Summary No, the proposed Cloud and AI Development Act (CADA) does not override, replace, or suspend the EU Public Procurement Directives (Directive 2014/24/EU and Directive 2014/25/EU). Instead, as proposed in COM(2026) 502 final, CADA operates as a sector-specific supplement that layers mandatory sovereignty requirements and innovation criteria onto the existing horizontal procurement framework. Contracting authorities must continue to comply with core EU procurement principlesβ€”such as transparency, equal treatment, and non-discriminationβ€”while integrating CADA's specific mandates: (1) mandatory minimum Union assurance levels (Article 30) based on risk assessments, and (2) non-price award criteria for European added value (Article 32), which the proposal explicitly recommends capping at 15 out of 120 points (Recital 67) to ensure proportionality.

Detail

The legal architecture of CADA is designed to address specific market failures in the cloud and AI sectorβ€”namely, critical dependencies on third-country providers and the lack of a harmonised sovereignty frameworkβ€”that the general Public Procurement Directives were not designed to solve. The Explanatory Memorandum explicitly states that the proposal "supplements the Public Procurement Directives" because the horizontal acquis "sets out general principles for the design of procurement procedures" but cannot adequately account for the "many layers" of sovereignty risks and critical dependencies specific to cloud computing (Recital 49).

Consequently, CADA does not create a parallel or exclusive procurement regime. Instead, it imposes specific obligations that contracting authorities must fulfill within the procedures governed by the Directives. This interaction is governed by three core mechanisms: the mandatory assurance tier system, the European added value criteria, and the strict proportionality safeguards.

1. Mandatory Sovereignty Assurance Levels (Article 30)

Article 30 establishes a binding, tiered procurement requirement that functions as a mandatory technical specification or selection criterion within existing procurement procedures. It does not alter the procedural steps of the Directives (e.g., publication, evaluation, award) but dictates the content of the tender requirements based on the nature of the public sector activity.

The framework operates on a risk-based logic derived from the risk assessments mandated under Article 29:

  • Baseline Requirement (Article 30(2)): For Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order, the minimum requirement is to procure cloud computing services recognised as offering Union assurance level 1. This acts as a baseline floor for all public procurement of cloud services.
  • Public Order Requirement (Article 30(3)): For contracting authorities whose activities have been identified as contributing to the preservation of public orderβ€”specifically in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in areas of national security, internal security, external border management, defence, justice, or law enforcementβ€”the requirement is stricter. These authorities must only procure services recognised as offering Union assurance levels 2, 3, or 4.
  • Exceptional Derogations (Article 30(4)): The proposal acknowledges that rigid application could lead to market failure. It provides for derogations on an exceptional basis where:
    • The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists (provided this is not the result of artificial narrowing);
    • A similar procurement process launched within the previous year yielded no suitable tenders; or
    • Applying the requirements would impose disproportionate costs.

These provisions do not override the Directives' rules on award procedures. Rather, they define the eligibility and technical compliance thresholds that tenders must meet to be considered valid under the Directives.

2. European Added Value Criteria (Article 32)

While Article 30 sets mandatory minimums, Article 32 introduces a specific mechanism to actively steer procurement towards European sovereignty through non-price award criteria. This is distinct from the mandatory assurance levels, which act as pass/fail thresholds.

Under Article 32(1), contracting authorities procuring innovative cloud computing services and AI systems shall include non-price award criteria to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. These criteria must be:

  • Linked to the subject matter of the contract;
  • Not conferring unrestricted freedom of choice;
  • Expressly set out in the procurement documents; and
  • Ancillary and not decisive in the award of the contract (Article 32(2)).

The proposal specifies that these criteria must enable authorities to evaluate the extent to which the tenderer:

  • Contributes to strengthening the digital technology supply chain in the Union (including hardware/software designed or manufactured in the Union);
  • Has integrated technologies developed in the Union (including R&D results from Union-funded programmes);
  • Delivers innovation that strengthens security of supply; and
  • Delivers the service through critical computing, storage, and networking hardware components designed or manufactured in the Union (Article 32(3)).

3. The 15/120 Points Cap and Proportionality

A critical safeguard in the proposal is the explicit limitation on the weight of these European added value criteria to prevent them from distorting competition or violating international trade obligations.

Recital 67 of the proposal states that while contracting authorities have discretion to apply additional criteria, the European added value criterion "should not be decisive for award of the contract." To operationalise this, the recital provides a concrete benchmark: contracting authorities "could consider a maximum weighting of 15 out of 120 points to be allocated to European added value within the overall evaluation methodology."

This cap serves two purposes:

  1. Proportionality: It ensures that the European added value criterion remains "proportionate and subordinate to the core contract award criteria," such as technical quality and financial offer.
  2. Legal Certainty: It provides a clear, quantifiable limit to help authorities demonstrate compliance with the principle of non-discrimination and the requirements of the WTO Government Procurement Agreement (GPA), which the proposal explicitly respects (Recital 64).

By capping the weight, the proposal ensures that while European sovereignty is a significant factor, it does not become the sole determinant of the award, thereby preserving the integrity of the single market and the Directives' core principles.

4. Integration with Existing Procurement Law

CADA's interaction with the Public Procurement Directives is one of complementarity, not substitution. The proposal reinforces that the "many layers" of sovereignty concerns "cannot be addressed in the horizontal acquis" (Recital 49), necessitating this sector-specific overlay.

Key integration points include:

  • Procedural Compliance: All procurement activities under CADA must still follow the procedural rules of the Directives (e.g., time limits, publication requirements, standstill periods). CADA adds content requirements to these procedures.
  • Transparency: The mandatory assurance levels (Article 30) and the specific European added value criteria (Article 32) must be clearly published in the contract notice and tender documentation, ensuring bidders can understand the evaluation methodology.
  • International Commitments: The proposal explicitly acknowledges that while the Union retains the right to adopt measures necessary to protect public order (including under Article III:2(a) of the WTO GPA), these measures must be "necessary and proportionate" (Recital 64). The 15/120 cap and the "ancillary" nature of the criteria are direct responses to this requirement.
  • Derogation Logic: The derogation mechanism in Article 30(4) mirrors the "extreme difficulty" or "unforeseeable circumstances" exceptions found in the Directives, ensuring that CADA does not force authorities into impossible procurement situations.

What this means for you

For legal counsel, procurement officers, and compliance teams, the proposed CADA framework requires a dual-track approach to public procurement: maintaining strict adherence to the Public Procurement Directives while integrating specific CADA mandates.

1. Conduct Mandatory Risk Assessments (Article 29)

Before launching any tender for cloud services, your organisation must determine its risk profile.

  • Action: Conduct the risk assessment required under Article 29 to identify whether your activities contribute to the preservation of public order.
  • Impact: This determines your minimum assurance level. If you are in a "public order" sector (e.g., law enforcement, defence), you are legally bound to procure only Level 2, 3, or 4 services. If not, Level 1 is the minimum. Failure to conduct this assessment could render your procurement non-compliant with CADA.

2. Revise Tender Specifications and Evaluation Criteria

Your procurement documents must be updated to reflect CADA's specific requirements.

  • Action: Include the mandatory Union assurance level as a selection criterion or technical specification. Ensure that bidders can prove their recognition status via the central repository (Article 22).
  • Action: Introduce the European added value criteria under Article 32. Define clearly how you will evaluate the tenderer's contribution to the EU supply chain, integration of EU technologies, and use of EU-manufactured hardware.
  • Action: Apply the 15/120 Cap. When designing your scoring matrix, ensure that the weight assigned to European added value does not exceed 15 points out of a total of 120 (or a proportionate equivalent if your total score differs). Explicitly state in the tender documents that this criterion is "ancillary and not decisive."

3. Manage Derogations with Extreme Caution

If you cannot find a provider meeting the mandatory assurance level, you may invoke the derogation in Article 30(4).

  • Action: Document the justification meticulously. You must prove that no adequate alternative exists in the central repository, that previous attempts failed, or that the cost is disproportionate.
  • Risk: Derogations are "exceptional." Overuse or weak justification could lead to legal challenges from unsuccessful bidders or non-compliance findings by national authorities.

4. Align with National Strategies and SME Targets

CADA links procurement to broader national and EU strategies.

  • Action: Ensure your procurement plans align with your Member State's national cloud and AI strategy (Article 7).
  • Action: Consider the Article 33 target: Member States are encouraged to award at least 25% of their procurement for cloud and AI innovation to SMEs. While this is a monitoring target, it signals a policy direction that authorities should consider in their planning.

5. Monitor the "Sovereignty" vs. "Discrimination" Balance

While CADA aims to strengthen European sovereignty, it must not violate the principles of the Public Procurement Directives or the WTO GPA.

  • Action: Ensure that your criteria are linked to the subject matter (Article 32(2)). Avoid criteria that simply prefer "EU companies" without a link to the technology, supply chain, or innovation delivered. The focus must be on the origin of the technology and the supply chain, not just the nationality of the bidder.

Common misconceptions

"CADA replaces the EU Public Procurement Directives."

  • Reality: CADA supplements the Directives. It does not create a new legal regime or suspend the Directives. All procedural rules, time limits, and fundamental principles (transparency, equal treatment) of Directive 2014/24/EU and 2014/25/EU remain fully in force. CADA simply adds specific content requirements (assurance levels and added value criteria) to those procedures.

"European added value can be the decisive factor in awarding the contract."

  • Reality: No. Recital 67 and Article 32(2) explicitly state that the European added value criterion must be "ancillary and not decisive." The proposal recommends a maximum weighting of 15 out of 120 points to ensure that technical quality and price remain the primary drivers of the award.

"All public sector bodies must procure Union assurance level 4."

  • Reality: The required level depends entirely on the risk assessment under Article 29. Only activities identified as contributing to the preservation of public order in sensitive sectors (e.g., defence, law enforcement) are required to procure Level 2, 3, or 4. General public sector bodies are only required to procure Level 1 (Article 30(2)).

"CADA allows unrestricted preference for EU providers, ignoring WTO rules."

  • Reality: The proposal explicitly respects international commitments, including the WTO GPA (Recital 64). The criteria must be proportionate, non-discriminatory, and linked to the subject matter. The 15/120 cap and the "ancillary" nature of the criteria are specifically designed to ensure compliance with these international obligations.

"Derogations from assurance levels are easy to obtain."

  • Reality: Derogations under Article 30(4) are strictly limited to exceptional circumstances: lack of available alternatives in the repository, failed previous procurements, or disproportionate costs. They are not a general escape clause and require robust documentation.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.