Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) applies to public universities because they qualify as "contracting authorities" and "public sector bodies" under EU law. Cloud computing services procured by these institutions must, subject to the narrow derogations in Article 30(4), meet at least Union assurance level 1 under Article 30(2). Where a Member State's risk assessment under Article 29 identifies a university activity (for example, certain research or operational functions) as contributing to the preservation of "public order," Article 30(3) requires services for that activity to carry a higher assurance level (2, 3, or 4) to safeguard data sovereignty and operational autonomy.

Detail

To understand how CADA affects public universities, it is necessary to first establish who falls under the scope of the regulation. CADA defines "public sector body" by referencing Article 2, point (1), of Directive (EU) 2019/1024. Public universities, as entities governed by public law and often controlled by the state or regional authorities, fall squarely within this definition. Consequently, when a public university purchases cloud computing services or AI systems for its own use, it acts as a "contracting authority" subject to the autonomy and procurement rules laid out in Title IV of the proposed regulation.

The core of the procurement requirement is found in Article 30 of the CADA proposal. This article establishes a tiered system of mandatory assurance levels based on the nature of the public sector activity.

The Baseline: Union Assurance Level 1

For the majority of standard university operations, Article 30(2) sets a clear baseline. It states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having a Union assurance level 1.

Union assurance level 1 is the entry tier of the CADA sovereignty framework (detailed in Annex II of the proposal). To qualify for this level, a cloud provider must:

  • Be established in the Union.
  • Ensure that infrastructure, assets, and customer data (including metadata and telemetry) remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Demonstrate compliance with state-of-the-art cybersecurity standards.
  • Provide full transparency regarding subcontractors and ensure that any third-country control does not compromise operational autonomy.

For a public university, this means that routine administrative cloud services, standard student information systems, and general-purpose research computing that does not touch national security or critical infrastructure data must still be sourced from providers that guarantee data residency and operational control within the EU. In practice this rules out, as the default choice, any provider that is not established in the Union, that routes the institution's data, metadata, or telemetry outside the Union, or that remains subject to third-country laws capable of compelling access to that data.

The Exception: Public Order and Higher Assurance Levels

The regulatory requirement shifts significantly when a university's activities are deemed to contribute to the preservation of "public order." Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to public order must only procure cloud computing services recognized as having a Union assurance level 2, 3, or 4.

What constitutes "public order" in a university context? Article 29(1) clarifies that risk assessments must identify public sector activities that contribute to public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in areas such as:

  • National security and defense.
  • Internal security and law enforcement.
  • Critical infrastructure (including critical digital infrastructure).
  • Healthcare and essential public services.

Many public universities conduct research in these sensitive areas. For example, a university department developing autonomous vehicle algorithms, processing genomic data for national health security, or collaborating with defense agencies on cybersecurity tools could be identified in a national risk assessment as carrying out activities relevant to public order. For those activities, the baseline Level 1 is insufficient.

The Role of the Risk Assessment (Article 29)

The mechanism that determines which tier applies to a specific university project is the risk assessment mandated by Article 29. Member States and Union entities must carry out these risk assessments to:

  1. Identify which public sector activities contribute to the preservation of public order.
  2. Determine which Union assurance level (2, 3, or 4) is appropriate for those specific activities.

Article 29(2) specifies that these assessments must consider the sensitivity, criticality, and magnitude of both personal and non-personal data processed. It also requires an evaluation of the risk of unlawful access by third countries and the risk of service disruption.

For a public university, this implies that procurement officers cannot simply apply a blanket rule. The risk assessment itself is carried out at Member State (or Union entity) level, but its results have to be applied project by project: procurement officers must work with research leaders and legal counsel to map each project against the national risk assessment and its guidance. If a university is involved in "frontier AI" research or holds classified information, the risk assessment may dictate Union assurance level 4, which imposes the strictest criteria, including requirements that personnel involved in service provision be Union citizens and that there be no third-country control over the provider or its subcontractors.

Derogations and Exceptions

Article 30(4) provides limited derogations. A contracting authority may decide not to procure a recognized assurance level service if:

  • The subject matter cannot be supplied by recognized services available in the central repository, and no adequate alternative exists.
  • A similar procurement process was launched within the previous year with no suitable tenders.
  • Applying the requirements would result in disproportionate cost.

However, these exceptions are narrow and require justification. They are not intended to allow universities to bypass sovereignty requirements due to convenience or established vendor lock-in with non-compliant providers.

What this means for you

For procurement officers at public universities, CADA introduces a structured compliance workflow that must be integrated into your sourcing strategies.

  1. Audit Current Contracts: Review all existing cloud and AI service contracts. Identify any providers that do not meet the criteria for Union assurance level 1 (e.g., those not established in the Union, or those that store or process the institution's data, metadata, or telemetry outside the Union without the institution having explicitly required this). Plan for migration or renegotiation before the regulation's application date.
  2. Map Research Activities: Work with department heads to categorize research projects. Distinguish between general academic research (likely Level 1) and sensitive research in defense, health, or critical infrastructure (likely Level 2–4). This mapping is essential for applying the outcome of the Article 29 risk assessment to your own projects and for defending the assurance level you specify in each tender.
  3. Update Tender Documents: Revise your procurement templates to include the mandatory assurance level requirements. For general services, specify Union assurance level 1. For sensitive projects, reference the specific higher level determined by your national risk assessment.
  4. Monitor the Central Repository: The Commission will maintain a central repository of recognized services (Article 22). Use this repository to identify compliant vendors early in the procurement process to avoid delays.
  5. Engage with National Competent Authorities: Since the specific thresholds for "public order" activities are defined at the Member State level through risk assessments, stay informed about your national authority's guidance. Your national strategy and risk assessment results will dictate the exact assurance levels required for your institution's specific use cases.

Common misconceptions

  • "CADA only applies to government ministries, not universities." This is incorrect. CADA applies to all "public sector bodies" and "contracting authorities," which includes public universities, hospitals, and research institutes.
  • "Level 1 is too low for academic research; we need Level 4 for everything." CADA adopts a proportionate approach. Most general administrative and non-sensitive research activities only require Level 1. Level 4 is reserved for the most critical activities involving classified information or high-risk public order functions. Over-classifying can limit market competition and increase costs unnecessarily.
  • "We can ignore CADA if we are already GDPR compliant." GDPR compliance is necessary but not sufficient. GDPR focuses on personal data protection, while CADA focuses on operational autonomy, data sovereignty, and protection against third-country interference. A provider can be GDPR-compliant but fail to meet CADA's Union assurance levels if it is subject to third-country control or stores data outside the Union.
  • "Open source software is exempt from these rules." While CADA promotes open source (Article 41), the cloud services hosting or processing that software are still subject to the assurance level requirements. The infrastructure and service provider must meet the relevant Union assurance level, regardless of the software stack used.

This is general information about a draft EU regulation, not legal advice.