Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly applies to Union institutions, bodies, offices, and agencies (collectively, "Union entities") when they procure cloud computing services and AI systems for their exclusive use. Article 30(1) of the proposal mandates that these entities adhere to the same Union assurance levels as Member State contracting authorities, subject to risk assessments under Article 29. This ensures that EU-level procurement aligns with the strategic autonomy objectives of the regulation, without prejudice to existing financial rules on sensitive procurement found in Article 136 of Regulation (EU, Euratom) 2024/2509.

Detail

The proposed Cloud and AI Development Act (CADA) aims to reduce the EU's dependence on non-European cloud providers and strengthen technological sovereignty. A critical component of this strategy is regulating how public money is spent on digital infrastructure. While much attention is often paid to national public procurement, CADA explicitly brings Union entities into its scope to ensure a unified standard of security and autonomy across the entire EU public sector.

Scope of Application: Article 30(1)

Under Article 30(1) of the CADA proposal, the rules on public procurement apply to contracting authorities that procure cloud computing services for their exclusive use. The text explicitly extends this scope to the EU level: "Without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509, this Article also applies to Union entities that procure cloud computing services for their exclusive use."

This provision ensures that when the Commission, the European Parliament, the Council, or EU agencies (such as ENISA, Frontex, or the European Central Bank) purchase cloud services for their own internal operations, they are bound by CADA's sovereignty requirements. The reference to Article 136 of Regulation (EU, Euratom) 2024/2509 (the Financial Regulation) acknowledges that certain procurement procedures may already be classified as "sensitive" under EU financial rules. However, CADA adds a specific, mandatory layer of technical and sovereignty compliance on top of those existing procedural safeguards. It does not replace the Financial Regulation but operates alongside it to ensure that "sensitive" procurement also meets the new "sovereign" criteria.

The Role of Risk Assessments (Article 29)

CADA does not impose a blanket requirement for the highest level of sovereignty for every cloud contract. Instead, it relies on a risk-based approach defined in Article 29. Union entities, like Member States, must conduct risk assessments to determine which public sector activities contribute to the preservation of public order.

These assessments must identify activities in sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement. The risk assessment determines the appropriate Union assurance level (UAL) required for the procurement. The Commission is empowered to provide guidance on the methodology and, if a Union entity's assessment is deemed inadequate, to specify the required assurance level via implementing acts (Article 29(3) and (5)).

Union Assurance Levels and Procurement Obligations

Based on these risk assessments, Union entities must procure cloud services that meet specific "Union assurance levels," detailed in Annex II of the proposal.

  • Standard Procurement (UAL 1): According to Article 30(2), Union entities whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having at least Union assurance level 1. This baseline level requires, for example, that the provider is established in the Union and that customer data remains exclusively within the Union unless explicitly required otherwise by the public sector body.
  • High-Risk Procurement (UAL 2, 3, or 4): Article 30(3) mandates a stricter standard for high-risk activities. If a Union entity's activities are identified as contributing to the preservation of public order (e.g., defence-related cloud infrastructure or law enforcement data processing), they "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." These higher levels impose cumulative criteria, such as requiring that personnel involved in service provision are Union citizens (conditional at L2, mandatory at L3/L4), that infrastructure and assets are located in the Union, and that the provider is not subject to the control of a third country.

Exceptions and Derogations

The proposal allows for derogations under Article 30(4). Union entities may decide not to procure recognised services if:

  1. The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists (provided this is not due to artificial narrowing of parameters).
  2. A similar procurement process launched within the previous year yielded no suitable tenders.
  3. Applying the requirements would result in disproportionate costs.

Enforcement and Oversight

While Union entities are not subject to national fines in the same way private companies are, the proposal establishes a robust oversight mechanism. Article 24 outlines penalties for cloud computing service providers who infringe on the sovereignty framework, including the right for recipients (including Union entities) to seek compensation for damage or loss. Furthermore, Article 25 requires Member States to designate competent authorities, but for Union entities, the European Data Protection Supervisor (EDPS) and other relevant bodies play a key supervisory role. The Commission is also empowered to monitor compliance and can adopt implementing acts to specify required assurance levels if a Union entity's risk assessment is deemed inadequate (Article 29(5)).

What this means for you

For in-house counsel, procurement officers, and compliance teams at Union institutions and agencies, CADA introduces a mandatory due diligence process for all cloud and AI procurements.

  1. Conduct Mandatory Risk Assessments: You must perform risk assessments within one year of the regulation's entry into force, and every two years thereafter (Article 29(1)). These assessments must evaluate the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries.
  2. Map Procurement to Assurance Levels: You cannot simply buy the cheapest or most feature-rich cloud service. You must verify that the provider holds a valid recognition for the appropriate Union assurance level (1, 2, 3, or 4) in the central repository maintained by the Commission (Article 22).
  3. Update Vendor Contracts: Your contracts with cloud providers must include clauses ensuring compliance with the specific UAL criteria. For high-risk activities, this means verifying that providers are not controlled by third countries and that data never leaves the Union.
  4. Monitor for Material Changes: Under Article 23, you must monitor your providers for material changes in circumstances that could affect their assurance status. If a provider's status changes or is revoked, you must migrate to a compliant service within a reasonable transition period, not exceeding 12 months (Article 29(6)).
  5. Leverage Common Procurement: Consider participating in the Commission's common procurement framework (Articles 37–40), which can simplify compliance by aggregating demand and negotiating terms that meet UAL requirements, potentially reducing administrative burden and cost.

Common misconceptions

  • "CADA only applies to national governments." Incorrect. Article 30(1) explicitly includes Union entities. The EU institutions are bound by the same sovereignty standards as Member State contracting authorities to prevent loopholes where EU-level data could be hosted on less secure, non-sovereign infrastructure.

  • "All cloud services must meet the highest sovereignty level (UAL 4)." Incorrect. CADA uses a proportionate approach. Only activities identified as contributing to the preservation of public order require UAL 2, 3, or 4 (Article 30(3)). Standard administrative functions generally require only UAL 1, which is less restrictive but still ensures data residency and provider establishment within the Union.

  • "Existing contracts are automatically compliant." Incorrect. Current contracts likely do not include the specific CADA sovereignty criteria. You will need to renegotiate terms or issue new tenders that explicitly require recognised Union assurance levels. The proposal allows a transition period for migration if a risk assessment requires moving to a new provider, but this must be done within 12 months (Article 29(6)).

  • "The EU-US Data Privacy Framework makes US providers automatically compliant." Incorrect. While the Data Privacy Framework addresses data transfers, it does not address operational autonomy or sovereignty risks. CADA's UALs, particularly levels 2–4, explicitly restrict providers subject to third-country control unless specific derogations are granted by the Commission (Article 18 and Annex II).

This is general information about a draft EU regulation, not legal advice.