Summary
As proposed, Union entities (EU institutions, bodies, offices, and agencies) must procure cloud computing services recognized at least at Union assurance level 1, unless a mandatory risk assessment identifies their activities as contributing to the preservation of public order. In those high-risk cases, they must procure services recognized at Union assurance level 2, 3, or 4. This requires Union entities to conduct recurring risk assessments under Article 29 (the first within one year of entry into force, then every two years or whenever necessary) and to apply the procurement rules in Article 30, which operate alongside the existing EU financial rules, specifically Article 136 of the Financial Regulation.
Detail
The Cloud and AI Development Act (CADA) proposal establishes a rigorous, two-stage framework for how Union entities procure cloud computing services for their exclusive use. The framework decouples the procedural rules of public procurement from the substantive sovereignty requirements of the cloud service itself.
The Procurement Obligation: Article 30
Article 30 of the CADA proposal sets out the direct procurement requirements for Union entities. According to Article 30(1), these rules apply to Union entities procuring cloud computing services for their exclusive use. Crucially, the provision explicitly states that this applies "without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509" (the EU Financial Regulation).
This interplay is the cornerstone of compliance:
- The Financial Regulation (Article 136) governs the procedural aspects of sensitive public procurement, including the identification of sensitive procedures and the specific tendering mechanisms required.
- CADA (Article 30) governs the substantive sovereignty level of the service being purchased.
The specific assurance level required depends entirely on the outcome of the risk assessment mandated by Article 29:
- Standard Use (Level 1): Under Article 30(2), Union entities whose public sector activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having a Union assurance level 1. This serves as the baseline requirement for most administrative, non-critical IT functions and general office support.
- Public Order Relevance (Levels 2–4): Under Article 30(3), if an entity's activities are identified as contributing to the preservation of public order, they must only procure cloud computing services recognized as having a Union assurance level 2, 3, or 4. This obligation applies to activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in the areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.
Derogations: Article 30(4)
Article 30(4) provides limited, exceptional derogations. A Union entity may decide not to procure a recognized service at the required level only if one of the following circumstances applies:
- The subject matter of the tender cannot be supplied by recognized cloud computing services available in the central repository (Article 22), and no adequate or reasonable alternative exists.
- The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
- Applying the requirements of CADA would require the contracting authority to procure services at disproportionate cost.
The Risk Assessment Mechanism: Article 29
The determination of which assurance level applies rests entirely on the risk assessments mandated by Article 29. Union entities are required to carry out these risk assessments within one year of the Regulation's entry into force, and thereafter every two years, or whenever necessary.
The purpose of the Article 29 assessment is twofold:
- To identify public sector activities that contribute to the preservation of public order.
- To determine which Union assurance level 2, 3, or 4 is appropriate for those identified activities.
When conducting this assessment, Article 29(2) requires Union entities to consider at least the following aspects:
- The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order, and the nature, scope, context, and purpose of any processing of personal data.
- The risk, and the consequent impact on public order, of access to such data by a third country or by a legal entity established in a third country where that access is unlawful under Union law.
- The risk and consequent impact on public order of possible service disruption.
The Commission is to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. If the Commission concludes that the assurance level identified by a Union entity is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required Union assurance levels for that entity's activities.
Interplay with Existing Financial Rules
CADA does not replace the EU Financial Regulation. Article 30(1) references Article 136 of the Financial Regulation, which sets out the scope, rules, and procedures for identifying and implementing sensitive public procurement procedures. Union entities must therefore navigate both frameworks at once: they follow the procedural rules of the Financial Regulation for tendering and contracting, while ensuring the selected service meets the substantive sovereignty criteria of CADA.
What this means for you
For procurement officers, legal counsel, and IT security leads within Union entities, compliance with CADA will require a structured, two-step approach to every future cloud computing tender.
1. Map Your Activities to Assurance Levels
Before launching a tender, you must determine the sovereignty requirement. If your entity handles data related to defence, justice, law enforcement, or critical infrastructure, you likely fall under the "public order" category. You must ensure your risk assessment, conducted under Article 29, explicitly documents this classification. If you do not conduct this assessment, you cannot legally justify the assurance level required in your tender documents.
2. Update Tender Specifications
Your technical specifications must now include a mandatory requirement that the offered cloud computing service be recognized at the required Union assurance level. Note that recognition attaches to the service, not to the vendor as a whole.
- For standard administrative tools, specify Union assurance level 1.
- For critical systems, specify Union assurance level 2, 3, or 4 as determined by your risk assessment.
- Ensure the tender requires the vendor to prove that the offered service is listed as recognized in the central repository established under Article 22.
3. Coordinate with Legal and Security Teams
Because Article 29 requires an assessment of data sensitivity and third-country access risks, procurement officers cannot work in isolation. You must collaborate with your entity's data protection officer (DPO) and security team to complete the risk assessment. The assessment must consider the "sensitivity, criticality, and magnitude" of the data, as well as the risk of "unlawful access... by a third country."
4. Monitor for Commission Guidance
The Commission is to adopt implementing acts detailing the methodology for Article 29 risk assessments. These are binding acts, not mere guidance, so Union entities must align their internal assessment templates with them once adopted, to avoid having their chosen assurance levels later overridden by the Commission.
Common misconceptions
Misconception 1: CADA replaces the Financial Regulation for procurement procedures. Reality: CADA sets the substantive sovereignty standards (which level of cloud service you can buy). The Financial Regulation sets the procedural rules (how you run the tender). Article 30(1) explicitly states CADA applies "without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509." You must comply with both.
Misconception 2: All Union entities must use Level 4 cloud services. Reality: Only entities whose activities are deemed to contribute to the "preservation of public order" in specific high-risk sectors (e.g., defence, justice, law enforcement) are required to use Levels 2–4. Most standard administrative functions only require Level 1, as per Article 30(2). The risk assessment under Article 29 determines this distinction.
Misconception 3: Union entities can choose any vendor they like if it's cheaper. Reality: A cheaper non-recognized offer is not, by itself, a ground to bypass the assurance level requirements. Article 30(4) allows derogations only in the listed exceptional circumstances, such as when no recognized service in the central repository can supply the subject matter of the tender, or when applying the rules would require procuring at "disproportionate cost." Ordinary commercial considerations do not override the sovereignty mandate.
Misconception 4: The risk assessment is a one-time exercise. Reality: Article 29(1) requires Union entities to carry out risk assessments "every two years, or whenever necessary." The assessment must be updated regularly to reflect changes in data sensitivity, technological capabilities, or geopolitical risks.
Related
- When can a public buyer use a derogation from CADA's assurance-level procurement rules?
- How does a healthcare provider apply CADA when procuring cloud services?
- When are CADA risk assessments due and how often must they be repeated?
- How does an SME cloud provider comply with CADA most cheaply?
- How does a startup get its cloud service in front of CADA public buyers?
This is general information about a draft EU regulation, not legal advice.