Summary

As proposed, the Cloud and AI Development Act (CADA) would fundamentally restructure public procurement of cloud and AI services by mandating minimum sovereignty assurance levels and introducing specific "European added value" award criteria. Contracting authorities would be required to procure only from services recognised under CADA's sovereignty framework, with higher assurance levels mandatory for activities deemed critical to public order. Additionally, Member States would need to monitor and report on innovation procurement, aiming to award at least 25% of such contracts to small and medium-sized enterprises (SMEs). These obligations are tightly linked to national cloud and AI strategies, creating a unified framework for digital sovereignty.

Detail

The proposed CADA introduces a rigorous, risk-based framework for public procurement, primarily detailed in Title IV of the regulation. The core objective is to reduce the EU's dependence on third-country providers and ensure that public sector operations are underpinned by resilient, sovereign infrastructure. This is achieved through three main pillars: mandatory assurance levels (Article 30), European added-value criteria (Article 32), and structured monitoring of innovation procurement (Article 33).

Mandatory Assurance Levels and Risk Assessments (Article 30)

Article 30 establishes a strict baseline for cloud computing procurement. It applies to contracting authorities and Union entities procuring cloud services for their exclusive use. The article mandates that all public sector bodies must, at a minimum, procure cloud computing services that have been recognised as offering Union assurance level 1.

However, the regulation recognises that not all public sector activities carry the same risk. Therefore, Article 30(3) imposes stricter requirements on authorities whose activities have been identified as contributing to the preservation of public order. This identification stems from the risk assessments mandated under Article 29, which cover sectors listed in Annexes I and II of the NIS2 Directive, as well as national security, internal security, external border management, defence, justice, and law enforcement. For these high-stakes activities, contracting authorities must only procure cloud computing services recognised as offering Union assurance levels 2, 3, or 4.

Article 30(4) provides limited derogations from these requirements. Authorities may decide not to procure from recognised services only if:

  • The subject matter cannot be supplied by recognised services in the central repository, and no adequate alternative exists (provided this absence is not due to artificially narrow parameters).
  • A similar procurement process was launched within the previous year but yielded no suitable tenders.
  • Applying the requirements would result in disproportionate costs.

Crucially, if a risk assessment requires migration to a different cloud service, Article 29(6) stipulates that the migration must occur within a reasonable transition period not exceeding 12 months, considering technical feasibility and data portability.

European Added Value in Award Criteria (Article 32)

Article 32 introduces a novel mechanism to steer procurement towards strengthening the EU's digital supply chain. In public procurement procedures for innovative cloud computing services and AI systems, contracting authorities shall include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These criteria must be linked to the subject matter of the contract, expressly set out in procurement documents, and must be ancillary and not decisive in the award of the contract. They should evaluate:

  • The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including results from EU-funded research.
  • The extent to which the service is delivered through critical computing, storage, and networking hardware components designed or manufactured in the Union. If this is not feasible, hardware from a third country may be accepted if it contributes to strengthening supply security and the European ecosystem.

Recital 67 of the proposal provides specific guidance on weighting these criteria. It suggests that contracting authorities could consider a maximum weighting of 15 out of 120 points for European added value within the overall evaluation methodology. This ensures the criterion remains proportionate and subordinate to core technical and financial criteria, preventing it from distorting the market while still incentivising European innovation.

Monitoring and SME Participation (Article 33)

Article 33 shifts focus from mere compliance to active market shaping, particularly for SMEs. Member States are obligated to monitor and report annually to the Commission on their use of procurement of innovation in cloud and AI. This reporting must include:

  • The size of economic operators participating.
  • SME participation trends, including the number of contracts awarded to SMEs and their share of total contract value.
  • Measures taken to improve SME access.

The regulation sets a clear target: Member States shall pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. To achieve this, Article 33(2) requires Member States to identify barriers to SME participation and promote strategies such as dividing contracts into lots. Furthermore, Union entities and contracting authorities are encouraged to promote preliminary market consultations and matchmaking between public buyers and European SMEs.

Links to National Cloud and AI Strategies

These procurement obligations do not operate in a vacuum. Article 33(4) explicitly links these targets to the national cloud and AI strategies required under Article 7. Member States must include plans in their national strategies on how they intend to achieve the 25% SME award objective. This ensures that procurement policies are aligned with broader national goals for cloud adoption, AI development, and technological sovereignty. The national strategies, which must be adopted within one year of the regulation's entry into force, serve as the strategic blueprint for implementing these procurement mandates.

What this means for you

For public-sector procurement officers, CADA would introduce significant changes to tender design, vendor evaluation, and internal risk management.

  1. Mandatory Vendor Screening: You can no longer select cloud providers based solely on price or standard technical specs. You must verify that any provider you engage holds a valid recognition under the CADA sovereignty framework. For non-critical services, Level 1 is the floor; for critical services (e.g., defence, justice), you must source from Level 2, 3, or 4 providers.
  2. Risk Assessment Integration: Procurement decisions must be preceded by a formal risk assessment (Article 29). You will need to classify your activities to determine the required assurance level. This requires close collaboration with your IT security and legal teams to map data sensitivity and criticality.
  3. New Award Criteria: Your tender documents must include specific, non-decisive criteria for "European added value." You will need to develop scoring matrices that assess a vendor's use of EU-designed hardware/software and their contribution to the EU supply chain. While you have discretion, the recital suggests a cap of 15 points out of 120 to maintain proportionality.
  4. SME-Focused Strategies: You are expected to actively facilitate SME participation. This means breaking down large tenders into lots, promoting pre-commercial procurement, and engaging in matchmaking. You must also track and report on SME win rates to meet the 25% target.
  5. Migration Planning: If your current providers do not meet CADA standards, you face a strict 12-month window to migrate. This necessitates early identification of compliant vendors and robust data portability planning.

Common misconceptions

  • "CADA bans all non-EU cloud providers." This is incorrect. CADA creates a tiered system. Non-EU providers can participate if they meet the criteria for Union assurance levels. For instance, Article 18 allows the Commission to recognise third countries for Level 3 if they meet strict sovereignty and adequacy criteria. Even for Level 1, providers can be established in the EU but may have certain third-country links, provided they meet the specific transparency and control criteria in Annex II.
  • "European added value is a primary selection criterion." No. Article 32(2) explicitly states these criteria must be ancillary and not decisive. They are intended to break ties or provide a slight preference for EU-centric solutions, not to override technical quality or financial viability. The suggested weighting of 15/120 points reinforces this subordinate role.
  • "Only the public sector is affected." While CADA's mandatory procurement rules apply to the public sector, Article 31 allows private entities in critical sectors (listed in NIS2 Annex I) to conduct similar impact assessments. The market signal from public procurement will inevitably influence private sector standards as vendors adapt their offerings to meet public demand.
  • "SME targets are optional." Article 33(4) states Member States "shall pursue as objective" the 25% target. While it is framed as an objective rather than a hard quota for every individual tender, it is a binding policy goal that must be integrated into national strategies and monitored through annual reporting. Failure to demonstrate efforts to meet this target could lead to scrutiny.

This is general information about a draft EU regulation, not legal advice.