Summary The proposed Cloud and AI Development Act (CADA) creates a unified procurement framework that deeply integrates with the EU Financial Regulation (Regulation (EU, Euratom) 2024/2509). As proposed, CADA empowers the European Commission to act as a central purchasing body for Member States, utilizing specific derogations from standard rules to enable joint procurement and dynamic purchasing systems. Crucially, Article 39(2) mandates that the procedural provisions applicable to Union institutions govern the award of specific contracts under these frameworks. The system is self-sustaining: Article 40(3) confirms that fee revenues constitute "internal assigned revenues" under Article 21(3)(a) of the Financial Regulation. Furthermore, Article 30(1) ensures that CADA's sovereignty requirements operate without prejudice to Article 136 of the Financial Regulation regarding sensitive procurement.

Detail

The relationship between the proposed CADA and the EU Financial Regulation is structural rather than merely procedural. CADA seeks to overcome the fragmentation of public procurement across Member States by establishing a unified, EU-level mechanism. This mechanism relies on specific derogations and procedural alignments with the Financial Regulation to function effectively, allowing the Commission to leverage its purchasing power while adhering to strict financial accountability.

The Commission as Central Purchasing Body

Under Article 37 of the CADA proposal, the European Commission is empowered to carry out procurement activities for Union entities, Member State contracting authorities, and selected partner organizations. This extends the Commission's traditional role beyond interinstitutional procurement to act as a central purchasing body for Member States.

This extension is enabled by a derogation from Article 168 of Regulation (EU, Euratom) 2024/2509. Article 37(1) explicitly states that the Commission may carry out these activities "subject to the exceptions set out in this Chapter." By derogating from Article 168, CADA allows the Commission to procure on behalf of Member States, a role traditionally restricted to specific joint procurement agreements. This mechanism enables "participating entities" (Member State authorities, Union entities, and partner organizations) to access cloud and AI services through a single, coordinated entry point, achieving economies of scale and reducing administrative burdens.

Procedural Rules for Specific Contracts

A critical question for legal teams is which procedural rules apply when a specific contract is awarded under this framework. Article 39 of CADA provides the definitive answer, creating a distinct legal regime for these transactions.

Article 39(1) establishes that a participating entity is deemed to have fulfilled its obligations under applicable Union public procurement law if it acquires supplies or services through contracts awarded by the Commission acting as a central purchasing body. This creates a "safe harbor" for Member State authorities, shielding them from national procedural challenges if they follow the Commission's centralized process.

However, for the specific contracts awarded under these framework agreements or dynamic purchasing systems, the procedural rules are distinct and harmonized at the EU level. Article 39(2) states: "The procedural provisions applicable to Union institutions shall apply to the procedures for the award of specific contracts under framework contracts or dynamic purchasing systems."

This means that when a Member State authority selects a specific supplier from a Commission-managed framework, the process is governed by the Financial Regulation's rules for Union institutions, not necessarily the national public procurement directives of that Member State. This harmonization is crucial for cross-border efficiency but requires entities to understand the Commission's internal procurement procedures.

Furthermore, Article 39(5) introduces flexibility for dynamic purchasing systems (DPS). It allows participating entities to join an existing DPS after its establishment, provided the Commission approves the request and cumulative requests do not exceed 50% of the initial estimated quantities. This provision is explicitly framed as a derogation: "By way of derogation from Article 168 of Regulation (EU, Euratom) 2024/2509..." However, Article 39(6) clarifies a critical limitation: this possibility is available only to participating entities that accede to the agreement after the dynamic purchasing system has been launched.

Sensitive Procurement and Public Order

CADA also intersects with the Financial Regulation's provisions on sensitive procurement. Article 30(1) of CADA references Article 136 of the Financial Regulation, which sets out the scope and rules for identifying and implementing sensitive public procurement procedures.

Under Article 30, contracting authorities whose activities contribute to the preservation of public order (as determined by risk assessments under Article 29) must procure cloud services with specific Union assurance levels (Level 2, 3, or 4). Article 30(1) explicitly states that this applies "Without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509." This ensures that the sovereignty requirements of CADA operate alongside, and do not override, the strict security protocols for sensitive procurement already established in the Financial Regulation. This dual compliance is mandatory for entities handling critical infrastructure or national security data.

Financial Sustainability: Internal Assigned Revenues

To ensure the long-term viability of this centralized procurement framework, CADA introduces a fee-based financing model. Article 40 outlines how costs incurred by the Commission are recovered from participating entities.

The financial architecture of this model is anchored in the Financial Regulation. Article 40(3) specifies that revenues generated by these fees "shall constitute internal assigned revenues within the meaning of Article 21(3), point (a), of Regulation (EU, Euratom) 2024/2509."

This classification is significant. Internal assigned revenues are earmarked to cover specific expenditures, creating a self-financing loop. The fees collected from participating entities are used to cover the operational costs of the procurement activities, including the development and maintenance of the common procurement platform. Any remaining revenue after covering these costs is entered into the general budget of the Union. This structure ensures that the CADA procurement framework does not impose a net cost on the EU budget, while providing the Commission with the necessary resources to manage the complex joint procurement processes.

Governance and Steering Committee

The operational governance of this framework is established through an agreement between the Commission and at least two Member States, as outlined in Article 38. This agreement establishes a Steering Committee responsible for strategic oversight. While the Steering Committee sets the strategic direction, Article 38(3) clarifies that the Commission remains responsible for the actual operation and management of procurement activities, including the award of contracts. This separation of strategic oversight (Steering Committee) and operational execution (Commission) aligns with the Financial Regulation's principles of accountability and control.

What this means for you

For in-house counsel and compliance officers, the interplay between CADA and the Financial Regulation introduces several key obligations and strategic considerations:

  1. Shift in Procedural Compliance: If your organization participates in CADA's joint procurement framework, you must be familiar with the procedural provisions applicable to Union institutions, as mandated by Article 39(2). Traditional national procurement rules may not apply to the award of specific contracts under Commission-managed framework agreements. Training procurement staff on these EU-level procedures will be essential.
  2. Dynamic Purchasing System Access: Be aware of the opportunity to join existing dynamic purchasing systems under Article 39(5). This allows for faster access to cloud services without waiting for new tenders, but requires monitoring the 50% threshold for new participants. Crucially, this access is only available to entities acceding after the DPS has been launched, per Article 39(6).
  3. Fee Budgeting: Participating in the CADA framework will incur fees. These fees are not optional; they are the mechanism that funds the Commission's procurement activities. Ensure that your procurement budgets account for these costs, which are calculated to cover the Commission's operational expenses.
  4. Sensitive Procurement Alignment: For entities in critical sectors (e.g., energy, health, transport), ensure that your risk assessments under Article 29 are aligned with the sensitive procurement rules of Article 136 of the Financial Regulation. Failure to meet both the CADA sovereignty levels and the Financial Regulation's security standards could result in disqualification or compliance penalties.
  5. Audit Readiness: As a participating entity, your organization may be subject to audits related to the use of fees and the compliance with the framework agreement. Maintain clear records of how procured services are used and how fees are accounted for, in line with the Financial Regulation's transparency requirements.

Common misconceptions

  • "CADA replaces national procurement rules entirely." Incorrect. CADA complements national rules by providing a centralized option. Member States can still procure independently, but if they choose the CADA framework, they benefit from the derogations that simplify cross-border compliance.
  • "The Commission bears the cost of joint procurement." Incorrect. The framework is self-financing. Article 40(3) ensures that fees collected from participants cover the costs, with revenues classified as internal assigned revenues. The EU budget only bears initial establishment costs, which are reimbursed by participants.
  • "Any cloud service can be procured through this framework." Incorrect. The framework is designed for cloud computing services, AI systems, and related software. It is not a general procurement tool for all IT goods. Additionally, services must meet the relevant Union assurance levels if they are for public order-critical activities.
  • "National authorities have full control over the procurement process." Incorrect. While the Steering Committee provides strategic oversight, the Commission retains operational control over the award of contracts. National authorities participate as "participating entities" but do not manage the day-to-day procurement activities.

Related

This is general information about a draft EU regulation, not legal advice.