Do CADA procurement rules apply during the transition period?

Summary As proposed, the Cloud and AI Development Act (CADA) would apply to new public procurement procedures for cloud computing services and AI systems starting one year after the Regulation enters into force. Existing contracts generally remain governed by their original terms during this transition, but contracting authorities must conduct risk assessments to determine if current services meet the required Union assurance levels. If a risk assessment identifies that an existing service fails to meet the necessary sovereignty criteria for a specific activity, authorities would be required to migrate to compliant providers within a reasonable transition period, not exceeding 12 months.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026, introduces a comprehensive framework for cloud and AI procurement in the public sector. To understand how these rules apply during the transition period, it is essential to distinguish between the Regulation's entry into force, its application date, and the specific obligations for ongoing versus new contracts.

Application Timing and Transitional Provisions

According to Article 48 of the proposed Regulation, CADA would enter into force on the twentieth day following its publication in the Official Journal of the European Union. However, the substantive obligations would not apply immediately. The Regulation specifies that it "shall apply from [same day and month as date of entry into force plus 1 year]." This one-year gap serves as a critical transition period for Member States and public authorities to prepare their administrative structures, designate national competent authorities, and align national procurement strategies with the new EU-wide standards.

During this initial year, public bodies are expected to prepare for the upcoming obligations, such as establishing the necessary governance frameworks for the "Cloud and AI Leadership Initiatives" and setting up the "EuroCloud Federation" structures, but they are not yet legally bound to procure under the new sovereignty criteria for new tenders.

Obligations for New Procurements

Once the one-year transition period concludes, the procurement rules outlined in Title IV of CADA become mandatory for all new contracting procedures.

Article 30 establishes the core procurement mandates based on the risk assessment results defined in Article 29. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must, as a minimum, use cloud computing services recognized as having Union assurance level 1.

For higher-risk activities, Article 30(3) imposes stricter requirements. Contracting authorities whose activities are identified as contributing to the preservation of public order—such as those in national security, defense, justice, or critical infrastructure sectors listed in Annex I or II of the NIS2 Directive—must only procure cloud computing services recognized as having Union assurance level 2, 3, or 4.

Additionally, Article 32 introduces "Union added value" criteria. In public procurement procedures for innovative cloud computing services and AI systems, contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the European cloud and AI ecosystem. This includes assessing the use of software or hardware designed or manufactured in the Union and the integration of Union-developed technologies. These criteria must be ancillary and not decisive in the award of the contract, but they must be expressly set out in procurement documents.

Article 33 further requires Member States to monitor the procurement of innovation in cloud and AI, with an objective that at least 25% of relevant procurement be awarded to innovative small and medium-sized enterprises (SMEs).

Existing Contracts and Renewals

The treatment of existing contracts during and after the transition period is nuanced. CADA does not automatically void existing contracts. Instead, it relies on the risk assessment mechanism in Article 29 to determine compliance.

Member States and Union entities must carry out risk assessments by the date of application (one year after entry into force) and thereafter every two years. These assessments identify which public sector activities require which Union assurance levels.

If an existing contract covers a service that no longer meets the required assurance level for the specific activity (e.g., a service with only Level 1 assurance is used for an activity now deemed to require Level 3 due to a reassessment of public order relevance), Article 29(6) mandates action. It states: "Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."

This means that while existing contracts are not immediately terminated, public authorities cannot indefinitely renew or maintain contracts that fail to meet the sovereignty and security standards required for their specific use cases. The 12-month migration window provides a buffer to avoid service disruption while ensuring eventual compliance.

Derogations and Exceptions

Article 30(4) provides limited derogations from these rules on an exceptional basis. Contracting authorities may decide not to procure recognized services if:

1. The subject matter cannot be supplied by recognized services available in the central repository, and no adequate alternative exists.
2. A similar procurement process launched within the previous year yielded no suitable tenders.
3. Applying the requirements would result in disproportionate costs.

These exceptions are narrow and require due justification, ensuring that the sovereignty framework remains robust while allowing for practical flexibility in unique market situations.

What this means for you

For public-sector procurement officers, the transition period is a time for proactive inventory and risk mapping, not passive waiting.

1. Map Your Current Portfolio: Identify all active cloud and AI contracts. Classify the associated activities according to the risk assessment criteria in Article 29. Determine if your current use cases fall under "public order preservation" (requiring Levels 2-4) or general administrative use (requiring Level 1).
2. Verify Assurance Levels: Check if your current providers have been, or can be, recognized under the Union assurance levels. If a provider is not yet recognized, assess their ability to undergo the conformity self-assessment (Level 1) or independent third-party audit (Levels 2-4) required by Articles 17-20.
3. Plan for Migration: If your current contract does not meet the required assurance level for your activity, begin planning a migration strategy immediately. You have a maximum of 12 months from the determination of non-compliance to migrate. Ensure your contracts include clear data portability and exit clauses to facilitate this move without service interruption.
4. Update Procurement Templates: Revise your standard tender documents to include the "Union added value" criteria mandated by Article 32. Ensure your evaluation methodologies account for these non-price criteria, keeping in mind they must be ancillary and linked to the subject matter.
5. Monitor SME Participation: As per Article 33, structure your innovation procurement procedures to facilitate SME participation, aiming for the 25% award target. This may involve dividing contracts into lots or using pre-commercial procurement strategies.

Common misconceptions

• "CADA applies immediately upon publication." Incorrect. As per Article 48, there is a one-year gap between entry into force and application. This transition period allows authorities to prepare.

• "All existing cloud contracts are automatically compliant." Incorrect. Compliance is determined by the risk assessment in Article 29. If a contract serves a high-risk activity (e.g., defense, justice) but the provider only holds Level 1 assurance, the contract is non-compliant with Article 30(3) and must be migrated within 12 months.

• "Union added value criteria are the primary factor in awarding contracts." Incorrect. Article 32(2)(d) explicitly states that these criteria must be "ancillary and not decisive in the award of the contract." Technical and financial criteria directly connected to performance requirements remain primary.

• "Private sector entities are subject to the same procurement rules." Incorrect. Article 30 applies to "contracting authorities" and "Union entities." Private sector entities in critical sectors (under NIS2) may conduct similar impact assessments under Article 31, but they are not bound by the same mandatory procurement levels unless specified by future delegated acts or national implementation of impact assessment requirements.

Related

• CADA Article 39: Which procedural rules apply to specific contracts?
• CADA procurement rules: Legal basis, WTO safeguards and the Financial Regulation
• What is a contracting authority under CADA procurement rules?
• CADA and US Hyperscalers: Public Procurement Rules Explained
• CADA Cloud Procurement in Healthcare: Assurance Levels & Rules

This is general information about a draft EU regulation, not legal advice.