Summary No. As proposed in the Cloud and AI Development Act (CADA), the mandatory "Union added value" criterion applies only to public procurement procedures for innovative cloud computing services and AI systems (Article 32(1)). Routine, commodity, or non-innovative cloud purchases are not covered by this specific quality evaluation requirement. However, all public-sector cloud procurements, regardless of innovation status, remain strictly subject to the mandatory Union assurance level requirements set out in Article 30, which dictate the minimum sovereignty and security standards providers must meet.

Detail

The Cloud and AI Development Act (CADA) introduces a nuanced, two-tiered approach to public procurement. It distinguishes between routine infrastructure acquisitionsβ€”where the primary goal is service continuity and complianceβ€”and strategic, innovative technology acquisitions designed to foster European technological sovereignty. To determine whether the Union added value criterion applies to a specific procurement, one must examine the precise scope defined in Article 32.

The Strict Scope of Article 32(1)

Article 32(1) explicitly limits the application of the Union added value criterion. The text states:

"In public procurement procedures for innovative cloud computing services and AI systems, contracting authorities shall include, as part of the quality evaluation of the tender, non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem."

This wording is deliberate and legally significant. The obligation to evaluate a tenderer's contribution to the European ecosystemβ€”such as the use of hardware designed in the Union, the integration of Union-developed technologies, or the strengthening of the local digital supply chainβ€”is triggered only when the procurement is classified as "innovative."

If a public authority is purchasing standard, off-the-shelf cloud infrastructure (e.g., basic storage, standard virtual machines, or mature SaaS solutions) that does not involve the procurement of innovation, Article 32 does not mandate the inclusion of these specific non-price award criteria. The legislative intent is that routine procurements should focus primarily on price, technical performance, and compliance with the baseline sovereignty standards (Union assurance levels), rather than strategic industrial policy goals which are better addressed through innovation-focused contracts.

Distinguishing "Innovative" from "Routine" Procurement

While CADA does not provide a single, rigid definition of "innovative procurement" within Article 32 itself, the context of the regulation, particularly Article 33 (Monitoring of procurement of innovation), suggests a distinction based on the nature of the service and the procurement method.

  1. Innovative Procurement: This typically involves the procurement of new cloud or AI solutions that do not yet exist on the market, or the significant adaptation of existing solutions to meet novel public-sector needs. These procurements often utilize innovation partnership procedures or other flexible frameworks designed to foster technological development. In these cases, Article 32 requires authorities to assess how the provider contributes to European technological sovereignty (e.g., using EU-designed chips, open-source middleware developed in the EU, or local R&D results).
  2. Routine/Commodity Procurement: This involves the purchase of established, standardized cloud services where the specifications are well-defined and the market is mature. For these buys, the primary regulatory focus under CADA shifts from "added value" to "assurance."

The Non-Negotiable Role of Article 30: Assurance Levels

It is a critical misconception that non-innovative procurements are free from CADA's strategic requirements. While Article 32 (added value) may not apply, Article 30 (Public procurement) remains fully applicable to all cloud computing services procured by contracting authorities for their exclusive use.

  • Article 30(2) mandates that public sector bodies whose activities are not identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1.
  • Article 30(3) mandates that contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., national security, defense, justice, law enforcement) must procure services recognized as having Union assurance levels 2, 3, or 4.

Therefore, even for a simple, non-innovative cloud buy, the public authority must ensure the provider meets the relevant Union assurance level. The "added value" criterion is an additional layer of evaluation for innovative buys, not a replacement for the baseline sovereignty requirements.

How the Criterion Works (When Applicable)

For context, when Article 32 does apply (i.e., in innovative procurements), Article 32(3) outlines what the "Union added value" entails. Contracting authorities must evaluate the extent to which:

  • The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The tenderer has integrated technologies developed in the Union, including research and development results stemming from Union-funded programmes.
  • The innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
  • The service is delivered, to the greatest extent feasible, through critical computing, storage and networking hardware components designed and/or manufactured in the Union.

Article 32(2) clarifies that these criteria must be "ancillary and not decisive in the award of the contract," preserving the primacy of technical and financial criteria.

What this means for you

For public-sector procurement officers and legal counsel, this distinction simplifies the evaluation process for standard cloud renewals or basic infrastructure expansions while ensuring strategic goals are met for innovation.

  1. Check the Procurement Type: Before drafting your tender documents, determine if the procurement is classified as "innovative." If you are buying standard IaaS, PaaS, or SaaS solutions with well-defined, market-available specifications, you are likely conducting a routine procurement.
  2. Omit Added Value Criteria for Routine Buys: If the procurement is not innovative, you are not required to include the non-price award criteria detailed in Article 32(3). You can focus your evaluation criteria on price, technical performance, service level agreements (SLAs), and compliance with the relevant Union assurance level.
  3. Maintain Assurance Level Compliance: Regardless of whether the buy is innovative or routine, you must still enforce the Union assurance level requirements. Ensure that any cloud provider bidding for your contract has been recognized under Article 17 as meeting at least Union assurance level 1 (or higher, if your risk assessment under Article 29 dictates).
  4. Document the Decision: It is good practice to document why a procurement is considered non-innovative if challenged. Reference the maturity of the technology, the standardization of the market, and the lack of novel R&D components in the scope of work.

Common misconceptions

Misconception 1: "All cloud procurements under CADA must include European added value criteria."

  • Correction: No. Article 32(1) restricts this requirement to innovative cloud computing services and AI systems. Routine, commodity cloud buys are exempt from this specific quality evaluation criterion.

Misconception 2: "If I don't use the added value criterion, I don't need to check for sovereignty."

  • Correction: Incorrect. The Union assurance levels (Article 30) apply to all cloud procurements by public authorities. The added value criterion is an extra layer for innovation; the assurance levels are the baseline for all public-sector cloud use.

Misconception 3: "Non-innovative means low-risk."

  • Correction: Not necessarily. A routine cloud buy may still process highly sensitive data. If your risk assessment (Article 29) identifies the activity as contributing to public order, you must procure services with Union assurance levels 2, 3, or 4, regardless of whether the procurement is innovative.

Related

This is general information about a draft EU regulation, not legal advice.