How CADA Would Change Public Procurement of Cloud and AI

Summary As proposed, the Cloud and AI Development Act (CADA) would reshape public procurement by requiring EU public-sector buyers to procure cloud services with at least Union assurance level 1 recognition. For activities identified as contributing to the preservation of public order, authorities would have to conduct risk assessments and procure only from services recognised at assurance levels 2, 3, or 4. CADA would also introduce "Union added value" award criteria for innovative cloud and AI tenders and establish a common procurement framework through which the Commission could buy on behalf of Member States. These measures are designed to reduce dependency on third-country providers and strengthen the EU's digital sovereignty.

Detail

As proposed, CADA would introduce a framework for the public procurement of cloud computing services and AI systems, aiming to shift the market toward sovereign, secure, and innovative providers. It would operate through several mechanisms: sovereignty assurance levels, risk-based procurement obligations, new award criteria, and centralised procurement structures.

Mandatory Sovereignty Assurance Levels

Under Article 30, CADA would set a baseline for public-sector cloud procurement. Article 30 applies to contracting authorities (and Union entities) that procure cloud computing services for their exclusive use. Union entities and public-sector bodies whose activities have not been identified as contributing to the preservation of public order would have to use cloud computing services recognised under Article 17 as having Union assurance level 1. This would create a universal floor, so that even non-critical public services do not rely on providers lacking basic EU alignment.

For activities that are identified as contributing to the preservation of public order — in sectors falling under Annex I or II of the NIS2 Directive, or in national security, internal security, external border management, defence, justice or law enforcement — Article 30 would require contracting authorities to only procure cloud computing services recognised as having Union assurance level 2, 3, or 4. This tiered approach is intended to ensure the most sensitive public functions are supported by infrastructure with higher degrees of operational autonomy and protection.

Risk Assessments as a Procurement Prerequisite

The procurement obligations in Article 30 are tied to the risk assessments mandated by Article 29. Member States and Union entities would carry out these assessments to identify which public-sector activities contribute to public order and to determine the appropriate assurance level (2, 3, or 4) for each. Without a completed risk assessment, authorities could not determine which procurement tier applies, creating a direct link between sovereignty risk management and purchasing decisions.

Union Added Value Criteria

Article 32 would introduce non-price award criteria for public procurement procedures involving innovative cloud computing services and AI systems. Contracting authorities would have to include criteria evaluating a tenderer's contribution to the development of a European cloud and AI ecosystem. Specifically, the criteria would let authorities evaluate the extent to which:

• The tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The tenderer has integrated technologies developed in the Union, including results from Union-funded research and development.
• The innovation required to deliver the service strengthens the security of supply and the development of a European cloud and AI ecosystem.
• The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Crucially, Article 32 specifies that these non-price criteria must be ancillary and not decisive in the award of the contract. They must be linked to the subject matter, expressly set out in the procurement documents or contract notice, and must not confer unrestricted freedom of choice on the contracting authority.

Common Procurement Framework

To address fragmented purchasing power, Articles 37 to 40 would establish a common procurement framework under which the Commission may carry out procurement activities for Union entities and contracting authorities from Member States, including acting as a central purchasing body for data centre services, cloud computing services, software, and AI systems.

As proposed, this framework would allow the Commission to:

• Conclude framework contracts or operate dynamic purchasing systems on behalf of participating entities.
• Act as a wholesaler by acquiring services and reselling them to Member States.
• Provide ancillary support, such as technical infrastructure and advice on procurement procedures.

Participating entities would contribute to the costs through fees levied by the Commission to cover direct and indirect costs. This mechanism is designed to achieve economies of scale and facilitate adoption of standardised, secure technologies across the EU.

Monitoring and Reporting

Article 33 would require Member States to monitor and report on their use of procurement of innovation in cloud and AI. As proposed, Member States would pursue the objective that at least 25% of their procurement for cloud computing services and AI systems is awarded to innovative SMEs, and would include plans to achieve this in their national strategies. They would report annually to the Commission on SME participation to identify barriers and support the European innovation ecosystem.

Relationship with Existing Law

As proposed, CADA would not replace the Public Procurement Directives but supplement them. The explanatory memorandum states the existing directives do not cover the nuanced, sector-specific sovereignty risks associated with cloud dependencies. CADA would provide the specific award criteria and assurance-level requirements that the horizontal acquis lacks, creating a targeted layer for digital sovereignty.

What this means for you

For public-sector procurement officers, CADA would introduce new steps to integrate into your procurement lifecycle:

1. Conduct Mandatory Risk Assessments: Before initiating cloud procurement, determine whether your activity contributes to the preservation of public order under Article 29. If it does, you could not simply choose the cheapest option; you would procure from providers recognised at assurance levels 2, 3, or 4. If it does not, you would still ensure the provider has assurance level 1.
2. Update Award Criteria: For innovative cloud and AI tenders, revise documents to include the "Union added value" criteria in Article 32, ensuring they are clearly defined, linked to the subject matter, and weighted so they remain ancillary, not decisive.
3. Verify Recognition Status: Rely on the central repository established under Article 22 to verify that bidders hold the necessary Union assurance level. Do not accept self-declarations without verification against this official list.
4. Consider Common Procurement: Evaluate whether your needs can be met through the Commission's common procurement framework (Articles 37-40), which may reduce administrative burden and leverage aggregated demand.
5. Support SME Innovation: Implement measures to facilitate SME participation, working toward the 25% objective for innovative SMEs in Article 33 — for example, dividing contracts into lots or simplifying documentation.

Common misconceptions

• "CADA bans non-EU cloud providers." As proposed, this is incorrect. CADA would not ban non-EU providers outright. It would create a sovereignty framework where providers must meet specific criteria (assurance levels 1-4) to be eligible for public contracts. Providers can qualify if they meet the requirements for data localisation, personnel controls, and freedom from third-country control, which become stricter at levels 2-4. In practice, the requirements for Levels 3 and 4 are stringent.

• "Union added value criteria will make European solutions more expensive." Article 32 specifies these criteria must be ancillary and not decisive. They are designed to reward European supply-chain contributions where technical and financial criteria are comparable, not to override cost-effectiveness or technical performance.

• "Only large ministries need to worry about this." Article 30 would apply to all contracting authorities procuring cloud services for their exclusive use. Even local municipalities or small agencies would procure at least assurance level 1 services. The distinction lies in whether their activities are identified as contributing to the preservation of public order, which triggers the higher assurance levels.

• "CADA replaces the Public Procurement Directives." No. As proposed, CADA would supplement the directives. You would still comply with all standard EU procurement rules on transparency, non-discrimination, and competition. CADA would add specific sovereignty and innovation criteria on top.

Related

• Why does CADA focus so heavily on the public sector?
• What is the role of public order in CADA?
• What does CADA mean for public-sector cloud buyers?
• How does CADA support the public sector's move to cloud?
• Does CADA only apply to the public sector?

This is general information about a draft EU regulation, not legal advice.