Summary As proposed under the Cloud and AI Development Act (CADA), public buyers must complete a mandatory risk assessment under Article 29 to fix the required Union assurance level before drafting any tender. Buyers must then integrate specific Union added value criteria into their quality evaluation under Article 32 and actively conduct preliminary market consultations and matchmaking under Article 33 to support innovative European SMEs. Failure to complete these steps before launching a tender could render the procurement non-compliant with the proposed sovereignty framework.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, fundamentally alters the pre-tender phase for public procurement of cloud computing services and AI systems. Unlike traditional procurement, where technical specifications often drive the process, CADA requires a strategic sequence: first, establish the sovereignty baseline via risk assessment; second, design award criteria that reinforce the European digital supply chain; and third, engage the market to ensure viable competition and innovation. This preparation is governed primarily by Articles 29, 32, and 33 of the proposal.

Step 1: Run the Risk Assessment to Fix the Assurance Level (Article 29)

Before drafting technical specifications or inviting bids, contracting authorities must determine the specific "Union assurance level" required for the service. This is not a discretionary choice; it is a mandatory prerequisite for lawful procurement under the proposal.

Under Article 29, Member States and Union entities are obliged to carry out risk assessments at least once every two years, or whenever necessary. These assessments must identify public sector activities that contribute to the preservation of public order. The scope explicitly covers sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

The risk assessment must evaluate three core aspects:

  • The sensitivity, criticality, and magnitude of the non-personal and personal data processed, including the potential impact on public order.
  • The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
  • The risk and consequent impact on public order of possible service disruption.

Based on the outcome of this assessment, the buyer determines the appropriate Union assurance level:

  • Union Assurance Level 1: Required for all public sector activities not identified as contributing to the preservation of public order. This serves as the baseline minimum for all public cloud procurement.
  • Union Assurance Levels 2, 3, or 4: Required only for activities identified as contributing to the preservation of public order. The specific level depends on the severity of the risk identified. For instance, the Commission may specify that the highest level of assurance is needed for the most critical public sector activities, including defence.

Practical Implication: If your department handles standard administrative data, your risk assessment will likely mandate Level 1. If you handle sensitive health data, critical infrastructure controls, or law enforcement data, your assessment will likely mandate Level 2, 3, or 4. You cannot launch a tender until this classification is documented, as the tender documents must explicitly require the recognized assurance level. If the required level is not met by any service in the central repository, the buyer may face significant hurdles, making early market engagement critical.

Step 2: Plan Union Added Value Criteria for Innovative Buys (Article 32)

CADA shifts the balance of procurement awards by introducing mandatory non-price criteria for innovative cloud and AI procurements. Article 32 requires contracting authorities to include "Union added value" criteria as part of the quality evaluation of tenders.

These criteria are designed to strengthen the European digital supply chain and reduce dependencies. When drafting your tender, you must evaluate tenderers on:

  • Their contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including research and development results stemming from Union-funded research and development programmes.
  • The extent to which the service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Key Constraint: Article 32(2) explicitly states that these Union added value criteria must be ancillary and not decisive in the award of the contract. They cannot override core technical and financial criteria directly connected to the performance requirements. The proposal suggests a maximum weighting of 15 out of 120 points for these criteria to ensure proportionality.

Practical Implication: You must explicitly define these criteria in your procurement documents. You cannot simply ask for "European solutions"; you must specify how you will measure the supply chain contribution (e.g., percentage of hardware designed in the EU, or evidence of R&D integration). This encourages suppliers to demonstrate their European footprint during the bidding phase and aligns procurement with the broader objective of technological sovereignty.

Step 3: Use Preliminary Market Consultations and Matchmaking (Article 33)

To ensure that tenders are realistic and to support the uptake of innovative European SMEs, Article 33 imposes obligations on how buyers engage with the market before the tender is launched.

Article 33(5) requires Union entities and contracting authorities to promote:

  • Preliminary market consultations: Engaging with potential suppliers early to understand market capabilities and barriers.
  • Matchmaking: Connecting public buyers with innovative solutions provided by European SMEs and start-ups.
  • Favorable contract clauses: Developing public contract clauses that are favorable for innovative SMEs.

Furthermore, Member States must monitor and report on the use of procurement of innovation. The proposal sets an objective that at least 25% of procurement for cloud computing services and AI systems be awarded to innovative SMEs. Buyers are expected to include plans in their national strategies on how they intend to achieve this objective.

Practical Implication: Do not wait for the tender notice to meet suppliers. Use preliminary consultations to identify European SMEs that might meet your Union added value criteria. Structure your tender into lots if necessary to make it accessible to smaller providers. Document these consultations as part of your procurement file to demonstrate compliance with the spirit of Article 33 and to support the monitoring requirements for SME participation.

What this means for you

For public-sector procurement officers, CADA transforms the pre-tender phase from a purely technical exercise into a strategic sovereignty and market-engagement process.

  1. Update Your Risk Registers: You must formally document the sensitivity of your data and services. If you have not performed a risk assessment under Article 29, you cannot legally determine the assurance level required in your tender. Create a template for this assessment now, ensuring it covers the specific risks of third-country access and service disruption.
  2. Redraft Award Criteria: Review your standard procurement templates. Add a specific section for "Union Added Value" as required by Article 32. Ensure this section is weighted appropriately (ancillary, not decisive) and clearly defines what constitutes European supply chain contribution.
  3. Engage Early: Schedule preliminary market consultations before writing the technical specifications. Use this time to identify European SMEs and understand the availability of sovereign cloud solutions. Document these interactions to support your market analysis and the 25% SME target.
  4. Check the Central Repository: When you know your required assurance level, check the Commission's central repository of recognized services (established under Article 22). If no services meet your level, you may face difficulties, so early engagement with the market (under Article 33) is crucial to signal demand and encourage providers to seek recognition.

Common misconceptions

"I can choose any assurance level I want." Incorrect. The assurance level is dictated by the outcome of the mandatory risk assessment under Article 29. You cannot arbitrarily choose Level 4 for a low-risk administrative service, nor can you use Level 1 for a critical law enforcement function. The level must be proportionate to the public order risk identified.

"Union added value criteria will make my tender too expensive or limit competition." Article 32 requires these criteria to be ancillary and not decisive. They are designed to be a quality differentiator or a tie-breaker, not a barrier to entry. Furthermore, they aim to strengthen long-term supply chain security, which may reduce costs and risks over time by mitigating dependency on third-country providers.

"Preliminary market consultations are optional." While the law uses the word "promote," Article 33 places a strong emphasis on these activities as part of the monitoring and reporting framework. Failing to engage with the market may result in tenders that are poorly specified or that fail to attract the innovative SMEs the regulation aims to support, potentially jeopardizing the 25% SME award target.

"This only applies to large, complex tenders." No. Article 29 applies to all public sector activities using cloud services. Even small procurements must meet the minimum Union Assurance Level 1. The requirement to consider Union added value and engage with the market applies to innovative procurements regardless of size.

Related

This is general information about a draft EU regulation, not legal advice.