Summary
Under the proposed Cloud and AI Development Act (CADA), Union entities (defined as EU institutions, agencies, offices, and bodies) are subject to the same sovereignty and procurement obligations as Member State public authorities. As proposed, they must conduct risk assessments (Article 29) to determine the required Union assurance level for their cloud services, procure only recognised sovereign services for activities impacting public order (Article 30), and can participate in a common procurement framework managed by the Commission to leverage collective buying power (Article 37).
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to strengthen the EU's cloud and AI ecosystem by reducing dependencies on third-country providers and ensuring the resilience of critical infrastructure. While much of the public discourse focuses on Member States, the proposal explicitly extends its core sovereignty and procurement mechanisms to Union entities.
Article 2 of the proposal defines "Union entities" as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community."
As proposed, CADA imposes three primary obligations on these entities: conducting sovereignty risk assessments, adhering to strict procurement rules based on assurance levels, and participating in common procurement activities.
1. Mandatory Risk Assessments (Article 29)
The cornerstone of CADA's sovereignty framework is the requirement for public-sector bodies to assess the risks associated with their use of cloud computing services. Article 29 mandates that both Member States and Union entities carry out these risk assessments.
Article 29(1) states that "By [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary, Member States and Union entities shall carry out risk assessments that shall: (a) identify the public sector activities that use or will make use of cloud computing services, that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence; (b) determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."
This means Union entities cannot treat cloud procurement as a purely technical or financial decision. They must systematically evaluate whether their activities contribute to the preservation of public order. If an agency's activities involve sensitive data, critical infrastructure, or national security interests, the risk assessment will dictate a higher Union assurance level (Level 2, 3, or 4), which imposes stricter criteria on cloud providers regarding data location, personnel citizenship, and absence of third-country control.
The risk assessment must consider the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by third countries or service disruption. Article 29(2) requires entities to assess "the sensitivity, criticality, and magnitude of the non-personal data processed... and the nature, scope, context and purpose of processing of personal data."
2. Procurement Obligations Based on Assurance Levels (Article 30)
The outcome of the Article 29 risk assessment directly dictates procurement behaviour under Article 30. This article establishes a tiered approach to cloud procurement for Union entities and public sector bodies.
- Standard Activities: For activities that do not contribute to the preservation of public order, Article 30(2) mandates that Union entities "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1." This sets a baseline minimum standard for all EU cloud spending.
- Public Order Activities: For activities identified as contributing to the preservation of public order (e.g., those involving justice, law enforcement, or critical security data), Article 30(3) imposes a stricter requirement: "Contracting authorities... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This creates a binding link between the risk assessment and the procurement tender. A Union entity cannot outsource a high-risk function to a cloud provider that has not been formally recognised by a national competent authority as meeting the specific Union assurance level required by the entity's risk assessment.
3. Common Procurement Framework (Article 37)
To help Union entities meet these obligations efficiently and to aggregate demand for sovereign cloud services, CADA introduces a common procurement framework. Article 37 empowers the European Commission to act as a central purchasing body.
Article 37(1) states: "The Commission may carry out procurement activities to procure data centre services, cloud computing services, software and AI systems for itself and for Union entities and for contracting authorities of Member States..."
This provision allows Union entities to participate in joint procurement procedures led by the Commission. The goal is to harness economies of scale and collective bargaining power to secure better terms and accelerate the adoption of trusted, sovereign cloud solutions. Union entities are considered "participating entities" in these procedures.
Furthermore, Article 37 allows the Commission to provide ancillary support, such as technical infrastructure, advice on procurement procedures, and invoicing services. This is particularly beneficial for smaller agencies that may lack the internal expertise to navigate complex sovereign cloud tenders. The framework also includes a Steering Committee composed of the Commission and representatives of Member States to provide strategic oversight of these procurement activities.
4. Open Source and Reuse (Articles 41-44)
While not exclusive to Union entities, CADA places a strong emphasis on open source as a tool for reducing vendor lock-in and enhancing sovereignty. Article 41 encourages Union entities to "use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem."
Additionally, Article 42 requires that when Union entities make software available for reuse under an open-source licence, they must do so through a catalogue connected to the EU Open Source Solutions Catalogue (Article 43). This promotes transparency and allows other public bodies to discover and reuse existing solutions, reducing duplication of effort and cost.
What this means for you
For procurement officers, IT directors, and legal counsel within EU institutions and agencies, CADA signals a significant shift in how cloud services are acquired and managed.
- Integrate Risk Assessment into Procurement Cycles: You can no longer separate technical cloud evaluations from security and sovereignty risk assessments. Before launching a tender, your agency must have a completed risk assessment (per Article 29) that clearly defines the required Union assurance level. This assessment must be updated every two years or whenever the nature of the activity changes.
- Verify Provider Recognition: When evaluating bids, you must verify that the cloud provider has been formally recognised under Article 17 as offering the specific Union assurance level required by your risk assessment. You cannot accept a provider's self-declaration for Levels 2 to 4; you must check the central repository maintained by the Commission (Article 22).
- Leverage Common Procurement: Consider participating in the Commission-led common procurement framework (Article 37). This can reduce administrative burden, provide access to pre-vetted sovereign providers, and potentially lower costs through aggregated demand. It also ensures compliance with the new sovereignty standards without having to build expertise from scratch.
- Plan for Migration: If your current cloud providers do not meet the required Union assurance levels, Article 29(6) notes that migration must occur within a "reasonable transition period that shall not exceed 12 months." Begin planning exit strategies and data portability measures now to ensure continuity of service.
Common misconceptions
Misconception 1: CADA only applies to Member States. Reality: The text explicitly includes "Union entities" (institutions, agencies, offices, bodies) in the scope of risk assessments (Article 29) and procurement obligations (Article 30). The EU's own digital infrastructure must adhere to the same sovereignty standards it imposes on national governments.
Misconception 2: All cloud services must be Level 4 sovereign. Reality: CADA uses a proportionate approach. Only activities contributing to the preservation of public order (e.g., law enforcement, critical security) require Levels 2 to 4. Standard administrative activities only require Level 1 assurance. The risk assessment determines the appropriate level.
Misconception 3: The Commission will force agencies to use specific providers. Reality: Article 37 allows the Commission to facilitate common procurement, but it does not mandate that all entities must use the Commission's framework. Agencies retain the right to procure independently, provided they meet the assurance level requirements. However, using the common framework is strongly incentivised to reduce complexity and cost.
Misconception 4: Open source is mandatory for all software. Reality: Article 41 encourages the use of open source and open standards, but it is framed as a measure to "encourage" and "facilitate" reuse. It is not an absolute ban on proprietary software, though the preference for open source is a key strategic lever for reducing dependency on single vendors.
This is general information about a draft EU regulation, not legal advice.