Does CADA affect procurement thresholds under the EU Directives?

Summary No, the proposed Cloud and AI Development Act (CADA) does not alter, replace, or introduce new financial procurement thresholds. The monetary triggers for public procurement procedures remain exclusively governed by Directive 2014/24/EU (public sector) and Directive 2014/25/EU (utilities). CADA introduces a parallel, mandatory sovereignty framework that dictates what can be procured based on the risk and criticality of the activity, not the contract value. Contracting authorities must apply the financial thresholds of the Directives to determine if EU procedures apply, and simultaneously apply CADA's Article 30 to determine the required Union assurance level (1, 2, 3, or 4) for the service. Additionally, Article 32 introduces "Union added value" as a non-decisive award criterion, while Article 39 provides a deemed-compliance route for entities participating in Commission-led joint procurement.

Detail

The interaction between the proposed CADA and the established EU public procurement framework is one of strict complementarity. CADA is designed to address the "sovereignty gap" in the cloud and AI ecosystem, focusing on the security, resilience, and origin of the services procured. It does not seek to rewrite the procedural or financial architecture of the Single Market's procurement rules.

CADA Does Not Introduce Financial Thresholds

A critical distinction for legal and procurement teams is that CADA contains no provisions establishing new monetary values to trigger public procurement obligations. The regulation is silent on financial thresholds. Consequently, the determination of whether a procurement procedure for cloud computing services must follow the full rigour of EU rules (e.g., publication in the Official Journal of the European Union, minimum standstill periods) depends entirely on the thresholds set out in Directive 2014/24/EU and Directive 2014/25/EU.

If a contract value falls below the relevant Directive threshold, the full procedural requirements of the Directives may not apply. However, this does not automatically exempt the contracting authority from CADA's sovereignty obligations. As proposed, CADA's requirements for public sector bodies are triggered by the nature of the activity (specifically, whether it contributes to the preservation of public order), not by the contract's financial value. Therefore, even a low-value contract for a critical public-order activity would be subject to CADA's assurance level requirements, even if it falls below the Directive's financial threshold for full EU procurement procedures.

Conversely, if a contract exceeds the Directive thresholds, the standard procurement procedures apply. CADA then overlays mandatory technical and sovereignty requirements, dictating the minimum assurance level the service must possess.

The Sovereignty Overlay: Article 30 and Risk Assessments

While CADA does not change when a procurement procedure must be launched, it strictly dictates what can be procured. This is governed by Article 30 of the CADA proposal, which establishes a mandatory minimum baseline for cloud services based on risk assessments conducted under Article 29.

Article 30(2) sets the baseline: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must, as a minimum requirement, use cloud computing services recognised as offering Union assurance level 1.

For activities identified as contributing to the preservation of public order, the requirements are significantly stricter. Article 30(3) mandates that contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." This applies to sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and areas including national security, internal security, external border management, defence, justice, or law enforcement.

Crucially, this obligation is triggered by the criticality of the activity. A low-value contract for a critical defence application would still require a Level 2, 3, or 4 service, whereas a high-value contract for a non-critical administrative task would only require Level 1. This decoupling of value and sovereignty requirements is a defining feature of the proposal.

The Deemed-Compliance Route: Article 39

For the European Commission acting as a central purchasing body, CADA provides a specific mechanism to streamline procedural compliance. Article 39 sets out the applicable public procurement framework for procurement activities carried out by the Commission on behalf of Member States and Union entities.

Article 39(1) establishes a "deemed compliance" route. It states that a participating entity (such as a Member State contracting authority) "shall be deemed to have fulfilled its obligations under applicable Union public procurement law where it acquires supplies or services by means of contracts awarded by the Commission under this Chapter." This includes contracts concluded through framework agreements or dynamic purchasing systems operated by the Commission.

This provision is significant for in-house counsel as it simplifies the procedural burden for entities participating in Commission-led joint procurement. By using the Commission's procurement framework, these entities are legally considered to have met their obligations under the 2014 Directives. However, this deemed compliance applies to the procedure, not the substance. The underlying services procured through this route must still meet the sovereignty criteria of Article 30 relevant to the specific needs of the participating entities.

Award Criteria and Added Value: Article 32

While CADA does not set financial thresholds, it influences the evaluation of tenders through Article 32, which introduces "Union added value" as a non-price award criterion.

Article 32(1) requires contracting authorities to include, as part of the quality evaluation of the tender, non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. These criteria may include strengthening the digital technology supply chain in the Union, integrating Union technologies, or delivering services using hardware components designed or manufactured in the Union.

Article 32(2) provides essential guardrails: these non-price award criteria must be "ancillary and not decisive in the award of the contract." They must be linked to the subject matter, expressly set out in the procurement documents, and must not confer unrestricted freedom of choice on the contracting authority. This ensures that while CADA encourages European industrial capacity, it does not distort the core principles of the Single Market by allowing non-technical factors to override performance and price.

What this means for you

For in-house counsel, procurement officers, and legal teams, the practical implication is a dual-compliance obligation that requires a two-step analysis for every cloud procurement.

1. Step 1: Determine Procedural Triggers (The Directives). Continue to monitor the financial thresholds of Directive 2014/24/EU and Directive 2014/25/EU. These thresholds determine whether the full EU procurement procedure (publication, standstill, etc.) is mandatory. CADA does not alter these triggers.

2. Step 2: Determine Sovereignty Requirements (CADA). Regardless of the contract value, conduct the risk assessment mandated by Article 29 to determine if your activity contributes to the preservation of public order.

   • If No: You must procure at least Union assurance level 1.
   • If Yes (e.g., defence, law enforcement, critical infrastructure): You must procure Union assurance level 2, 3, or 4.
   • Note: This requirement applies even if the contract value is below the Directive's financial threshold.

3. Step 3: Draft Tender Documents. Ensure your procurement documents explicitly state the required Union assurance level as a mandatory technical specification. You cannot award a contract to a provider that does not meet this level, even if they are the lowest bidder. Additionally, consider including "Union added value" criteria under Article 32, ensuring they are weighted as ancillary and not decisive.

4. Step 4: Consider Joint Procurement. If you are a Member State authority, consider participating in Commission-led procurement activities under Articles 37–40. Using the Commission's framework can provide deemed compliance with the procedural aspects of the 2014 Directives, reducing administrative burden. However, you remain responsible for ensuring the selected service meets the specific sovereignty needs identified in your risk assessment.

Common misconceptions

"CADA replaces the Public Procurement Directives." No. CADA complements them. The Directives govern the procedure and financial thresholds; CADA governs the sovereignty and security standards of the services procured. Both apply concurrently.

"CADA introduces new financial thresholds for cloud services." No. CADA contains no financial thresholds. The triggers for public procurement procedures remain exclusively those set by Directive 2014/24/EU and Directive 2014/25/EU.

"Small-value contracts are exempt from CADA sovereignty rules." No. CADA's obligations for public sector bodies are based on the criticality of the activity (public order relevance), not the contract value. A small contract for a critical defence system still requires a high-assurance level service (Level 2, 3, or 4).

"Union added value criteria can be the deciding factor in an award." No. Article 32(2) explicitly states that non-price award criteria related to European added value must be "ancillary and not decisive." Technical and financial criteria directly connected to performance requirements must remain primary.

"If I use the Commission's procurement, I don't need to check assurance levels." No. While Article 39 provides deemed compliance for the procedure, the service procured must still meet the assurance level required by Article 30 for your specific activity. The Commission's procurement framework is designed to facilitate this, but the obligation to procure the correct level remains with the entity.

Related

• How does CADA relate to the 2014 Procurement Directives?
• How does CADA procurement affect public administration IT buyers?
• How does CADA affect AI system procurement specifically?
• Does CADA replace the 2014 Procurement Directives? Sovereignty vs. Procedure
• Will small public bodies be able to afford CADA procurement fees?

This is general information about a draft EU regulation, not legal advice.