Summary
Under the proposed Cloud and AI Development Act (CADA), public buyers must strictly align their cloud procurement with a four-tier "Union assurance" framework. For standard public activities, you must procure services recognised at Union assurance level 1. However, if a risk assessment determines your activities are critical to public order (e.g., national security, justice, or critical infrastructure), you are legally required to procure only services recognised at Union assurance levels 2, 3, or 4. While there are narrow derogations for exceptional circumstances, such as market unavailability or disproportionate cost, these exceptions require robust justification and cannot be used to bypass sovereignty requirements arbitrarily.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a mandatory sovereignty framework for public sector cloud procurement. This framework is designed to reduce dependence on third-country providers and safeguard the Union's public order. The core mechanism is the Union cloud computing sovereignty framework, which categorises cloud services into four assurance levels based on criteria detailed in Annex II of the proposal. Public buyers cannot simply choose the cheapest or most technically advanced option; they must select a service that matches the specific assurance level mandated by their risk assessment.
The Baseline: Union Assurance Level 1
For the majority of public sector bodies, the default requirement is straightforward. According to Article 30(2) of CADA, Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order in their national risk assessments must use cloud computing services that have been formally recognised as offering Union assurance level 1.
Union assurance level 1 represents the baseline of trust for the EU market. As proposed in Annex II, level 1 requires that:
- The cloud computing service provider is established in the Union.
- The infrastructure, assets, and customer data (including metadata and telemetry) remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
- The provider demonstrates compliance with state-of-the-art cybersecurity standards.
- If the provider is subject to the control of a third country, it must guarantee that no third-country laws require it to report software vulnerabilities to foreign authorities before they are known to have been exploited.
This level ensures data residency and basic legal protection against extraterritorial data access, suitable for standard administrative functions, public websites, and non-sensitive internal operations. It is the minimum entry point for any public sector procurement under the Act.
The Elevated Requirement: Levels 2, 3, and 4 for Public Order
The regulatory burden increases significantly for activities deemed critical to public order. Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognised as offering Union assurance levels 2, 3, or 4.
The determination of which activities fall under this category is not left to the discretion of the individual procurement officer but is the result of a mandatory risk assessment conducted by Member States and Union entities under Article 29. This assessment identifies public sector activities that contribute to preserving public order in sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement.
- Union Assurance Level 2: Requires that both the provider and its subcontractors are established in the Union, with infrastructure, assets, and personnel located exclusively within the Union. It also mandates a European cybersecurity certificate of at least 'substantial' assurance level (once available) and strict controls on software supply chains, including a Software Bill of Materials (SBOM). Crucially, personnel requirements are conditional: Union citizenship is required only if the public sector body explicitly determines it is necessary.
- Union Assurance Level 3: Adds stringent personnel requirements, mandating that all personnel involved in service provision are Union citizens. It also requires that the provider and subcontractors are not subject to the control of a third country, with very limited derogations for associated third countries that meet specific stringent criteria under Article 18.
- Union Assurance Level 4: The highest level, reserved for the most sensitive data. It requires a 'high' assurance level cybersecurity certificate and ensures that sensitive data identified via risk assessment remains exclusively within the Union. Like Level 3, it strictly prohibits third-country control over the provider and subcontractors.
Exceptional Derogations
CADA recognises that rigid application of these rules could, in rare cases, hinder public service delivery. Article 30(4) provides for derogations, allowing contracting authorities to decide not to procure cloud computing services recognised at any Union assurance level (1–4) on an exceptional basis, provided the decision is duly justified and one or more of the following circumstances apply:
- Market Unavailability: The subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository (established under Article 22), and no adequate or reasonable alternative exists. Crucially, this absence must not be the result of an artificial narrowing down of the procurement parameters by the authority.
- Failed Previous Procurement: The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
- Disproportionate Cost: Applying the requirements of CADA would require the contracting authority to procure services at a disproportionate cost.
It is important to note that these derogations are exceptions, not the rule. The burden of proof lies with the contracting authority to demonstrate that the conditions are met. The proposal aims to prevent authorities from using "cost" or "availability" as a pretext to revert to non-compliant, third-country-controlled providers without genuine necessity.
The Role of the Central Repository
To facilitate compliance, the Commission will establish and maintain a central repository of cloud computing services recognised as offering Union assurance levels 1–4 (Article 22). Public buyers are expected to use this repository to identify compliant providers. The repository will be publicly available and regularly updated, serving as the primary source of truth for procurement officers verifying a provider's status. Before launching a tender, buyers must consult this list to ensure potential bidders are eligible.
What this means for you
For public-sector procurement officers, CADA fundamentally changes the tender specification and evaluation process. You can no longer treat cloud sovereignty as an optional "nice-to-have" or a secondary technical criterion.
- Check Your Risk Assessment First: Before drafting any cloud procurement tender, consult your Member State's or Union entity's latest risk assessment under Article 29. Determine explicitly whether your activity is classified as contributing to public order. This classification dictates your minimum assurance level (Level 1 vs. Levels 2–4).
- Mandatory Qualification Criteria: Make the possession of a valid Union assurance level recognition a mandatory exclusion criterion. If a bidder cannot prove their service is listed in the central repository at the required level, they should be excluded from the tender.
- Avoid Artificial Narrowing: When considering the derogation for market unavailability (Article 30(4)(a)), ensure your technical specifications are broad enough to allow compliant EU providers to bid. You cannot narrowly define requirements to match a specific non-compliant incumbent and then claim no EU alternative exists.
- Document Justifications: If you intend to use a derogation under Article 30(4), prepare a robust, documented justification. This must be defensible in case of audit or legal challenge, demonstrating that you have genuinely explored the market and that the cost or availability issues are real and disproportionate.
- Monitor the Central Repository: Regularly check the Commission's central repository for updates on recognised services. Provider statuses can change if they fail audits or if their recognition is revoked, so continuous monitoring is part of contract management.
- Consider Union Added Value: While not a substitute for assurance levels, Article 32 encourages contracting authorities to include non-price award criteria evaluating the tenderer's contribution to the European cloud and AI ecosystem, such as using hardware designed in the Union.
Common misconceptions
- "I can choose any level above the minimum." While you can choose a higher level than required (e.g., using a Level 3 service for a Level 1 activity), you cannot choose a lower one. More importantly, choosing a higher level does not exempt you from the procurement rules; it may simply limit the number of available bidders.
- "The derogation for 'disproportionate cost' means 'expensive'." "Disproportionate" is a high legal threshold. It does not mean the service is more expensive than your current non-compliant contract. It means the cost is excessive relative to the value and context of the procurement, likely requiring a comparative analysis against market benchmarks. It is not a blanket waiver for budget constraints.
- "Level 1 allows data to leave the EU freely." Under Annex II, Level 1 requires that customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise. The default is strict data residency. You must actively authorise any cross-border transfer, and even then, the provider must ensure traceability and security.
- "Private sector entities are subject to the same mandatory procurement rules." No. Article 30 applies to contracting authorities and Union entities. Private sector entities, particularly those in critical sectors under NIS2, are encouraged to conduct similar impact assessments (Article 31) but are not subject to the same mandatory procurement obligations to buy only from recognised providers. However, market spillover effects mean private buyers will likely face similar expectations from their customers or regulators.
- "Level 2 and Level 3 have the same personnel rules." No. Under Annex II, Level 2 requires Union citizenship for personnel only if the public sector body explicitly requires it. Level 3 makes Union citizenship mandatory for all personnel involved in the provision of the service.
Related
- When can a public buyer use a derogation from CADA's assurance-level procurement rules?
- How does a public buyer verify a provider's CADA assurance level before awarding?
- How does a public buyer justify procuring above the minimum CADA assurance level?
- How does a public buyer apply Union added value criteria in a cloud or AI tender under CADA?
- How does a public body share cloud or data centre services in the EuroCloud Federation?
This is general information about a draft EU regulation, not legal advice.