How do I bid on a CADA tender as a provider?

Summary To bid successfully on a public cloud or AI tender under the proposed Cloud and AI Development Act (CADA), you must first be formally recognised as offering a specific Union assurance level and listed in the central repository to be discoverable. Depending on the buyer's risk assessment, you must meet Union assurance level 1 for standard services, or levels 2–4 for activities preserving public order. Additionally, your tender will be evaluated on Union added value non-price criteria, rewarding contributions to the European digital supply chain, hardware manufacturing, and innovation.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, introduces a structured, sovereignty-driven framework for how public authorities and Union entities procure cloud computing services and AI systems. For cloud service providers and data-centre operators, winning these contracts requires navigating three distinct but interconnected mechanisms: formal recognition of sovereignty assurance levels, mandatory inclusion in a central repository, and performance against specific "Union added value" criteria.

Unlike previous procurement regimes where technical compliance and price were often the sole drivers, CADA as proposed would make sovereignty status a prerequisite for eligibility. The following sections detail the specific obligations and strategies derived from Article 30, Article 32, and Article 22 of the proposal.

1. Meeting the Required Union Assurance Level (Article 30)

Under CADA, public procurement of cloud services is inextricably linked to the Union cloud computing sovereignty framework established in Title IV. Article 30 sets out the mandatory minimum assurance levels that contracting authorities must procure. As a provider, your first step is to determine which level your target buyer requires.

• Union Assurance Level 1 (The Baseline): For public sector bodies whose activities have not been identified as contributing to the preservation of public order, the minimum requirement is to use cloud computing services recognised as having Union assurance level 1 (Article 30(2)). This level generally requires establishment in the Union, data localisation, and compliance with state-of-the-art cybersecurity standards, but relies on a self-assessment process.
• Union Assurance Levels 2, 3, or 4 (Public Order): For contracting authorities whose activities have been identified as contributing to the preservation of public order—specifically in sectors falling under Annex I or II of the NIS2 Directive, or in areas such as national security, internal security, external border management, defence, justice, or law enforcement—they must only procure services recognised as having Union assurance levels 2, 3, or 4 (Article 30(3)).

These levels are not self-declared by the buyer alone; they are determined by Member States and Union entities through risk assessments conducted under Article 29. As a provider, you cannot simply claim compliance in a tender document. You must have undergone the specific conformity self-assessment (for Level 1) or independent third-party audit (for Levels 2–4) and received formal recognition from the national competent authority of your establishment. Failure to hold the correct recognition level for the specific public-order relevance of the contract would render your bid non-compliant.

2. Being Listed in the Central Repository (Article 22)

Even if you meet the technical and sovereignty criteria and hold the correct recognition, you must be visible to buyers. Article 22 requires the Commission to establish and maintain a central repository of cloud computing services that have been recognised under Article 17.

• Registration Mechanism: The national competent authority that recognises your service is obligated to register it in this central repository (Article 22(2)). While the provider applies for recognition, the actual registration action is performed by the authority.
• Public Availability: This repository is publicly available and regularly updated by the Commission and national competent authorities on a dedicated website (Article 22(4)).
• Discoverability as a Prerequisite: Contracting authorities will use this repository to identify eligible providers. The text implies that if your service is not listed, you effectively cannot be awarded a tender requiring a specific Union assurance level, as the repository serves as the definitive source of truth for recognised services.

For providers, this means that obtaining recognition is not the final step; you must ensure your national competent authority has completed the registration process. If a tender requires a Level 2 service, and your service is not yet visible in the repository, your bid will likely be rejected for non-compliance.

3. Scoring on Union Added Value Criteria (Article 32)

Beyond meeting the minimum assurance thresholds, CADA introduces a strategic layer to procurement: Union added value. Article 32 mandates that contracting authorities include non-price award criteria in the quality evaluation of tenders for innovative cloud computing services and AI systems.

When evaluating your bid, authorities are required to assess your contribution to the European ecosystem based on four specific pillars (Article 32(3)):

1. Supply Chain Strengthening: The extent to which you contribute to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union (Article 32(3)(a)).
2. Technology Integration: The extent to which you have integrated technologies developed in the Union, including research and development results stemming from Union-funded research and development programmes (Article 32(3)(b)).
3. Innovation and Security: The extent to which the innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem (Article 32(3)(c)).
4. Hardware Origin: The extent to which the service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union (Article 32(3)(d)).

These criteria are ancillary and not decisive in the award of the contract (Article 32(2)(d)), meaning they cannot override technical or financial criteria. However, they are mandatory for the evaluation process. Authorities must expressly set out these criteria in the procurement documents (Article 32(2)(c)). Ignoring them or failing to provide evidence of your Union-based contributions will significantly lower your quality score, potentially costing you the contract even if your price is competitive.

What this means for you

As a cloud service provider or data-centre operator targeting the EU public sector, your bidding strategy must shift from purely technical and financial competition to a compliance-first, ecosystem-integrated approach.

Pre-qualification is essential. You cannot bid reactively. You must invest in obtaining recognition for the appropriate Union assurance level before tender opportunities arise. For Level 1, this involves a conformity self-assessment and issuing an EU statement of conformity. For Levels 2–4, you must undergo independent audits by an accredited auditing organisation. Crucially, ensure your national competent authority registers your recognition in the central repository under Article 22. Without this listing, you are invisible to the procurement process.

Tailor your technical documentation. Your tender submissions should explicitly highlight how your service meets the Union added value criteria in Article 32. Do not assume the evaluator will know your supply chain details. Document your use of EU-designed hardware, integration of EU-developed software, and contributions to the European digital supply chain. Provide evidence of R&D results from Union-funded programmes. This evidence will directly impact your quality score under the non-price criteria.

Monitor risk assessments. Since the required assurance level depends on the buyer's risk assessment under Article 29, stay informed about which sectors are classified as preserving public order. This intelligence will tell you whether you need to bid with Level 1 recognition or invest in the more rigorous Levels 2–4 recognition. If a buyer is in the defence sector, Level 1 is insufficient; you must have Level 2, 3, or 4.

Leverage common procurement. The Commission may carry out common procurement activities under Article 37 for Union entities and Member States. Participating in these aggregated tenders can provide economies of scale. Ensure you are aware of the fees and conditions associated with these procurement frameworks, as they may differ from standard national procedures.

Common misconceptions

"Meeting GDPR is enough for sovereignty." GDPR compliance addresses data protection but does not satisfy the sovereignty criteria for Union assurance levels. CADA introduces specific technical, operational, and governance requirements (e.g., data localisation, personnel screening, absence of third-country control, and specific cybersecurity certification levels) that go beyond GDPR. You must be recognised under the CADA framework specifically.

"I can bid without being in the central repository." The central repository under Article 22 is the primary tool for identifying recognised services. While the text does not explicitly state it is the only source, its public, mandatory, and regularly updated nature means that authorities will rely on it to verify compliance. Being unlisted effectively excludes you from consideration for tenders requiring Union assurance, as the authority cannot verify your eligibility.

"Union added value is optional." Article 32 requires contracting authorities to include these non-price award criteria. While they are not decisive, ignoring them will put your bid at a competitive disadvantage. Authorities are mandated to evaluate your contribution to the European ecosystem. If you do not address these criteria in your bid, you will likely score lower than competitors who do.

"Small providers are excluded." CADA includes measures to support SMEs, such as monitoring procurement innovation and aiming for 25% of cloud and AI procurement to be awarded to innovative SMEs (Article 33). Additionally, for Union assurance level 1, SMEs benefit from automatic recognition of their EU statement of conformity across all Member States without prior recognition by the evaluating competent authority (Article 17(3), second subparagraph). This significantly lowers the barrier to entry for smaller providers targeting standard public sector contracts.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• Can a provider be excluded from a CADA tender for lacking recognition?
• Can a non-EU provider partner with an EU SME to bid under CADA?
• CADA Procurement Derogation: What if a previous tender received no suitable bids?
• What evidence supports a 'no suitable tender' derogation under CADA?
• CADA public procurement: Can non-EU cloud providers still bid?

This is general information about a draft EU regulation, not legal advice.