Summary
Yes. As proposed, the Cloud and AI Development Act (CADA) places direct obligations on public sector bodies, Union entities and contracting authorities. Under the proposal, public bodies whose activities are not identified as contributing to the preservation of public order would have to use cloud services recognised at Union assurance level 1, while those whose activities are so identified would be restricted to levels 2, 3 or 4 — based on mandatory risk assessments. Public buyers would also have to apply "Union added value" award criteria when procuring innovative cloud and AI services. CADA is a proposal (COM(2026) 502 final) and is not yet in force.
Detail
A central pillar of the CADA proposal is the regulation of public-sector procurement of cloud computing. As proposed, it would impose binding obligations on public bodies and contracting authorities to ensure that cloud supporting public functions is sovereign, secure and resilient.
Who is covered
CADA's definitions are set out in Article 2:
- Public sector body — defined in Article 2(6) by reference to Article 2(1) of Directive (EU) 2019/1024, broadly covering state, regional and local authorities and bodies governed by public law.
- Contracting authorities — defined in Article 2(22) by reference to Directive 2014/24/EU, covering the state, regional and local authorities, bodies governed by public law, and associations of such authorities or bodies.
- Union entities — defined in Article 2(7) as the Union institutions, bodies, offices and agencies.
Article 1 frames the Regulation's subject matter, which as proposed includes "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order" (Article 1(1)(c)) and "fostering the adoption of cloud computing services across the public sector" (Article 1(1)(e)).
Mandatory risk assessments (Article 29)
Before the procurement duties bite, public authorities must determine how sensitive their use is. Article 29(1) would oblige Member States and Union entities, by one year after entry into force and thereafter every two years (or whenever necessary), to carry out risk assessments that:
- identify public sector activities using cloud services that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in national security, internal security, external border management, defence, justice or law enforcement; and
- determine which Union assurance level — 2, 3 or 4 — is appropriate for those activities.
When assessing, Article 29(2) requires authorities to consider at least the sensitivity, criticality and magnitude of the data processed (including impact on public order and on data subjects' rights), the risk and impact of unlawful access by a third country, and the risk and impact of service disruption. The Commission would specify the methodology and templates by implementing acts (Article 29(3)).
Procurement obligations (Article 30)
The risk assessment outcome drives procurement rules under Article 30:
- Baseline — level 1. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognised under Article 17 as having Union assurance level 1.
- Critical activities — levels 2, 3 or 4. Under Article 30(3), contracting authorities whose activities have been so identified (in NIS2 sectors or in national security, internal security, external border management, defence, justice or law enforcement) must only procure services recognised as having Union assurance level 2, 3 or 4.
Article 30(4) allows limited derogations on an exceptional basis where duly justified — for example, where the subject matter cannot be supplied by any recognised service in the central repository and no reasonable alternative exists; where a similar procurement in the previous year drew no suitable tenders; or where applying the requirements would mean procuring at disproportionate cost.
Union added value criteria (Article 32)
Article 32(1) would require contracting authorities, in public procurement procedures for innovative cloud computing services and AI systems, to include — as part of the quality evaluation — non-price award criteria assessing the tenderer's contribution to a European cloud and AI ecosystem.
Under Article 32(3), those criteria must let authorities evaluate the extent to which the tenderer: strengthens the EU digital technology supply chain (including using software or hardware designed or manufactured in the Union); has integrated Union-developed technologies, including R&D results from Union-funded programmes; delivers innovation that strengthens security of supply; and delivers the service through critical computing, storage and networking hardware components designed and/or manufactured in the Union. Article 32(2) requires the criteria to be linked to the subject matter, expressly set out in the procurement documents, not to confer unrestricted freedom of choice, and to be "ancillary and not decisive" in the award. Recital 67 suggests authorities "could consider a maximum weighting of 15 out of 120 points" for European added value to keep it proportionate.
What this means for you
For public-sector procurement officers, CADA would turn cloud procurement into a structured, compliance-driven process rather than a purely commercial one.
- Engage with risk assessments. You would need to adhere to your Member State's or Union entity's risk assessment under Article 29 and document whether your specific use contributes to public order. If it does, level 1 would be off-limits and you would need a level 2, 3 or 4 service.
- Update tender documents. Future tenders should specify the required Union assurance level and integrate the Article 32 "Union added value" criteria into the quality evaluation.
- Verify recognition. Before awarding, you would check that the provider's service is recorded in the central repository the Commission maintains under Article 22 at the required assurance level.
- Plan for migration. Where a risk assessment requires moving to another service, Article 29(6) sets a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity and data portability.
Common misconceptions
- "CADA replaces the Public Procurement Directives." No. As proposed, it supplements them with sector-specific assurance-level requirements and award criteria layered on top of standard procedures.
- "Only high-security agencies are affected." No. Levels 2–4 are reserved for public-order activities, but all in-scope public bodies would have to procure at least Union assurance level 1 under Article 30(2).
- "EU added value criteria are optional." Under Article 32(1), contracting authorities "shall include" such criteria for innovative cloud and AI procurements, though they keep discretion over how to weight them within the bounds of Article 32(2).
- "CADA is already in force." No. It is a proposal (COM(2026) 502 final), not yet adopted by the Parliament and Council, and the text may change.
This is general information about a draft EU regulation, not legal advice.