How does CADA change cloud procurement for local and regional government?

Summary Under the proposed Cloud and AI Development Act (CADA), local and regional governments must fundamentally rethink how they procure cloud computing services. The proposal mandates a baseline requirement that all public-sector cloud contracts use services recognized at Union assurance level 1 (Article 30). For activities deemed critical to public order, procurement must escalate to higher assurance levels (2, 3, or 4) based on mandatory risk assessments. Additionally, contracting authorities must include "Union added value" criteria in tenders to favor European supply chains and innovation (Article 32). These measures aim to reduce dependency on non-EU providers while ensuring that regional and local AI adoption remains secure and sovereign.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a significant shift in how public authorities across the EU, including local and regional bodies, approach digital procurement. While the EU has long promoted digital transformation, CADA introduces specific, binding sovereignty and security standards that directly impact procurement strategies. For local and regional governments, this means moving beyond cost and performance metrics to include rigorous sovereignty assurance and European added value in every cloud and AI procurement process.

The Baseline Requirement: Union Assurance Level 1

The cornerstone of CADA's procurement framework is Article 30. This article establishes a mandatory minimum standard for all cloud computing services procured by public sector bodies. According to Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services that have been recognized as having a Union assurance level 1.

This creates a universal baseline. Local councils, regional health authorities, and municipal services can no longer procure cloud services from providers that do not meet these specific sovereignty criteria. Union assurance level 1 requires, among other things, that the provider is established in the Union, infrastructure and assets are located in the Union, and customer data remains exclusively within the Union unless explicitly required otherwise by the public sector body. This ensures that even non-critical municipal data is protected from extraterritorial access and third-country control.

Escalating Requirements for Public Order Activities

For local and regional governments involved in more sensitive operations, the requirements escalate. Article 30(3) stipulates that contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognized as having a Union assurance level 2, 3, or 4.

Which level applies depends on a mandatory risk assessment conducted by Member States and Union entities under Article 29. This assessment identifies public sector activities that contribute to public order in sectors such as national security, internal security, external border management, defense, justice, or law enforcement. For a regional police force or a local emergency response center, this likely means that standard commercial cloud offerings will no longer suffice; they must procure from providers that have undergone independent third-party audits and met stricter criteria regarding personnel citizenship, software supply chain transparency, and absence of third-country control.

Promoting European Innovation: Union Added Value

Beyond security, CADA aims to strengthen the European cloud and AI ecosystem through procurement policy. Article 32 introduces the concept of "Union added value" as a non-price award criterion in public procurement procedures for innovative cloud computing services and AI systems.

Contracting authorities are required to include criteria that allow them to evaluate a tenderer's contribution to the development of a European cloud and AI ecosystem. Article 32(3) specifies that these criteria should assess:

• The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union, including results from Union-funded research.
• The extent to which the service is delivered through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Crucially, Article 32(2) notes that these criteria must be ancillary and not decisive in the award of the contract. They cannot override technical and financial criteria directly connected to performance. However, they provide a legal mechanism for local and regional governments to actively prefer European providers, helping to level the playing field against dominant non-EU hyperscalers.

Regional and Local Adoption Focus

The proposal explicitly recognizes the role of local and regional governments in driving AI adoption. Recital 23 highlights that the Cloud and AI Leadership Initiatives should promote the broad adoption of AI by private and public sector organizations, including at regional and local levels. It emphasizes the role of Experience and Acceleration Centres for AI (Centres for AI) in supporting SMEs, small mid-caps, and public sector bodies in their digital transformation.

This suggests that CADA is not just about restricting procurement but also about enabling it. By creating a trusted, sovereign framework, the EU aims to give local and regional authorities the confidence to adopt advanced AI and cloud technologies without compromising sovereignty. The proposal also encourages the sharing of public sector data centre services and cloud computing services through the EuroCloud Federation (Article 34), allowing smaller local authorities to access high-quality, sovereign capacity by pooling resources with other public bodies.

What this means for you

For procurement officers in local and regional governments, CADA introduces several immediate and long-term changes to your workflow:

1. Update Your Vendor Shortlists: You must verify that all current and future cloud providers are recognized under the CADA framework. Providers not offering Union assurance level 1 will no longer be eligible for standard public sector contracts.
2. Conduct Risk Assessments: Work with your national competent authority to determine if your specific activities (e.g., local law enforcement, social services handling sensitive data) fall under the "public order" category. If they do, you must procure at assurance levels 2, 3, or 4.
3. Revise Tender Documents: Incorporate "Union added value" criteria into your tender evaluations. Ensure these criteria are clearly defined, non-discriminatory, and ancillary to technical performance. This will help you support European suppliers while complying with EU procurement law.
4. Plan for Migration: If your current provider does not meet CADA standards, you must plan a migration. Article 29(6) allows for a reasonable transition period of up to 12 months for migration to a new cloud service, provided technical feasibility and data portability are considered.
5. Leverage the EuroCloud Federation: Explore participation in the EuroCloud Federation to access shared sovereign cloud capacity. This can be particularly beneficial for smaller local authorities with limited bargaining power.

Common misconceptions

• Misconception: CADA bans non-EU cloud providers entirely.
  • Reality: CADA does not ban non-EU providers. However, it creates a sovereignty framework where non-EU providers can only qualify for Union assurance level 3 if the Commission determines their home country provides sufficient safeguards (Article 18). For most standard public sector use, providers must meet Union assurance level 1, which effectively favors EU-established providers with EU-based infrastructure.
• Misconception: Union added value means you must buy European hardware.
  • Reality: Article 32 allows you to evaluate the contribution to the European supply chain as a non-price criterion. It does not mandate that you only buy European hardware. The criterion must be ancillary and not decisive, meaning you can still choose a non-European provider if their technical and financial offer is superior, but you can give a slight edge to European providers.
• Misconception: Only central government is affected.
  • Reality: CADA explicitly applies to "public sector bodies," which includes local and regional authorities. Recital 23 specifically mentions the importance of AI and cloud adoption at regional and local levels. The sovereignty framework applies uniformly across all tiers of public administration.

Related

• How does CADA change public procurement of cloud and AI overall?
• How does CADA change cloud procurement for the health system?
• When must public administrations comply with CADA? Entry into force, strategies and procurement deadlines
• What procurement monitoring and reporting does CADA require of Member States?
• CADA Article 32: What is the Union added value criterion in public procurement?

This is general information about a draft EU regulation, not legal advice.