Summary

As proposed, the Cloud and AI Development Act (CADA) would fundamentally reshape how public administration IT buyers procure cloud services and AI systems by introducing mandatory sovereignty risk assessments and standardized assurance levels. Under Article 29 and Article 30, public bodies must assess whether their activities relate to public order; most standard administrative tasks would require only Union Assurance Level 1, while critical functions would mandate higher levels (2, 3, or 4). Additionally, Article 32 would require buyers to evaluate "Union added value" in innovative procurements, and Article 33 would impose reporting duties to promote Small and Medium-sized Enterprise (SME) participation.

Detail

The CADA proposal introduces a structured, risk-based framework for public sector procurement to reduce dependencies on non-European cloud providers while maintaining market efficiency. For public administration IT buyers, the core changes revolve around four specific articles: Article 29 (Risk Assessments), Article 30 (Procurement Obligations), Article 32 (Union Added Value), and Article 33 (SME Promotion and Reporting).

Mandatory Risk Assessments and Assurance Levels (Articles 29 and 30)

The cornerstone of CADA's procurement regime is the obligation for Member States and Union entities to conduct risk assessments. Article 29 requires these entities to carry out risk assessments to identify which public sector activities contribute to the preservation of public order. These assessments must consider sectors falling under Annex I or II of the NIS2 Directive, as well as areas such as national security, internal security, external border management, defence, justice, and law enforcement.

The outcome of this risk assessment determines the minimum "Union Assurance Level" (UAL) required for any cloud computing service procured for those activities. Article 30 sets out the specific procurement obligations based on these findings:

  1. Standard Public Administration (UAL 1): For public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment, the minimum requirement is to use cloud computing services recognized as having Union Assurance Level 1. This level generally requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union (unless explicitly required otherwise by the public body).
  2. Public Order Relevant Activities (UAL 2, 3, or 4): Contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., defence, critical infrastructure, justice) must procure only cloud computing services recognized as having Union Assurance Level 2, 3, or 4. These higher levels impose stricter criteria, including independent third-party audits, stricter data localization, personnel citizenship requirements, and prohibitions on third-country control.

Article 30 also provides limited derogations. A contracting authority may decide not to procure a recognized service if no adequate alternative exists in the central repository, if a previous similar procurement failed to yield suitable tenders, or if applying the requirements would result in disproportionate costs.

Union Added Value in Innovative Procurement (Article 32)

Beyond security and sovereignty, CADA aims to strengthen the European digital supply chain. Article 32 mandates that in public procurement procedures for innovative cloud computing services and AI systems, contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These "Union added value" criteria must be:

  • Linked to the subject matter of the contract.
  • Ancillary and not decisive in the award of the contract.
  • Expressly set out in the procurement documents.

Authorities would evaluate factors such as the tenderer's use of software or hardware designed or manufactured in the Union, the integration of technologies developed in the Union, and the contribution to strengthening the security of supply. This provision ensures that while security is the baseline, procurement decisions also actively support the growth of European technological sovereignty.

SME Promotion and Reporting Duties (Article 33)

To ensure that the shift toward sovereign and innovative procurement does not exclude smaller players, Article 33 places specific obligations on Member States regarding the monitoring of innovation procurement. Member States must monitor and report on their use of procurement of innovation in cloud and AI systems.

Key requirements include:

  • SME Target: Member States shall pursue as an objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs.
  • Reporting: Member States must inform the Commission annually on SME participation trends, including the number of contracts awarded to SMEs and their share of the total contract value.
  • Strategy Integration: Plans on how to achieve the 25% SME objective must be included in the national cloud and AI strategies required under Article 7.

This provision encourages public buyers to design procurement strategies that are accessible to SMEs, such as dividing contracts into lots and promoting preliminary market consultations.

What this means for you

For public-sector procurement officers and IT buyers, the implementation of CADA (if adopted in its current form) would require a significant shift in pre-procurement activities. You can no longer treat cloud procurement as a purely technical or commercial decision; it becomes a strategic risk management exercise.

  1. Conduct the Article 29 Assessment Early: Before drafting any tender for cloud services, you must participate in or reference your Member State's risk assessment. Determine clearly whether your specific activity (e.g., managing tax records vs. managing defence communications) is classified as "public order relevant." This classification dictates your entire procurement strategy.
  2. Check the Central Repository: When sourcing providers, you will need to consult the central repository of recognized services (Article 22). You must verify that the provider holds the correct Union Assurance Level (1, 2, 3, or 4) for your specific use case. For standard admin tasks, look for UAL 1 compliance. For critical functions, ensure UAL 2, 3, or 4.
  3. Draft New Award Criteria: For innovative procurements, update your tender templates to include Article 32's "Union added value" criteria. Ensure these are weighted appropriately as ancillary factors, not the primary deciding factor.
  4. Prioritize SME Engagement: Review your procurement plans to identify opportunities to reserve lots or simplify procedures for SMEs, aiming for the 25% innovation procurement target. Be prepared to report on these metrics annually to the Commission.
  5. Plan for Migration: If your current cloud provider does not meet the required Union Assurance Level, Article 29(6) notes that migration must occur within a reasonable transition period not exceeding 12 months. Begin planning exit strategies and data portability measures now.

Common misconceptions

  • "All public sector cloud must be UAL 3 or 4." This is incorrect. CADA adopts a proportionate approach. Only activities identified as contributing to the preservation of public order (e.g., defence, critical infrastructure) require UAL 2, 3, or 4. Most standard administrative functions (e.g., HR, general IT support) would only require Union Assurance Level 1, which is less restrictive and easier for many providers to achieve.
  • "Union Added Value means 'Buy European' exclusively." Article 32 explicitly states that these criteria must be ancillary and not decisive. You cannot reject a technically superior or more cost-effective non-European tender solely because it lacks Union added value. The criteria are part of a holistic quality evaluation, not a blanket protectionist barrier.
  • "SMEs are exempt from sovereignty requirements." There is no such exemption. While Article 33 encourages awarding contracts to SMEs, any SME providing cloud services must still meet the relevant Union Assurance Level criteria (UAL 1-4) to be eligible for public procurement under CADA. However, UAL 1 allows for self-assessment, which may be more manageable for smaller entities than the full third-party audits required for higher levels.
  • "I can ignore this if I already have a contract." While CADA includes transition periods, new procurements and significant contract renewals will be subject to these rules. Furthermore, if a risk assessment determines that your current service does not meet the required assurance level for your public-order status, you would be obligated to migrate within 12 months.

This is general information about a draft EU regulation, not legal advice.