Does CADA Article 30 apply to all cloud purchases or only exclusive-use ones?

Summary Under the proposed Cloud and AI Development Act (CADA), the strict sovereignty procurement obligations in Article 30 apply only to cloud computing services procured for a contracting authority's exclusive use. If your organization is participating in shared, federated, or joint procurement initiatives—such as the EuroCloud Federation or Commission-led central purchasing—those transactions fall outside the scope of Article 30. Instead, they are governed by the specific legal frameworks established in Chapter IV (Articles 37–40) and the applicable public procurement rules clarified in Article 39. Understanding this distinction is critical to avoiding regulatory overlap and ensuring compliance with the correct procedural regime.

Detail

The scope of Article 30 is precisely delimited in the proposal to prevent regulatory duplication with CADA's mechanisms for collaborative public sector purchasing. The legislative text draws a clear line between standalone national contracts and pooled procurement strategies.

The "Exclusive Use" Boundary in Article 30(1)

The scope limitation is explicit in the first paragraph of the article. Article 30(1) states: "This Article applies to contracting authorities that procure cloud computing services for their exclusive use. Without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509, this Article also applies to Union entities that procure cloud computing services for their exclusive use."

This provision establishes a binary condition:

1. Exclusive Use: If a public authority negotiates a direct contract with a cloud provider for services used solely by that authority (or Union entity), Article 30 is the governing rule. This triggers the mandatory requirement to procure services recognized at the specific Union assurance level (1, 2, 3, or 4) determined by the risk assessment under Article 29.
2. Non-Exclusive/Shared Use: If the procurement involves shared resources, federation, or joint purchasing, the "exclusive use" condition is not met. Consequently, the direct mandates of Article 30 do not apply to the procedural steps of the tender itself.

The Alternative Regime: Chapter IV (Articles 37–40)

For scenarios where public sector bodies pool resources to gain leverage, efficiency, or interoperability, CADA provides a dedicated legal pathway in Title IV, Chapter IV. This chapter establishes a framework for the Commission to act as a central purchasing body or wholesaler.

• Article 37 empowers the Commission to carry out procurement activities for data centre services, cloud computing services, software, and AI systems on behalf of Union entities and contracting authorities of Member States. It explicitly defines "participating entities" to include these authorities when they join such schemes.
• Article 38 details the arrangements for these activities, including the establishment of a Steering Committee and the necessity of an agreement between the Commission and participating Member States.
• Article 39 clarifies the applicable public procurement framework. It states that a participating entity is deemed to have fulfilled its obligations under applicable Union public procurement law where it acquires supplies or services by means of contracts awarded by the Commission under this Chapter.

Because these shared procurement activities are governed by their own specific legal regime within CADA, they are excluded from the direct scope of Article 30. This exclusion prevents double-regulation and ensures that sovereignty criteria are applied through the centralized procurement process rather than through individual national tenders that might fragment the market.

Sovereignty Requirements: Procedural vs. Substantive

It is a common misconception that falling outside Article 30 means falling outside the sovereignty framework entirely. This is incorrect. While the procedural rules of Article 30 (e.g., the specific tendering mandates for exclusive use) do not apply to shared procurement, the substantive sovereignty requirements remain binding.

The cloud services procured through the Commission's central purchasing activities under Chapter IV must still meet the Union assurance levels determined by the relevant risk assessments.

• Article 29 requires Member States and Union entities to conduct risk assessments to determine which Union assurance level is appropriate for their activities.
• Article 30(2) and Article 30(3) mandate that entities procure services meeting the assurance level identified in their risk assessment.

When procuring through the Chapter IV framework, the Commission and the participating entities must ensure that the services awarded meet these assurance levels. The distinction is procedural: Article 30 governs the direct tender process for exclusive use, while Chapter IV governs the centralized tender process for shared use. In both paths, the outcome must be the acquisition of services that meet the sovereignty criteria defined in Annex II.

Penalties and Enforcement

Non-compliance with the obligations under Article 30, including the failure to procure services with the required Union assurance level, is subject to penalties under Article 24. Member States must lay down rules on penalties applicable to infringements by cloud computing service providers. While Article 24 focuses heavily on provider penalties, the procurement obligations for public bodies are enforced through the broader public procurement directives and the specific CADA framework.

For shared procurement under Chapter IV, enforcement mechanisms are tied to the agreement established under Article 38 and the Steering Committee's oversight. If a participating entity fails to adhere to the assurance levels agreed upon in the centralized framework, the consequences are managed through the specific governance mechanisms of the common procurement arrangement rather than the direct penalty regime of Article 24 applied to individual exclusive-use contracts.

What this means for you

For in-house counsel, procurement officers, and compliance teams in the public sector, the "exclusive use" distinction dictates your compliance workflow and legal strategy:

1. Direct Contracts (Exclusive Use): If you are issuing a tender for cloud services used only by your agency, you must apply Article 30. This means:

   • Verifying that bidders hold the appropriate Union assurance level (1, 2, 3, or 4) based on your risk assessment under Article 29.
   • Ensuring the tender explicitly requires services recognized under Article 17.
   • Considering the Union added value criteria under Article 32 as part of the quality evaluation.

2. Shared/Federated Procurement: If you are joining the EuroCloud Federation or participating in a Commission-led joint procurement, you are operating under Articles 37–40. Your obligations shift:

   • You do not need to run a separate Article 30-compliant tender for the same services.
   • Your primary duty is to participate in the centralized process and ensure that the services selected by the Commission meet your specific assurance level requirements as documented in your Article 29 risk assessment.
   • You rely on the Article 39 deeming provision to satisfy general public procurement law obligations.

3. Risk Assessment Alignment: Regardless of the procurement path, your Article 29 risk assessment remains the foundation. You must clearly document which assurance level your activities require. This documentation will be scrutinized whether you are tendering directly or participating in a shared framework. If your risk assessment identifies a need for Level 3 or 4, the shared procurement mechanism must be capable of delivering that level.

4. Contractual Terms:

   • For exclusive use, ensure contracts explicitly reference the Union assurance level and the recognition status under Article 17.
   • For shared procurement, ensure that the agreement with the Commission or the EuroCloud Federation clearly allocates responsibilities for monitoring compliance with these assurance levels and defines the recourse if the centralized service fails to meet the required level.

Common misconceptions

"Article 30 applies to all public cloud spending." Incorrect. The text of Article 30(1) is explicit: it applies only to procurement for "exclusive use." Shared, federated, and joint procurements are governed by Chapter IV. Applying Article 30 to a joint procurement would be a misapplication of the regulation.

"Shared procurement exempts me from sovereignty requirements." Incorrect. While the procedure is different, the cloud services must still meet the Union assurance levels determined by your risk assessment. The sovereignty framework is universal; the procurement mechanism is not. The Commission, acting as a central purchasing body, is obligated to procure services that meet the assurance levels required by the participating entities.

"I can choose between Article 30 and Chapter IV for the same service." Incorrect. The scope is determined by the nature of the procurement, not the preference of the authority. If the service is procured for the authority's exclusive use, Article 30 applies. If the service is part of a centralized or federated effort under the CADA's common procurement framework, Chapter IV applies. Attempting to use Article 30 for a shared service would bypass the specific governance and efficiency mechanisms designed for joint procurement.

"Article 30 covers the EuroCloud Federation." Incorrect. The EuroCloud Federation is established under Article 34 and governed by the sharing rules in Article 35 and the common procurement framework in Chapter IV. It is a distinct mechanism from the exclusive-use procurement mandates of Article 30.

Related

• CADA Procurement: Article 30 Exclusive Use vs. Chapter IV Joint Procurement
• CADA Article 30: What 'Exclusive Use' Means for Cloud Procurement
• CADA Article 39: Which procedural rules apply to specific contracts?
• CADA Article 33: How public buyers use matchmaking and market consultations
• Who pays for CADA procurement fees? Article 40 explained

This is general information about a draft EU regulation, not legal advice.