Summary
The proposed Cloud and AI Development Act (CADA) does not impose a blanket ban on non-European hyperscalers, but it structurally incentivizes public buyers to prefer sovereign, EU-aligned cloud services for critical operations. Under Article 30(3), public bodies whose activities contribute to the preservation of public order must procure cloud services recognised at Union assurance levels 2, 3, or 4. These levels impose strict criteria on infrastructure location, personnel citizenship, and third-country control. Furthermore, Article 32 empowers contracting authorities to include "Union added value" as a non-price award criterion, tilting competitive evaluations toward providers that strengthen the European digital ecosystem. This creates a de facto preference for sovereign options without explicitly prohibiting third-country providers who can meet the rigorous assurance standards.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a significant shift in how the European Union approaches public procurement of digital infrastructure. As proposed, the regulation aims to reduce the EU's critical dependence on a limited number of third-country cloud providers while ensuring the security of public data and operational continuity. For public-sector procurement officers, the most relevant mechanisms are found in Title IV of the proposal, specifically regarding the Union cloud computing sovereignty framework and procurement criteria.
The Sovereignty Framework and Public Order Requirements
CADA establishes a four-tier "Union assurance level" system (Levels 1 through 4) to categorize cloud computing services based on their sovereignty, security, and resilience characteristics. These levels are detailed in Annex II of the proposal and range from basic establishment requirements (Level 1) to stringent controls on data localization, personnel citizenship, and third-country influence (Levels 3 and 4).
The core mechanism driving procurement preferences is Article 30, which mandates specific assurance levels based on the nature of the public body's activities.
- Baseline Requirement (Level 1): Article 30(2) states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must, as a minimum, use cloud computing services recognised as offering Union assurance level 1. This ensures a baseline of trust and compliance across all public procurement.
- Public Order Requirement (Levels 2–4): Article 30(3) imposes stricter obligations on bodies dealing with sensitive or critical functions. It mandates that contracting authorities whose activities contribute to the preservation of public order—specifically in sectors listed in Annex I or II of the NIS2 Directive, as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement—shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4.
This provision effectively creates a market barrier for many non-European hyperscalers that cannot meet the stringent sovereignty criteria of Levels 2–4. For instance, Annex II requires that for Levels 2 and 3, the infrastructure, assets, and personnel must be located in the Union, and for Level 3, personnel must be Union citizens (unless a public body explicitly requires otherwise). Furthermore, Annex II generally prohibits providers subject to the control of a third country from achieving Level 3 or 4, unless the Commission has adopted a specific implementing act under Article 18 of the final text (referenced as Article 19 in some drafts) identifying that third country as providing sufficient assurances.
Consequently, public buyers in these critical sectors are compelled to prefer providers who can demonstrate these higher levels of sovereignty, which are often EU-based or have established substantial, legally separated EU entities that meet the "Union added value" criteria.
Union Added Value in Procurement
Beyond the mandatory assurance levels, CADA introduces tools to actively favor the European cloud and AI ecosystem during the evaluation phase of tenders. Article 32 outlines the use of "Union added value" criteria in public procurement procedures for innovative cloud computing services and AI systems.
Under Article 32(1), contracting authorities shall include, as part of the quality evaluation of the tender, non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. Article 32(3) specifies that these criteria should assess:
- The extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
- The integration of technologies developed in the Union, including research and development results stemming from Union-funded programmes.
- The delivery of the service using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.
Crucially, Article 32(2)(d) clarifies that these criteria must be "ancillary and not decisive in the award of the contract." This means that while public buyers can and should tilt the evaluation toward providers offering higher Union added value, they cannot use these criteria to exclude a technically superior or more cost-effective offer from a non-EU provider if that provider meets the mandatory assurance level requirements. The preference is a weighted advantage, not an automatic disqualification. The proposal suggests a maximum weighting of 15 out of 120 points for European added value to ensure proportionality.
Risk Assessments Drive the Preference
The obligation to procure Level 2–4 services is not arbitrary; it is tied to Article 29, which requires Member States and Union entities to conduct risk assessments. These assessments identify which public sector activities contribute to the preservation of public order. By linking procurement requirements to these risk assessments, CADA ensures that the preference for sovereign cloud is proportionate to the sensitivity of the data and the criticality of the service. Public buyers must therefore first determine the sensitivity of their operations before applying the stricter procurement rules of Article 30(3).
What this means for you
For public-sector procurement officers, CADA introduces a structured, risk-based approach to cloud sourcing that requires careful planning and documentation.
- Conduct Mandatory Risk Assessments: Before issuing any tender for cloud services, you must complete the risk assessment mandated by Article 29. Determine if your activities fall under the preservation of public order (e.g., justice, defence, critical infrastructure). This classification dictates your minimum assurance level requirement.
- Define Assurance Levels in Tenders: If your activities are classified as contributing to public order, your tender documents must explicitly require that bidders hold recognition for Union assurance levels 2, 3, or 4. You cannot accept bids from providers who only meet Level 1 criteria for these sensitive use cases.
- Utilize Union Added Value Criteria: In your evaluation methodology, incorporate the "Union added value" criteria from Article 32. Assign appropriate weight to factors such as the use of EU-designed hardware or software, and the strengthening of the EU supply chain. Ensure these criteria are clearly defined in the procurement documents to avoid legal challenges, remembering they must remain ancillary to technical and financial performance.
- Verify Recognition Status: Rely on the central repository of recognised cloud computing services (established under Article 22) to verify that bidders hold the necessary Union assurance level recognition. Do not accept self-declarations for Levels 2–4; require proof of independent audit and recognition by a national competent authority.
- Prepare for Transition: If you currently use non-compliant cloud services for critical functions, Article 29(6) provides a reasonable transition period (not exceeding 12 months) to migrate to compliant providers once a risk assessment determines a higher assurance level is needed.
Common misconceptions
"CADA bans US hyperscalers from the EU public sector." This is incorrect. CADA does not explicitly ban providers based on their country of origin. Instead, it bans services that do not meet specific sovereignty and security criteria. A non-European hyperscaler can still compete if it establishes a legally separate EU entity, locates all infrastructure and personnel within the Union, and undergoes independent audits to achieve Union assurance levels 2, 3, or 4. However, the cost and complexity of meeting these criteria—particularly the requirement for Union citizenship of personnel at Level 3 and the prohibition on third-country control at Level 4—may make it difficult for some third-country providers to compete effectively in the sovereign segment.
"Union added value allows public buyers to ignore price and quality." No. Article 32(2)(d) explicitly states that Union added value criteria are "ancillary and not decisive." Public buyers must still prioritize technical quality and financial viability. The Union added value serves as a tie-breaker or a weighted factor, not a substitute for core performance requirements.
"All public bodies must use Level 4 cloud services." No. The assurance level is proportional to the risk. Most general administrative activities will only require Level 1 or 2. Level 4 is reserved for the most sensitive data and critical operations, as determined by the national risk assessment under Article 29.
"CADA replaces the AI Act." No. The AI Act regulates the safety and fundamental rights of AI systems, while CADA regulates the infrastructure (cloud and data centres) beneath them. A public body deploying a high-risk AI system must comply with the AI Act for the system itself, and CADA for the cloud infrastructure hosting it.
This is general information about a draft EU regulation, not legal advice.