Summary
Under the proposed Cloud and AI Development Act (CADA), a small council or municipality must procure cloud computing services that are formally recognised as offering at least Union assurance level 1. This is the mandatory baseline for all public-sector bodies whose activities are not identified as contributing to the preservation of public order. Before signing any contract, you must verify the provider's status in the central repository of recognised services maintained by the Commission. If a provider is not listed there, they are ineligible for your procurement, regardless of their other certifications.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, introduces a harmonised, EU-wide framework for cloud procurement. For small public-sector bodies, such as local councils, municipalities, and minor administrative authorities, the rules are designed to be proportionate, clear, and legally binding once adopted. The core obligation revolves around the Union cloud computing sovereignty framework, which categorises services into four assurance levels based on their sovereignty, security, and operational autonomy characteristics.
The Baseline Requirement: Union Assurance Level 1
For the vast majority of small public-sector entities, the procurement rule is straightforward and mandatory. Article 30(2) of the proposed Regulation explicitly states:
"Union entities and public sector bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
This provision establishes a clear legal floor. If your council's activities do not fall into high-sensitivity categories (such as national security, defence, or critical infrastructure protection), you are legally required to purchase only from cloud providers that have been formally recognised as meeting Union assurance level 1 criteria. You cannot procure from unrecognised providers, nor can you rely solely on general cybersecurity certifications (like ISO 27001) or GDPR compliance without this specific CADA recognition.
The criteria for Level 1, detailed in Annex II, require the provider to be established in the Union, ensure that infrastructure and customer data remain exclusively within the Union (unless the public body explicitly requires otherwise), and demonstrate compliance with state-of-the-art cybersecurity standards. Crucially, Level 1 allows for a conformity self-assessment by the provider, making it the most accessible tier for the market while still ensuring a baseline of sovereignty.
The Central Repository: Your Primary Source of Truth
How do you know if a provider is recognised? You do not need to conduct your own audits or request private documentation. Article 22 establishes a central repository of cloud computing services that have been recognised in accordance with Article 17.
"The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17 ('central repository')."
This repository is publicly available and regularly updated by the Commission and national competent authorities. It serves as the single source of truth for compliance. Before issuing any tender or signing a contract for cloud services (including SaaS, PaaS, or IaaS), your procurement team must check this repository.
The process is simple:
- Access the central repository website maintained by the Commission.
- Search for the cloud service provider or the specific service offering.
- Verify that the service is listed with a valid Union assurance level 1 (or higher, if applicable).
- If a provider is not listed, or if their recognition has been revoked, they are not eligible for your procurement process.
This mechanism ensures transparency and prevents "sovereignty washing," where providers might claim to be European without meeting the rigorous criteria of the Act.
Exceptions: When Higher Levels Are Required
While Level 1 is the default for ordinary administrative functions, you must first confirm that your specific activities do not trigger a higher requirement. Member States are required to conduct risk assessments (under Article 29) to identify which public-sector activities contribute to the preservation of public order.
If your council manages sensitive data related to:
- National or internal security;
- External border management;
- Justice or law enforcement (including the prevention, investigation, detection, or prosecution of criminal offences);
- Critical infrastructure falling under the NIS2 Directive;
...then your activities may be classified as requiring Union assurance levels 2, 3, or 4. In these specific cases, Article 30(3) mandates that you "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
However, for standard administrative functions (such as website hosting, public email services, document management systems, citizen portals, or basic ERP systems), Level 1 remains the applicable and sufficient standard. The risk assessment under Article 29 is the key determinant; if your national authority has not flagged your specific use case as "public order relevant," you remain on the Level 1 track.
Derogations: What If No Recognised Service Exists?
CADA recognises that the market for sovereign cloud services is still maturing and that specific niche needs might not yet be met by recognised providers. Article 30(4) provides derogations allowing contracting authorities to decide not to procure recognised services in exceptional circumstances, provided the decision is duly justified. These circumstances include:
- The subject matter of the tender cannot be supplied by recognised services available in the central repository, and no adequate or reasonable alternative exists.
- The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
- Applying the requirements of the Regulation would require the contracting authority to procure services at disproportionate cost.
These derogations are exceptional and must be documented carefully. They are not a loophole for routine procurement but a safety valve for unique, highly specialised needs where the sovereign market has not yet responded.
What this means for you
As a procurement officer, IT manager, or legal advisor in a small council or municipality, your workflow for cloud purchases changes significantly under the proposed CADA. You must integrate the following steps into your standard procurement procedure:
- Conduct a Local Risk Check: Before starting any procurement, confirm with your national competent authority or legal team whether your specific cloud use case is classified as "public order relevant" under the national risk assessment (Article 29). For most local government IT (e.g., HR, finance, public websites), the answer will be "no," meaning you are bound to Level 1.
- Mandatory Repository Check: Before drafting your tender specifications, go to the Commission's central repository (established under Article 22). Search for providers that offer Union assurance level 1. Do not accept marketing claims of "EU-based" or "GDPR compliant" as a substitute for this verification.
- Update Tender Documents: Explicitly state in your procurement documents that bidders must hold a valid recognition under Article 17 for Union assurance level 1 (or higher, if applicable). Require bidders to provide the specific reference number or link to their entry in the central repository as part of their eligibility criteria.
- Avoid Unrecognised Providers: Do not award contracts to major global hyperscalers or other providers unless they have explicitly applied for and received recognition under the CADA framework. If your current provider is not recognised, you may need to plan a migration. Article 29(6) notes that where a risk assessment requires migration, the transition period shall not exceed 12 months.
- Monitor for Updates: The repository is dynamic. Providers may gain recognition, or their recognition may be revoked if they fail to maintain compliance. Ensure your supplier management process includes periodic checks of the repository to ensure continued compliance throughout the contract life.
Common misconceptions
"We just need GDPR compliance and ISO 27001 certification." Incorrect. While GDPR and ISO standards are important, they are not sufficient under CADA. A provider can be fully GDPR-compliant and ISO-certified but still fail to meet the sovereignty and operational autonomy criteria for Union assurance level 1 (e.g., if they are controlled by a third-country entity with extraterritorial data access laws, or if their infrastructure is not located in the Union). CADA recognition is a separate, mandatory legal status that addresses these specific sovereignty gaps.
"Level 1 is too restrictive for small towns." On the contrary, Level 1 is the entry-level baseline designed to be accessible. It requires providers to be established in the Union, keep infrastructure and data within the Union (unless explicitly allowed otherwise), and demonstrate state-of-the-art cybersecurity. It does not impose the heavy personnel citizenship requirements (which are conditional at Level 2 and mandatory at Levels 3/4) or the strict third-country control bans that apply to higher levels. It is the most practical tier for small municipalities.
"We can use any EU-based provider." Not necessarily. Being an EU-based company is a criterion for Level 1, but it is not the only one. The provider must undergo a conformity self-assessment (Article 19) and submit an EU statement of conformity to the national competent authority for recognition (Article 17). You must verify this recognition in the central repository; you cannot assume compliance based on a provider's marketing claims or their place of incorporation alone.
"We can ignore this until the final law is passed." While CADA is currently a proposal (COM(2026) 502 final), the market is already shifting towards these standards. Providers are preparing for recognition now. Starting your procurement strategy with CADA compliance in mind will future-proof your contracts, avoid costly migrations later, and ensure you are ready to comply immediately upon the Regulation's entry into force (which would be 20 days after publication, with application one year later).
This is general information about a draft EU regulation, not legal advice.