Do national strategies use public procurement to drive cloud and AI?

Summary Under the proposed Cloud and AI Development Act (CADA), Member States are legally required to embed public procurement measures directly into their national cloud and AI strategies. Article 7(2)(f) explicitly mandates that these strategies must include "measures to support the development of cloud and AI capabilities and promote excellence and innovation, including through public procurement measures, and public procurement of innovation measures set out in Article 33." This creates a binding bridge between high-level strategic planning (Title II) and the operational demand-side rules in Title IV. As proposed, national strategies would not be optional policy documents but would serve as the primary vehicle for implementing the Regulation's procurement obligations, ensuring public spending actively drives the adoption of sovereign, innovative European cloud and AI solutions rather than reinforcing existing dependencies on third-country providers.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a dual-track approach to strengthening the EU's digital ecosystem: supply-side measures to boost capacity and demand-side measures to drive adoption. A critical innovation of the proposal is the legal requirement to align national strategic planning with specific public procurement mechanisms. This alignment ensures that the purchasing power of the public sector is systematically leveraged to achieve the Regulation's objectives of technological sovereignty and innovation.

The Mandate for National Strategies under Article 7

Article 7 of the CADA proposal imposes a strict deadline and content requirement on Member States. Within one year of the Regulation's entry into force, each Member State must establish a national cloud and AI strategy. These strategies are not merely aspirational; they must contain specific, actionable measures to achieve the Regulation's objectives.

Crucially, Article 7(2)(f) mandates that these national strategies must include:

"measures to support the development of cloud and AI capabilities and promote excellence and innovation, including through public procurement measures, and public procurement of innovation measures set out in Article 33;"

This provision creates a direct legal bridge between the strategic planning phase (Title II) and the demand-side execution phase (Title IV). It ensures that national strategies cannot ignore the leverage that public authorities hold through their purchasing power. By requiring these measures to be explicitly documented in the national strategy, the Commission aims to ensure transparency, accountability, and consistent implementation across the Union. The strategy becomes the blueprint for how a Member State intends to use its public contracts to shape the market.

Linking Strategy to Procurement of Innovation (Article 33)

The specific reference to Article 33 in the national strategy requirement is significant. Article 33 establishes a dedicated framework for "procurement of innovation" in cloud computing services and AI systems. It requires Member States to monitor and report on their use of such procurement, with a specific objective to ensure that at least 25% of relevant cloud and AI procurement innovation procedures are awarded to Small and Medium-sized Enterprises (SMEs).

By linking Article 7(2)(f) to Article 33, CADA ensures that national strategies must address not just the volume of cloud and AI procurement, but the quality and innovativeness of that procurement. Strategies would be required to outline how public authorities will:

1. Identify Barriers: Systematically identify barriers to SME participation in innovation procurement procedures.
2. Design Accessible Strategies: Design simplified, proportionate procurement strategies, such as dividing contracts into lots, to facilitate SME access to public markets.
3. Monitor and Report: Track participation trends and report annually to the Commission on SME engagement, including the number of contracts awarded, their share of total contract value, and cross-border participation rates.

This linkage transforms the national strategy from a static document into a dynamic management tool for market shaping, ensuring that public procurement actively fosters a diverse and innovative European supplier base.

Broader Procurement Obligations in Title IV

While Article 7 sets the strategic direction, Title IV of the CADA proposal contains the binding operational obligations that national strategies must support and operationalise. The strategy must explain how the Member State will ensure compliance with these Title IV measures:

• Sovereignty Frameworks (Articles 16–24): National strategies must align with the Union cloud computing sovereignty framework, which defines four levels of assurance. Public procurement decisions must respect the risk assessments conducted under Article 29, which determine the appropriate assurance level (1 through 4) for specific public sector activities. The strategy must detail how contracting authorities will procure services that meet these levels.
• Union Added Value (Article 32): Contracting authorities are required to include non-price award criteria in their tenders that evaluate a tenderer's contribution to the European cloud and AI ecosystem. This includes the use of software or hardware designed or manufactured in the Union, and the integration of technologies developed in the Union. National strategies must outline how authorities will apply these criteria effectively, ensuring they are "expressly set out in the procurement documents" and linked to the subject matter of the contract.
• Open Source Promotion (Articles 41–44): Strategies should also reflect the obligation to encourage the use of open-source solutions and facilitate the reuse of software developed by public bodies. This further reduces vendor lock-in and promotes technological autonomy, aligning with the broader goal of reducing dependencies on third-country providers.

Deadlines, Monitoring, and Compliance

Member States must adopt their national cloud and AI strategies by the date specified in Article 7(1), which is one year after the Regulation's entry into force. These strategies must be notified to the Commission within three months of adoption. The Commission will monitor the adoption and revision of these strategies, and the European Artificial Intelligence Board (AI Board) will assist in coordinating these efforts to ensure consistency across the Union.

Failure to align national strategies with these procurement requirements could lead to inconsistencies in the internal market, undermining the CADA's goal of a unified, sovereign cloud ecosystem. While the CADA itself does not specify direct financial penalties for the content of national strategies, non-compliance with the underlying procurement rules (such as failing to apply Union added value criteria or ignoring sovereignty risk assessments) may trigger enforcement actions by national competent authorities under the broader regulatory framework. The strategy serves as the public commitment to these obligations.

What this means for you

For in-house counsel, procurement officers, and compliance teams in public sector bodies or entities engaging in public procurement, the CADA proposal signals a shift from voluntary best practices to mandatory strategic alignment.

1. Review National Strategy Alignment: Ensure that your organization's procurement plans are explicitly supported by your Member State's national cloud and AI strategy. Verify that the strategy includes the required measures under Article 7(2)(f) regarding public procurement of innovation. If the strategy is silent on these points, it may indicate a gap in the Member State's implementation of CADA.
2. Prepare for Innovation Procurement Monitoring: If you are involved in procuring innovative cloud or AI solutions, be prepared to report on SME participation as required by Article 33. This includes tracking the number of contracts awarded to SMEs and their share of the total contract value. Your internal data collection processes may need to be updated to meet these reporting standards.
3. Integrate Union Added Value Criteria: Update your tender documentation to include the non-price award criteria specified in Article 32. This involves evaluating tenderers on their contribution to the European digital supply chain, including the use of EU-designed hardware and software. These criteria must be "ancillary and not decisive" but must be expressly set out in the procurement documents.
4. Conduct Sovereignty Risk Assessments: Align your procurement requirements with the risk assessments mandated by Article 29. Determine the appropriate Union assurance level for your specific use case (e.g., law enforcement vs. general administration) and ensure that your procurement documents reflect these sovereignty requirements.
5. Engage with the AI Board and National Authorities: Stay informed about guidance from the European Artificial Intelligence Board and national competent authorities regarding the implementation of these strategies. Early engagement can help mitigate compliance risks and ensure that your procurement processes are robust against future regulatory scrutiny.

Common misconceptions

• "National strategies are just policy documents with no legal force." While the strategies themselves are national instruments, their content is mandated by EU law (Article 7). Failure to include the required procurement measures means the Member State is not fulfilling its obligations under the CADA proposal, which can have implications for the harmonization of the internal market and the effective implementation of procurement rules.

• "Public procurement of innovation only applies to large tech companies." Article 33 explicitly targets the inclusion of SMEs in innovation procurement. The goal is to lower barriers for smaller, innovative European providers, not just to facilitate deals with established hyperscalers. National strategies must outline measures to support SME participation, with a target of at least 25% of innovation procedures awarded to SMEs.

• "Sovereignty requirements only apply to high-security government data." The CADA sovereignty framework applies to all public sector procurement of cloud computing services. While higher assurance levels (2, 3, and 4) are reserved for activities contributing to public order (as determined by risk assessments under Article 29), all public bodies must procure at least Union assurance level 1 services (Article 30).

• "Union added value criteria are optional or secondary." While Article 32 states that these criteria should not be decisive (i.e., they cannot override technical and financial suitability), they are mandatory non-price award criteria. They must be expressly set out in procurement documents and linked to the subject matter of the contract. Ignoring them constitutes a failure to comply with the Regulation's demand-side measures.

Related

• How do national strategies promote AI in industry and public services under CADA?
• Who coordinates national cloud and AI strategies across the EU under CADA?
• What role do quantum computers play in national cloud and AI strategies under CADA?
• CADA Article 7: The AI Board's role in national cloud and AI strategies
• What does a national cloud and AI strategy mean for public-sector buyers?

This is general information about a draft EU regulation, not legal advice.