Does CADA procurement apply to data centre services too?

Summary Yes, as proposed, the Cloud and AI Development Act (CADA) procurement framework extends to data centre services, but the mechanism differs significantly from cloud services. While Article 30 mandates specific "Union assurance levels" strictly for cloud computing services procured for exclusive use, Chapter IV explicitly empowers the Commission to act as a central purchasing body for data centre services, cloud computing services, software, and AI systems. Therefore, data centre services are not subject to the mandatory sovereignty assurance levels of Article 30 but are fully eligible for the voluntary joint procurement mechanisms coordinated by the Commission under Article 39.

Detail

The proposed CADA (COM(2026) 502 final) establishes a dual-track procurement regime. One track imposes mandatory sovereignty requirements on public bodies for specific services, while the other creates a voluntary framework for the Commission to aggregate demand across the Union. Understanding whether data centre services fall under these regimes requires a precise reading of the definitions and scopes in Article 30 and Chapter IV.

Article 30: The Mandatory Sovereignty Track for Cloud Only

Article 30 establishes the core obligation for contracting authorities and Union entities regarding the procurement of cloud services. The scope of this article is explicitly limited. Article 30(1) states:

"This Article applies to contracting authorities that procure cloud computing services for their exclusive use."

The article mandates that these authorities procure services recognized under the Union assurance levels. Specifically:

• Article 30(2) requires a minimum of Union assurance level 1 for activities not identified as contributing to public order.
• Article 30(3) requires Union assurance levels 2, 3, or 4 for activities identified as contributing to the preservation of public order (e.g., law enforcement, defence, national security).

Crucially, the text of Article 30 refers exclusively to "cloud computing services." It does not list "data centre services" in its operative provisions. The definition of "cloud computing service" in Article 2(1) references Directive (EU) 2022/2555 (NIS2), defining it as a digital service enabling "on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources."

Consequently, the mandatory procurement of "bare-metal" data centre infrastructure, colocation services, or physical hosting facilities does not trigger the Union assurance level requirements of Article 30. These services fall outside the strict sovereignty procurement mandate, even though they are critical infrastructure.

Chapter IV: The Commission's Central Purchasing Power

In contrast, Chapter IV of the proposal (titled "Procurement of data centre services, cloud computing services, software and AI systems by the Commission") establishes a broader scope for joint procurement. This chapter is designed to allow the Commission to act as a central purchasing body to leverage collective buying power.

Article 37(1) grants the Commission the authority to carry out procurement activities for itself, Union entities, and contracting authorities of Member States. The scope of these activities is explicitly defined in Article 37(3), which states that the Commission may act as a central purchasing body by:

"(a) procuring data centre services, cloud computing services, software and AI systems on behalf of, or in the name of, one or more contracting authorities of Member States and partner organisations selected by the Commission..."

This explicit inclusion of "data centre services" alongside cloud computing services confirms that data centres are a primary target for the Commission's joint procurement efforts. Under Article 39(1), a participating entity that acquires these services through the Commission is deemed to have fulfilled its obligations under applicable Union public procurement law.

The Legislative Distinction

The separation of data centre services from the mandatory Article 30 regime reflects a deliberate legislative choice. The sovereignty framework (Title IV, Chapter I) focuses on the control of data processing, the location of infrastructure, and the citizenship of personnel to prevent third-country interference. While data centres provide the physical location, the "cloud computing service" definition in CADA focuses on the virtualized, elastic, and on-demand nature of the resource.

By placing data centre services in Chapter IV rather than Article 30, the proposal treats them as a commodity where the primary goal is market efficiency, cost reduction, and strategic capacity building (via the Commission's aggregation), rather than the strict, mandatory sovereignty compliance required for the actual processing of sensitive public data in the cloud. Data centre services are thus integrated into the market-shaping mechanisms of the Act without being subjected to the rigid assurance-level procurement mandates that apply to cloud services.

What this means for you

For public-sector procurement officers and legal counsel, this distinction dictates the compliance path for different infrastructure tenders.

1. Mandatory Sovereignty Checks (Article 30)

If your organization is procuring cloud computing services (IaaS, PaaS, SaaS) for exclusive use:

• You must conduct a risk assessment under Article 29 to determine if the activity contributes to public order.
• If it does, you must procure only from providers recognized at Union assurance levels 2, 3, or 4.
• If it does not, you must procure at least Union assurance level 1.
• Data centre services (e.g., colocation, physical rack space) do not trigger these mandatory assurance level requirements under Article 30.

2. Voluntary Joint Procurement (Chapter IV)

If your organization needs data centre services:

• You cannot rely on Article 30 to force a specific sovereignty level.
• However, you can participate in the Commission's central purchasing activities under Chapter IV.
• By joining the framework contracts or dynamic purchasing systems established by the Commission under Article 39, you can access data centre services that have been aggregated and negotiated at the EU level.
• Participation is voluntary, but Article 39(1) ensures that purchasing through the Commission satisfies your public procurement obligations.

3. Strategic Planning

When designing your digital infrastructure strategy, you may need to split your procurement:

• Cloud Layer: Procure sovereign cloud services separately, ensuring compliance with Article 30 and the relevant assurance levels.
• Physical Layer: Procure data centre services either through national procedures or, preferably, through the Commission's joint procurement framework to benefit from economies of scale.
• Monitoring: Keep an eye on the Commission's procurement platform for available data centre service contracts, as these will be the primary mechanism for EU-wide data centre procurement under CADA.

4. Compliance Nuance

While data centre services are exempt from Article 30's assurance levels, they are not exempt from all CADA obligations. If you are a data centre operator, you may be subject to the acceleration zone and strategic project provisions in Title III, which aim to simplify permitting and deployment. Additionally, if the data centre services support AI systems, broader ecosystem requirements may still apply.

Common misconceptions

"Data centre services are subject to Union Assurance Levels." This is incorrect under the current proposal. Article 30 mandates assurance levels only for "cloud computing services." Data centre services are excluded from this specific mandatory procurement rule. While they are critical infrastructure, the mandatory sovereignty procurement obligation applies to the service of cloud computing, not the physical facility itself, unless the facility is bundled into a cloud service definition.

"Chapter IV replaces national procurement rules entirely." Participating in the Commission's joint procurement does not automatically exempt you from all national procurement laws for all purchases. Article 39(1) states that a participating entity is deemed to have fulfilled its obligations under applicable Union public procurement law only when it acquires supplies or services through the Commission. You must still adhere to the terms of the Commission's agreement and ensure your participation is properly documented. For purchases made outside this framework, national rules apply.

"Cloud computing services includes all data hosting." The definition of "cloud computing service" in CADA (referencing NIS2) requires "on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources." Simple data hosting, colocation, or physical rack space in a data centre does not necessarily meet this definition. Therefore, do not assume that all IT infrastructure procurement falls under Article 30. Carefully classify your services to determine if they are cloud computing services or data centre services.

Official sources

• Data Act (Regulation (EU) 2023/2854)

Related

• CADA Article 33: How often must Member States report innovation procurement data?
• CADA Article 33: How Member States Report Innovation Procurement Data
• CADA vs Data Act: How Procurement and Switching Work Together
• How does CADA change public procurement of cloud services?
• Does CADA procurement apply to Union institutions and bodies?

This is general information about a draft EU regulation, not legal advice.