CADA vs Directive 2014/24/EU

Summary As proposed, the Cloud and AI Development Act (CADA) does not replace Directive 2014/24/EU but introduces specific, mandatory substantive conditions that contracting authorities must layer on top of existing public procurement rules. Under Article 30, authorities must procure cloud services meeting at least Union Assurance Level 1, escalating to Levels 2–4 for activities deemed critical to public order. Article 32 mandates the inclusion of "Union added value" as a non-price award criterion within the MEAT (Most Economically Advantageous Tender) framework, while Article 33 establishes a specific monitoring regime and a strategic objective for Member States to award at least 25% of cloud and AI innovation procurement to SMEs. These obligations operate strictly within the procedural framework of the Directive, modifying how tenders are structured and evaluated without overriding the core procedural rights or remedies of Directive 2014/24/EU.

Detail

The proposed CADA creates a specialized regulatory overlay on the general public procurement framework established by Directive 2014/24/EU. While the Directive provides the horizontal rules for transparency, non-discrimination, and procedural fairness, CADA introduces sector-specific substantive requirements for cloud computing services and AI systems. The interaction between these instruments is designed to reduce dependency on third-country providers and enhance EU technological sovereignty, as outlined in the explanatory memorandum. CADA functions as a "sector-specific approach" to sovereignty that the horizontal acquis could not sufficiently address.

Mandatory Assurance Levels as Procurement Conditions (Article 30)

Article 30 of CADA establishes a tiered system of mandatory assurance levels that contracting authorities must apply when procuring cloud computing services for their exclusive use. This provision directly interacts with the technical specifications and selection criteria phases of a procurement procedure under Directive 2014/24/EU. A tender that fails to meet the requisite assurance level is non-compliant with CADA, regardless of its compliance with the Directive's procedural rules.

1. Baseline Requirement (Level 1): For public sector activities not identified as contributing to the preservation of public order, contracting authorities must use cloud computing services recognized as offering Union Assurance Level 1. This applies to the majority of standard administrative cloud services.
2. Elevated Requirement (Levels 2–4): Where a risk assessment under Article 29 identifies that a public sector activity contributes to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in areas of national security, internal security, external border management, defence, justice, or law enforcement, authorities must only procure services recognized as offering Union Assurance Level 2, 3, or 4.
3. Derogations: Article 30(4) provides limited derogations from these requirements. Authorities may decide not to procure recognized services only if:
   • The subject matter cannot be supplied by recognized services available in the central repository, no adequate alternative exists, and the absence is not due to artificial narrowing of parameters;
   • A similar procurement process was launched within the previous year but yielded no suitable tenders; or
   • Applying the requirements would impose a disproportionate cost.

These requirements function as mandatory technical specifications. Under the Directive, technical specifications must be linked to the subject matter; CADA explicitly defines the "subject matter" for cloud services to include these sovereignty levels.

Union Added Value as Non-Price Award Criteria (Article 32)

Article 32 introduces specific non-price award criteria that contracting authorities shall include in public procurement procedures for innovative cloud computing services and AI systems. This provision operates within the "Most Economically Advantageous Tender" (MEAT) framework of Directive 2014/24/EU, specifically influencing the evaluation phase.

• Mandatory Inclusion: Contracting authorities must include criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.
• Criteria Content: The criteria must evaluate:
  • Contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • Integration of technologies developed in the Union, including results from Union-funded R&D programs.
  • Contribution to strengthening security of supply and the European cloud and AI ecosystem.
  • Delivery of services through critical computing, storage, and networking hardware components designed and/or manufactured in the Union, or, if not feasible, hardware from third countries that contributes to security of supply.
• Proportionality and Weighting: Article 32(2) and Recital 67 emphasize that these criteria must be linked to the subject matter, not confer unrestricted freedom of choice, and be ancillary and not decisive in the award of the contract. The proposal explicitly guides contracting authorities to consider a maximum weighting of 15 out of 120 points for Union added value, ensuring it remains subordinate to core technical and financial criteria.

This requirement modifies the evaluation matrix of a tender under the Directive, forcing authorities to explicitly score and weigh EU technological contribution alongside traditional quality and price factors. It ensures that "European added value" is not merely a political aspiration but a scored component of the award decision.

Innovation Procurement and SME Measures (Article 33)

Article 33 focuses on the procurement of innovation in cloud computing services and AI systems, introducing monitoring and target-setting obligations that sit within the broader innovation procurement framework of the Directive.

• Monitoring and Reporting: Member States must monitor and report annually on their use of innovation procurement. This includes data on the size of economic operators, SME participation trends, and measures taken to improve SME access.
• SME Target: Member States must pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. This target must be included in national cloud and AI strategies under Article 7.
• Support Measures: Contracting authorities are required to promote preliminary market consultations, matchmaking between public buyers and European SMEs/start-ups, and the development of public contract clauses favorable to innovative SMEs.

While the Directive already encourages innovation procurement and SME participation, Article 33 of CADA creates a specific, quantifiable target and a mandatory reporting mechanism for the cloud and AI sector. It transforms the general encouragement of the Directive into a sector-specific strategic objective.

What this means for you

For in-house counsel, procurement officers, and compliance teams, the proposed CADA imposes a dual-layer compliance burden: adherence to the procedural rigor of Directive 2014/24/EU and the substantive sovereignty requirements of CADA.

1. Risk Assessments are Procurement Prerequisites: Before drafting a tender for cloud services, you must conduct or update the risk assessment required by Article 29. The outcome of this assessment dictates the mandatory assurance level (Article 30). Failure to align the tender's technical specifications with the correct assurance level renders the procurement non-compliant with CADA, potentially exposing the authority to legal challenges.
2. Tender Documentation Overhaul: Your tender documents must explicitly include the non-price award criteria for Union added value as mandated by Article 32. You must define how these criteria will be scored, ensuring they do not exceed the recommended 15/120 point weighting to remain proportionate. Legal review is needed to ensure these criteria are objectively linked to the subject matter and do not violate the non-discrimination principles of the Directive.
3. SME Strategy Integration: Compliance with Article 33 requires proactive measures to facilitate SME participation. This may involve splitting contracts into lots, providing detailed specifications early, and actively reporting on SME award rates. Internal tracking systems must be updated to capture and report the 25% innovation procurement target for SMEs.
4. Penalty Exposure: While Article 24 of CADA focuses on penalties for cloud service providers, the procurement obligations fall on the contracting authorities. Non-compliance with CADA's procurement rules could lead to legal challenges by unsuccessful bidders under national procurement laws, arguing that the tender was flawed for failing to meet mandatory EU law requirements.

Common misconceptions

• "CADA replaces the Procurement Directives." This is incorrect. CADA supplements the Directives by adding specific substantive requirements for cloud and AI. The general procedures, timelines, and remedies of Directive 2014/24/EU remain fully applicable. CADA is a sector-specific overlay, not a replacement.
• "Union Added Value is a decisive criterion." Article 32 explicitly states that Union added value criteria must be "ancillary and not decisive." They cannot override technical or financial criteria that are more directly connected to the performance requirements. The suggested 15/120 point cap reinforces this.
• "All cloud procurement requires Level 4 assurance." No. Article 30 mandates Level 1 as the minimum. Higher levels (2–4) are only required for activities identified in a risk assessment as contributing to public order in critical sectors. Most standard administrative cloud use will likely remain at Level 1.
• "SME targets are optional." Article 33(4) states that Member States "shall pursue as objective" the 25% target. While it is framed as an objective to pursue, it is a mandatory strategic commitment that must be included in national strategies and monitored through annual reporting.
• "CADA only affects public bodies." While the procurement obligations fall on contracting authorities, the sovereignty framework reaches any provider wanting to serve them. Private sector entities in critical sectors may also face similar impact assessments under Article 31.

Related

• CADA Article 33: Innovation Procurement, SMEs and the 2014 Directive
• Does CADA replace the 2014 Procurement Directives? Sovereignty vs. Procedure
• CADA Article 39: Which procedural rules apply to specific contracts?
• CADA procurement rules: Legal basis, WTO safeguards and the Financial Regulation
• What is a contracting authority under CADA procurement rules?

This is general information about a draft EU regulation, not legal advice.