Summary The proposed Cloud and AI Development Act (CADA) would fundamentally alter how public authorities procure AI systems by layering sovereignty and strategic autonomy requirements onto the procurement process. Under Article 32, contracting authorities would be required to include "Union added value" as a non-price award criterion specifically for innovative AI systems, evaluating a vendor's contribution to the European digital supply chain. Simultaneously, Article 33 would mandate Member States to monitor and report on innovation procurement, setting a target that at least 25% of relevant contracts for cloud and AI systems be awarded to innovative SMEs. Crucially, the procurement of the AI system itself is inextricably linked to the cloud infrastructure hosting it: under Article 30, the cloud underpinning the AI must meet specific Union assurance levels (1, 2, 3, or 4) determined by a public order risk assessment. This creates a dual compliance track where the AI system must be "innovative" and "sovereign" in its hosting environment.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, does not regulate the technical safety or fundamental rights compliance of AI systemsβ€”that remains the domain of the EU AI Act. Instead, CADA targets the procurement ecosystem in which these systems are bought, deployed, and hosted. For public sector bodies and Union entities, this means that the decision to procure an AI system is no longer just a technical or functional choice; it is a strategic decision involving supply chain resilience, European industrial policy, and data sovereignty.

The regulation establishes a framework where the procurement of AI systems is governed by three intersecting pillars: the mandatory inclusion of Union added value criteria, the monitoring of SME participation in innovation, and the strict application of cloud sovereignty levels to the infrastructure supporting the AI.

Union Added Value: A Mandatory Criterion for Innovative AI

A pivotal shift in public procurement under the proposal is the introduction of a mandatory "Union added value" criterion. Article 32(1) explicitly expands the scope of this requirement beyond cloud computing services to include AI systems. The text states: "In public procurement procedures for innovative cloud computing services and AI systems, contracting authorities shall include, as part of the quality evaluation of the tender, non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem."

This provision ensures that when a public body seeks to procure an innovative AI solution, it cannot simply award the contract to the lowest bidder or the most technically advanced global provider without considering the strategic impact on the EU ecosystem. The criterion is designed to be "ancillary and not decisive" in the award of the contract, meaning it cannot be the sole factor determining the winner, but it must be a scored element of the quality evaluation.

Under Article 32(3), contracting authorities would evaluate the extent to which:

  • The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The tenderer has integrated technologies developed in the Union, including research and development results from Union-funded programmes.
  • The innovation required to deliver the service contributes to strengthening the security of supply.
  • The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

This creates a direct incentive for AI vendors to localize their supply chains, partner with EU-based hardware manufacturers, or integrate EU-developed models if they wish to score highly in public tenders. It effectively embeds industrial policy into the procurement process for AI.

Monitoring Innovation and the 25% SME Target

To ensure that the procurement of AI systems fosters a competitive and diverse European market, Article 33 establishes a robust monitoring and reporting framework. Member States would be required to monitor and report annually on their use of procurement of innovation in cloud computing services and AI systems.

The regulation sets a clear, quantitative objective: Article 33(4) states that "Member States shall pursue as objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs." This target is not merely aspirational; Member States must include plans in their national cloud and AI strategies (under Article 7) on how they intend to achieve this objective.

The monitoring requirements under Article 33(3) are detailed. Member States must report on:

  • The size of economic operators participating in such procurement.
  • SME participation trends, including the number of contracts awarded to SMEs and their share of the total contract value.
  • Measures taken to improve SME access, such as dividing contracts into lots.

This framework signals a structural shift in the market. Public buyers would be under pressure to structure tenders in a way that allows SMEs to compete, potentially by breaking large AI procurement projects into smaller, manageable lots or by simplifying administrative requirements for smaller innovators. For AI startups, this represents a significant, legislated pathway to market access in the public sector.

The Sovereignty Chain: Cloud Assurance Levels for AI Infrastructure

While Articles 32 and 33 address the procurement criteria for the AI system itself, Article 30 addresses the infrastructure on which that system runs. AI systems, particularly those used in the public sector, rely heavily on cloud computing services for training, inference, and data storage. CADA treats the procurement of the AI system and the procurement of the cloud infrastructure as a linked compliance chain.

Under Article 30, the Union assurance level required for the cloud service depends on the outcome of a risk assessment conducted by the Member State or Union entity under Article 29. This assessment determines whether the activity contributes to the preservation of public order.

  • Baseline Requirement (Article 30(2)): For public sector activities that have not been identified as contributing to the preservation of public order, the cloud computing services used must be recognized as offering Union Assurance Level 1. This applies to the cloud underpinning the AI system.
  • Public Order Relevance (Article 30(3)): If the risk assessment determines that the activity (e.g., an AI system used in law enforcement, justice, or critical infrastructure) contributes to the preservation of public order, the contracting authority must procure cloud computing services recognized as offering Union Assurance Levels 2, 3, or 4.

This creates a critical dependency. An architect cannot procure a compliant AI system under Article 32 if the cloud provider hosting that system fails to meet the assurance level mandated by Article 30. For example, if a public body procures an AI system for border management (a public order activity), it must ensure the cloud provider is recognized at Level 2, 3, or 4. If the AI vendor uses a non-sovereign cloud provider that only meets Level 1 (or no level), the entire procurement could be deemed non-compliant with CADA.

The assurance levels themselves, defined in Annex II, impose strict requirements on establishment, data localization, personnel (including Union citizenship requirements for higher levels), and third-country control. Thus, the procurement of an AI system effectively forces a due diligence check on the entire stack, from the algorithm to the physical server and the nationality of the support staff.

What this means for you

For CTOs and AI Architects: Your architecture decisions are now procurement constraints. When designing AI solutions for public sector clients, you must verify the Union assurance level of the underlying cloud infrastructure before finalizing the AI model selection. If the use case involves public order relevance (e.g., healthcare triage, security screening), you are restricted to cloud providers with Level 2, 3, or 4 recognition. This may limit your choice of hyperscalers. Furthermore, when preparing bids for innovative AI projects, you must explicitly document your "Union added value." Highlight the use of EU-designed hardware, integration of EU-developed models, or contributions to the European open-source ecosystem, as these will be scored criteria under Article 32.

For AI Startups and SMEs: CADA creates a protected market segment. The 25% target for innovative SMEs under Article 33 means public buyers are incentivized to structure tenders to include you. Focus on "innovative" solutions that demonstrate clear Union added value. Consider partnering with EU hardware manufacturers or open-source foundations to strengthen your bid. Monitor national strategies for specific "lots" designed for SMEs, as the regulation encourages the division of contracts to facilitate your participation. Ensure your cloud infrastructure is recognized at the appropriate assurance level, as this is a prerequisite for your AI system to be eligible for public procurement in critical sectors.

For Legal and Procurement Officers: You must update your tender documentation to reflect the new mandatory criteria.

  1. Include Union Added Value: Ensure your tender documents for innovative AI systems include the non-price award criteria mandated by Article 32, with clear evaluation matrices for supply chain contributions and EU technology integration.
  2. Conduct Risk Assessments: Before launching a tender for an AI system, ensure a risk assessment under Article 29 has been completed to determine if the activity contributes to public order. This dictates the minimum cloud assurance level required under Article 30.
  3. Track SME Targets: Implement internal monitoring to track your progress toward the 25% SME target for innovative AI procurement, as required by Article 33. Failure to report or meet these targets could impact national compliance reporting.

Common misconceptions

"CADA replaces the AI Act for AI procurement." No. The two instruments are complementary. The AI Act regulates the safety, fundamental rights, and transparency of the AI system itself (e.g., risk management, data governance). CADA regulates the procurement conditions (Union added value, SME targets) and the sovereignty of the hosting infrastructure. A public body must comply with the AI Act for the system's safety and CADA for the system's procurement and hosting.

"Union Added Value is a blanket ban on non-EU vendors." Not necessarily. Article 32 requires the criterion to be "ancillary and not decisive." Non-EU vendors can still win contracts if they demonstrate sufficient Union added value, for example, by manufacturing components in the EU, integrating EU-developed software, or establishing a strong local supply chain. The goal is to evaluate contribution to the ecosystem, not to exclude foreign entities entirely.

"Only the AI model needs to be checked for sovereignty." Incorrect. The sovereignty check extends to the cloud infrastructure underpinning the AI. Under Article 30, the cloud service must meet the assurance level determined by the public order risk assessment. An AI system that is technically compliant with the AI Act but hosted on a non-compliant cloud service would fail CADA procurement requirements for public order activities.

"The 25% SME target is a suggestion." While the regulation uses the term "pursue as objective," Article 33 makes this a binding requirement for Member States to include in their national strategies and report on annually. It creates a strong political and administrative pressure to structure tenders to meet this threshold.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.