Summary
Under the proposed Cloud and AI Development Act (CADA), Article 30 establishes a tiered procurement regime based on the sovereignty risk of public sector activities. Crucially, Article 30(3) explicitly extends these obligations to "including the entities acting on their behalf." This phrasing ensures that shared service organisations, central purchasing bodies, and external agents cannot bypass sovereignty requirements by acting as intermediaries. If a contracting authority's activity is identified as contributing to the preservation of public order, any entity procuring on its behalf must source cloud services recognised at Union assurance levels 2, 3, or 4. The obligation flows from the principal's activity, not the agent's internal risk profile.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised framework to safeguard the Union's public order by reducing dependencies on third-country cloud providers. The core mechanism is a risk-based procurement mandate that ties the required "Union assurance level" of a cloud service to the sensitivity of the public activity it supports.
The Two-Tier Procurement Regime
Article 30 creates a clear distinction between general administrative activities and those critical to public order.
The Baseline: Union Assurance Level 1
Article 30(2) sets the floor for public procurement. It mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the risk assessment in Article 29(1) must use cloud computing services recognised under Article 17 as having a Union assurance level 1. This level serves as the minimum baseline for standard administrative tasks, ensuring a consistent level of sovereignty across the general public sector.
The Public Order Mandate: Levels 2, 3, or 4
For activities deemed critical, Article 30(3) imposes a stricter obligation. The text states:
"Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
The Critical Phrase: "Including the entities acting on their behalf"
The inclusion of the phrase "including the entities acting on their behalf" in Article 30(3) is a deliberate legislative choice to close potential sovereignty loopholes. In complex public sector structures, procurement is often decentralised or delegated. This provision ensures that the sovereignty obligation attaches to the transaction and the activity being funded, regardless of which legal entity executes the purchase.
Who is covered?
The term captures a broad range of intermediaries:
- Shared Service Organisations (SSOs): Centralised IT or procurement units that manage cloud contracts for multiple ministries or local authorities.
- Central Purchasing Bodies (CPBs): Entities designated under public procurement directives to aggregate demand and buy on behalf of other authorities.
- External Agents: Third-party procurement agencies or consultants contracted to manage specific cloud infrastructure bids.
The Flow of Obligation
When an entity acts on behalf of a contracting authority, it does not procure for its own operational needs in a vacuum; it procures to enable the principal's activities. Consequently, the required Union assurance level is determined by the risk classification of the principal's activity, not the agent's own risk profile.
For example, if a Ministry of Justice (the principal) identifies its case-management system as contributing to public order, it triggers the Article 30(3) requirement for levels 2, 3, or 4. If a shared service organisation (the entity acting on behalf) is tasked with procuring this system, it is legally bound to source a service at the higher assurance level. The shared service organisation cannot argue that it is merely an administrative processor and therefore only needs Level 1. The "public order" nature of the data and the activity flows through the agency relationship.
The Trigger: Risk Assessments under Article 29
The obligation to procure at levels 2, 3, or 4 is not automatic for all public bodies. It is strictly triggered by the risk assessments mandated by Article 29. Member States and Union entities must carry out these assessments to identify which specific activities contribute to the preservation of public order.
The assessment must consider:
- The sensitivity, criticality, and magnitude of the data processed (Article 29(2)(a)).
- The risk of unlawful access by third countries (Article 29(2)(b)).
- The risk of service disruption (Article 29(2)(c)).
Once an activity is flagged in this assessment, the "entity acting on behalf" is legally bound to restrict its procurement to services in the central repository (established under Article 22) that hold the appropriate higher assurance level.
Derogations and Exceptions
Article 30(4) provides limited, exceptional derogations. An entity acting on behalf of a contracting authority may decide not to procure a recognised service only if:
- The subject matter cannot be supplied by recognised services in the central repository, and no adequate alternative exists (provided this is not due to artificial narrowing of parameters).
- A similar process was launched within the previous year with no suitable tenders.
- Applying the requirements would result in disproportionate cost.
These derogations must be duly justified. The entity acting on behalf cannot simply ignore the sovereignty requirement; it must document why the requirement cannot be met.
What this means for you
For in-house counsel, compliance officers, and procurement managers, the explicit inclusion of "entities acting on their behalf" in Article 30(3) creates a direct line of operational responsibility for centralised units and shared services.
- Map the Principal's Activities: If your organisation acts as a procurement agent or shared service provider for multiple public authorities, you must map each client's activities against the risk assessment criteria in Article 29. You cannot apply a one-size-fits-all assurance level. A cloud service procured for a municipal library (likely Level 1) may be entirely non-compliant if that same service is used for a police database (requiring Level 2, 3, or 4).
- Contractual Flow-Downs: Ensure your service agreements with principal authorities clearly define the scope of activities being supported. If you are procuring on their behalf, you need explicit confirmation of the required Union assurance level for each workload. Your contracts must reflect that you are bound by the principal's risk classification.
- Audit Trails and Verification: The entity acting on behalf is responsible for ensuring the procured service is recognised in the central repository (Article 22). You must maintain records proving that the service meets the specific assurance level dictated by the principal's risk assessment. Relying on a provider's marketing claims is insufficient; formal recognition under Article 17 is required.
- Migration Planning: If a risk assessment changes an activity's classification (e.g., from non-critical to critical), Article 29(6) mandates migration within a reasonable period not exceeding 12 months. Entities acting on behalf must plan and execute this migration, ensuring continuity of service while upgrading to a higher-assurance provider.
- Liability and Penalties: While Article 24 outlines penalties for cloud providers, contracting authorities and their agents face compliance risks under national transposition of CADA. Failure to procure the correct assurance level could result in administrative fines, invalidation of procurement procedures, or liability for damages under national law.
Common misconceptions
Misconception 1: "The entity acting on behalf can choose the assurance level based on its own risk profile."
- Reality: No. The obligation flows from the contracting authority's activity. If the authority's activity is deemed critical to public order, the agent must procure a higher-assurance service, regardless of whether the agent itself considers the data low-risk. The risk assessment belongs to the principal (Article 29).
Misconception 2: "Union assurance level 1 is sufficient for all public sector procurement."
- Reality: Level 1 is the minimum baseline (Article 30(2)). However, for any activity identified as contributing to public order in sectors like defence, justice, or critical infrastructure, levels 2, 3, or 4 are mandatory (Article 30(3)). Entities acting on behalf of authorities in these sectors must bypass Level 1 providers for these specific workloads.
Misconception 3: "We can use any cloud provider as long as we have a robust contract."
- Reality: CADA moves beyond contractual safeguards. The service must be recognised as offering the specific Union assurance level by the national competent authority (Article 17). A private contract cannot substitute for the formal recognition process and audit requirements outlined in Articles 20–23.
Misconception 4: "Derogations allow us to use non-sovereign providers indefinitely."
- Reality: Derogations under Article 30(4) are exceptional and temporary. They apply only when no suitable recognised service exists or costs are disproportionate. They do not provide a permanent loophole to bypass sovereignty requirements for critical public order activities.
Related
- Article 31 CADA: Voluntary impact assessments for private critical entities
- When must public buyers procure level 2, 3 or 4 cloud under CADA?
- CADA Article 32: What non-price criteria must be used in EU cloud tenders?
- CADA Article 33: What must Member States report on innovation procurement?
- CADA Article 39: What must a central purchasing authority pass down to buyers?
This is general information about a draft EU regulation, not legal advice.