Summary
Yes, as proposed, the Cloud and AI Development Act (CADA) procurement rules apply equally to Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). The regulation defines "cloud computing service" broadly, encompassing all these models without distinction. Consequently, the mandatory sovereignty assurance levels under Article 30 apply regardless of the specific service layer. Public sector bodies must procure services that have been formally recognized under Article 17 at the appropriate Union assurance level, whether the offering is SaaS, PaaS, or IaaS. The determining factor for the required assurance level is the risk profile of the public sector activity (e.g., public order relevance), not the technology stack.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonized framework for cloud sovereignty across the European Union. A central pillar of this framework is the procurement obligation for public sector bodies, designed to reduce dependency on third-country providers and ensure operational autonomy. To understand whether these rules treat SaaS, PaaS, and IaaS equally, one must examine the scope definition, the application of assurance levels, and the recognition mechanism.
Broad Definition of Cloud Computing Services
CADA relies on the definition of "cloud computing service" found in Article 2(1), which references Article 6, point (30), of Directive (EU) 2022/2555 (the NIS2 Directive). This definition describes a cloud computing service as "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."
This definition is technology-neutral and service-model-agnostic. It captures the fundamental characteristics of SaaS (software applications), PaaS (development and deployment environments), and IaaS (virtualized computing resources). Because CADA does not carve out exceptions for specific layers of the cloud stack, the procurement obligations apply to the entire spectrum of cloud services. The regulation focuses on the nature of the service (remote access to shareable resources) rather than the abstraction layer provided to the user.
Article 30 and Assurance Levels
Article 30 of CADA sets out the core procurement obligations for contracting authorities. It mandates that public sector bodies procure cloud computing services based on the "Union assurance levels" established in the regulation. These levels (1 through 4) represent increasing degrees of sovereignty, data localization, and protection against third-country interference.
Crucially, Article 30 does not distinguish between service models when imposing these requirements. Instead, it distinguishes based on the risk profile of the public sector activity:
- Union Assurance Level 1: Applies to public sector activities that have not been identified as contributing to the preservation of public order. Under Article 30(2), these entities must use cloud computing services that have been recognized under Article 17 as having a Union assurance level 1.
- Union Assurance Levels 2, 3, or 4: Applies to activities identified as contributing to the preservation of public order. Under Article 30(3), contracting authorities whose activities fall under sectors listed in Annex I or II of Directive (EU) 2022/2555 (e.g., national security, defense, justice, law enforcement) "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
Whether a ministry of defense procures IaaS for its private cloud infrastructure or SaaS for its human resources management system, the required assurance level is determined by the sensitivity of the data and the criticality of the function, as assessed under Article 29, not by the type of cloud service.
Recognition Under Article 17
For a provider to sell to the public sector under CADA, its service must be "recognized" as meeting a specific Union assurance level. Article 17 establishes the mechanism for this recognition. A cloud computing service provider must submit an application for recognition to the national competent authority of establishment.
- For Level 1, the provider submits an EU statement of conformity (with a specific derogation for SMEs where recognition is automatic).
- For Levels 2, 3, and 4, the provider must submit an audit report and a "positive" audit opinion from an independent auditing organization.
Article 17 applies to "cloud computing service providers" generally. There is no separate recognition track for SaaS versus IaaS. A provider offering a suite of services must have each distinct service offering assessed and recognized against the relevant assurance level criteria set out in Annex II. This means an IaaS provider cannot assume its infrastructure automatically qualifies for Level 3 if the specific configuration, data handling, or subcontracting arrangements do not meet the stringent criteria for that level. Similarly, a SaaS provider must demonstrate that the underlying infrastructure and personnel meet the criteria for the level it seeks.
Implications for Multi-Cloud and Hybrid Strategies
Article 29(9) explicitly encourages Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their risk assessment. This further reinforces the equal treatment of service models. A public entity might choose to host critical database infrastructure (IaaS) on a Level 4 sovereign provider while using a Level 1 provider for non-critical email services (SaaS). The procurement rules facilitate this mixed approach by focusing on the assurance level of the specific service contract rather than imposing a blanket technology mandate.
What this means for you
For CTOs, architects, and SMEs evaluating the practical impact of CADA, the equal application of rules across SaaS, PaaS, and IaaS presents both compliance challenges and market opportunities.
For Cloud Providers and SMEs
- Uniform Compliance Burden: You cannot avoid sovereignty requirements by positioning your product as "just software" (SaaS) if it relies on underlying infrastructure that does not meet the assurance criteria. The audit process under Article 20 for Levels 2-4 is rigorous and applies to the entire service chain, including subcontractors.
- SME Advantage: Article 17(3) provides a derogation for SMEs seeking Level 1 recognition. Their EU statement of conformity is directly and automatically recognized in all Member States without prior recognition by the evaluating national competent authority. This lowers the barrier to entry for SMEs offering SaaS or PaaS solutions for non-critical public sector use cases.
- Market Segmentation: You must clearly map your service offerings to the assurance levels. A single provider may offer a Level 1 SaaS product for general administration and a Level 3 PaaS offering for secure application development. Your marketing and procurement documentation must clearly state which assurance level each specific service SKU holds.
For Public Sector Architects and CTOs
- Risk-Based Procurement: Your primary task is not to select a service model, but to conduct the risk assessment mandated by Article 29. You must determine which of your activities contribute to public order. If your activity is non-critical, you can procure Level 1 services (potentially from a wider, more competitive market). If it is critical, you are restricted to Levels 2-4.
- Vendor Due Diligence: When evaluating tenders, you must verify that the provider has a valid recognition under Article 17 for the specific service you are buying. A provider's general reputation or a Level 1 recognition for one service does not automatically extend to another service or a higher assurance level.
- Multi-Cloud Flexibility: CADA supports a pragmatic approach. You are not forced to migrate all workloads to a single sovereign provider. You can maintain a multi-cloud architecture where critical workloads (e.g., citizen data) run on Level 3/4 infrastructure, while less sensitive workloads (e.g., internal training portals) run on Level 1.
Common misconceptions
"SaaS is exempt because it's just software." No. CADA's definition of cloud computing service includes SaaS. If the software is delivered as a service with on-demand access to shared resources, it falls under the scope. The assurance level required depends on the data processed and the public order relevance, not the delivery model.
"IaaS is automatically more sovereign than SaaS." No. Sovereignty is determined by the assurance level recognition, not the service type. A Level 1 IaaS offering has lower sovereignty guarantees than a Level 4 SaaS offering. The criteria in Annex II apply cumulatively, meaning a Level 3 SaaS provider must meet all the criteria of Levels 1, 2, and 3, including strict data localization and personnel screening.
"Existing contracts are safe until they expire." Not necessarily. While CADA is a proposal, the long-term direction is clear. Article 29(6) states that if a risk assessment requires migration to another cloud computing service, the migration must occur within a reasonable transition period that shall not exceed 12 months. Public sector bodies must plan for the eventual migration of non-compliant services, regardless of whether they are SaaS, PaaS, or IaaS.
This is general information about a draft EU regulation, not legal advice.