How does CADA procurement support European technological sovereignty in practice?

Summary As proposed, the Cloud and AI Development Act (CADA) transforms public procurement from a passive purchasing activity into a strategic engine for European technological sovereignty. The proposal mandates that public authorities procure cloud services meeting specific "Union assurance levels" based on risk assessments (Article 30), introduces mandatory non-price "Union added value" criteria to favour European supply chains (Article 32), and sets a target for awarding at least 25% of innovation procurement to SMEs (Article 33). Combined with the Commission's power to aggregate buying through a common framework and the EuroCloud Federation, these measures would create guaranteed demand for sovereign services, reduce dependence on third-country providers, and build a scalable EU cloud ecosystem.

Detail

The CADA proposal recognises that supply-side incentives alone cannot correct the market failure of critical dependence on a limited pool of non-EU hyperscalers. To address this, the regulation establishes a robust demand-side framework designed to steer public spending toward resilient, EU-based infrastructure. This framework operates through three interconnected pillars: mandatory sovereignty tiers, European added value criteria, and innovation-focused SME support, all underpinned by the aggregation of public demand.

Mandatory Sovereignty Tiers in Public Procurement (Article 30)

The cornerstone of CADA's sovereignty framework is the mandatory linkage between public sector risk and the required "Union assurance level" of cloud services. Article 30 establishes a risk-based approach that dictates procurement obligations based on the criticality of the activity.

1. Baseline Requirement (Union Assurance Level 1): As a minimum, all contracting authorities must procure cloud computing services recognised as offering Union assurance level 1. This ensures a consistent baseline of safeguards across the Union, reducing vulnerabilities to third-country access to data and ensuring operational autonomy.
2. Higher Assurance for Public Order (Levels 2–4): For activities contributing to the preservation of public order—specifically in sectors falling under Annex I or II of the NIS2 Directive, and in areas of national security, internal security, external border management, defence, justice, or law enforcement—stricter rules apply. Under Article 29, Member States and Union entities must conduct risk assessments to identify these activities. If an activity is deemed to contribute to public order, Article 30(3) mandates that contracting authorities only procure services recognised at Union assurance levels 2, 3, or 4.
3. Derogations: Article 30(4) provides limited derogations only under exceptional circumstances: if no recognised service is available in the central repository, if a similar procurement failed to attract suitable tenders in the previous year, or if compliance would impose disproportionate costs. This prevents authorities from bypassing sovereignty requirements due to temporary market gaps while maintaining strict conditions.

By legally binding public buyers to these tiers, CADA creates a guaranteed, high-value demand stream for sovereign cloud services, incentivising providers to invest in EU-based infrastructure and compliance mechanisms to access the public market.

Union Added Value Criteria (Article 32)

To actively steer procurement decisions toward European suppliers beyond the baseline assurance levels, Article 32 introduces "Union added value" as a mandatory non-price award criterion. In public procurement procedures for innovative cloud computing services and AI systems, contracting authorities must evaluate tenders based on the extent to which they contribute to the development of a European cloud and AI ecosystem.

Specifically, authorities must assess:

• Supply Chain Strengthening: The extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• Technology Integration: The integration of technologies developed in the Union, including research and development results stemming from Union-funded programmes.
• Innovation and Security: How the innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
• Critical Hardware: The delivery of services using critical computing, storage, and networking hardware components designed and/or manufactured in the Union, or where not feasible, from third countries that contribute to security of supply.

While Article 32(2) clarifies that these criteria must be "ancillary and not decisive" in the award of the contract (meaning they cannot override core technical and financial criteria), they provide a formal mechanism to reward providers who invest in European technological capabilities, thereby countering the dominance of third-country supply chains in the evaluation process.

Supporting SMEs and Innovation (Article 33)

CADA recognises that a resilient ecosystem requires diversity and cannot rely solely on large incumbents. Article 33 focuses on procurement of innovation to foster a competitive market for smaller players. Member States are required to monitor their use of innovation procurement in cloud and AI and report annually on SME participation.

Key obligations include:

• SME Targets: Member States must pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs.
• Barrier Removal: Authorities must use monitoring data to identify barriers to SME participation and implement measures such as dividing contracts into lots to improve access.
• National Strategies: Member States must include plans in their national cloud and AI strategies (Article 7) detailing how they intend to achieve this 25% objective.

This provision aims to prevent market concentration and encourages the growth of European SMEs and start-ups in the cloud and AI sector by ensuring they have a pathway to public contracts.

Aggregated Buying Power and Market Scale (Chapter IV)

Individual public authorities often lack the scale to negotiate favourable terms or drive significant market change. CADA addresses this through Chapter IV, which empowers the Commission to carry out procurement activities on behalf of Union entities and Member States.

• Common Procurement Framework: The Commission can act as a central purchasing body, negotiating framework contracts or dynamic purchasing systems for cloud services, data centre services, and AI systems. This allows the Commission to leverage collective purchasing power to lower costs and improve terms.
• EuroCloud Federation: Article 34 establishes the EuroCloud Federation, a voluntary platform for public sector bodies to share data centre and cloud computing services. This facilitates the pooling of idle capacity and reduces the need for fragmented, individual procurements.
• Economies of Scale: By aggregating demand, the Commission can signal strong, unified demand to European providers. This creates the market scale necessary for European cloud providers to compete globally and achieve the economies of scale needed for long-term viability, effectively building the EU market from the demand side.

What this means for you

For public-sector procurement officers and policy makers, CADA would fundamentally change how cloud and AI contracts are structured and awarded.

• Conduct Risk Assessments: You must carry out risk assessments (Article 29) to determine if your activities relate to public order. This dictates whether you are limited to Union assurance level 1 or must procure levels 2–4.
• Update Award Criteria: Your tender documents must include non-price award criteria for "Union added value" (Article 32). You will need to define how you will evaluate a bidder's contribution to the European supply chain, such as the origin of hardware or software.
• Monitor SME Participation: You must actively monitor and report on SME participation in innovation procurements (Article 33). Consider structuring contracts into lots to facilitate SME access and aim for the 25% award target.
• Check the Central Repository: Before launching a tender, check the central repository of recognised cloud services (Article 22) to ensure you are procuring from providers that meet the required Union assurance levels.
• Prepare for Aggregated Procurement: Be aware that the Commission may offer common procurement frameworks. Participating in these could simplify your procurement process and provide access to better-priced, sovereign cloud services.

Common misconceptions

"CADA bans third-country cloud providers." Incorrect. CADA does not impose a blanket ban. Instead, it uses a tiered assurance system. Third-country providers can still qualify for Union assurance level 1 if they meet strict criteria regarding data location, cybersecurity, and operational autonomy. However, for critical public order activities, only services meeting higher assurance levels (2–4) are permitted, which effectively limits third-country involvement in sensitive sectors unless they establish significant EU-based, autonomous operations.

"Union added value criteria are mandatory quotas." Incorrect. Article 32(2) states that Union added value criteria are "ancillary and not decisive." They cannot be used to exclude otherwise compliant bidders solely based on their origin. Instead, they serve as a quality evaluation factor, rewarding European supply chain integration without violating non-discrimination principles.

"SME targets are legally binding hard caps." Incorrect. Article 33(4) requires Member States to "pursue as objective" that at least 25% of innovation procurement be awarded to SMEs. It is a target to be actively pursued through measures like lot division and barrier removal, not a rigid legal quota that invalidates contracts if missed.

"CADA replaces existing procurement laws." Incorrect. CADA complements existing EU public procurement directives. It adds specific sovereignty and innovation requirements to cloud and AI procurements but does not replace the general procedural rules of the Public Procurement Directives.

Related

• How CADA uses public procurement to build EU tech sovereignty
• How does CADA support SME participation in public procurement?
• How does CADA procurement support EU digital autonomy?
• How does CADA procurement aim to grow the European cloud and AI ecosystem?
• Does CADA replace the 2014 Procurement Directives? Sovereignty vs. Procedure

This is general information about a draft EU regulation, not legal advice.