Summary Yes, the proposed Cloud and AI Development Act (CADA) explicitly supports and mandates the procurement of cloud services for public bodies. Under Article 4(8)(d), operational objective 8 specifically includes the mandate to "support the procurement of data centre services and cloud computing services for Union entities and public sector bodies." This strategic intent is operationalized through Title IV (Autonomy), which establishes a binding sovereignty framework. As proposed, public authorities would be required to procure cloud services meeting specific Union assurance levels (Articles 30–40), with higher levels mandated for activities critical to public order, while new mechanisms like the EuroCloud Federation and joint procurement would facilitate collective buying power.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a significant shift in how the EU approaches the digital infrastructure underpinning its economy. While the Act is often discussed in terms of data-centre capacity and research funding, a core pillar of its strategy is the transformation of public procurement. By leveraging the massive purchasing power of the public sector, the proposal aims to reduce dependence on non-European providers and ensure the resilience of the Union's digital ecosystem.

Operational Objective 8: Procurement as a Strategic Tool

The foundational link between CADA and public procurement is established in Title II, which outlines the Cloud and AI Leadership Initiatives. These initiatives are designed to foster the development and deployment of cutting-edge technologies. Article 4 details the specific operational objectives of these initiatives.

Crucially, Article 4(8)(d) explicitly lists procurement support as a distinct operational objective. Under operational objective 8, which focuses on increasing adoption at regional and local levels, the initiatives shall:

"support the procurement of data centre services and cloud computing services for Union entities and public sector bodies."

This provision confirms that procurement is not merely a transactional administrative function but a strategic instrument to achieve the Regulation's broader goals of technological autonomy and resilience. By embedding procurement support directly into the operational objectives of the Leadership Initiatives, CADA signals that public spending on cloud infrastructure will be directed toward services that align with EU strategic interests, thereby creating a guaranteed market for sovereign cloud providers.

The Sovereignty Framework: From Intent to Obligation

While Article 4 sets the strategic intent, Title IV (Autonomy) provides the mandatory legal framework for how these procurements must be conducted. The proposal introduces a "Union cloud computing sovereignty framework" consisting of four Union assurance levels (Article 16). These levels define the cumulative criteria cloud providers must meet to be recognized as trusted, ranging from basic establishment in the Union (Level 1) to strict requirements regarding personnel citizenship, data localization, and the absence of third-country control (Levels 2–4).

The procurement rules in Articles 30–40 translate these assurance levels into binding obligations for public buyers:

  1. Minimum Baseline (Level 1): Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1. This ensures a baseline of sovereignty for all public cloud spending, preventing the use of services with no EU establishment or data localization guarantees.
  2. Higher Assurance for Critical Functions (Levels 2–4): Article 30(3) imposes stricter requirements on contracting authorities whose activities contribute to the preservation of public order. This includes sectors falling under the NIS2 Directive and areas such as national security, internal security, external border management, defence, justice, or law enforcement. For these entities, the proposal mandates that they "only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."
  3. Risk Assessments as a Pre-requisite: Before determining the required level, Member States and Union entities must conduct risk assessments under Article 29. These assessments identify which public sector activities contribute to public order and determine the appropriate assurance level based on the sensitivity of data and the criticality of the function.

Joint Procurement and the EuroCloud Federation

To address the fragmentation of public markets and the limited bargaining power of individual Member States or local authorities, CADA introduces robust mechanisms for collective action.

Article 37 empowers the Commission to carry out procurement activities for Union entities and Member State contracting authorities. The Commission may act as a central purchasing body, procuring data centre services, cloud computing services, software, and AI systems on behalf of participating entities. This allows public bodies to benefit from economies of scale and negotiate better terms, while ensuring that the procurement aligns with the sovereignty framework.

Furthermore, Article 34 establishes the EuroCloud Federation, a voluntary federation for Union entities and public sector bodies. This mechanism facilitates the sharing of data centre services and cloud computing services between members. Unlike traditional commercial procurement, the sharing within the Federation is anchored in public-sector cooperation and is generally free of charge, except for costs strictly necessary to recover the expenses incurred by the sharing entity. This allows public bodies to utilize idle capacity and share services without triggering standard commercial procurement procedures for every instance of use.

Union Added Value in Procurement

Beyond the mandatory assurance levels, Article 32 encourages contracting authorities to include "Union added value" as a non-price award criterion in public procurement procedures for innovative cloud computing services and AI systems. This criterion allows public bodies to evaluate tenders based on the extent to which the provider contributes to strengthening the EU's digital supply chain. This includes factors such as the use of hardware designed or manufactured in the Union, the integration of Union technologies, and the delivery of services using critical computing components from the EU. While Article 32(2) clarifies that these criteria must be ancillary and not decisive, they provide a legal pathway to steer the market toward providers that enhance European technological sovereignty.

What this means for you

For public-sector procurement officers, IT directors, and policy makers, the proposed CADA introduces a structured, compliance-heavy approach to buying cloud services. The era of treating cloud procurement as a purely commercial decision based on price and functionality is ending; it is becoming a matter of regulatory compliance and national security.

  1. Conduct Risk Assessments Immediately: You must participate in or align with the risk assessments mandated by Article 29. Determine whether your department's activities fall under the "preservation of public order" definition. If they do, you would be legally barred from procuring services that do not meet Union assurance levels 2, 3, or 4.
  2. Verify Assurance Levels Before Tendering: Before issuing a tender, ensure that potential bidders have been recognized under Article 17 as offering the required Union assurance level. This recognition is published in a central repository (Article 22), which you should consult to verify provider status. Procuring a service that has not been recognized at the required level would constitute an infringement.
  3. Leverage Joint Procurement Mechanisms: Consider participating in the joint procurement activities facilitated by the Commission (Articles 37–40) or the EuroCloud Federation (Article 34). These mechanisms can simplify compliance, reduce administrative burden, and potentially lower costs by pooling demand with other public bodies.
  4. Update Procurement Criteria: Review your tender documents to include the "Union added value" criteria outlined in Article 32. While not decisive, weighting these criteria can help steer the market toward providers that strengthen the EU's technological sovereignty and support the objectives of the Cloud and AI Leadership Initiatives.
  5. Plan for Transition: If you currently use cloud services that do not meet the required assurance levels, be aware that migration may be required. Article 29(6) allows for a reasonable transition period (not exceeding 12 months) for migration if a risk assessment requires moving to a different service provider.

Common misconceptions

Misconception 1: CADA bans all non-EU cloud providers. CADA does not ban non-EU providers outright. Instead, it creates a tiered system. A provider controlled by a third country can still qualify for Union assurance level 3 if the Commission adopts an implementing act under Article 18 identifying that third country as providing sufficient safeguards. However, for the highest assurance levels (Level 4), the provider and its subcontractors must not be subject to third-country control (Annex II, 4.1(g)).

Misconception 2: Only large government ministries are affected. CADA applies to all "contracting authorities" as defined in the Public Procurement Directives. This includes regional and local authorities, as well as Union entities. The risk assessment process (Article 29) determines the specific assurance level required, meaning even smaller public bodies must comply with at least Level 1 requirements.

Misconception 3: CADA replaces the Public Procurement Directives. CADA complements, rather than replaces, existing public procurement law. It introduces specific substantive requirements (assurance levels) and award criteria (Union added value) that must be integrated into the existing procurement procedures governed by directives such as 2014/24/EU. Article 39 clarifies that acquiring services through the Commission's central purchasing activities is deemed to fulfill obligations under applicable Union public procurement law.

Misconception 4: "Open Source" is mandatory for all public cloud contracts. While Article 41 encourages the use of open-source solutions and Article 42 promotes the sharing of software, CADA does not mandate that all public cloud procurements must be for open-source services. It encourages public bodies to consider open-source options to reduce vendor lock-in and increase transparency, but the primary legal obligation is tied to the Union assurance levels.

Related

This is general information about a draft EU regulation, not legal advice.