Summary

Under the proposed Cloud and AI Development Act (CADA), Article 30 does not impose a single, universal cloud sovereignty standard for all public procurement. Instead, it functions as a conditional rule that relies entirely on the outcome of the risk assessment mandated by Article 29(1). Article 30(2) applies to activities not identified as preserving public order, requiring a minimum of Union assurance level 1. Conversely, Article 30(3) applies to activities identified as preserving public order, mandating that contracting authorities procure only services recognised at Union assurance levels 2, 3, or 4. The risk assessment is the decisive gatekeeper: without it, the correct assurance level cannot be determined.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sophisticated, risk-based framework for public procurement of cloud computing services. Unlike traditional regulations that might apply a blanket requirement, CADA creates a dynamic link between a strategic risk assessment and specific procurement obligations. This mechanism ensures that the EU's public sector can balance operational efficiency with the need to safeguard public order and strategic autonomy.

The core of this mechanism lies in the interaction between Article 29 (Risk Assessments) and Article 30 (Public Procurement). Article 30 explicitly defers to the findings of Article 29 to determine the applicable sovereignty standard.

The Trigger: Article 29(1) Risk Assessments

Before any procurement decision can be made under Article 30, a Member State or Union entity must first conduct a risk assessment as required by Article 29(1). This assessment is not a generic security review; it is a specific legal instrument designed to categorise public sector activities based on their contribution to the preservation of public order.

Under Article 29(1), Member States and Union entities must:

  1. Identify public sector activities that use or will use cloud computing services.
  2. Determine whether these activities contribute to the preservation of public order.

The scope of this assessment is broad, explicitly covering sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as areas of national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

The outcome of this assessment is binary for the purposes of procurement: an activity is either identified as contributing to the preservation of public order, or it is not. Furthermore, for those activities that are identified, the assessment must determine which specific Union assurance level (2, 3, or 4) is appropriate, taking into account the sensitivity, criticality, and magnitude of the data processed, as well as the risk of service disruption or unauthorised third-country access.

The Rule: Article 30 Procurement Obligations

Article 30 translates the findings of the Article 29 assessment into binding procurement requirements for contracting authorities. It establishes two distinct pathways, both of which are conditional on the Article 29(1) outcome.

1. The Baseline: Article 30(2)

Article 30(2) governs the procurement of cloud services for activities that have not been identified as contributing to the preservation of public order under the Article 29(1) risk assessment.

The text states: "Union entities and public sectors bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."

This provision establishes a mandatory floor for all public cloud procurement. Even for non-critical administrative tasks, a public body cannot procure services that lack the baseline sovereignty criteria of Level 1 (which includes requirements such as Union establishment, data localisation within the Union, and compliance with state-of-the-art cybersecurity standards). However, it does not require the higher, more restrictive levels of assurance.

2. The Elevated Standard: Article 30(3)

Article 30(3) governs the procurement of cloud services for activities that have been identified as contributing to the preservation of public order.

The text mandates: "Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) ... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

This is a strict prohibition on using Level 1 services for public-order-critical activities. The specific level (2, 3, or 4) to be procured is determined by the granularity of the risk assessment conducted under Article 29. For instance, an activity involving law enforcement data might require Level 3 or 4, while a less sensitive public order activity might only require Level 2. The key takeaway is that the procurement authority must procure at least Level 2, and the specific level is driven by the risk assessment.

The Mechanism: How the Assessment Drives the Level

The interaction between these articles creates a closed-loop compliance system:

  1. Risk Identification: The Member State or Union entity conducts the Article 29(1) risk assessment.
  2. Classification: The assessment determines if the specific activity contributes to the preservation of public order.
  3. Procurement Mandate:
    • If No: Article 30(2) applies. The authority must procure a service with Union assurance level 1.
    • If Yes: Article 30(3) applies. The authority must procure a service with Union assurance level 2, 3, or 4, as determined by the assessment.

This structure ensures that procurement decisions are proportionate. It prevents authorities from incurring the higher costs and stricter constraints of Level 3 or 4 services for low-risk administrative tasks, while simultaneously preventing the use of basic Level 1 services for critical national functions where sovereignty and operational autonomy are paramount.

Exceptions and Derogations

While the link between Article 29 and Article 30 is strict, Article 30(4) provides for limited derogations. On an exceptional basis and where duly justified, a contracting authority may decide not to procure a recognised service if:

  • The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists.
  • A similar procurement process launched within the previous year received no suitable tenders.
  • Applying the requirements would result in disproportionate costs.

However, these derogations are exceptions to the rule and do not alter the fundamental principle that the Article 29 risk assessment is the primary driver for determining the required assurance level.

What this means for you

For public-sector procurement officers, legal counsel, and IT strategists, the interaction between Articles 29 and 30 dictates a specific workflow for cloud procurement. You cannot simply issue a tender for "secure cloud services" without first anchoring the requirements in the Article 29 risk assessment.

1. Validate Your Risk Assessment First

Before drafting any tender documentation, you must confirm that your organisation has completed the Article 29(1) risk assessment for the specific activity in question. If your activity has not been formally assessed, you cannot legally determine whether Article 30(2) or Article 30(3) applies.

  • Action: Consult your national competent authority or internal risk register to confirm the classification of your activity.
  • Action: If the activity is new or has changed in scope, a new risk assessment may be required before procurement can proceed.

2. Define Technical Specifications Based on the Outcome

Your tender's technical specifications must explicitly reference the assurance level derived from the risk assessment.

  • For Non-Public-Order Activities: Your tender must require bidders to hold a Union assurance level 1 recognition. You may not demand Level 2 or higher unless you have a specific, documented justification that goes beyond the standard Article 30(2) requirement.
  • For Public-Order Activities: Your tender must require bidders to hold a Union assurance level 2, 3, or 4 recognition. You must specify which level is required based on the risk assessment's determination of sensitivity and criticality. A blanket requirement for "Level 4" for all public order activities may be challenged as disproportionate if the risk assessment only justifies Level 2.

3. Verify Formal Recognition

Under CADA, a provider's own claim to be "sovereign" is insufficient. Article 30 requires services to be formally recognised under Article 17.

  • Action: Verify that the bidder is listed in the central repository established by the Commission (Article 22) for the specific assurance level you require.
  • Action: Ensure the recognition is current and has not been revoked.

4. Document the Legal Basis

In your procurement documentation, explicitly state that the required assurance level is derived from the Article 29(1) risk assessment. This provides the legal basis for your technical specifications and protects against challenges regarding market exclusivity or discrimination. It demonstrates that the requirement is not arbitrary but is a necessary measure to preserve public order as defined by the Regulation.

Common misconceptions

"All public cloud procurement must meet the highest standard (Level 4)."

  • Reality: This is incorrect. Article 30(2) explicitly mandates only Level 1 for activities that do not contribute to the preservation of public order. Even for public order activities, the risk assessment may determine that Level 2 or 3 is sufficient. Level 4 is reserved for the most critical scenarios, such as the hosting of EU classified information, as determined by the assessment.

"The risk assessment is optional if I know my data is sensitive."

  • Reality: The risk assessment is a mandatory legal step under Article 29. You cannot self-declare an activity as "public order" or "non-public order" without the formal assessment process. The assessment provides the legal certainty required to apply Article 30(2) or Article 30(3). Without it, the procurement authority lacks the legal basis to set the assurance level.

"Article 30 replaces the existing public procurement directives."

  • Reality: Article 30 operates within the existing public procurement framework (e.g., Directive 2014/24/EU). It adds specific, mandatory technical criteria (the Union assurance levels) that must be included in tenders for cloud services. It does not replace the procedural rules regarding advertising, evaluation, or award, but it overrides the freedom to choose any cloud provider by imposing these sovereignty constraints.

"If a provider is established in the EU, they automatically qualify for Level 1."

  • Reality: While Union establishment is a criterion for Level 1, it is not the only one. The provider must also meet criteria regarding data localisation, cybersecurity standards, subcontractor transparency, and third-country control. Crucially, they must undergo the formal recognition process under Article 17 to be legally eligible for procurement under Article 30.

This is general information about a draft EU regulation, not legal advice.