Summary As proposed in the Cloud and AI Development Act (CADA), sharing data centre and cloud computing services within the EuroCloud Federation does not trigger Union public procurement rules, provided the arrangement is strictly governed by public interest considerations and limited to cost recovery. Article 35(5) of the proposal explicitly states that fees charged by a sharing entity are not deemed a "pecuniary interest" within the meaning of Directive 2014/24/EU, thereby excluding these transactions from the scope of standard public procurement directives. This framework is designed as a mechanism for public-to-public cooperation, legally distinct from the Commission's central purchasing activities outlined in Articles 37–39, which involve commercial procurement from the market.

Detail

The EuroCloud Federation, established under Article 34 of the proposed CADA, aims to facilitate the sharing of public sector data centre services and cloud computing services between Union entities and public sector bodies. A critical legal question for in-house counsel and compliance officers is whether this sharing mechanism constitutes a public contract subject to the stringent procedures of Directive 2014/24/EU. The proposal explicitly carves out an exemption for this specific type of inter-administrative cooperation, provided strict conditions are met.

The Exemption from Public Procurement Rules

The core of the exemption lies in the nature of the financial arrangement. Article 35(5) of the CADA proposal states that a sharing entity may charge a fee to the using entity, but this amount must be limited to the costs incurred by the sharing entity in relation to the sharing of the service. Crucially, the provision clarifies that these fees "shall not constitute a pecuniary interest within the meaning of Article 2 of Directive 2014/24/EU and Regulation (EU, Euratom) 2024/2509."

In EU public procurement law, the existence of a "pecuniary interest" is a primary threshold for determining whether a contract falls under the procurement directives. By explicitly negating this element, the proposal removes the transaction from the scope of Directive 2014/24/EU. Recital 73 of the explanatory memorandum reinforces this by stating that the sharing of services within the EuroCloud Federation is anchored in public-sector cooperation governed solely by considerations of public interest. It must not entail any form of consideration in exchange for another, except for costs strictly necessary and proportionate to recover the additional costs incurred in sharing capacity.

Conditions for Valid Sharing

To benefit from this exemption, the sharing arrangement must satisfy several cumulative conditions outlined in Article 35 and the accompanying recitals:

  1. Ownership and Control: The sharing entity must directly or indirectly own the hardware through which the service is made available. If an intermediate legal entity provides the service, the sharing entity must exercise control over it. Recital 71 defines this control as requiring: (i) decisive influence over strategic objectives and significant decisions; (ii) no direct private capital participation in the intermediate entity; and (iii) more than 80% of the activities of the intermediate entity carried out in the performance of tasks entrusted by the sharing entity.
  2. Public Sector Exclusivity: Participation is limited to public entities. Recital 71 explicitly excludes direct private participation where the sharing entity owns the hardware.
  3. Cost Recovery Limitation: Fees must cover only additional costs such as allocating and isolating resources, managing access, enabling interoperability, ensuring compliance with Union law, and managing the sharing relationship (Recital 73). They cannot include profit margins or general overheads unrelated to the specific sharing activity.
  4. Security and Resilience: The sharing entity must implement appropriate technical, operational, and organisational measures, including policies on risk analysis, information system security, incident handling, and business continuity (Article 35(2) and Recital 72).

Contrast with Commission Central Procurement

It is vital to distinguish the EuroCloud Federation from the Commission's central procurement framework detailed in Articles 37–39. While the EuroCloud Federation is a peer-to-peer sharing mechanism between public bodies, Articles 37–39 establish a framework where the Commission acts as a central purchasing body for Union entities, Member State contracting authorities, and selected partner organisations.

Under Articles 37–39, the Commission procures data centre services, cloud computing services, software, and AI systems on behalf of participating entities. This involves standard procurement procedures, framework contracts, and dynamic purchasing systems. Participating entities pay fees to the Commission to cover the costs of these procurement activities (Article 40). Unlike the EuroCloud sharing, which is an exchange of existing capacity between public peers, the Commission's framework is a traditional procurement activity aimed at harnessing collective purchasing power to negotiate better terms with commercial providers. The legal basis, procedural rules, and fee structures differ significantly, and the exemption from procurement directives applies only to the EuroCloud sharing model under Article 35, not to the commercial contracts awarded by the Commission under Articles 37–39.

What this means for you

For in-house counsel and compliance officers in public sector bodies, the EuroCloud Federation offers a pathway to access additional cloud capacity without navigating full-scale public procurement tenders. However, strict adherence to the proposed rules is mandatory to maintain the legal exemption.

Obligations and Compliance Checks

  • Verify Eligibility: Ensure your entity qualifies as a public sector body or Union entity. Private entities cannot directly participate in the sharing mechanism (Recital 71).
  • Audit Fee Structures: If your entity is a "sharing entity," you must meticulously track and document all costs related to the sharing of capacity. Fees charged to "using entities" must be strictly cost-based. Any deviation into profit-making or cross-subsidisation could reclassify the arrangement as a service contract subject to procurement rules.
  • Implement Security Measures: Before sharing, you must demonstrate to the Commission that you have implemented the necessary technical, operational, and organisational measures for security and resilience (Article 35(2)). This includes access control policies, incident handling, and business continuity plans.
  • Documentation: Maintain clear records of the contractual or administrative arrangements that govern the sharing, ensuring they reflect public interest considerations rather than commercial exchange.

Deadlines and Penalties

As CADA is a proposal, specific enforcement deadlines are not yet fixed. However, once adopted, Member States will need to designate national competent authorities (Article 25) and implement the necessary legal frameworks. Non-compliance with the sovereignty and sharing rules could lead to penalties. Article 24 outlines that Member States must lay down rules on penalties for infringements, which must be "effective, proportionate and dissuasive." While Article 24 primarily addresses infringements by cloud computing service providers regarding assurance levels, the broader regulatory framework implies that misuse of the procurement exemption could attract scrutiny from national procurement authorities and potentially competition authorities if it distorts the market.

Strategic Planning

Public sector bodies should prepare to assess their existing cloud infrastructure for potential inclusion in the EuroCloud Federation. This involves evaluating whether your hardware ownership structures and security protocols meet the stringent requirements of Article 35 and Recital 71. Early engagement with national competent authorities will be crucial to ensure your sharing arrangements are recognised as valid public-sector cooperation rather than disguised procurement.

Common misconceptions

Misconception 1: EuroCloud sharing is a free service. While Recital 73 states that sharing should be free of charge except for cost recovery, this does not mean it is cost-free for the using entity. The sharing entity can charge fees to cover the additional costs of sharing capacity, such as resource isolation and access management (Article 35(5)). The key is that these fees are strictly limited to cost recovery and do not constitute a pecuniary interest.

Misconception 2: Any public body can share cloud services under this framework. Participation is restricted. The sharing entity must own the hardware, either directly or through a controlled intermediate legal entity that meets specific criteria (no private capital, >80% activities for the sharing entity) (Recital 71). Public bodies that lease all their infrastructure from private providers without meeting these control criteria may not qualify as sharing entities.

Misconception 3: The EuroCloud Federation replaces standard procurement for all cloud services. The EuroCloud Federation is a specific mechanism for sharing existing public sector capacity. It does not replace the need for procurement when acquiring new cloud services from commercial providers. Furthermore, the Commission's central procurement framework (Articles 37–39) remains a separate tool for aggregating demand and purchasing services from the market. The two mechanisms serve different purposes and operate under different legal rules.

Misconception 4: The exemption from procurement rules is automatic. The exemption under Article 35(5) is conditional. It applies only if the fees are strictly cost-based and the arrangement is governed by public interest considerations. If a sharing entity charges fees that exceed the additional costs incurred, or if the arrangement involves private entities in a way that distorts competition, the transaction may fall back under the scope of Directive 2014/24/EU.

Related

This is general information about a draft EU regulation, not legal advice.