Summary
As proposed, the Cloud and AI Development Act (CADA) would fundamentally alter how public health bodies procure cloud services by mandating risk-based sovereignty assessments and minimum assurance levels. Health sector contracting authorities must first determine if their activities contribute to "public order"; if so, they are legally restricted to procuring cloud services recognised at Union assurance levels 2, 3, or 4, rather than relying on standard commercial offers. Additionally, procurement officers can apply "Union added value" criteria, weighted up to 15 out of 120 points, to favour providers that strengthen the European digital supply chain, though this criterion must remain ancillary to core technical and financial requirements.
Detail
The proposed CADA introduces a structured sovereignty framework that directly impacts public procurement in the health sector. The regulation distinguishes between general public services and those critical to public order, creating a bifurcated procurement obligation for health authorities. This framework is designed to reduce dependencies on third-country providers and ensure operational autonomy for critical infrastructure.
Risk Assessments and Assurance Levels
Under Article 29, Member States and Union entities are required to conduct risk assessments to identify public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, which explicitly covers healthcare. The assessment must determine the sensitivity, criticality, and magnitude of data processed, including personal health data, and evaluate the risk of unlawful access by third countries or service disruption.
Based on these risk assessments, Article 30 establishes mandatory procurement rules:
- Non-Critical Health Services: Public sector bodies whose activities are not identified as contributing to the preservation of public order must, as a minimum, use cloud computing services recognised at Union assurance level 1. This baseline level requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union unless explicitly required otherwise by the public body.
- Critical Health Services: Contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., national health registries, emergency response systems, or processing of sensitive medical data) must only procure cloud computing services recognised at Union assurance levels 2, 3, or 4.
This means that for critical health infrastructure, standard global cloud offerings that do not meet these higher sovereignty criteria (such as those lacking strict data localisation, EU-only personnel requirements, or protection against third-country control) would be ineligible for procurement.
The Nuance of Union Assurance Levels 2, 3, and 4
For health bodies requiring higher assurance, the criteria in Annex II become critical:
- Level 2 (Substantial Cybersecurity): Requires a European cybersecurity certificate of at least assurance level 'substantial' (or equivalent national standards until the EU scheme is established). It mandates that infrastructure, assets, and personnel are located in the Union. Crucially, it requires that data is not used to train AI systems operated by third countries.
- Level 3 (High Sovereignty): Builds on Level 2 but adds a strict personnel requirement: personnel involved in the provision of the service must be Union citizens. It also requires a European cybersecurity certificate of at least 'substantial' assurance.
- Third-Country Control Derogation: A provider subject to third-country control may still qualify for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. Note: While the draft text in Annex II (3.1(g)) contains a drafting slip referencing "Article 19", the mechanism for identifying associated third countries is explicitly established in Article 18 ("Associated third countries").
- Level 4 (Highest Sovereignty): Requires a European cybersecurity certificate of at least assurance level 'high'. It mandates that personnel are Union citizens and, where appropriate, hold national security clearance. It strictly prohibits third-country control without any derogation mechanism.
Union Added Value in Procurement
Article 32 introduces "Union added value" as a non-price award criterion in public procurement procedures for innovative cloud computing services and AI systems. This allows contracting authorities to evaluate tenders based on their contribution to the European cloud and AI ecosystem.
Specifically, Article 32(3) enables authorities to assess:
- The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the EU.
- The integration of technologies developed in the Union, including results from EU-funded research.
- The delivery of services through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.
While Article 32(2) mandates that these criteria must be linked to the subject matter and expressly set out in procurement documents, Recital 67 provides crucial guidance on weighting. It states that contracting authorities could consider a maximum weighting of 15 out of 120 points to be allocated to European added value. This ensures that while sovereignty and European supply chain resilience are prioritised, the criterion remains ancillary and subordinate to core technical and financial performance requirements.
Exemptions and Derogations
Article 30(4) provides limited derogations. Contracting authorities may decide not to procure recognised assurance-level services if:
- No adequate or reasonable alternative exists in the central repository, and the absence is not due to artificially narrowed procurement parameters.
- A similar procurement process launched within the previous year yielded no suitable tenders.
- Applying the requirements would result in disproportionate costs.
What this means for you
For public-sector procurement officers in the health system, CADA shifts procurement from a purely commercial decision to a strategic sovereignty exercise. You must now integrate sovereignty criteria into your tender documents and evaluation matrices.
1. Conduct and Document Risk Assessments
Before launching a procurement for cloud services, you must perform the risk assessment mandated by Article 29. You need to determine if your specific health service (e.g., a regional hospital network vs. a national genomic database) contributes to public order. This classification dictates your assurance level requirement. If your service is critical, you cannot award contracts to providers only certified at Level 1.
2. Update Tender Specifications
Your procurement documents must explicitly require bidders to demonstrate recognition at the appropriate Union assurance level (1, 2, 3, or 4) as per Article 30. You should reference the central repository established under Article 22 to verify a provider's status. For critical health data, ensure that technical specifications align with the stricter criteria of Levels 2–4, which may include requirements for EU-only personnel, strict data localisation, and independence from third-country control.
3. Apply Union Added Value Criteria
When evaluating bids for innovative cloud or AI solutions, you can now include "Union added value" as a scoring criterion under Article 32. To remain compliant and fair:
- Clearly define how you will measure contribution to the EU supply chain (e.g., percentage of hardware manufactured in the EU, use of EU-developed software).
- Cap the weighting of this criterion at 15 points out of 120, as suggested in Recital 67, to ensure it does not override technical quality or price.
- Ensure the criterion is ancillary; it should not be the decisive factor if a technically superior bid from a non-EU provider (that still meets the assurance level requirements) is submitted.
4. Monitor the Central Repository
Procurement officers must check the Commission's central repository of recognised services. If no providers meeting your required assurance level are available, you may need to invoke the derogation in Article 30(4), but you must document that no adequate alternative exists and that the lack of options is not due to restrictive tender parameters.
Common misconceptions
Misconception 1: All health sector cloud procurement requires Level 4 assurance.
Correction: CADA uses a risk-based approach. Only health activities identified as contributing to "public order" through the Article 29 risk assessment require Levels 2, 3, or 4. General administrative health services that do not process critical public order data may only need Level 1 assurance, which has less stringent requirements regarding third-country control and personnel citizenship.
Misconception 2: "Union added value" allows you to exclude non-EU providers entirely.
Correction: Article 32 requires that Union added value criteria be ancillary and not decisive. You cannot use it to automatically disqualify non-EU providers who meet the technical and assurance level requirements. Instead, it serves as a tie-breaker or a minor weighting factor (up to 15/120 points) to favour providers that strengthen the EU supply chain, provided they still meet the core sovereignty assurance levels.
Misconception 3: The GDPR is sufficient to ensure cloud sovereignty for health data.
Correction: While the GDPR protects personal data, it does not address operational autonomy, supply chain resilience, or third-country control risks. CADA's assurance levels (particularly 2–4) introduce specific criteria, such as preventing third-country disruption of service and ensuring EU-only technical support, that go beyond data protection alone. Health bodies cannot rely solely on GDPR compliance to meet CADA's procurement obligations.
Misconception 4: Existing cloud contracts are automatically compliant.
Correction: CADA applies to new procurements. Existing contracts may need to be migrated if they do not meet the required assurance levels, particularly if the service is deemed critical to public order. Article 29(6) notes that migration must occur within a reasonable transition period not exceeding 12 months, considering technical feasibility and data portability.
This is general information about a draft EU regulation, not legal advice.