Summary
No. As proposed, the Cloud and AI Development Act (CADA) does not apply only to the public sector. The most binding procurement rules target public authorities and Union entities, but the framework also directly regulates cloud computing service providers and data-centre operators, and it lets private entities in the high-criticality sectors of NIS2 Annex I carry out voluntary risk assessments. Public bodies would face mandatory assurance levels; private NIS2 entities have a voluntary route. CADA is a proposal and not yet in force.
Detail
A frequent assumption is that CADA is purely a public-procurement law. In fact its scope spans the cloud and AI value chain, distinguishing mandatory obligations for the public sector from voluntary or indirect ones for the private sector, alongside direct obligations on providers and operators.
Public sector: mandatory procurement rules
For public-sector bodies, Article 30 sets binding rules on which cloud services they may procure:
- Baseline: Union entities and public-sector bodies whose activities are not identified as contributing to the preservation of public order must use cloud services recognised as having at least Union assurance level 1 (Article 30(2)).
- Higher assurance for critical activities: Contracting authorities whose activities are identified as contributing to public order — in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in national security, internal security, external border management, defence, justice, or law enforcement — must only procure services recognised as having Union assurance level 2, 3, or 4 (Article 30(3)).
This creates a tiered, mandatory procurement system for the public sector.
Private sector: voluntary impact assessments
CADA does not impose the same mandatory procurement obligations on private companies, but it recognises that private critical-infrastructure entities face similar dependency and continuity risks. Article 31 allows entities referred to in Annex I of the NIS2 Directive that are not public-sector bodies to carry out assessments similar to the public-sector risk assessments under Article 29.
- Voluntary nature: under Article 31(1), these entities may carry out such assessments.
- Commission guidance: the Commission may issue guidance on methodology and mitigation measures for private entities in sectors of high criticality (Article 31(2)).
- Potential for mandatory measures: under Article 31(3), where duly justified and in consultation with Member States, the Commission may adopt delegated acts requiring impact assessments and risk-mitigation measures for non-public entities in sectors of high criticality. For now, the route is primarily voluntary.
Providers and data-centre operators: direct scope
CADA also directly regulates the supply side. Providers seeking to offer services to the public sector must obtain recognition under the assurance framework: conformity self-assessment for level 1 (Article 19) or independent third-party audits for levels 2–4 (Article 20), recognised under Article 17. Separately, Title III establishes the framework for accelerated data-centre deployment, obliging Member States to designate "data centre acceleration zones" (Article 10) and streamline permitting (Article 13). Data-centre operators are directly affected by these provisions.
What this means for you
For public-sector procurement officers, CADA adds a layer of due diligence. You would need to:
- Conduct risk assessments: Determine which activities contribute to public order (Article 29); this sets whether you procure level 1 or levels 2–4.
- Verify assurance levels: Procure only from services recognised in the central repository at the required level (Article 22).
- Plan for migration: Where your provider does not meet the required level, plan migration within a reasonable transition period not exceeding 12 months (Article 29(6)).
For private critical-infrastructure entities, while not mandated to procure specific assurance levels, you should consider the voluntary impact assessments under Article 31 to:
- identify and mitigate third-country dependency risks;
- align with public-sector standards, helping competitiveness for public-private work;
- prepare for possible future delegated acts requiring formal assessments for high-criticality sectors.
Common misconceptions
"CADA is only a public-procurement law." The mandatory procurement tiers are a headline feature, but CADA also sets the technical and audit criteria for cloud sovereignty (Annex II), creates the provider recognition mechanism (Articles 16–23), and establishes the data-centre deployment framework (Title III). Providers and operators are directly regulated.
"Private companies are exempt from all CADA rules." Private NIS2 entities are expressly addressed in Article 31, and any private provider wanting to sell to the public sector must meet the assurance and audit requirements. Ignoring CADA could mean losing access to the public-sector market.
"The private-sector route is purely advisory with no enforcement." Article 31 currently frames private-sector assessment as voluntary, but Article 31(3) empowers the Commission to adopt delegated acts requiring such assessments for high-criticality sectors where justified, so the burden could grow over time.
Related
- Does CADA apply to public sector bodies and contracting authorities?
- Why does CADA focus so heavily on the public sector?
- What does CADA mean for public-sector cloud buyers?
- How does CADA support the public sector's move to cloud?
- Who does the Cloud and AI Development Act (CADA) apply to?
This is general information about a draft EU regulation, not legal advice.