Summary No, the proposed Cloud and AI Development Act (CADA) does not require public bodies to exclusively favour EU providers or mandate the purchase of EU-made hardware. While the proposal introduces a "Union added value" criterion to encourage European technological development, Article 32 explicitly defines this as a non-price, ancillary factor that must not be decisive in awarding contracts. Furthermore, Article 32(3)(d) permits the use of third-country hardware where EU alternatives are not feasible. The core procurement obligation under Article 30 relates to meeting specific Union assurance levels based on sovereignty and security criteria, not the nationality of the provider.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, seeks to strengthen the EU's cloud and AI ecosystem. A frequent question from procurement officers, legal counsel, and non-EU service providers is whether this proposal introduces protectionist measures that would legally force public authorities to exclude non-EU vendors. The text of the proposal clarifies that while it aims to reduce strategic dependencies and boost European industrial capacity, it does not impose a blanket preference based on nationality. Instead, it establishes a nuanced framework balancing market openness with strategic autonomy through specific, limited mechanisms.

The "Union Added Value" Criterion: Ancillary, Not Decisive

The primary mechanism for encouraging European solutions in public procurement is found in Article 32 of the proposal. This article mandates that contracting authorities include non-price award criteria in their procurement procedures for innovative cloud computing services and AI systems. These criteria allow authorities to evaluate a tenderer's contribution to the development of a European cloud and AI ecosystem.

However, the proposal places strict, legally binding limits on how this criterion can be applied to ensure compliance with internal market principles. Article 32(2) specifies that these non-price award criteria must be:

  • Linked to the subject matter of the contract.
  • Not conferring unrestricted freedom of choice on the contracting authority.
  • Expressly set out in the procurement documents or in the contract notice.
  • Ancillary and not decisive in the award of the contract.

This distinction is critical. While a public body may award additional points to a bidder for using European software or hardware, this score cannot override the core technical and financial performance of the bid. The primary focus of the procurement remains on the quality, price, and technical merit of the service offered. The "Union added value" acts as a secondary quality factor or a tie-breaker, not a veto power that would automatically disqualify non-EU providers.

Flexibility on Hardware: The Feasibility Exception

A common misconception is that CADA mandates the exclusive use of EU-manufactured hardware. Article 32(3) outlines the specific elements contracting authorities may evaluate, including the extent to which a tenderer contributes to strengthening the digital technology supply chain in the Union.

Crucially, Article 32(3)(d) provides a significant exception for hardware components. It states that services should be delivered through critical computing, storage, and networking hardware components designed and/or manufactured in the Union "to the greatest extent feasible with regard to market availability and technical requirements."

The text explicitly allows for the use of hardware from a third country if EU hardware is not feasible. In such cases, the criterion can be met if the third-country hardware "contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem." This clause acknowledges the current realities of the global semiconductor and hardware supply chain, preventing public bodies from being forced into impossible procurement positions where no suitable EU hardware exists. It ensures that the pursuit of sovereignty does not compromise the technical functionality or security of the procured service.

Sovereignty and Assurance Levels vs. Nationality

It is essential to distinguish between nationality and sovereignty assurance. The proposal's primary regulatory burden on public procurement relates to the Union cloud computing sovereignty framework established in Article 16 and enforced through Article 30.

Article 30 mandates that public sector bodies must procure cloud computing services that meet specific "Union assurance levels" (levels 1, 2, 3, or 4). These levels are not based on where a company is registered or incorporated. Instead, they are based on a rigorous set of technical, legal, and operational criteria designed to ensure data confidentiality, operational autonomy, and protection against third-country interference.

For example, a cloud provider established in a third country could theoretically qualify for a high assurance level if it can demonstrate compliance with the stringent criteria in Annex II of the proposal. This includes ensuring that customer data remains exclusively within the Union, that no third-country laws can compel data access, and that operational support is performed within the Union. Conversely, an EU-based provider that fails to meet these sovereignty criteria (e.g., by allowing data to be accessed by a third-country parent company) would not qualify. Therefore, the requirement is about trust, security standards, and operational control, not geographic origin.

Risk Assessments and Public Order

Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities require higher levels of assurance (levels 2, 3, or 4) due to their relevance to public order, national security, or critical infrastructure. If a risk assessment determines that a specific use case involves sensitive data or critical functions, the contracting authority must procure services that meet the higher assurance levels.

Again, this is a risk-based requirement focused on the characteristics of the service and the data, not the nationality of the provider. The procurement obligation is to find a service that meets the required assurance level, regardless of whether the provider is EU-based or third-country-based, provided the third-country provider can meet the specific criteria (potentially via the derogation mechanism in Article 18 for Level 3).

What this means for you

For public-sector procurement officers, legal advisors, and service providers, the proposal implies a shift in how tender documents are structured and bids are evaluated, but it does not mandate the exclusion of non-EU providers.

  1. Structure Award Criteria Correctly: You must include "Union added value" as a non-price, ancillary criterion in your tenders for innovative cloud and AI services. Ensure this criterion is clearly defined in your documentation and explicitly stated as not decisive. The award decision must still be based on the most economically advantageous tender, determined primarily by technical quality and price.
  2. Assess Hardware Feasibility: When evaluating hardware components, you are not required to use EU hardware if it is not technically feasible or available. You can accept third-country hardware if it contributes to supply chain security and EU alternatives are not feasible, as per Article 32(3)(d). Document your assessment of market availability and technical requirements.
  3. Prioritize Assurance Levels: Your primary compliance duty is to ensure that the cloud services you procure meet the appropriate Union assurance level based on your risk assessment under Article 29. Focus on verifying that providers meet the technical and legal criteria for data sovereignty and operational autonomy (e.g., data location, personnel screening, cybersecurity certification) rather than simply checking their country of incorporation.
  4. Transparency and Justification: Be prepared to justify how you have applied the Union added value criterion and how you have determined the necessary assurance level for your specific use case. This ensures compliance with the proposal's requirement for transparency and adherence to the principle that non-price criteria must be ancillary.

Common misconceptions

Misconception 1: CADA bans non-EU cloud providers. This is incorrect. The proposal does not ban non-EU providers. It requires them to meet the same stringent sovereignty and assurance criteria as EU providers. If a non-EU provider can demonstrate that their service offers the required level of data protection and operational autonomy (e.g., by keeping data exclusively in the EU and blocking third-country access), they can compete for public contracts.

Misconception 2: The "Union added value" criterion allows public bodies to ignore price and quality. This is incorrect. Article 32(2) explicitly states that the Union added value criterion must be ancillary and not decisive. The core award decision must still be based on the most economically advantageous tender, which is primarily determined by technical quality and price. The EU preference is a secondary factor, not a primary one.

Misconception 3: Public bodies must buy only EU-made hardware. This is incorrect. Article 32(3)(d) explicitly allows for the use of third-country hardware where EU hardware is not feasible due to market availability or technical requirements. The goal is to encourage EU supply chains where possible, not to create impossible procurement mandates that would hinder the delivery of essential services.

Misconception 4: Assurance levels are based on company nationality. This is incorrect. The Union assurance levels (1-4) are based on a detailed set of technical, legal, and operational criteria outlined in Annex II of the proposal. These criteria focus on data location, personnel citizenship (for higher levels), cybersecurity certification, and protection against third-country control. A company's country of registration is not the primary determinant; its ability to meet these sovereignty standards is.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.