Summary As proposed, the Cloud and AI Development Act (CADA) requires public contracting authorities to include "Union added value" criteria in procurement for innovative cloud and AI services, but strictly limits their impact. Under Article 32(2), these criteria must be linked to the subject matter, ancillary, and not decisive in the award decision. This design aims to comply with the World Trade Organization Agreement on Government Procurement (WTO GPA) by leveraging the public order exception in Article III:2(a) of the GPA. While CADA creates a preference for European supply chains, it does not violate national treatment obligations if applied proportionately to address strategic dependencies and public order risks, and includes a specific fallback in Article 32(3)(d) allowing third-country hardware when EU options are technically unfeasible.

Detail

The intersection of the proposed Cloud and AI Development Act (CADA) and the World Trade Organization Agreement on Government Procurement (WTO GPA) represents one of the most legally sensitive aspects of the proposal. CADA seeks to reduce the European Union's strategic dependence on third-country cloud providers by incentivizing the use of European technologies, supply chains, and manufacturing. However, the WTO GPA generally mandates "national treatment," requiring that once a market is open to foreign suppliers, they must be treated no less favorably than domestic suppliers.

CADA navigates this tension through a dual strategy: embedding strict procedural safeguards in Article 32 to prevent de facto discrimination, and relying on the explicit "public order" exception found in the WTO GPA text to justify the underlying policy objective.

The Mandatory "Union Added Value" Criterion (Article 32)

Article 32(1) of the CADA proposal establishes a mandatory obligation for contracting authorities. In public procurement procedures for innovative cloud computing services and AI systems, authorities shall include, as part of the quality evaluation of the tender, non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

This is not a discretionary option; it is a statutory requirement for the scope of the Regulation. The specific dimensions of this "Union added value" are detailed in Article 32(3), which outlines four distinct areas for evaluation:

  1. Supply Chain Strengthening: Evaluating the extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union (Article 32(3)(a)).
  2. Technology Integration: Assessing the integration of technologies developed in the Union, including research and development results from Union-funded programmes and the use of tools, standards, or models developed in the Union (Article 32(3)(b)).
  3. Security of Supply: Determining whether the innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem (Article 32(3)(c)).
  4. Hardware Sourcing: Evaluating whether the service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union (Article 32(3)(d)).

Crucially, Article 32(3)(d) includes a vital "fallback" mechanism. It acknowledges that a strict preference for EU-manufactured hardware may not always be technically possible. The criterion allows for the use of hardware components from a third country if it is not feasible to use Union hardware due to market availability or technical requirements, provided that the third-country hardware still contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem. This provision is designed to prevent the criteria from becoming a de facto ban on non-EU hardware where no viable EU alternative exists, thereby mitigating potential WTO violations.

Safeguards Against Discrimination: The "Ancillary and Not Decisive" Rule

To ensure these criteria do not function as disguised protectionism, Article 32(2) imposes a rigorous set of conditions on their application. Contracting authorities must ensure that the non-price award criteria are:

  • Linked to the subject matter of the contract (Article 32(2)(a)): The criteria cannot be abstract or unrelated to the specific service being procured. They must have a direct connection to the performance or delivery of the cloud/AI service.
  • Not conferring unrestricted freedom of choice (Article 32(2)(b)): The criteria must be objective and measurable, preventing authorities from arbitrarily selecting a preferred bidder.
  • Expressly set out in the procurement documents (Article 32(2)(c)): Transparency is mandatory; bidders must know exactly how they will be evaluated before submitting a tender.
  • Ancillary and not decisive in the award of the contract (Article 32(2)(d)): This is the most critical safeguard. The Union added value criteria must remain secondary to the core technical and financial criteria directly connected to the performance requirements of the contract.

The requirement that the criteria be "ancillary and not decisive" serves as the primary legal firewall. It ensures that a bid with superior technical performance or lower cost cannot be rejected solely because it lacks a high "Union added value" score. The explanatory memorandum accompanying the proposal suggests a practical implementation of this rule, noting that contracting authorities could consider a maximum weighting of 15 out of 120 points for European added value, ensuring it remains proportionate and subordinate to the core contract award criteria.

WTO GPA Compatibility and the Public Order Exception

The core legal question is whether these criteria violate the national treatment obligation of the WTO GPA. The GPA's Article 3 generally prohibits discrimination against covered products, services, or suppliers of other parties. However, the agreement is not absolute.

Recital 64 of the CADA proposal explicitly addresses this compatibility. It states that the Union maintains an open and non-discriminatory framework for market access in accordance with the TFEU and international commitments, including the WTO GPA. The proposal relies on Article III:2(a) of the WTO GPA, which permits a Party to adopt or maintain measures "necessary to protect public morals, order or safety."

The CADA proposal argues that the "Union added value" criteria are not economic protectionism but necessary measures to protect public order. Recital 64 elaborates that identifying and addressing risks such as critical dependencies, unauthorized access to Union data, technology leakage, sabotage, and espionage is fundamental for preserving Union public order. By framing the procurement preferences as a response to these systemic security risks, the proposal seeks to justify the measures under the GPA's security exception.

Furthermore, Recital 64 emphasizes that preserving public order requires a "prudent but firm political, legal and operational response" in full respect of international commitments. The proposal posits that the criteria are proportionate because they are linked to the mitigation of specific public order risks identified in the risk assessments required under Article 29. If a Member State's risk assessment determines that a specific activity contributes to public order, the procurement of services for that activity is subject to stricter sovereignty requirements (Union assurance levels 2, 3, or 4 under Article 30(3)), which naturally favor EU-established providers or those meeting stringent EU-aligned criteria.

The Two-Tiered Procurement Landscape

The interaction between Article 32 (added value) and Article 30 (assurance levels) creates a nuanced, two-tiered procurement environment:

  1. General Public Sector Activities: For activities not identified as contributing to public order, contracting authorities must procure services with at least Union assurance level 1 (Article 30(2)). While Article 32's added value criteria still apply here, the baseline sovereignty requirements are lower, allowing for a broader range of providers.
  2. Public Order/Critical Sectors: For activities identified as contributing to public order (e.g., law enforcement, defence, critical infrastructure), authorities shall only procure services recognized at Union assurance levels 2, 3, or 4 (Article 30(3)). These levels impose strict criteria regarding establishment, data localization, and personnel (including Union citizenship requirements for levels 3 and 4).

This structure ensures that the most restrictive measures are applied only where a specific public order risk has been formally identified, aligning with the proportionality principle required by the WTO GPA. The "Union added value" criteria in Article 32 then act as a secondary lever to further incentivize European ecosystem development within these tiers, without overriding the primary technical and financial evaluation.

What this means for you

For in-house counsel, procurement officers, and legal advisors, the implementation of CADA's procurement rules requires a meticulous approach to tender design and risk management.

1. Audit Your Procurement Documents for Mandatory Inclusion Ensure that all tender documents for innovative cloud computing services and AI systems explicitly include the non-price award criteria outlined in Article 32(3). Failure to include these mandatory criteria could constitute a procedural error under the Regulation. However, you must ensure these criteria are linked to the subject matter (Article 32(2)(a)). Vague references to "European values" or "local support" without a direct, demonstrable link to the technical or operational requirements of the specific contract may be challenged as non-compliant.

2. Calibrate the Weighting of Criteria Strictly The criteria must be ancillary and not decisive (Article 32(2)(d)). In practice, this means the weighting assigned to Union added value must not overshadow technical quality or price. While the proposal suggests a maximum of 15 out of 120 points, you should review your internal scoring matrices to ensure the Union added value criterion cannot, on its own, determine the winner. If a technically superior bid loses solely due to a lower "Union added value" score, the procurement could be vulnerable to challenge under both CADA and WTO GPA principles.

3. Document the "Third-Country Hardware" Fallback Article 32(3)(d) provides a critical safety valve: if EU hardware is not feasible due to market availability or technical requirements, third-country hardware may be used if it still strengthens security of supply. Procurement teams must document their market research thoroughly. If you specify EU hardware, you must be prepared to justify why third-country alternatives were rejected (e.g., lack of technical capability). Conversely, if you accept third-country hardware, you must demonstrate how it contributes to the security of supply and the European ecosystem, rather than simply being the only option.

4. Align Procurement with Risk Assessments (Article 29) Ensure that your organization's risk assessments under Article 29 are up to date and formally documented. The level of assurance required (and thus the strictness of the sovereignty criteria) depends entirely on whether your activities are deemed to contribute to public order. Misclassifying your activities could lead to procuring services that do not meet the required assurance level, resulting in non-compliance with Article 30(3) and potential legal liability.

5. Monitor Commission Implementing Acts The Commission is empowered to adopt implementing acts to specify the methodology for risk assessments (Article 29(3)). Stay alert to these secondary legislations, as they will provide the detailed templates and elements required for compliant risk assessments. The precise definition of "public order" risks and the methodology for assessing them will be critical for determining the scope of your procurement obligations.

Common misconceptions

Misconception 1: CADA prohibits non-EU providers from bidding. This is incorrect. CADA does not impose a blanket ban on non-EU providers. Instead, it introduces a sovereignty framework where providers must be recognized at a specific Union assurance level. Non-EU providers can qualify if they meet the stringent criteria for Union assurance levels, particularly if their home country is recognized under Article 18 as providing sufficient assurances (e.g., via adequacy decisions and lack of extraterritorial data access laws). The "Union added value" criterion in Article 32 favors EU supply chains but does not exclude non-EU bidders entirely, especially if they can demonstrate contributions to security of supply or if EU hardware is technically unfeasible.

Misconception 2: The "Union added value" criterion is the primary factor in awarding contracts. No. Article 32(2)(d) explicitly states that these criteria must be ancillary and not decisive. The primary factors remain technical quality and financial criteria directly connected to performance. The Union added value is a secondary consideration intended to break ties or provide a slight preference for European ecosystem development, not to override technical merit. If a tender document makes Union added value the deciding factor, it violates the Regulation.

Misconception 3: CADA violates the WTO GPA's national treatment obligation. The proposal is drafted to comply with the WTO GPA by utilizing the public order exception under Article III:2(a). Recital 64 explicitly justifies the measures as necessary to protect public order by addressing risks like data exfiltration, sabotage, and service disruption. As long as the measures are proportionate, linked to genuine public order risks (as determined by Article 29 risk assessments), and applied with the "ancillary and not decisive" safeguard, they are legally defensible under international trade law. The fallback for third-country hardware in Article 32(3)(d) further strengthens this defense by ensuring the measures are not more trade-restrictive than necessary.

Misconception 4: Only EU-established companies can win contracts. While Article 16 and Annex II emphasize establishment in the Union for certain assurance levels, Article 18 provides a mechanism for third-country providers to qualify if their country meets specific criteria. Furthermore, the "Union added value" criteria in Article 32 evaluate the contribution to the ecosystem, not just the origin of the bidder. A non-EU company that integrates Union technologies or strengthens the security of supply could score highly on these criteria, provided they meet the baseline assurance level requirements.

Related

This is general information about a draft EU regulation, not legal advice.