Summary
The proposed Cloud and AI Development Act (CADA) establishes binding legal obligations for public procurement, moving decisively beyond non-binding guidance. As proposed, Article 30 mandates minimum Union assurance levels for all public cloud contracts based on risk assessments, while Article 32 requires contracting authorities to include specific non-price award criteria for innovative cloud and AI purchases to foster European ecosystem development. Furthermore, Article 33 imposes binding monitoring and reporting duties on Member States, establishing a legally mandated objective to award at least 25% of relevant cloud and AI procurement to innovative SMEs. These provisions create direct statutory duties for Member States, Union entities, and contracting authorities.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a fundamental shift in EU public procurement policy. It transitions the regulatory landscape from voluntary best practices and soft law instruments to a framework of enforceable statutory requirements. For in-house counsel, compliance officers, and procurement specialists, the critical distinction is that CADA's procurement provisions are codified in the enacting articles of the Regulation proposal, creating direct legal duties that must be integrated into national procurement strategies and tender procedures.
1. Binding Minimum Assurance Levels (Article 30)
Article 30 of the CADA proposal establishes mandatory procurement requirements that are directly linked to the sovereignty risk assessments conducted under Article 29. This is not advisory guidance; it dictates the minimum technical and sovereignty standards public bodies must enforce when purchasing cloud computing services. The article uses mandatory language ("shall use," "shall only procure"), leaving no discretion for contracting authorities to ignore the sovereignty framework once a risk assessment is complete.
- Baseline Requirement: Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must procure cloud computing services that have been recognised under Article 17 as having Union assurance level 1. This establishes a Union-wide baseline of safeguards for the public sector.
- High-Risk Requirement: Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order (specifically in sectors falling under Annex I or II of Directive (EU) 2022/2555, and in areas of national security, internal security, external border management, defence, justice, or law enforcement) must only procure cloud computing services that have been recognised as having Union assurance levels 2, 3, or 4.
These obligations are conditional on the risk assessment outcome. If a Member State or Union entity determines that an activity contributes to public order, the procurement of lower assurance levels becomes legally impermissible. The article does provide for derogations in exceptional circumstances under Article 30(4), such as when the subject matter cannot be supplied by recognised services, no adequate alternative exists, or compliance would require disproportionate cost. However, these exceptions are narrowly defined, require due justification, and do not negate the general binding nature of the rule.
2. Mandatory Non-Price Criteria for Innovation (Article 32)
Article 32 introduces a specific, mandatory obligation for procurement procedures involving innovative cloud computing services and AI systems. The text explicitly states that contracting authorities shall include, as part of the quality evaluation of the tender, non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.
These criteria are not optional "nice-to-haves" or discretionary elements; they are statutory requirements for innovation procurements. Article 32(3) specifies that these non-price criteria must enable contracting authorities to evaluate the extent to which:
- The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
- The tenderer has integrated technologies developed in the Union, including research and development results stemming from Union-funded programmes.
- The innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
- The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.
Crucially, Article 32(2) imposes strict constraints on how these criteria are applied to ensure they remain proportionate and do not distort competition. The criteria must be:
- Linked to the subject matter of the contract.
- Not conferring unrestricted freedom of choice on the contracting authority.
- Expressly set out in the procurement documents or in the contract notice.
- Ancillary and not decisive in the award of the contract.
This last point is vital: while the EU-added-value criteria must be present and scored, the primary award criteria must remain linked to the contract's performance requirements (technical and financial quality). The non-price criteria cannot be the sole or deciding factor in the award decision.
3. Binding Monitoring, Reporting, and the 25% SME Objective (Article 33)
Article 33 shifts the focus to oversight, strategic targets, and the promotion of SME participation. It imposes binding monitoring and reporting obligations on Member States regarding their use of procurement for innovation in cloud and AI.
- Reporting Duties: Under Article 33(1) and (3), Member States must monitor and report annually to the Commission on their use of procurement of innovation. This reporting must include data on the size of economic operators participating, SME participation trends (including the number of contracts awarded to SMEs and their share of total contract value), and measures taken to improve SME access to public procurement procedures.
- The 25% Target: Article 33(4) states that Member States shall pursue as an objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs.
While the word "objective" suggests a target rather than a strict per-contract quota, the use of "shall pursue" creates a binding duty on Member States to actively work toward this goal. This is reinforced by Article 33(4), which requires Member States to include plans on how they intend to achieve this objective in their national cloud and AI strategies (as required by Article 7). Failure to pursue this objective, or to include a plan for it in the national strategy, could be viewed as non-compliance with the Regulation's broader goals, potentially triggering scrutiny during Commission reviews and evaluations.
What this means for you
For in-house counsel, compliance officers, and procurement professionals, CADA transforms procurement from a purely commercial exercise into a rigorous regulatory compliance checkpoint. The implications are immediate and actionable:
- Audit Your Current Contracts and Risk Assessments: Review existing cloud contracts against the risk assessment requirements of Article 29. If your authority handles data or performs activities identified as contributing to the preservation of public order, ensure your current provider holds Union assurance level 2, 3, or 4. If not, you face a mandatory migration path. Article 29(6) stipulates that where migration to another cloud computing service is required, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months.
- Update Procurement Templates for Innovation: Draft new tender documents for innovative cloud and AI services to explicitly include the non-price criteria mandated by Article 32. Ensure these criteria are clearly separated from and subordinate to the core technical/financial performance criteria. Your evaluation methodology must demonstrate that the EU-added-value criteria are ancillary and not decisive, as required by Article 32(2)(d), to avoid legal challenges regarding unrestricted freedom of choice or distortion of competition.
- Implement Tracking Mechanisms for SMEs: Set up internal reporting systems to track SME participation in cloud and AI procurements. You will need to provide annual data to your national authority for reporting to the Commission under Article 33(3). Document all measures taken to facilitate SME access (e.g., division into lots, simplified procedures), as this evidence will be crucial for demonstrating compliance with the "pursuit" of the 25% objective.
- Prepare for National Strategy Alignment: Ensure your procurement strategies align with your Member State's national cloud and AI strategy. Under Article 7, these national strategies must include measures to support the deployment of data centre capacity and, under Article 33(4), specific plans for achieving the 25% SME procurement objective. Procurement officers must be aware that their local actions contribute to a national metric that the Commission will monitor.
Common misconceptions
"CADA is just guidance for public buyers." Incorrect. The use of "shall" in Articles 30, 32, and 33 creates binding legal obligations. These are not recommendations or soft law; they are statutory requirements that Member States must transpose and enforce. Non-compliance can lead to penalties under national laws transposing the Regulation's enforcement provisions (Title IV, Chapter I).
"The 25% SME target is a strict quota for every contract." Incorrect. Article 33(4) frames the 25% figure as an objective that Member States must "pursue." It is an aggregate target for national procurement strategies, not a mandatory threshold for individual tenders. However, authorities must demonstrate active efforts to reach it through their national plans and annual reporting.
"EU-added-value criteria can be the deciding factor in a bid." Incorrect. Article 32(2)(d) explicitly states that non-price award criteria related to EU added value must be ancillary and not decisive in the award of the contract. The primary award criteria must remain linked to the contract's performance requirements (technical and financial quality). Using EU-added-value as the sole or deciding factor would violate the Regulation.
"Article 30 allows for broad discretion to ignore sovereignty levels." Incorrect. While Article 30(4) provides for derogations, they are strictly limited to exceptional circumstances: (a) no adequate alternative exists in the central repository; (b) a similar procurement failed to receive suitable tenders; or (c) compliance would require disproportionate cost. These exceptions require "duly justified" decisions and do not allow for routine bypassing of the assurance levels.
This is general information about a draft EU regulation, not legal advice.