added value criteria vs lowest-price procurement: what changes?
- CADA public-order-relevant vs ordinary cloud procurement
- Open-source-first vs proprietary-first procurement under CADA
This is general information about a draft EU regulation, not legal advice.