Summary No, the proposed Cloud and AI Development Act (CADA) does not mandate that all public-sector cloud and AI procurement be conducted through the Commission's central purchasing framework. While Chapter IV (Articles 37–40) establishes a voluntary mechanism for the Commission to act as a central purchasing body to leverage collective buying power, Article 30 explicitly preserves the right for contracting authorities to procure services for their "exclusive use" directly. Participation in the Commission's framework is optional; however, authorities choosing this route benefit from Article 39(1), which grants "deemed compliance" with Union public procurement law, whereas those procuring directly must run their own procedures while adhering to the mandatory sovereignty assurance levels.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, introduces a dual-track approach to public procurement for cloud computing services and AI systems. It distinguishes clearly between direct procurement by individual contracting authorities for their own needs and centralized procurement activities managed by the European Commission on behalf of multiple entities. This structure ensures that while the EU can drive market consolidation and standardization, it does not strip Member States of their procurement autonomy.
Chapter IV: A Voluntary Central Purchasing Route
Chapter IV of the proposal (Articles 37–40) establishes a framework for the Commission to act as a central purchasing body. Under Article 37, the Commission is empowered to carry out procurement activities for itself, for Union entities, and for contracting authorities of Member States. This includes concluding framework contracts or operating dynamic purchasing systems for services intended for these "participating entities."
Crucially, this mechanism is designed to harness economies of scale, improve market access for European providers, and reduce administrative fragmentation, but it is not compulsory. Contracting authorities may choose to participate in these joint procurement procedures, but they are under no obligation to do so. The Commission acts as a wholesaler or central purchasing body, acquiring services and reselling them or, in exceptional circumstances, donating them (Article 37(3)).
The governance of this route is defined by an agreement between the Commission and participating Member States (Article 38), overseen by a Steering Committee. Costs incurred by the Commission for these activities are recovered through fees levied on participating entities (Article 40), ensuring the mechanism is financially sustainable without burdening the general EU budget in the long term.
Article 39: The "Deemed Compliance" Incentive
For those authorities that do choose to use the Commission's central purchasing route, Article 39 provides significant administrative relief. Article 39(1) states that a participating entity is "deemed to have fulfilled its obligations under applicable Union public procurement law" if it acquires supplies or services through contracts awarded by the Commission under this Chapter.
This provision is a powerful incentive. By utilizing the Commission's framework agreements or dynamic purchasing systems, a public buyer can bypass the need to run their own separate, full-scale public procurement procedures (such as open or restricted tenders), provided they adhere to the conditions set out in the agreement with the Commission. This "deemed compliance" effectively streamlines the administrative burden for participating entities, allowing them to focus on technical selection rather than procedural compliance.
Article 30: Direct Procurement for Own Use Remains an Option
Simultaneously, Article 30 governs the procurement of cloud computing services by contracting authorities for their "exclusive use." This article imposes mandatory sovereignty requirements based on risk assessments but does not dictate how the procurement must be organized in terms of centralization.
Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1. For authorities whose activities are identified as contributing to public order (e.g., in sectors covered by the NIS2 Directive, national security, defense, or law enforcement), Article 30(3) mandates the procurement of services recognized as offering Union assurance levels 2, 3, or 4.
These obligations apply regardless of whether the procurement is conducted directly by the authority or through the Commission's central purchasing mechanism. However, Article 30 explicitly allows authorities to procure directly. It even includes derogations in Article 30(4) where recognized services are unavailable or would impose disproportionate costs, further emphasizing the flexibility retained by individual contracting authorities. The text of Article 30(1) confirms its application to "contracting authorities that procure cloud computing services for their exclusive use," confirming that direct procurement is a valid and expected path under the proposal.
The Interplay: Sovereignty vs. Procedure
The distinction is clear: Article 30 sets the substantive sovereignty rules (which assurance level is required), while Chapter IV (via Article 39) offers a procedural shortcut (deemed compliance) if one chooses the central route. An authority procuring directly under Article 30 must still run a compliant tender process under national law transposing the Public Procurement Directives, but they must ensure the resulting contract is with a provider meeting the required assurance level. An authority using Chapter IV skips the tender process but must still ensure the selected service meets the assurance level (which is pre-verified in the central repository).
What this means for you
For public-sector procurement officers and legal counsel, the key takeaway is autonomy with an incentive to collaborate. You are not forced to abandon your existing procurement strategies or mandate all future cloud and AI contracts through Brussels. You retain the legal capacity to conduct your own tenders, provided you strictly adhere to the sovereignty assurance levels determined by your national risk assessment under Article 29.
However, the central purchasing route offers a compelling alternative for standardizing contracts and reducing administrative burden. By joining the Commission's framework agreements, you can:
- Simplify Compliance: Rely on Article 39(1) to deem your procurement compliant with EU public procurement directives, avoiding the need for separate, complex tender processes.
- Leverage Scale: Benefit from negotiated terms and prices derived from the collective demand of multiple Member States and Union entities.
- Ensure Sovereignty: Access a curated repository of services that have already been audited and recognized under the CADA sovereignty framework, reducing the due diligence burden on your team.
You must decide whether the complexity of your specific requirements (e.g., highly customized needs for defense or justice sectors) is better served by a tailored national tender or by selecting from the Commission's centralized offers. If you choose the latter, ensure you are registered as a participating entity and understand the fee structure under Article 40. If you choose the former, ensure your tender documentation explicitly references the required Union assurance level and the results of your risk assessment.
Common misconceptions
Misconception 1: CADA abolishes national procurement rules. CADA does not replace national public procurement laws. It adds a layer of sovereignty requirements (assurance levels) and introduces an optional central purchasing mechanism. National authorities still run their own markets, but they must filter for sovereign-compliant services.
Misconception 2: Using the Commission's central purchasing is mandatory for all cloud services. This is incorrect. The framework is voluntary. Article 30 explicitly addresses "contracting authorities that procure cloud computing services for their exclusive use," implying direct procurement is a valid and expected path. The central purchasing route is an additional tool, not a replacement for all national activity.
Misconception 3: Assurance levels only apply to central procurement. Assurance levels (1–4) apply to all public-sector procurement of cloud services, whether conducted directly under Article 30 or through the Commission under Chapter IV. The sovereignty requirement is tied to the service and the user's risk profile, not the procurement method.
Misconception 4: "Deemed compliance" means no oversight. While Article 39(1) deems compliance with public procurement procedures fulfilled when using the Commission's contracts, the contracting authority remains responsible for ensuring the service meets its specific technical needs and that the underlying service provider maintains its recognized assurance level. The authority must still monitor the service's performance and any changes in the provider's recognition status.
Related
- CADA Article 39: The Commission as Central Purchasing Body
- CADA Article 39: How the Commission's Central Purchasing Framework Works
- Should a public buyer use the Commission central purchasing route under CADA?
- CADA Article 39: What must a central purchasing authority pass down to buyers?
- CADA Article 39: How buying through the Commission satisfies EU procurement law
This is general information about a draft EU regulation, not legal advice.