Summary

Under the proposed Cloud and AI Development Act (CADA), public banks and development banks acting as contracting authorities would be subject to a mandatory baseline requirement to procure cloud computing services recognized at Union assurance level 1. However, if a national risk assessment determines that the bank's activities contribute to the preservation of public order (a category that often includes critical financial infrastructure, sovereign debt management, or strategic industrial financing), the proposal would mandate the procurement of services recognized at Union assurance levels 2, 3, or 4. This framework, established in Article 30, aims to reduce dependencies on third-country providers and ensure operational autonomy for critical financial entities.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission in COM(2026) 502 final, introduces a harmonized framework for cloud sovereignty that fundamentally alters procurement for public-sector entities. For public banks, development banks, and other financial institutions that qualify as "contracting authorities," the proposal replaces discretionary procurement choices with a tiered "Union assurance level" system. The core mechanism is Article 30, which links the required assurance level directly to the outcome of a risk assessment regarding public order.

The Baseline: Mandatory Union Assurance Level 1

Article 30(2) establishes a non-negotiable floor for all public procurement of cloud computing services. It states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."

This baseline is not optional. Even for public banks whose primary mandate is general lending, regional development, or monetary policy support without direct involvement in national security or law enforcement, the proposal would require that any cloud service procured meets the Level 1 criteria. To achieve this recognition, a provider must submit a conformity self-assessment (Article 19) demonstrating:

  • Union Establishment: The provider is established in the Union.
  • Data and Infrastructure Location: Infrastructure, assets, and customer data (including metadata and telemetry) remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Cybersecurity: Compliance with state-of-the-art cybersecurity standards.
  • Third-Country Vulnerability Reporting: If the provider is subject to the control of a third country, it must guarantee that no laws or practices in that third country require reporting software vulnerabilities to authorities before they are known to have been exploited (Annex II, Section 1.1(g)).

For many public banks, this baseline ensures a minimum level of sovereignty and data residency, preventing the use of completely unassured or non-compliant services.

The Public Order Trigger: Levels 2, 3, and 4

The critical compliance challenge for financial institutions lies in the definition of "public order." Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4."

The identification of these activities is not automatic; it is the result of a risk assessment required under Article 29. Member States and Union entities must carry out these assessments to determine which public sector activities contribute to public order. The assessment must consider:

  • Sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive).
  • Areas of national security, internal security, external border management, defence, justice, or law enforcement.

Financial institutions are not named in the "national security, internal security, defence, justice, or law enforcement" limb, but they are reached through the NIS2 limb: banking and financial market infrastructures are listed as sectors of high criticality in Annex I of Directive (EU) 2022/2555, and the Article 29 assessment must consider those sectors. Consequently, public banks and development banks that manage critical payment systems, sovereign debt markets, or strategic industrial financing are likely candidates to be identified as supporting public order through the national risk assessment process. The identification is still a Member State decision, not an automatic consequence of NIS2 status.

If a public bank is classified under this category, it is barred from using services that only meet Level 1 criteria. It must procure services meeting the stricter criteria of Levels 2, 3, or 4.

What Higher Assurance Levels Require for Banks

The jump from Level 1 to Levels 2–4 introduces significant operational, structural, and personnel constraints on cloud providers, which directly impacts procurement choices for banks:

  • Union Assurance Level 2: Requires independent third-party audits (Article 20). Providers must ensure infrastructure, assets, and personnel are located in the Union. Crucially, Annex II, Section 2.1(f) mandates that data generated by using the service must not be used to train or fine-tune any AI system operated by a third country or transferred outside the Union. Providers subject to third-country control must demonstrate effective legal, technical, and organizational separation.
  • Union Assurance Level 3: Builds on Level 2 but adds stricter personnel requirements. Annex II, Section 3.1(d) requires that personnel involved in the provision of the service, including subcontractors, are Union citizens. Additionally, providers and subcontractors must not be subject to the control of a third country, unless the Commission has adopted a specific implementing act for an "associated third country" under Article 18. This level also requires a European cybersecurity certificate of at least assurance level 'substantial'.
  • Union Assurance Level 4: The highest tier, intended for the most sensitive data. Annex II, Section 4.1 requires that sensitive customer data remains exclusively within the Union. Personnel must be Union citizens with necessary national security clearances. The service must obtain a European cybersecurity certificate of at least assurance level 'high'. Providers and subcontractors must not be subject to third-country control.

Procurement Exceptions and Mitigation

Article 30(4) provides limited derogations. Contracting authorities may decide not to procure recognized services only if:

  1. The subject matter cannot be supplied by recognized services in the central repository, and no adequate alternative exists.
  2. A similar procurement process launched within the previous year received no suitable tenders.
  3. Applying the requirements would result in disproportionate cost.

However, these exceptions are narrow and require strict justification. The proposal encourages the use of multi-vendor or multi-cloud strategies (Recital 65) to enhance resilience and limit dependency on a single provider.

What this means for you

For procurement officers, legal counsel, and risk managers at public banks and development banks, the CADA proposal necessitates a proactive review of cloud contracts and procurement strategies.

1. Determine Your "Public Order" Status

Engage immediately with national competent authorities to understand how your bank's activities are classified under the Article 29 risk assessment. If your bank manages critical payment infrastructure, sovereign debt issuance, or strategic state-backed lending, it may be classified as supporting public order. This classification triggers the mandatory requirement for Union assurance levels 2–4, significantly narrowing your pool of eligible providers.

2. Audit Current Cloud Providers

Assess whether your current cloud providers can achieve the necessary Union assurance level, and distinguish between the levels when you do so. At Level 2, a provider subject to third-country control can still qualify if it demonstrates effective legal, technical, and organizational separation and keeps infrastructure, assets, and personnel in the Union. At Levels 3 and 4, third-country control is disqualifying unless the Commission has adopted an "associated third country" implementing act under Article 18, and personnel (including subcontractors' personnel) must be Union citizens, with national security clearances at Level 4. Many global hyperscalers may therefore struggle to meet Level 3 or 4 criteria because of their ownership structure or their reliance on non-EU staff for operations and support. You may need to transition to European providers or specialized sovereign cloud offerings that can demonstrate the required separation from third-country control.

3. Review Data Flows and AI Usage

Ensure that your cloud contracts explicitly prohibit the use of your data for training or fine-tuning AI systems operated by a third country and its transfer outside the Union. This is a mandatory requirement from Level 2 upwards (Annex II, Section 2.1(f)). Many standard cloud contracts allow data to be used for "service improvement" or model training; these clauses would need to be amended or the provider changed to comply with CADA. Check the same clauses for telemetry and metadata: the Level 1 location criterion already requires them to stay in the Union unless the public sector body explicitly requires otherwise, so a clause that exports telemetry for analytics fails at the baseline, not only at Level 2.

4. Plan for Transition

Article 29(6) allows for a reasonable transition period (up to 12 months) if a risk assessment requires migration to a different cloud service. Begin identifying alternative providers and mapping migration paths now. The proposal does not grandfather existing contracts indefinitely; once the regulation applies, non-compliant services must be replaced.

5. Leverage the European Public Sector Cloud Federation

Consider participating in the European public sector cloud federation (Article 34), which facilitates the sharing of secure, sovereign cloud capacities between Union entities and public sector bodies. This could provide access to compliant infrastructure without bearing the full cost of building it in-house, particularly for smaller development banks.

Common misconceptions

"CADA only applies to government ministries." Incorrect. The proposal applies to all "contracting authorities" and "Union entities," which includes public banks, development banks, and other public-sector financial institutions that procure cloud services for their exclusive use. If your bank is a public body, you are a contracting authority under CADA.

"GDPR compliance is enough." No. While CADA complements GDPR, it introduces distinct sovereignty criteria. A provider can be GDPR-compliant but fail to meet Union assurance level 2 because its operations or support personnel are located outside the Union, because it remains under third-country control without demonstrated separation, or because it uses customer data to train non-EU AI models. CADA focuses on operational autonomy and resistance to third-country legal extraterritoriality, which GDPR does not fully address.

"We can keep using our current global provider if we sign a new contract." Not necessarily. If your bank is deemed to support public order, you must procure services recognized at Levels 2–4. If your current provider cannot achieve this recognition due to its ownership structure or global personnel policies, you will need to switch providers, regardless of existing contracts. The "disproportionate cost" exception is a high bar to clear.

"Level 1 is optional for low-risk activities." No. Article 30(2) makes Level 1 recognition a mandatory minimum for all public sector procurement of cloud services, even for activities not deemed to support public order. Unrecognized services cannot be procured outside the narrow Article 30(4) derogations, each of which must be justified.

This is general information about a draft EU regulation, not legal advice.