Does a public sector body that builds its own cloud become a CSP under CADA?

Summary Yes — under the proposed Cloud and AI Development Act (CADA), a public sector body that builds and operates its own cloud can be a cloud computing service provider (CSP). Article 2(2) defines a CSP functionally as any legal entity providing a cloud computing service, and it does not exclude public bodies. As proposed, that would bring the in-house cloud within the sovereignty framework, but CADA also offers the EuroCloud Federation (Articles 34–35) as a route for public bodies to share capacity on a cost-only basis rather than as commercial market transactions.

Detail

Whether a public sector body is a CSP under CADA would turn on the function it performs, not its legal nature. The starting point is Article 2.

Article 2(2) defines a "cloud computing service provider" as "a legal entity which provides a cloud computing service," with no carve-out for public bodies. If a public authority develops, hosts and manages cloud infrastructure and makes those resources available for use — even only to its own departments or subsidiary bodies — it would be providing a "cloud computing service" as defined in Article 2(1) (via the NIS2 Directive). Functionally, it would act as a CSP. Article 2(6) defines a "public sector body" by reference to Directive (EU) 2019/1024.

The sovereignty framework and internal provision

Article 16 would establish a Union cloud computing sovereignty framework of four assurance levels. A public body running its own cloud would need its service to meet the assurance level appropriate to the data it processes — for sensitive activities identified in a risk assessment under Article 29, that could mean Union assurance level 2, 3 or 4.

Crucially, CADA would provide a way for public bodies to share internally built capacity outside ordinary market procedures. Articles 34–38 establish the European public sector cloud federation (the EuroCloud Federation), which would facilitate voluntary sharing of data centre services and cloud computing services among Union entities and public sector bodies.

Article 35 sets the conditions: a member (the "sharing entity") may share services with another member (the "using entity") where it owns the hardware through which the service is made available and provides that service (directly or through a controlled intermediate entity). Under Article 35(5), the sharing entity may charge a fee, but "[t]he amount of the fee shall be limited to the costs that the sharing entity incurs in relation to the sharing of the service and shall not constitute a pecuniary interest within the meaning of Article 2 of Directive 2014/24/EU and Regulation (EU, Euratom) 2024/2509." In other words, cost-recovery sharing within the federation would not be a commercial transaction triggering an ordinary tender.

Procurement and Union added value

Even outside the federation, Article 32 would require Member States’ contracting authorities to apply "Union added value" criteria when procuring cloud computing services and AI. This would encourage public bodies to weigh a tenderer’s contribution to the European cloud ecosystem in their procurement decisions.

What this means for you

For public-sector procurement officers and IT directors, recognising that your organisation may be a CSP under CADA has three practical implications.

1. Sovereignty compliance is internal too: Do not assume an in-house cloud is automatically "sovereign." Map your internal service against the Annex II criteria. If it relies on subcontractors or data flows outside the Union, it may not meet the higher assurance levels. Use the risk assessment under Article 29 to set the minimum level for your data.
2. Leverage the EuroCloud Federation: With surplus capacity, consider joining the federation under Article 34 to share resources with other public bodies on a cost-recovery basis (Article 35), avoiding the overhead of commercial procurement.
3. Audit and transparency: If your internal cloud seeks recognition at Union assurance level 2, 3 or 4, it would face independent third-party audits under Article 20 and ongoing transparency obligations (Article 23), including notifying material changes to the national competent authority. Internal IT would need to be audit-ready, just like a commercial provider.

Common misconceptions

Misconception 1: "Public clouds are exempt from CADA sovereignty rules." Incorrect. The framework would apply to cloud computing services used by Union entities and public sector bodies regardless of whether the provider is commercial or public. A public body providing services to another public body would still need the relevant assurance level.

Misconception 2: "Sharing internal cloud capacity with another ministry is a public contract." Not where it is done through the EuroCloud Federation. Article 35(5) provides that the cost-only sharing fee shall not constitute a pecuniary interest within the meaning of Article 2 of Directive 2014/24/EU and Regulation (EU, Euratom) 2024/2509 — enabling cost-based sharing without a full tender.

Misconception 3: "Only commercial vendors are CSPs." Incorrect. Article 2(2) defines a CSP by function. A public body operating its own cloud would be a CSP — though CADA would treat such bodies differently in procurement contexts, encouraging cooperation via the EuroCloud Federation.

Related

• What is the difference between a public sector body and a Union entity under CADA?
• What is a public sector body under CADA?
• What the public sector body definition means for buyers under CADA
• Is a state-owned company a public sector body under CADA?
• How is a public sector body different from a contracting authority under CADA?

This is general information about a draft EU regulation, not legal advice.