Does CADA favour EU startups over non-EU AI providers?

Summary As proposed, the Cloud and AI Development Act (CADA) does not explicitly ban non-EU AI providers or mandate a preference for EU startups in a way that violates international trade rules. Instead, it establishes a sovereignty framework requiring public authorities to procure cloud services meeting specific "Union assurance levels" based on risk assessments. Crucially, Article 32 mandates that contracting authorities include "Union added value" criteria—such as using hardware or software designed in the EU—but explicitly requires these criteria to be "ancillary and not decisive" in the award of the contract. While this creates a procurement signal favouring EU supply chains, Recital 64 clarifies that the Union maintains an open market subject to international commitments, including the WTO Government Procurement Agreement (GPA), limiting restrictions to what is necessary and proportionate to protect public order.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, seeks to address the Union's dependence on non-European cloud and AI providers. A central question for legal counsel and market participants is whether the Act constitutes protectionism that unfairly advantages EU-based startups over non-EU providers. The text reveals a nuanced architecture: it uses procurement as a strategic lever to strengthen the European ecosystem while embedding strict legal safeguards to ensure compliance with international trade obligations.

The Procurement Signal: Article 32 and Union Added Value

The primary mechanism through which CADA signals a preference for European supply chains is Article 32, titled "Union added value." This article introduces a mandatory requirement for public procurement procedures involving innovative cloud computing services and AI systems.

Under Article 32(1), contracting authorities "shall include, as part of the quality evaluation of the tender, non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem."

Article 32(3) specifies the exact dimensions of this evaluation. Contracting authorities must assess the extent to which:

• The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The tenderer has integrated technologies developed in the Union, including research and development results stemming from Union-funded programmes.
• The innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
• The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

However, the proposal places a critical legal constraint on the weight of these criteria. Article 32(2) stipulates that these non-price award criteria must be:

• Linked to the subject matter of the contract.
• Not conferring unrestricted freedom of choice on the contracting authority.
• Expressly set out in the procurement documents or in the contract notice.
• "Ancillary and not decisive in the award of the contract."

This "ancillary and not decisive" requirement is the legal firewall preventing CADA from becoming a blanket protectionist measure. It means that while an EU startup using EU-designed components may receive bonus points, a non-EU provider can still win the contract if their technical and financial offer is superior. The proposal reinforces this in Recital 67, which states: "The criterion relating to European added value should not be decisive for award of the contract and should be applied in a manner that preserves the primacy of technical and financial criteria directly connected to the performance requirements."

Recital 67 further provides a quantitative guide, noting that contracting authorities "could consider a maximum weighting of 15 out of 120 points to be allocated to European added value within the overall evaluation methodology." This ensures that the "Union added value" factor remains subordinate to core contract award criteria.

The Sovereignty Framework: A Higher Barrier for High-Risk Sectors

Beyond the "added value" criteria, CADA introduces a Union cloud computing sovereignty framework with four assurance levels (Article 16). This framework creates a more significant barrier to entry for non-EU providers in specific high-risk sectors.

Public sector bodies must conduct risk assessments (Article 29) to determine the required assurance level. For activities identified as contributing to the preservation of public order—such as national security, defence, justice, or law enforcement—Article 30(3) mandates that contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4."

The criteria for these levels, detailed in Annex II, are stringent regarding establishment and control:

• Level 2: Requires the provider and subcontractors to be established in the Union, with infrastructure, assets, and personnel located in the Union.
• Level 3: Adds requirements for personnel to be Union citizens (conditional on public body requirements) and imposes strict controls on third-country influence.
• Level 4: Requires a "high" level of European cybersecurity certification and prohibits third-country control entirely, with no derogation possible.

For non-EU providers, qualifying for these levels is challenging. Article 18 allows for a derogation for Level 3 only if the Commission adopts an implementing act recognising a third country as providing sufficient assurances. This requires the third country to have no laws compelling data access or service disruption and to maintain an open market to Union services. Without such a recognition, a non-EU provider is effectively excluded from public contracts deemed critical to public order.

International Obligations: WTO GPA Limits and Public Order

The proposal is explicitly designed to operate within the bounds of international trade law. Recital 64 addresses the Union's commitment to the World Trade Organization Agreement on Government Procurement (GPA). It states: "The Union maintains an open and non-discriminatory framework for market access, in accordance with the TFEU and subject to international commitments. Those include commitments under the World Trade Organization (WTO) Agreement on Government Procurement (GPA)..."

However, Recital 64 also invokes the public order exception. It notes that "under Article III:2(a) of the WTO GPA, the Union retains the right... to adopt or maintain measures necessary to protect public morals, order or safety." The proposal argues that "identifying and addressing risks such as critical dependencies, unauthorised access to Union data, technology leakage, sabotage and espionage by third-country actors is fundamental for preserving Union public order."

Consequently, the restriction of public procurement to Union-assured services is framed not as discrimination, but as a "necessary and proportionate" measure to protect public order. This legal framing is essential for the proposal's validity under international law. It distinguishes between general market access (where the GPA applies fully) and specific public-order-relevant procurements (where the public order exception may apply).

For general public sector activities not identified as contributing to public order, Article 30(2) requires a minimum of Union assurance level 1. Level 1 criteria (Annex II) are less restrictive regarding establishment, allowing for providers established in the Union but potentially with more flexible data localisation rules, though still requiring that customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise.

Impact on Startups and SMEs

While the sovereignty framework may appear to favour large EU incumbents with the resources to meet complex compliance requirements, CADA includes specific measures to support startups and SMEs.

Article 33 requires Member States to monitor their procurement of innovation and pursue the objective that "at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs." This creates a direct incentive for public authorities to engage with EU startups, provided they can meet the baseline sovereignty requirements.

Furthermore, the proposal promotes open source solutions (Article 41) and the reuse of software developed by public sector bodies (Article 42), which can lower barriers to entry for startups building on public assets. The establishment of the EuroCloud Federation (Article 34) also aims to facilitate the sharing of public sector data centre services, potentially providing startups with access to infrastructure they might not otherwise afford.

What this means for you

For in-house counsel and compliance officers at non-EU AI and cloud providers, CADA presents a complex strategic landscape.

1. Assess Eligibility for Union Assurance Levels: Determine if your services can meet the criteria for Union assurance level 1. If you target high-risk public sector contracts (national security, defence, etc.), you will likely need to qualify for levels 2, 3, or 4. This may require establishing a separate legal entity in the EU, locating infrastructure and personnel exclusively in the EU, and ensuring no third-country control over operations.
2. Review Procurement Strategies: Understand that "Union added value" will be a factor in tenders. While Article 32(2) ensures these criteria are "ancillary and not decisive," they can tip the balance in close competitions. Consider partnering with EU-based firms or integrating EU-developed technologies to strengthen your bid's added value score.
3. Monitor Third-Country Recognition: Keep a close watch on Commission decisions regarding third-country recognition under Article 18. If your home country is not recognised as providing sufficient safeguards, your providers may be excluded from higher assurance levels. Engage with your government to ensure it meets the criteria for adequacy and non-interference.
4. Prepare for Risk Assessments: Public sector buyers will conduct risk assessments (Article 29) to determine the required assurance level. Be prepared to demonstrate how your services mitigate risks related to data access, service disruption, and third-country influence.
5. Leverage SME Targets: If you are an innovative SME, ensure your value proposition highlights your contribution to the European ecosystem. Article 33 mandates a 25% target for SMEs, which could provide a significant advantage if you can demonstrate compliance with the baseline sovereignty requirements.

Common misconceptions

"CADA bans non-EU providers from the EU market." This is incorrect. CADA does not ban non-EU providers. It requires public sector bodies to procure services meeting specific sovereignty standards. Non-EU providers can still compete, particularly for lower-risk contracts or if they can meet the stringent criteria for Union assurance levels through local establishment and operational separation.

"Union added value criteria are decisive for winning contracts." This is a misconception. Article 32(2) explicitly states that these criteria must be "ancillary and not decisive." They are one factor among many, and a superior technical or financial offer from a non-EU provider can still win the contract. Recital 67 reinforces this by suggesting a maximum weighting of 15 out of 120 points.

"CADA violates WTO GPA obligations." The proposal argues that its measures are justified under the public order exception of the WTO GPA. By framing sovereignty requirements as necessary to protect public order against risks like unauthorised data access and service disruption, the EU seeks to maintain compliance with its international commitments while pursuing strategic autonomy. Recital 64 explicitly cites Article III:2(a) of the WTO GPA as the legal basis for these measures.

"Only large EU incumbents will benefit." While large incumbents may have an easier time meeting complex sovereignty requirements, CADA includes specific targets for SME procurement (Article 33) and promotes open source and public sector software reuse, which can benefit agile EU startups.

Related

• How does CADA reduce research dependence on non-EU cloud providers?
• When can AI startups start benefiting from CADA support?
• What sovereign-cloud market opportunity does CADA create for startups?
• What CADA compliance burden do AI startups face?
• How does CADA reduce cloud costs and lock-in for startups?

This is general information about a draft EU regulation, not legal advice.