Summary
As proposed, the Cloud and AI Development Act (CADA) would reshape how public bodies buy cloud computing services. Article 30 would oblige contracting authorities and Union entities buying cloud for their exclusive use to procure services that have been formally recognised under the Union sovereignty framework. For activities that a risk assessment has not flagged as contributing to the preservation of public order, the minimum would be a service recognised at Union assurance level 1 (Article 30(2)). For activities that do contribute to public order — in NIS2 sectors and in national security, internal security, external border management, defence, justice or law enforcement — buyers could only procure services recognised at level 2, 3 or 4 (Article 30(3)). Which level applies would flow from the risk assessment under Article 29.
Detail
The proposed CADA (COM(2026) 502 final, presented on 3 June 2026) would create a harmonised framework for procuring cloud computing services across the public sector, with the stated aim of reducing strategic dependencies on non-European providers and improving the resilience of public services. The core procurement rules sit in Article 30, which by its own terms applies to contracting authorities that procure cloud computing services for their exclusive use, and — without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509 — also to Union entities buying for their exclusive use.
The two-tier procurement obligation
Article 30 would split procurement into two cases, depending on the outcome of the risk assessment under Article 29(1).
1. Baseline: Union assurance level 1. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order would have to use cloud computing services recognised under Article 17 as having a Union assurance level 1. In practice, this would mean that even routine administrative, educational or general IT procurement could not simply pick the cheapest or most familiar provider — the specific service would have to hold a level-1 recognition.
Annex II sets the level-1 criteria. They include, cumulatively, that the provider is established in the Union; that its infrastructure and assets (and those of subcontractors involved in the service) are located in the Union unless the public sector body explicitly requires otherwise; that customer data — including metadata and telemetry — remains exclusively within the Union on the same condition; compliance with state-of-the-art cybersecurity standards; and full transparency about subcontractors. Notably, level 1 does not prohibit third-country control: where a provider is controlled by a third country, it must guarantee (demonstrated by independent sources) that no third-country law or practice requires it to report software vulnerabilities to that country's authorities before they are known to have been exploited.
2. Public-order activities: Union assurance level 2, 3 or 4. Under Article 30(3), contracting authorities (including entities acting on their behalf) whose activities have been identified as contributing to the preservation of public order would be able to procure only services recognised at level 2, 3 or 4. The proposal ties this to two groups of activities:
- sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2); and
- national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
For these activities, level 1 would be insufficient. The specific level (2, 3 or 4) would be set by the Member State's or Union entity's risk assessment, which weighs the sensitivity, criticality and magnitude of the data, the risk of unlawful third-country access, and the risk of service disruption.
The role of the risk assessment (Article 29)
Article 30's obligations are downstream of Article 29. Member States and Union entities would have to carry out risk assessments no later than one year after the date of entry into force, and thereafter every two years or whenever necessary. Those assessments would (a) identify activities that contribute to public order in the listed sectors and (b) determine which level — 2, 3 or 4 — is appropriate. The Commission would specify the methodology and templates by implementing act, and may step in (Article 29(5)) if it concludes a Member State's chosen level does not adequately address the public-order concern.
Exceptions and derogations
Article 30(4) would allow a contracting authority, on an exceptional and duly justified basis, to depart from paragraphs 2 or 3 where one or more of the following circumstances applies: the subject matter cannot be supplied by recognised services in the central repository (Article 22) and no adequate or reasonable alternative exists, provided that absence is not the result of an artificial narrowing of the procurement parameters; a similar procurement in the previous year drew no suitable tenders or participants; or applying the requirements would mean procuring at disproportionate cost. These are deliberately narrow.
Added value and innovation (Article 32)
Separately, Article 32 would require contracting authorities to include "Union added value" as a non-price award criterion in procurement of innovative cloud computing services and AI systems — evaluating a tenderer's contribution to a European cloud and AI ecosystem (for example, EU-designed or manufactured hardware and software, integration of Union-funded R&D, or hardware that strengthens security of supply). Article 32(2)(d) requires this criterion to be ancillary and not decisive; Recital 67 suggests authorities "could consider" a maximum weighting of 15 out of 120 points.
What this means for you
For public-sector procurement teams, CADA would move cloud buying from a purely technical-and-financial exercise toward a sovereignty exercise.
1. Start from your risk assessment. Whether you are buying level 1 or levels 2–4 depends on the Article 29 risk assessment. Confirm which of your activities have been classified as contributing to public order before drafting a tender.
2. Specify the assurance level in the tender. State the required recognised level explicitly — level 1 for ordinary activities, or the level (2, 3 or 4) your risk assessment mandates.
3. Check the central repository. Article 22 would establish a public repository of recognised services. Check it before launching a tender; if no recognised service fits, you may need to justify a derogation under Article 30(4).
4. Plan migrations. Article 29(6) would allow a transition period not exceeding 12 months where a risk assessment requires migrating to another service, taking account of technical feasibility, continuity and data portability.
5. Consider multi-cloud. Article 29(9) would have authorities consider, as part of procurement, whether a multi-vendor or multi-cloud strategy is appropriate for resilience.
Common misconceptions
"CADA bans non-EU cloud providers." No. A third-country-controlled provider could still qualify at level 1 if it meets the Annex II criteria (including the vulnerability-reporting guarantee). The higher levels add progressively stricter conditions on third-country control. The effect is a strong incentive toward EU-established and EU-controlled providers, not a blanket ban.
"Level 1 is a low-quality tier for small buyers." No. Level 1 is the minimum for all public-sector cloud procurement of non-public-order activities. It still requires EU establishment, EU data residency, state-of-the-art cybersecurity and subcontractor transparency.
"Signed contracts are unaffected." Not necessarily. Where a risk assessment requires a higher level, Article 29(6) would trigger a migration obligation within a transition period of up to 12 months.
"Union added value means EU-made hardware only." No. Article 32(2)(d) makes the criterion ancillary and not decisive, and Article 32(3)(d) expressly allows third-country hardware where EU hardware is not feasible, provided it contributes to security of supply.
This is general information about a draft EU regulation, not legal advice.