Does CADA replace the 2014 Procurement Directives? Sovereignty vs. Procedure

Summary No, the proposed Cloud and AI Development Act (CADA) does not replace the 2014 Public Procurement Directives (Directive 2014/24/EU and Directive 2014/25/EU). Instead, as proposed, CADA supplements them by introducing a sector-specific sovereignty framework that layers on top of the existing horizontal rules. The proposal explicitly states that the 2014 Directives remain the governing procedural framework for national authorities, except where a specific "deemed compliance" mechanism applies. Under Article 39, contracting authorities participating in Commission-led joint procurement are deemed to have fulfilled their obligations under applicable Union public procurement law. However, for all other procurement, national authorities must still follow the 2014 Directives while simultaneously complying with CADA's mandatory Article 30 requirements to procure cloud services at specific Union assurance levels (1–4) based on risk assessments.

Detail

The relationship between the proposed CADA and the established EU public procurement acquis is one of complementarity and supplementation, not substitution. The explanatory memorandum to the proposal clarifies that public authorities' heavy reliance on non-EU cloud providers creates risks that the existing horizontal acquis cannot adequately address. Consequently, CADA introduces a "nuanced and targeted sectoral approach" that operates alongside the general principles of the 2014 Directives.

The Legal Architecture: Supplementation, Not Replacement

CADA is designed to fill a specific gap: the lack of a harmonised Union framework for cloud sovereignty and strategic autonomy in procurement. The 2014 Directives (2014/24/EU for public sector and 2014/25/EU for utilities) continue to govern the procedural aspects of procurement, such as transparency, non-discrimination, and the award of contracts. CADA does not repeal these directives; rather, it imposes additional substantive conditions on the subject matter of the contract (i.e., the cloud service) and the criteria for award.

The proposal explicitly notes in the recitals that the 2014 Directives "do not contain elements to shape up a more competitive offer of European cloud computing services." Therefore, CADA acts as a sector-specific overlay. National contracting authorities remain bound by the procedural rules of the 2014 Directives unless they opt into the specific joint procurement framework established by CADA.

The "Deemed Compliance" Shortcut: Article 39

The most significant deviation from standard national procurement procedures is found in Article 39, titled "Applicable public procurement framework." This article establishes a mechanism for contracting authorities to bypass the full procedural burden of the 2014 Directives when participating in Commission-led joint procurement.

Article 39(1) states:

"A participating entity shall be deemed to have fulfilled its obligations under applicable Union public procurement law where it acquires supplies or services by means of contracts awarded by the Commission under this Chapter..."

This "Chapter" refers to Title IV, Chapter IV (Procurement of data centre services, cloud computing services, software and AI systems by the Commission), which covers Articles 37 to 40. Under this framework:

1. The Commission acts as a central purchasing body.
2. It conducts procurement procedures (framework agreements or dynamic purchasing systems) on behalf of participating Member State authorities and Union entities.
3. If a contracting authority joins this framework, it is deemed to have complied with the 2014 Directives for those specific acquisitions.

This mechanism is designed to leverage economies of scale and ensure a unified approach to sovereignty. However, it is an opt-in route. If a national authority chooses to procure cloud services independently (outside the Commission's framework), the "deemed compliance" shield does not apply, and the full procedural requirements of Directive 2014/24/EU or 2014/25/EU remain in force.

The Sovereignty Overlay: Article 30 and Assurance Levels

While the 2014 Directives govern how to procure, Article 30 of CADA dictates what can be procured. This creates a mandatory substantive overlay that national authorities must integrate into their tender documents and evaluation processes.

The obligation is triggered by the risk assessment required under Article 29. Once a Member State or Union entity identifies which public sector activities contribute to the preservation of public order, Article 30 imposes strict minimum assurance levels:

• Article 30(2): For activities not identified as contributing to public order, contracting authorities must procure cloud services recognised at Union assurance level 1 (the baseline).
• Article 30(3): For activities identified as contributing to public order (including national security, defence, law enforcement, justice, and sectors under the NIS2 Directive), authorities must only procure services recognised at Union assurance level 2, 3, or 4.

These assurance levels are defined in Annex II and include criteria such as:

• Establishment: The provider must be established in the Union.
• Infrastructure & Data: Infrastructure and customer data must remain within the Union (unless explicitly required otherwise by the public body).
• Personnel: For levels 3 and 4, personnel must be Union citizens (conditional for level 2 if the public body requires it).
• Third-Country Control: Strict prohibitions on control by third countries, with specific derogations for Level 3 under Article 18.

This means that even if a tender complies perfectly with the 2014 Directives' procedural rules, it would be non-compliant with CADA if the awarded provider fails to meet the required assurance level. The 2014 Directives provide the procedure; CADA provides the eligibility criteria.

Additional Procurement Requirements: Article 32 and 33

CADA further layers specific requirements onto the 2014 Directives:

• Union Added Value (Article 32): Contracting authorities must include non-price award criteria evaluating the "European added value" of the tender. This includes assessing the tenderer's contribution to the EU digital supply chain, the use of Union-designed hardware/software, and the integration of Union technologies. Crucially, Article 32(2) mandates that these criteria be "ancillary and not decisive," ensuring that technical and financial performance criteria remain primary, as required by the 2014 Directives.
• Innovation Monitoring (Article 33): Member States must monitor and report on their procurement of innovation, with an objective to award at least 25% of relevant cloud and AI procurement to innovative SMEs. This adds a reporting and strategic planning layer to the existing transparency obligations of the 2014 Directives.

Penalties and Enforcement

The enforcement regimes are distinct but intersecting. Article 24 of CADA requires Member States to lay down penalties for infringements of the sovereignty chapter by cloud service providers. These penalties must be "effective, proportionate and dissuasive."

For contracting authorities, failure to comply with Article 30 (e.g., procuring a Level 1 service for a public-order activity requiring Level 3) would likely constitute a breach of CADA. Simultaneously, because the procurement procedure itself is governed by the 2014 Directives (unless using Article 39), such a breach could also trigger remedies under the national laws transposing the 2014 Directives, such as contract suspension or annulment.

What this means for you

For legal counsel, procurement officers, and compliance teams in the public sector, the operational reality is a dual-compliance regime. You cannot rely solely on the 2014 Directives, nor can you ignore them in favour of CADA.

1. Determine Your Procurement Route:

   • Option A (Joint Procurement): If you join the Commission's framework under Articles 37–40, you benefit from the Article 39 "deemed compliance" status. You do not need to run a separate national tender under the 2014 Directives for these specific contracts.
   • Option B (National Procurement): If you procure independently, you must run a full procedure under Directive 2014/24/EU or 2014/25/EU. CADA does not replace these rules; it adds to them.

2. Conduct the Risk Assessment First: Before drafting any tender, you must perform the risk assessment mandated by Article 29. This determines your minimum assurance level (Level 1 vs. Levels 2–4) under Article 30. This is a prerequisite for defining the technical specifications of your tender.

3. Update Tender Specifications:

   • Include a mandatory requirement for the cloud provider to hold the specific Union assurance level identified in your risk assessment.
   • Include the European added value criteria under Article 32 as part of the quality evaluation (ensuring they are non-decisive).
   • Ensure your evaluation criteria allow for the assessment of the provider's compliance with Annex II (e.g., data localisation, personnel citizenship).

4. Verify Provider Status: You cannot accept a provider's self-declaration of GDPR compliance or general cybersecurity certification as sufficient. You must verify that the provider is formally recognised under CADA's framework (via the central repository in Article 22) at the required assurance level.

5. Track SME Participation: If you are a Member State authority, ensure your procurement strategy includes plans to meet the 25% SME objective for innovative cloud and AI procurement under Article 33.

Common misconceptions

"CADA replaces the 2014 Procurement Directives for cloud services."

• Reality: This is incorrect. CADA explicitly supplements the Directives. The 2014 Directives remain the primary procedural law for national authorities. CADA only displaces them via the specific "deemed compliance" route in Article 39 when using the Commission's joint procurement framework.

"GDPR compliance or standard cybersecurity certification is enough to meet CADA."

• Reality: No. GDPR addresses data protection, and standard certifications (like ISO 27001) address technical security. CADA addresses sovereignty, operational autonomy, and third-country control. A provider can be GDPR-compliant and ISO-certified but still fail CADA's Annex II criteria (e.g., if they are controlled by a third country or if their data leaves the Union). You must obtain a specific Union assurance level recognition.

"European added value criteria can be used to automatically exclude non-EU bidders."

• Reality: Under Article 32(2), these criteria must be "ancillary and not decisive." You cannot use them to discriminate against bidders based solely on nationality. However, you can (and must, under Article 30) exclude bidders who do not meet the mandatory Union assurance levels (which effectively require EU establishment and data localisation). The distinction is between award criteria (where CADA limits discretion) and eligibility criteria (where CADA sets mandatory thresholds).

"CADA only affects the public sector."

• Reality: While the procurement obligations in Article 30 apply to contracting authorities, the sovereignty framework (Title IV) affects any cloud provider wishing to serve the public sector. Furthermore, Article 31 allows private sector entities in high-criticality sectors (NIS2 Annex I) to conduct similar impact assessments, and the market pressure from public procurement will likely drive private sector adoption of CADA standards.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• How does CADA relate to the 2014 Procurement Directives?
• CADA Article 33: Innovation Procurement, SMEs and the 2014 Directive
• What is artificial narrowing of a procurement procedure under CADA?
• How CADA uses public procurement to build EU tech sovereignty
• How does CADA procurement support European technological sovereignty in practice?

This is general information about a draft EU regulation, not legal advice.