Summary
As proposed, the Cloud and AI Development Act (CADA) would fundamentally restructure public procurement by making cloud service recognition a mandatory eligibility criterion. Article 16(1) establishes a four-tier "Union assurance framework" (Levels 1–4). Article 30 then ties these tiers directly to procurement obligations: all public sector purchases must meet a minimum of Union assurance level 1, while activities identified as preserving "public order" via risk assessments (Article 29) must procure only services recognised at levels 2, 3, or 4. This creates a legally binding link where the nature of the public activity dictates the minimum sovereignty tier a provider must hold to bid.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a mechanism where cloud sovereignty is no longer a voluntary preference but a statutory prerequisite for public contracts. The interaction between the recognition system and procurement rules is the operational engine of the Act, governed primarily by Title IV, specifically Articles 16, 29, 30, 32, and 33.
The Foundation: The Union Assurance Framework (Article 16)
The core of the procurement interaction is the Union cloud computing sovereignty framework established in Article 16(1). This article mandates that cloud computing service providers seeking to serve Union entities and public sector bodies must be formally recognised as offering one of four distinct Union assurance levels.
These levels are not arbitrary; they correspond to cumulative criteria set out in Annex II, which escalate in strictness:
- Level 1: Focuses on Union establishment, data residency within the Union, and basic cybersecurity standards.
- Level 2: Adds requirements for Union-based personnel (conditional on public body requests), stricter third-country control safeguards, and a "substantial" cybersecurity certification.
- Level 3: Mandates Union citizenship for personnel (where appropriate), "substantial" cybersecurity certification, and strict prohibitions on third-country control unless a specific derogation under Article 18 applies.
- Level 4: Requires Union citizenship for personnel, "high" cybersecurity certification, and absolute prohibitions on third-country control.
Crucially, Article 17 establishes that recognition is granted by the national competent authority of establishment and recorded in a central repository (Article 22). Without a valid recognition decision for a specific level, a provider is legally ineligible to supply cloud services to the public sector under the proposed regime.
The Procurement Mandate: Risk-Based Tiering (Articles 29 & 30)
CADA replaces the traditional "best value" procurement model with a risk-based tiered approach. The interaction between recognition and procurement is defined by a two-step process: first, determining the required level via risk assessment, and second, enforcing that level in the tender.
1. The Universal Baseline: Article 30(2)
For the broad spectrum of public sector activities that do not involve high-risk public order concerns, Article 30(2) establishes a mandatory floor. It stipulates that Union entities and public sector bodies must use cloud computing services recognised as having at least Union assurance level 1.
This means that even for non-sensitive administrative tasks, a public buyer cannot contract with a provider that has not been formally recognised at Level 1. The provider must be established in the Union, and customer data must remain exclusively within the Union unless the public body explicitly requires otherwise.
2. The Public Order Requirement: Article 30(3)
For activities deemed critical to the Union's security, the rules become significantly stricter. Article 30(3) mandates that contracting authorities whose activities contribute to the preservation of public order must procure only services recognised at Union assurance levels 2, 3, or 4.
The definition of "public order" is not left to the discretion of individual procurement officers. Instead, Article 29 obliges Member States and Union entities to conduct comprehensive risk assessments to identify which activities fall into this category. These assessments must cover:
- Sectors listed in Annex I or II of the NIS2 Directive.
- Areas of national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
The risk assessment must evaluate the sensitivity of data, the risk of unlawful third-country access, and the risk of service disruption. Based on this assessment, the Member State determines the specific assurance level (2, 3, or 4) required for each activity. For instance, a defence ministry might mandate Level 4 for operational systems, while a justice department might require Level 3 for case management. Once this mapping is established, Article 30(3) legally binds the contracting authority to restrict the tender to providers holding that specific recognition.
Enhancing Sovereignty: Added Value and Innovation (Articles 32 & 33)
Beyond the mandatory "hard gates" of assurance levels, CADA introduces soft incentives to further strengthen the European ecosystem.
Article 32 empowers contracting authorities to include Union added value as a non-price award criterion in public procurement procedures. This allows buyers to evaluate a tenderer's contribution to the European cloud and AI ecosystem, such as:
- Strengthening the digital technology supply chain in the Union.
- Integrating technologies developed in the Union.
- Using hardware components designed or manufactured in the Union.
However, Article 32(2) imposes strict limits: these criteria must be linked to the subject matter of the contract, expressly set out in procurement documents, and ancillary (not decisive) to the award. They cannot override technical and financial criteria but can tip the balance between equally qualified bidders.
Furthermore, Article 33 requires Member States to monitor and report on their procurement of innovation in cloud and AI. It sets a specific objective for Member States to award at least 25% of relevant innovation procurement procedures to SMEs, ensuring that the sovereignty framework also drives market diversity and innovation.
Derogations and Exceptions
The proposal acknowledges that strict adherence to assurance levels may occasionally be impossible. Article 30(4) provides limited derogations where a contracting authority may decide not to procure recognised services. These exceptions apply only if:
- The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists.
- A similar procurement process launched within the previous year received no suitable tenders.
- Applying the requirements would result in disproportionate costs.
These derogations are narrow and require justification, ensuring that the default position remains the procurement of recognised, sovereign-compliant services.
What this means for you
For public-sector procurement officers and legal teams, CADA would transform the tendering process from a purely commercial exercise into a compliance-driven procedure.
- Mandatory Pre-Tender Verification: You can no longer assume a provider is eligible. Before launching a tender, you must consult the central repository (Article 22) to verify which providers hold the specific Union assurance recognition required for your activity. A provider without the correct tier is legally ineligible to bid.
- Reliance on National Risk Assessments: You cannot independently decide the assurance level for your project. You must align your tender requirements with the risk assessments conducted by your Member State under Article 29. If your activity is mapped to "public order" relevance, you must explicitly require Level 2, 3, or 4. If not, Level 1 is the mandatory minimum.
- Updated Evaluation Matrices: Your tender documents must include the Union added value criteria from Article 32. You must develop clear, non-discretionary metrics to score a provider's contribution to the European supply chain, ensuring these criteria are ancillary and linked to the contract subject matter.
- Contractual Continuity Clauses: Your contracts must include clauses referencing the provider's ongoing obligation to maintain their recognition status. Under Article 23, providers must notify authorities of material changes affecting their assurance level. Your contract should stipulate that a loss of recognition constitutes a material breach, potentially triggering termination or migration clauses.
Common misconceptions
Misconception 1: CADA bans non-EU cloud providers entirely. This is incorrect. CADA does not impose a blanket ban. Non-EU providers can still compete for Level 1 recognition if they meet establishment and data residency criteria. Furthermore, under Article 18, the Commission may adopt decisions allowing providers controlled by third countries to be audited for Level 3 recognition if that third country meets strict adequacy and sovereignty safeguards. The restriction applies to public procurement for sensitive activities, not the general market.
Misconception 2: Procurement officers can choose the assurance level based on budget. No. The assurance level is determined by the nature of the activity and the risk assessment mandated by Article 29, not by the budget. If the risk assessment dictates that an activity requires Level 3 due to public order relevance, you cannot lower this to Level 2 simply because Level 3 providers are more expensive. The only exception is the "disproportionate cost" derogation in Article 30(4), which is a high bar to clear.
Misconception 3: "Sovereign cloud" is a marketing term. Under CADA, "sovereignty" is legally defined and audited. It is not a marketing label. Article 16 and Annex II provide specific, technical criteria for each assurance level, covering everything from software supply chain transparency to personnel citizenship. A provider is only "sovereign" to the extent that it has been formally recognised by a national competent authority as meeting these cumulative criteria.
This is general information about a draft EU regulation, not legal advice.