Summary
Under the proposed Cloud and AI Development Act (CADA), the risk assessment mandated by Article 29 and the Union added value procurement criteria in Article 32 function as a sequential, two-stage filter for public procurement. Article 29 acts as the gatekeeper: it determines the mandatory minimum "Union assurance level" (UAL) required to safeguard public order, effectively defining the eligible pool of providers. Article 32 then acts as the optimizer: within that eligible pool, it allows contracting authorities to award additional points to providers who strengthen the European supply chain, thereby reducing strategic dependencies. While Article 29 ensures security and sovereignty compliance, Article 32 ensures that procurement actively fosters the EU's industrial autonomy. Together, they transform public procurement from a transactional exercise into a strategic tool for reducing reliance on non-EU cloud providers.
Detail
The proposed CADA introduces a sophisticated dual mechanism for public procurement of cloud computing services and AI systems. This mechanism separates the determination of security necessity from the strategic selection of providers. Understanding the interplay between Article 29 (Risk Assessments) and Article 32 (Union Added Value) is critical for procurement officers, as the former dictates the legal floor for participation, while the latter shapes the competitive landscape above that floor.
The Gatekeeper: Article 29 Risk Assessments
Article 29 establishes the foundational obligation for Member States and Union entities to conduct risk assessments before procuring cloud services. These assessments are not merely administrative formalities; they are the legal prerequisite for determining the "Union assurance level" (UAL) required for a specific public sector activity.
According to Article 29(1), these assessments must identify public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas such as national security, internal security, external border management, defence, justice, and law enforcement. The assessment must rigorously evaluate:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The risk of unlawful access by a third country or a legal entity established in a third country.
- The risk of service disruption and its consequent impact on public order.
The outcome of this assessment directly dictates the procurement strategy under Article 30. If an activity is identified as contributing to the preservation of public order, the contracting authority must only procure cloud computing services recognized as offering Union assurance levels 2, 3, or 4. Conversely, if the activity does not contribute to public order, the minimum requirement is Union assurance level 1. Thus, Article 29 acts as the primary filter, establishing the mandatory sovereignty baseline that any provider must meet to be considered.
The Strategic Lever: Article 32 Union Added Value
Once the risk assessment under Article 29 has defined the eligible pool of providers (those meeting the required UAL), Article 32 introduces "Union added value" criteria to further refine the selection process. Article 32(1) requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria allow authorities to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.
Article 32(3) specifies that these criteria must enable authorities to evaluate the extent to which:
- The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
- The tenderer has integrated technologies developed in the Union, including research and development results stemming from Union-funded programmes.
- The innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
- The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.
Crucially, Article 32(2)(d) states that these non-price award criteria must be "ancillary and not decisive in the award of the contract." This ensures that while Union added value can influence the final decision, it cannot override technical and financial criteria directly connected to performance requirements. Recital 67 of the proposal suggests that contracting authorities could consider a maximum weighting of 15 out of 120 points for these criteria, ensuring they remain proportionate and subordinate to core contract award criteria.
The Link: How Assessment Outcomes Shape Procurement Strategy
The relationship between Article 29 and Article 32 is one of necessity versus optimization. The risk assessment outcome under Article 29 shapes the procurement strategy by defining the constraints within which Article 32 operates.
- Defining the Eligible Pool: The Article 29 assessment determines the minimum UAL. If the assessment concludes that an activity contributes to public order (e.g., a law enforcement database), the procurement strategy must restrict the tender to providers with UAL 2, 3, or 4. This immediately excludes providers who only meet UAL 1 or those subject to third-country control without specific derogations.
- Optimizing Within Constraints: Once the pool is restricted to compliant providers, the procurement strategy can utilize Article 32 to select the provider that best aligns with the goal of reducing dependencies. For instance, if multiple providers meet the required UAL 3, the authority can award additional points to the provider that uses EU-manufactured hardware or integrates EU-developed AI models.
- Shared Goal of Reducing Dependencies: Both articles serve the overarching objective of reducing critical external dependencies, a central theme of the CADA proposal. Recital 5 highlights the Union's dependence on a limited number of third-country providers and the associated risks to operational autonomy. Article 29 mitigates the immediate risk of third-country access or disruption by mandating high assurance levels for critical functions. Article 32 addresses the long-term structural risk by incentivizing the growth of European alternatives. By linking the two, the regulation ensures that public procurement not only avoids risky providers but actively cultivates a resilient European supply chain.
A Practical Example
Consider a public health authority procuring a cloud service for managing sensitive patient data and AI-driven diagnostic tools.
- Step 1 (Article 29): The authority conducts a risk assessment. It determines that the processing of health data and the use of AI for diagnostics contribute to the preservation of public order. Consequently, the assessment mandates a minimum of Union assurance level 3.
- Step 2 (Article 30): The tender is restricted to providers recognized at UAL 3. Providers with UAL 1 or 2, or those subject to third-country control without an Article 18 derogation, are excluded.
- Step 3 (Article 32): Among the remaining UAL 3 providers, the authority applies Union added value criteria. It awards points to the provider that demonstrates the use of EU-designed processors and the integration of AI models trained on EU-funded research.
- Outcome: The final contract is awarded to a provider that is not only secure and sovereign (meeting the Article 29 requirement) but also actively strengthens the European industrial base (meeting the Article 32 objective).
What this means for you
For public-sector procurement officers and legal counsel, the implementation of CADA requires a structured, two-step approach to tendering.
- Conduct Rigorous Risk Assessments First: Before drafting any tender documents, you must conduct a risk assessment under Article 29. This assessment must document the sensitivity of the data, the criticality of the service, and the specific risks of third-country access. The outcome of this assessment is the legal basis for the mandatory Union assurance level. Failure to conduct this assessment correctly could render the procurement non-compliant.
- Design Criteria Based on Assessment Outcomes: Once the required UAL is established, draft the tender to include Article 32 Union added value criteria. Define clear, measurable indicators for how a tenderer contributes to the European supply chain (e.g., percentage of EU-manufactured hardware, integration of EU R&D outputs). Ensure these criteria are explicitly "ancillary and not decisive" to comply with Article 32(2)(d).
- Align with National Strategies: Your national cloud and AI strategy, required under Article 7, should outline how your authority plans to achieve these objectives. Use the risk assessment outcomes to inform your long-term procurement strategy, prioritizing services that meet high assurance levels and contribute to Union added value.
- Monitor and Report: Article 33 requires Member States to monitor the procurement of innovation in cloud and AI. Be prepared to report on the use of Union added value criteria, the participation of SMEs, and the overall impact of your procurement activities on reducing dependencies on non-EU providers.
Common misconceptions
"Union added value criteria can override technical or financial criteria."
- Correction: Article 32(2)(d) explicitly states that Union added value criteria must be "ancillary and not decisive." They cannot be used to award a contract to a provider who fails to meet the core technical, financial, or sovereignty requirements (such as the UAL determined by Article 29).
"Risk assessments are only for high-security sectors like defence."
- Correction: Article 29 applies to all public sector activities that use cloud computing services. While higher assurance levels are required for activities contributing to public order, all entities must assess the risks associated with their data and services to determine the appropriate Union assurance level.
"Using Union added value criteria violates non-discrimination principles."
- Correction: The CADA proposal is designed to be consistent with EU public procurement directives and international commitments. Article 32 criteria are linked to the subject matter of the contract and are applied in a transparent, non-discriminatory manner. They focus on the contribution to the European ecosystem, which is a legitimate public interest objective under EU law.
"Article 29 and Article 32 are independent and can be applied in any order."
- Correction: They are sequential. The risk assessment under Article 29 must be completed before the procurement strategy is finalized, as it defines the mandatory eligibility criteria (UAL). The Union added value criteria under Article 32 are then applied within the pool of providers that satisfy the Article 29 requirements.
This is general information about a draft EU regulation, not legal advice.