How does a startup get its cloud service in front of CADA public buyers?

Summary As proposed, the Cloud and AI Development Act (CADA) creates a streamlined pathway for startups and SMEs to access EU public cloud markets through three specific mechanisms: automatic cross-border recognition for Union Assurance Level 1, mandatory listing in a central repository, and dedicated innovation procurement channels. Under Article 17(3), SMEs benefit from a unique derogation where their EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." To reach buyers, providers must ensure their service is listed in the Commission's central repository (Article 22) and actively engage in matchmaking initiatives (Article 33(5)). Furthermore, Member States are required to pursue an objective where at least 25% of innovative cloud and AI procurement is awarded to SMEs (Article 33(4)).

Detail

The proposed Cloud and AI Development Act (CADA) aims to reduce the EU's dependence on non-European cloud providers by establishing a harmonised sovereignty framework. For startups and small-to-medium-sized enterprises (SMEs), the proposal includes specific provisions designed to lower entry barriers, reduce administrative costs, and facilitate access to public contracts. The pathway to becoming a visible and compliant provider for public buyers involves three critical steps: obtaining streamlined recognition, ensuring visibility through the central repository, and engaging with innovation-focused procurement processes.

1. Streamlined Recognition for Union Assurance Level 1

CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. For most startups, the entry point is Union Assurance Level 1, which sets a baseline for trusted cloud services. This level requires providers to meet cumulative criteria regarding establishment in the Union, location of infrastructure and assets, data residency, and cybersecurity standards, as detailed in Annex II.

Under Article 17, cloud computing service providers generally must submit an application for recognition to the national competent authority of their establishment. For Level 1, this involves carrying out a conformity self-assessment and issuing an EU statement of conformity, as detailed in Article 19.

Crucially for startups, Article 17(3) introduces a significant derogation for SMEs. It states that EU statements of conformity issued by cloud computing service providers that are SMEs shall be "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This provision removes a major administrative and financial hurdle. While larger providers or those seeking higher assurance levels (2, 3, or 4) must undergo a rigorous evaluation process involving potential audits and cross-border checks, SMEs seeking Level 1 recognition can rely on their self-assessment. This automatic recognition ensures that a startup's compliance status is valid across the entire EU single market immediately upon issuing the statement, facilitating cross-border sales without navigating 27 different national approval processes. It is important to note that this automatic recognition applies specifically to the administrative act of recognition; the provider remains fully liable for the accuracy of their self-assessment and must be prepared to demonstrate compliance if challenged.

2. Visibility via the Central Repository

Recognition alone does not guarantee visibility. Public buyers need a reliable, centralised source to identify compliant providers. Article 22 mandates the Commission to establish and maintain a "central repository" of cloud computing services that have been recognised under Article 17.

Once an SME issues its EU statement of conformity for Level 1, the national competent authority of establishment is responsible for registering the service in this repository. The text of Article 22(2) specifies that the verifying national competent authority shall register the cloud computing service in the central repository. The repository will be publicly available and regularly updated on a dedicated, easily accessible website.

This platform serves as the primary discovery tool for contracting authorities looking for providers that meet the minimum sovereignty requirements. For a startup, being listed here is essential; it signals to public buyers that the service has met the baseline criteria for data residency, infrastructure location, and cybersecurity standards required for non-critical public sector activities. Without this listing, a compliant service may remain invisible to the public sector buyers who are mandated to procure from recognised providers.

3. Accessing Innovation Procurement and Matchmaking

Beyond standard procurement, CADA introduces demand-side measures to actively foster the adoption of innovative European cloud solutions. Article 33 focuses on the monitoring of procurement of innovation in cloud and AI.

Article 33(4) sets a clear objective: Member States shall pursue the goal that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. This creates a targeted market segment where startups can compete on innovation rather than just price or scale. This objective is not merely aspirational; Member States must include plans in their national strategies (under Article 7) on how they intend to achieve this target.

To facilitate this, Article 33(5) obliges Union entities and contracting authorities to promote specific measures that benefit smaller providers, including:

• Preliminary market consultations: Allowing startups to engage with buyers before a tender is launched to shape requirements.
• Matchmaking between public buyers and innovative solutions provided by European SMEs and start-ups.
• Development of public contract clauses favourable to innovative SMEs.

These measures are designed to address the "imperfect information" market failure often faced by startups. By mandating matchmaking and preliminary consultations, CADA aims to connect technical innovators with public sector needs, helping startups tailor their offerings and understand procurement requirements early in the process. This is particularly relevant for startups that may not have the resources to navigate complex tender procedures without early engagement.

4. The Role of National Strategies and Centres for AI

While CADA sets the EU-wide framework, implementation relies on national execution. Article 7 requires Member States to adopt national cloud and AI strategies. These strategies must include measures to support the development of cloud and AI capabilities, including through public procurement measures set out in Article 33.

Startups should monitor their national strategy documents, as these will outline specific local support mechanisms. For instance, Article 5 requires Member States to establish Experience and Acceleration Centres for AI (Centres for AI). These centres are tasked with helping organisations accelerate their digital transformation and connecting them with European providers of cloud and AI technologies. Engaging with these centres can provide startups with the necessary support to navigate the CADA framework and connect with potential public sector clients.

What this means for you

For cloud service providers and data centre operators, particularly startups and SMEs, CADA offers a clearer, albeit regulated, route to the public sector. Here is how you should prepare:

1. Prepare for Self-Assessment: Begin documenting your compliance with the Annex II criteria for Union Assurance Level 1. This includes ensuring your infrastructure and assets are located in the Union, your customer data remains exclusively within the Union, and you demonstrate state-of-the-art cybersecurity standards. Since you will be issuing an EU statement of conformity, your internal documentation must be robust enough to withstand potential scrutiny, even if prior approval is not required.
2. Engage with National Competent Authorities: Although SMEs benefit from automatic recognition under Article 17(3), you still need to issue the statement of conformity and ensure it is submitted to the national competent authority of establishment. Ensure you understand the submission process in your home Member State to ensure timely registration in the central repository. The authority is obligated to register the service, but proactive communication can speed up the process.
3. Leverage Matchmaking Opportunities: Do not wait for tenders to appear. Actively seek out the matchmaking initiatives mandated by Article 33(5). Engage with national "Centres for AI" and public procurement offices during preliminary market consultations. These channels are specifically designed to help innovative SMEs connect with buyers.
4. Monitor National Implementation: Keep track of how your Member State implements the 25% SME innovation procurement target. This may lead to specific lots in tenders reserved for or heavily weighted towards SMEs, providing a competitive advantage. Pay attention to the national strategies required under Article 7, as they will detail the specific mechanisms for achieving this target.

Common misconceptions

• "SMEs are exempt from sovereignty requirements." This is incorrect. SMEs are not exempt from the technical and legal criteria of Union Assurance Level 1. They are exempt from the administrative burden of prior national authority recognition. You must still comply with data residency, infrastructure location, and cybersecurity standards as set out in Annex II.
• "Listing in the repository guarantees a contract." The central repository (Article 22) is a transparency and discovery tool, not a procurement mechanism. It tells buyers you are compliant, but you must still win contracts through competitive bidding or innovation procurement processes.
• "Level 1 is the only level for startups." While Level 1 is the most accessible entry point, startups offering highly secure services for critical infrastructure or defence may need to pursue Levels 2, 3, or 4. These require independent third-party audits (Article 20) and do not benefit from the automatic recognition derogation. However, for most general public sector cloud needs, Level 1 is the appropriate starting point.
• "The 25% target is a strict quota." Article 33(4) states that Member States shall "pursue as objective" that at least 25% of procurement be awarded to innovative SMEs. This is a policy target to drive behaviour and reporting, not necessarily a strict legal quota that invalidates tenders if not met, though it will heavily influence procurement strategies and evaluation criteria.
• "Startups must wait for the law to be adopted." While CADA is currently a proposal, the framework is designed to be implemented once adopted. Startups should begin preparing their self-assessments and infrastructure now to be ready for the transition period, which is expected to be one year after entry into force.

Related

• How do public buyers find recognised cloud services on the CADA central repository?
• How to get your cloud service listed on the CADA central repository
• CADA Procurement Fees: How Article 40 Determines Costs for Public Buyers
• When can a public buyer use a derogation from CADA's assurance-level procurement rules?
• What should a public-sector body do before CADA's application date?

This is general information about a draft EU regulation, not legal advice.