Summary

Yes. As proposed, the Cloud and AI Development Act (CADA) would apply to Union institutions, bodies, offices, and agencies, collectively defined as "Union entities" in Article 2(7). These entities would be subject to core sovereignty and procurement obligations alongside national public-sector bodies, including risk assessments for cloud services (Article 29), a baseline requirement for Union assurance level 1 (Article 30), and the promotion of open-source solutions. They could also participate, on a voluntary basis, in the proposed EuroCloud Federation to share computing resources.

Detail

As proposed, CADA aims to strengthen the EU's cloud and AI ecosystem by reducing dependencies on third-country providers and enhancing technological sovereignty. A core part of this framework is its application to the EU's own administrative structures. Under Article 2(7), CADA defines "Union entities" as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community."

By explicitly including these bodies in scope, the proposal is designed so that the EU leads by example, adhering to the same standards it expects from Member States. The obligations placed on Union entities appear across the proposal's autonomy provisions, covering risk assessment, public procurement, and open-source promotion.

Risk Assessments and Assurance Levels

Under Article 29, Union entities (together with Member States) would carry out risk assessments to determine the cloud computing sovereignty required for their activities. As proposed, these assessments would be conducted:

  • By one year after entry into force, and
  • Thereafter every two years, or whenever necessary.

Their purpose would be to identify public-sector activities that contribute to the preservation of public order — particularly in sectors falling under Annex I or II of the NIS2 Directive, and in national security, internal security, external border management, defence, justice or law enforcement — and to determine which Union assurance level (2, 3, or 4) is appropriate. Where Union entities and Member States share responsibilities, they may, where appropriate, consider carrying out the assessment jointly.

Article 30 would translate these assessments into procurement mandates:

  • Baseline: Union entities whose activities have not been identified as contributing to the preservation of public order would have to use cloud computing services recognised as having Union assurance level 1.
  • Higher assurance: Where activities are identified as contributing to public order, contracting authorities (including those acting on their behalf) would only procure services recognised as offering Union assurance level 2, 3, or 4.

This is intended so that even standard administrative functions within EU bodies are not hosted on infrastructure lacking a baseline of EU-aligned sovereignty guarantees, while sensitive operations receive enhanced protection.

Promotion of Open Source

As proposed, CADA would emphasise open source as a lever for sovereignty. Article 41 would require the Union and Member States to take the necessary measures to encourage Union entities and public-sector bodies to use and facilitate the reuse of open standards and components released under an open-source licence when building their cloud and AI stack — taking into account functionalities, security, total cost, and other duly justified criteria. This is intended to reduce vendor lock-in, support auditability, and lower costs.

Furthermore, Article 42 would provide that when a Union entity or public-sector body makes software it owns available for reuse under an open-source licence, it must do so using a catalogue or repository connected to the EU Open Source Solutions Catalogue (EU OSS Catalogue) maintained by the Commission under Article 43. This is designed to centralise access to reusable public-sector software and reduce duplication across the EU administration.

Participation in the EuroCloud Federation

To optimise resource usage, Article 34 would establish the European public sector cloud federation (EuroCloud Federation), open to the voluntary participation of Union entities and public-sector bodies, which may request the Commission to join.

The EuroCloud Federation would facilitate the sharing of public-sector data centre services and cloud computing services. Article 35 sets out the conditions for this sharing, allowing a "sharing entity" to provide services to a "using entity" within the federation where it owns the underlying hardware. This would enable Union entities to leverage capacity from other public-sector bodies. The Commission would establish a platform for the federation (including a catalogue and a service platform) and specify the participation procedure by implementing acts.

What this means for you

For procurement officers and IT leaders within EU institutions, agencies, and bodies, CADA would introduce a structured, compliance-driven approach to cloud and AI procurement.

  1. Conduct Risk Assessments: Initiate risk assessments for your organisation's cloud usage by one year after entry into force (Article 29). The outcome would dictate whether you can use standard level 1 services or require stricter level 2-4 services because of the public-order relevance of your activities.
  2. Update Procurement Specifications: Align tender documents with the Union assurance levels. For non-critical activities, require services recognised at level 1; for public-order activities, restrict tenders to level 2, 3, or 4 services.
  3. Prioritise Open Source: Review software development and procurement strategies to favour open-source solutions. If your entity releases software for reuse, make it available via a catalogue connected to the EU OSS Catalogue (Articles 42-43).
  4. Explore EuroCloud Federation: Evaluate whether your entity has capacity to share via the EuroCloud Federation, or could benefit from accessing shared capacity from other public-sector bodies.

Common misconceptions

  • "Union entities are exempt from sovereignty rules." Incorrect. As proposed, CADA explicitly includes Union entities in scope (Article 2(7)). They would be subject to the same risk-assessment and assurance-level requirements as national public-sector bodies.
  • "All Union entities must use Level 4 services." Incorrect. The framework is risk-based. Most administrative activities would only require Union assurance level 1. Higher levels (2-4) would be reserved for activities identified as contributing to the preservation of public order, such as those in security or justice.
  • "Open source is mandatory for all software." Incorrect. Article 41 would have the Union and Member States encourage open-source use; it is not an absolute mandate for every piece of software. However, under Article 42, if you do make software available for reuse, it must be done through a catalogue connected to the EU OSS Catalogue.

This is general information about a draft EU regulation, not legal advice.