Summary The proposed Cloud and AI Development Act (CADA) transforms public procurement into a strategic instrument for EU digital autonomy. As proposed, Article 30 mandates a baseline of Union assurance level 1 for all public cloud procurement, escalating to levels 2, 3, or 4 for activities critical to public order (e.g., defense, justice). Article 32 requires contracting authorities to include "Union added value" criteria to steer demand toward European supply chains, while Article 33 sets a target for 25% of innovation procurement to be awarded to SMEs, fostering domestic capacity. These measures collectively aim to reduce reliance on non-EU providers and strengthen the Union's strategic autonomy.

Detail

The proposed Cloud and AI Development Act (CADA) explicitly identifies public procurement as a primary mechanism to address the Union's dependence on third-country cloud providers. By harmonizing procurement rules across the single market, the proposal seeks to create a predictable demand signal that incentivizes investment in European infrastructure and technology. The framework operates through three distinct but interconnected pillars: mandatory sovereignty tiers based on risk, qualitative award criteria favoring European ecosystems, and targeted support for small and medium-sized enterprises (SMEs).

Mandatory Sovereignty Tiers for Public Order (Article 30)

The core of CADA's procurement strategy is the establishment of a tiered sovereignty framework. Article 30(2) establishes a mandatory baseline: all contracting authorities and Union entities procuring cloud computing services for their exclusive use must, as a minimum requirement, procure services recognized as offering Union assurance level 1. This ensures a consistent floor of trust, requiring data localization within the Union and compliance with state-of-the-art cybersecurity standards, even for non-critical administrative functions.

However, the proposal imposes stricter obligations for activities deemed critical to the Union's security. Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public orderβ€”following the risk assessments mandated by Article 29β€”must procure only cloud computing services recognized as offering Union assurance levels 2, 3, or 4.

The distinction between these levels is critical for digital autonomy:

  • Level 2 requires infrastructure, assets, and personnel to be located in the Union, with strict controls against third-country data access and service disruption.
  • Level 3 adds a requirement for personnel to be Union citizens (conditional on public body requirements) and mandates a European cybersecurity certificate of at least "substantial" assurance. It also allows for a derogation where a third-country controlled provider may qualify if the Commission has adopted an implementing act under Article 18 (formerly mis-referenced as Article 19 in some drafts) confirming the third country provides sufficient safeguards.
  • Level 4 represents the highest tier, requiring a "high" assurance cybersecurity certificate, Union citizen personnel, and strict prohibitions on third-country control, ensuring the highest level of operational autonomy for the most sensitive sectors like defense and intelligence.

By legally binding public buyers to these tiers, CADA ensures that the most vital state functions are insulated from extraterritorial legal risks and operational dependencies on non-EU jurisdictions.

Steering Demand Toward the EU Ecosystem (Article 32)

Beyond mandatory compliance, CADA actively shapes market dynamics through quality-based evaluation. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem, defined as "Union added value."

According to Article 32(3), this added value includes:

  • Strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • Integrating technologies developed in the Union, including research and development results from Union-funded programmes.
  • Delivering services through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Crucially, Article 32(2) stipulates that these criteria must be "ancillary and not decisive in the award of the contract." This ensures that while the EU ecosystem is prioritized, procurement remains competitive and value-driven, preserving the primacy of technical and financial performance. By systematically rewarding bids that rely on European supply chains, CADA creates a sustained demand signal intended to encourage investment in domestic cloud and AI capabilities.

Building Domestic Capacity Through SME Support (Article 33)

Long-term digital autonomy requires a robust base of domestic innovators, not just large incumbents. Article 33 focuses on the procurement of innovation to foster this capacity, with a specific emphasis on SMEs. Member States are required to monitor their use of procurement of innovation in cloud computing services and AI systems and report annually to the Commission on SME participation trends.

The proposal sets a clear, ambitious objective: Member States shall pursue the goal that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. To achieve this, Member States must include plans in their national cloud and AI strategies (under Article 7) on how they intend to meet this target.

Article 33 also encourages contracting authorities to promote preliminary market consultations, matchmaking between public buyers and European SMEs, and the development of public contract clauses favorable to innovative SMEs. By lowering barriers to entry and actively monitoring SME participation, CADA aims to prevent market consolidation and nurture a diverse, competitive European provider base.

What this means for you

For public-sector procurement officers and policy makers, CADA introduces a more structured and sovereignty-focused procurement landscape. As proposed, you will need to:

  1. Conduct Rigorous Risk Assessments: Under Article 29, you must determine which of your public sector activities contribute to the preservation of public order. This assessment is the trigger that dictates whether you are restricted to Union assurance level 1 or must procure levels 2, 3, or 4.
  2. Verify Sovereignty Status: You must verify that any cloud computing service you procure is listed in the central repository of recognized services (established under Article 22) and meets the appropriate Union assurance level. Standard cybersecurity certifications alone are insufficient; formal recognition under CADA is required.
  3. Integrate Union Added Value Criteria: When procuring innovative cloud or AI services, you must include non-price criteria that evaluate the European origin of the supply chain and technology. While these cannot be the sole deciding factor, they will influence the final score and must be expressly set out in procurement documents.
  4. Support SME Innovation: You are expected to actively facilitate SME participation in innovation procurements. This may involve breaking contracts into lots, using simplified procedures, and engaging in early market consultations to help smaller European providers compete.
  5. Report and Monitor: You will need to track and report on your procurement activities, particularly regarding SME participation and innovation uptake, as part of the broader national monitoring framework required by Article 33.

Common misconceptions

"CADA bans non-European cloud providers entirely." This is incorrect. CADA does not impose a blanket ban. Instead, it creates a tiered system. Non-European providers can still compete for Union assurance level 1 contracts if they meet the criteria (including data localization and cybersecurity standards). For higher assurance levels (2, 3, and 4), the criteria become significantly stricter regarding third-country control and infrastructure location. However, Article 18 provides a mechanism for the Commission to recognize specific third countries as providing sufficient assurances, potentially allowing providers controlled by those countries to qualify for level 3 under strict conditions.

"Union added value" is a quota for European goods. Article 32 does not set a percentage quota for European hardware or software. Instead, it introduces a qualitative criterion for evaluation. The "Union added value" must be ancillary and not decisive, meaning a bid with superior technical performance and price can still win even if its European added value is lower than a competitor's. The goal is to steer demand, not to mandate purchase.

"All public cloud procurement requires the highest sovereignty level." No. Article 30(2) establishes a baseline of Union assurance level 1 for all public sector cloud procurement. Higher levels (2, 3, and 4) are only required for activities identified as contributing to the preservation of public order through the mandatory risk assessment process under Article 29. Most routine administrative functions will likely only require level 1.

"CADA replaces the AI Act's procurement rules." CADA does not replace the AI Act. The AI Act regulates the safety and fundamental rights of AI systems, while CADA regulates the infrastructure (cloud) and sovereignty of the supply chain. A public body deploying a high-risk AI system must comply with the AI Act for the system itself, while simultaneously complying with CADA Article 30 for the cloud infrastructure hosting it.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.