Summary

Under the proposed Cloud and AI Development Act (CADA), Union entities and national contracting authorities face identical substantive obligations regarding cloud sovereignty. Both must procure, as a minimum, services recognized as offering Union assurance level 1. Where activities are identified as contributing to the preservation of public order, both must procure only services recognized at Union assurance levels 2, 3, or 4. The critical distinction is not in the level of sovereignty required, but in the procedural framework: Union entities operate under Regulation (EU, Euratom) 2024/2509 (the Financial Regulation), specifically referencing Article 136 for sensitive procurement, while national bodies operate under the 2014 Public Procurement Directives (Directive 2014/24/EU). CADA Article 30(1) explicitly bridges these two worlds, ensuring a harmonized baseline across the entire EU public sector.

Detail

CADA Article 30 establishes a unified sovereignty floor for public procurement of cloud computing services, eliminating the risk of fragmented national standards. The provision applies broadly to "contracting authorities that procure cloud computing services for their exclusive use." Crucially, the text explicitly extends this obligation to the Union level, stating: "Without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509, this Article also applies to Union entities that procure cloud computing services for their exclusive use."

This phrasing confirms that while the legal vehicle for procurement differs, the sovereignty outcome is mandatory and uniform.

1. Substantive Obligations: A Single Baseline for All

The core of Article 30 is the tiered assurance requirement, which applies equally to Union entities (such as the Commission, agencies, and bodies) and national contracting authorities (Member State ministries, local authorities, and public bodies).

  • The Baseline: Union Assurance Level 1. Under Article 30(2), any Union entity or public sector body whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized under Article 17 as having Union assurance level 1. This creates a mandatory floor. Absent a duly justified derogation under Article 30(4), no public body, regardless of its legal status, can procure a cloud service that fails to meet this baseline sovereignty standard. This level requires, among other things, establishment in the Union and data remaining within the Union unless explicitly required otherwise by the public sector body.

  • The Public Order Tier: Levels 2, 3, or 4. Under Article 30(3), the obligation tightens significantly for sensitive activities. Contracting authorities, Union entities included, whose activities have been identified as contributing to the preservation of public order must procure only services recognized as having Union assurance level 2, 3, or 4.

    The scope of "public order" is defined by reference to Article 29(1) and includes:

    • Sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive).
    • Areas of national security, internal security, external border management, defence, justice, or law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

    For these entities, procuring a Level 1 service would, outside the narrow Article 30(4) derogations, constitute a direct infringement of the proposed Regulation.

2. Procedural Context: Financial Regulation vs. 2014 Directives

While the what (the assurance level) is identical, the how (the procurement procedure) diverges based on the entity's legal status.

  • Union Entities: The Financial Regulation Framework. Union entities are governed by Regulation (EU, Euratom) 2024/2509 (the Financial Regulation). Article 30(1) explicitly anchors CADA obligations within this framework by referencing Article 136 of the Financial Regulation. Article 136 sets out the specific scope, rules, and procedures for identifying and implementing sensitive public procurement procedures within the Union institutions.

    Consequently, when a Union entity procures cloud services, it must:

    1. Conduct the risk assessment required by CADA Article 29.
    2. Apply the appropriate assurance level (Level 1 or Levels 2–4) as a mandatory technical specification.
    3. Execute the tender in compliance with the Financial Regulation's rules on sensitive procurement, ensuring that CADA's sovereignty criteria are integrated into the award criteria and contract conditions.

  • National Bodies: The 2014 Directives Framework. National contracting authorities operate under the horizontal public procurement framework established by Directive 2014/24/EU (and related directives). CADA Article 30 does not replace these directives but supplements them.

    National bodies must:

    1. Align their procurement with the national risk assessment results (Article 29).
    2. Embed the CADA assurance level requirements into their tender documentation as mandatory technical specifications or award criteria.
    3. Ensure that the procurement process respects the principles of the 2014 Directives (non-discrimination, proportionality) while strictly adhering to the sovereignty thresholds set by CADA.

3. Derogations: Identical Exceptions for Both

Article 30(4) provides a narrow set of derogations that apply equally to Union entities and national bodies. On an exceptional basis and where duly justified, a contracting authority may decide not to procure a recognized service if:

  • The subject matter cannot be supplied by recognized services available in the central repository (Article 22), and no adequate or reasonable alternative exists (provided the absence is not the result of an artificial narrowing of parameters).
  • A similar procurement process was launched within the previous year but yielded no suitable tenders or participants.
  • Applying the CADA requirements would require the contracting authority to procure services at disproportionate cost.

These exceptions are strictly construed. The burden of proof lies with the contracting authority to demonstrate that the conditions are met.

4. Penalties and Enforcement

Non-compliance with Article 30 carries significant consequences, though the enforcement mechanism differs by entity type.

  • For National Bodies and Providers: Under Article 24, Member States must lay down rules on penalties applicable to infringements of Chapter IV (which includes Article 30). These penalties must be "effective, proportionate and dissuasive." National competent authorities are responsible for enforcing these rules against cloud providers and, by extension, ensuring contracting authorities adhere to the procurement mandates.
  • For Union Entities: Enforcement relies on the internal audit and control mechanisms of the Union institutions, supervised by the European Court of Auditors and the European Ombudsman. While the AI Act's Article 100 covers fines on Union institutions for AI-related breaches, CADA-specific procurement infringements by Union entities are primarily addressed through internal financial regulations and the specific sensitive procurement procedures of Article 136 of the Financial Regulation.

What this means for you

For legal counsel, procurement officers, and compliance teams, the strategic imperative is to treat sovereignty compliance as a binary, non-negotiable threshold that transcends the internal legal structure of the buyer.

  • For National Procurement Officers: You must verify that any cloud service you intend to procure is listed in the central repository (Article 22) with a valid recognition of Union assurance level 1, 2, 3, or 4. You cannot rely solely on GDPR adequacy decisions or national cybersecurity certifications; you need specific CADA recognition. If your department handles public order (e.g., police, defense, critical infrastructure), you are legally barred from procuring Level 1 services and must target Levels 2–4. Your tender documents must explicitly reference the required assurance level as a mandatory technical specification under the 2014 Directives.
  • For Union Entity Legal Teams: While you operate under the Financial Regulation, you cannot bypass CADA's sovereignty framework. Article 136 of the Financial Regulation already mandates sensitivity assessments for public procurement; CADA Article 30 now fixes the cloud assurance level that such a sensitivity finding entails (Level 1 as the floor, Levels 2–4 where the activity contributes to the preservation of public order). Ensure your tender documents explicitly require CADA recognition under Article 17 and that your internal approval processes for sensitive procurement (Article 136) are updated to reflect the new assurance level requirements.
  • Risk Assessment Alignment: Both groups must align their procurement with the risk assessments conducted under Article 29. If your entity's risk assessment identifies an activity as "public order relevant," you must procure at Level 2 or higher. Misalignment here constitutes a direct infringement of Article 30(3).
  • Derogation Documentation: If you believe no compliant service exists, you must document this rigorously to invoke the Article 30(4) derogation. The burden of proof is on the contracting authority to show that the absence of compliant tenders is not due to artificially narrow technical specifications.

Common misconceptions

"Union entities have looser sovereignty rules because they follow the Financial Regulation."

  • Reality: Article 30(1) explicitly states that the same assurance level requirements apply to Union entities as to national contracting authorities. The reference to the Financial Regulation is procedural, not a substantive relaxation of sovereignty standards. The "Without prejudice" clause ensures that CADA's sovereignty rules apply in addition to, not instead of, the Financial Regulation's sensitive procurement rules.

"GDPR compliance is sufficient for CADA Level 1."

  • Reality: CADA introduces a distinct "Union assurance level" framework. A service may be GDPR-compliant but fail to meet CADA Level 1 criteria (e.g., regarding subcontractor transparency, third-country control, or specific cybersecurity standards). You must procure services specifically recognized under Article 17.

"National bodies can set their own sovereignty definitions."

  • Reality: CADA harmonizes sovereignty criteria across the EU. National bodies cannot create their own "sovereign cloud" labels that diverge from the four Union assurance levels. They must use the Commission's central repository to verify compliance.

"The 2014 Directives override CADA."

  • Reality: CADA supplements the 2014 Directives. While the Directives govern the procedure (how to tender), CADA Article 30 imposes specific substantive requirements (assurance levels) that must be integrated into the award criteria and contract specifications. The two frameworks operate in parallel.

This is general information about a draft EU regulation, not legal advice.