Summary
As proposed, the Cloud and AI Development Act (CADA) does not automatically void existing cloud contracts held by public bodies. Article 30 primarily governs new procurement procedures for cloud computing services used exclusively by a contracting authority. However, the status of an existing contract is not static. If a contract is renewed, significantly amended, or if a mandatory risk assessment under Article 29 determines that the current service no longer meets the required sovereignty level for preserving public order, the public body must transition to a compliant service. Crucially, Article 29(6) mandates a migration transition period of no more than 12 months once a risk assessment requires a change in assurance level.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous framework for cloud sovereignty in the public sector. Its application to existing contracts is governed by the interplay between the procurement obligations in Article 30 and the dynamic risk-assessment mechanism in Article 29. The proposal distinguishes clearly between the act of procuring and the continued use of services, while imposing strict timelines for alignment when risks are identified.
The Scope of Article 30: Procurement vs. Usage
Article 30 sets the binding rules for public procurement of cloud computing services. The text explicitly states that this Article "applies to contracting authorities that procure cloud computing services for their exclusive use." This phrasing is legally significant for public-sector officers managing legacy contracts. The provision targets the procurement phase (defined as new tenders, contract awards, or significant renewals) rather than the mere continued operation of a service under a contract awarded prior to CADA's entry into force.
The assurance level required depends on the nature of the activity being supported:
- Article 30(2): Public sector bodies whose activities have not been identified as contributing to the preservation of public order must use services recognized at Union assurance level 1.
- Article 30(3): Contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., national security, internal security, defence, justice, law enforcement) must only procure services recognized at Union assurance levels 2, 3, or 4.
Consequently, an existing contract awarded before CADA's application date is not immediately illegal. However, the moment that contract comes up for renewal, or if the authority seeks to significantly amend the scope, it becomes a new procurement activity subject to Article 30. At that point, the authority cannot award a contract to a provider that fails to meet the assurance level dictated by the current risk assessment.
The Trigger: Article 29 Risk Assessments
The requirement to procure specific assurance levels is not a one-time check; it is driven by the recurring risk assessments mandated by Article 29. Member States and Union entities must carry out risk assessments to:
- Identify public sector activities that contribute to the preservation of public order.
- Determine the appropriate Union assurance level (2, 3, or 4) for those activities.
For an existing contract, the critical variable is the outcome of the most recent Article 29 assessment. If a public body's risk assessment concludes that a specific activity requires Union assurance level 3, but the existing contract is with a provider recognized only at level 1, a compliance gap emerges. While the contract may technically remain valid until its natural expiry, the public body is effectively barred from renewing it under Article 30(3).
More importantly, Article 29(6) provides a specific mechanism for immediate transition when a risk assessment identifies a gap: "Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."
This 12-month clock starts when the risk assessment determines that the current service is insufficient. It overrides the remaining term of an existing contract if that term exceeds the transition period, effectively forcing a migration to a compliant provider to safeguard public order.
Transition, Renewal, and Derogations
CADA creates a "cliff edge" for renewals and significant amendments. If an existing contract is up for renewal, the new procurement procedure must fully comply with Article 30. This means tender documents must explicitly specify the required Union assurance level based on the Article 29 risk assessment.
However, the proposal acknowledges practical constraints through Article 30(4), which allows for derogations on an exceptional basis where duly justified. A contracting authority may decide not to procure a recognized service if:
- The subject matter cannot be supplied by recognized services available in the central repository (Article 22), and no adequate alternative exists.
- The authority launched a similar process in the previous year but received no suitable tenders.
- Applying the requirements would require the authority to procure services at disproportionate cost.
These exceptions are narrow. Public bodies cannot rely on them to indefinitely maintain non-compliant contracts if compliant European alternatives are available in the central repository. The burden of proof for "disproportionate cost" or "lack of alternatives" rests heavily on the contracting authority.
Union Added Value and Innovation
Beyond the baseline assurance levels, Article 32 requires contracting authorities to include "Union added value" criteria in public procurement procedures for innovative cloud services and AI systems. While this applies primarily to new procurements, it influences how existing contracts might be structured if they involve innovation components. Public bodies must evaluate the tenderer's contribution to strengthening the EU digital supply chain, including the use of hardware or software designed or manufactured in the Union. This adds a layer of strategic procurement that goes beyond simple sovereignty compliance.
What this means for you
As a public-sector procurement officer or legal counsel, you must take immediate steps to align your current cloud portfolio with CADA's proposed requirements. The "grandfathering" of existing contracts is limited by the 12-month migration rule and the renewal trigger.
- Map Existing Contracts to Risk Assessments: Immediately review your organization's Article 29 risk assessment. Identify which cloud services are used for activities contributing to public order preservation. Cross-reference these with the Union assurance level of your current providers. If there is a mismatch (e.g., you need level 3 but have level 1), you must plan a migration within the 12-month transition period specified in Article 29(6).
- Prepare for Renewals: For any cloud contracts approaching renewal, ensure your tender specifications explicitly require the appropriate Union assurance level. You cannot award a new contract to a provider that does not meet the level determined by your risk assessment, unless a derogation under Article 30(4) is justified and documented.
- Monitor the Central Repository: Use the central repository of recognized services (Article 22) to verify the status of your current providers and identify compliant alternatives. This repository will be the primary source of truth for which services are eligible for procurement.
- Plan for Data Portability: If migration is required, begin assessing the technical feasibility and data portability requirements now. The 12-month transition period is strict, and delays could jeopardize service continuity or lead to non-compliance.
- Engage with National Competent Authorities: Since the recognition of assurance levels is handled by national competent authorities (Article 17), maintain open lines of communication with your national authority to understand the recognition status of your current providers and any upcoming changes to the list of recognized services.
Common misconceptions
"CADA forces us to cancel all existing cloud contracts immediately." This is incorrect. CADA applies to procurement activities. Existing contracts can continue until they are renewed or until a risk assessment mandates migration. However, you cannot renew a non-compliant contract without justification, and a risk assessment can trigger a mandatory migration within 12 months.
"We can keep our current non-EU provider if we have a long-term contract." Long-term contracts do not exempt public bodies from CADA obligations. If the contract is renewed or significantly amended, it becomes a new procurement subject to Article 30. Additionally, if a risk assessment determines that the current service level is insufficient for public order preservation, migration is mandatory regardless of the contract term, per Article 29(6).
"Article 30 only applies to large-scale government clouds." Article 30 applies to all contracting authorities procuring cloud computing services for their exclusive use, regardless of size. The scale of the service does not exempt the public body from the sovereignty requirements, though the required assurance level is determined by the risk assessment of the specific activity.
"We can ignore Union assurance levels if we use multi-cloud strategies." While Article 29(9) encourages considering multi-vendor or multi-cloud strategies to enhance resilience, this does not allow public bodies to bypass the minimum assurance level requirements. Each service used must meet the appropriate Union assurance level for the specific activity it supports.
This is general information about a draft EU regulation, not legal advice.