Does CADA require EU-made chips for procured cloud services?

Summary No, the proposed Cloud and AI Development Act (CADA) does not mandate that procured cloud services run exclusively on EU-designed or EU-manufactured chips. Instead, Article 32 establishes "Union added value" as a non-decisive, ancillary award criterion in public procurement. While using critical hardware components designed or manufactured in the Union is a positive scoring factor, it is explicitly limited by market availability and technical requirements. If EU hardware is not feasible, providers may use third-country hardware without disqualification, provided it contributes to supply chain security.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a nuanced approach to hardware sovereignty in public procurement. It does not impose a hard ban on non-EU chips for cloud services, but rather creates a structured incentive for the use of European technology through the "Union added value" criterion. This mechanism is designed to strengthen the European digital supply chain without disrupting the functioning of the internal market or violating international trade commitments.

The Legal Basis: Article 32 Union Added Value

The core mechanism governing hardware procurement is Article 32 of the CADA proposal. This article requires contracting authorities (public sector bodies) to include non-price award criteria in their procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Crucially, Article 32(2) mandates that these non-price criteria must be:

• Linked to the subject matter of the contract;
• Ancillary and not decisive in the award of the contract;
• Expressly set out in procurement documents.

This "not decisive" requirement is fundamental. It means that while a bidder can score points for using EU chips, they cannot win a contract solely because of this factor if another bidder offers superior technical or financial value. The primary award criteria remain technical performance and price. As stated in Article 32(2)(d), these criteria must be "ancillary and not decisive in the award of the contract."

Specific Hardware Requirements under Article 32(3)(d)

Article 32(3)(d) specifically addresses the hardware supply chain. It enables contracting authorities to evaluate the extent to which the service is delivered through "critical computing, storage and networking hardware components designed and/or manufactured in the Union."

However, this provision contains a critical feasibility clause. The requirement to use EU hardware applies "to the greatest extent feasible with regard to market availability and technical requirements." This language acknowledges the current global reality of semiconductor supply chains. If high-performance AI accelerators or specific networking chips are not available from EU manufacturers, or if they do not meet the technical specifications required for the cloud service, the contracting authority cannot penalize a bidder for using non-EU alternatives.

The text of Article 32(3)(d) explicitly states that the evaluation considers the extent to which the service is delivered "to the greatest extent feasible with regard to market availability and technical requirements, through critical computing, storage and networking hardware components designed and/or manufactured in the Union."

The Third-Country Fallback

The proposal explicitly permits a fallback mechanism. If using EU-designed or manufactured hardware is not feasible, Article 32(3)(d) allows for the use of hardware components from a third country. However, this is not a free pass. The third-country hardware must "contribute to strengthening the security of supply and the development of a European cloud and AI ecosystem."

This creates a dual test for non-EU hardware:

1. Feasibility: EU hardware was genuinely unavailable or technically unsuitable.
2. Strategic Alignment: The chosen non-EU hardware must not undermine supply chain security. For instance, using hardware from a country with no reciprocal market access or with known security vulnerabilities might fail this test, even if it is technically superior.

The text specifies that where using Union hardware is not feasible, the evaluation considers hardware "from a third country that contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem."

Context: The Sovereignty Framework vs. Procurement

It is vital to distinguish Article 32 (procurement scoring) from the Union Assurance Levels (UALs) defined in Article 16 and Annex II. The UALs are mandatory compliance thresholds for public sector use, particularly for high-risk activities, whereas Article 32 is a scoring mechanism for awarding contracts.

• Union Assurance Level 1 (UAL 1): Requires the provider to be established in the Union and infrastructure/assets to be located in the Union. It does not explicitly mandate EU-designed chips, but requires full transparency of subcontractors.
• Union Assurance Levels 2, 3, and 4: These higher levels introduce stricter criteria regarding third-country control. For example, Annex II, Section 2.1(i) (UAL 2) and Section 3.1(i) (UAL 3) require providers to document software bills of materials (SBOM) and demonstrate controls over third-country software components. While these sections focus heavily on software and firmware, the broader requirement to prevent third-country control over infrastructure implies that hardware with "kill switches" or remote tampering capabilities from non-EU entities would fail the audit, regardless of the Article 32 scoring.

Therefore, while Article 32 rewards EU chips in the bidding phase, the Assurance Levels may effectively disqualify certain non-EU hardware in the compliance phase if it poses a sovereignty risk. The procurement criterion is about preference where feasible; the assurance level is about eligibility based on control and security.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA, the implications are strategic rather than prohibitive.

1. For Cloud Service Providers (CSPs)

You are not required to rip out your existing non-EU infrastructure to bid for EU public contracts. However, to maximize your score under Article 32, you should:

• Map your supply chain: Identify which components in your stack are EU-designed or manufactured.
• Document feasibility: If you use non-EU chips, prepare evidence demonstrating why EU alternatives were not feasible (e.g., lack of performance, unavailability).
• Highlight security contributions: Show how your chosen non-EU hardware contributes to supply chain security (e.g., through robust security certifications, open-source firmware, or secure enclaves).

2. For Public Sector Procurement Officers

You must include Union added value in your tender documents, but you cannot make it a pass/fail gate.

• Weighting: You may allocate up to 15 out of 120 points to Union added value, as suggested in Recital 67. This ensures it remains proportionate and subordinate to core technical and financial criteria.
• Clarity: Clearly define what "critical hardware" means in your specific context (e.g., CPUs, GPUs, networking switches) and the evidence you will accept for "market availability."

3. For Hardware Manufacturers

• EU Manufacturers: There is a clear market incentive to develop and market chips specifically for the EU cloud sector. Highlighting local design/manufacturing will be a competitive advantage in public tenders.
• Non-EU Manufacturers: You must ensure your products are perceived as contributing to "security of supply." This may involve greater transparency, security audits, or partnerships with EU integrators to mitigate sovereignty concerns.

Common misconceptions

Misconception 1: CADA bans non-EU chips. This is incorrect. Article 32(3)(d) explicitly allows third-country hardware if EU options are not feasible. The goal is to incentivize European supply chains, not to isolate the EU from global technology markets.

Misconception 2: Using EU chips guarantees contract wins. No. Article 32(2) states that Union added value criteria are "ancillary and not decisive." A bidder with superior technical performance and pricing can win even if they use zero EU hardware, provided they meet the minimum sovereignty assurance levels.

Misconception 3: "Designed in the EU" is the only metric. Article 32(3)(d) covers hardware components "designed and/or manufactured in the Union." A chip manufactured in the EU using EU-based IP, or designed in the EU and manufactured elsewhere, may both contribute to the score, depending on how the contracting authority interprets "feasibility" and "security of supply."

Misconception 4: This applies to all private sector contracts. Article 32 applies to public procurement by contracting authorities. While Article 31 allows private sector entities in critical sectors (NIS2 scope) to conduct similar impact assessments, it does not mandate the same scoring criteria. However, market pressure may lead to similar preferences.

Related

• What is the CADA central repository for sovereign cloud services?
• What does Article 30 of CADA require contracting authorities to do?
• How does CADA change public procurement of cloud services?
• Does CADA require public bodies to report procurement to the EU annually?
• Does CADA require public bodies to favour EU providers?

This is general information about a draft EU regulation, not legal advice.