Summary

As proposed, the Cloud and AI Development Act (CADA) does not replace the 2014 Public Procurement Directives (Directive 2014/24/EU and Directive 2014/25/EU); rather, it establishes a sector-specific framework that layers sovereignty, innovation, and "Union added value" requirements on top of them. Under Article 39, if a public authority procures cloud or AI services through the Commission's new central purchasing body mechanism, it is deemed to have fulfilled its obligations under applicable Union public procurement law, effectively bypassing the need to run separate national tender procedures for those specific contracts. For all other procurements, the 2014 Directives remain the mandatory baseline legal framework, but contracting authorities must now integrate CADA's mandatory risk assessments (Article 29), minimum assurance levels (Article 30), and specific award criteria (Article 32) into their existing tender processes.

Detail

The relationship between the proposed CADA and the existing 2014 Public Procurement Directives is one of complementarity and specific derogation, rather than replacement. To understand this dynamic, one must distinguish between the baseline legal framework for general public spending and the new, targeted mechanisms CADA introduces to address strategic dependencies in cloud and AI technologies. The proposal explicitly acknowledges that the horizontal acquis of the 2014 Directives is insufficient to address the specific risks of third-country control and operational discontinuity in the cloud sector.

The 2014 Directives Remain the Baseline

Directive 2014/24/EU (the "Classic Directive") and Directive 2014/25/EU (the "Utilities Directive") continue to govern the general principles of public procurement in the EU, including transparency, non-discrimination, and proportionality. CADA explicitly acknowledges this hierarchy. The explanatory memorandum states that the "many layers of sovereignty and critical dependencies" cannot be addressed in the horizontal acquis that sets out general principles for the design of procurement procedures. Therefore, CADA provides a sector-specific approach that sits alongside, rather than supersedes, the general rules.

For any procurement of cloud computing services or AI systems that does not utilize the specific Commission-led mechanisms, the contracting authority must strictly adhere to the procedural rules of Directive 2014/24/EU or 2014/25/EU. CADA does not alter the fundamental definitions of contracting authorities, the thresholds for application, or the standard procedures (open, restricted, competitive dialogue, etc.) defined in those Directives. Instead, it imposes additional substantive constraints on what can be procured and how it is evaluated.

Article 33: Innovation Procurement and the 2014 Framework

Article 33 of CADA directly interacts with the innovation-focused provisions of Directive 2014/24/EU, specifically leveraging the existing "innovation procedure" (often referred to as pre-commercial procurement or innovation partnerships) to foster a domestic supply base.

Under Article 33(2), Member States must take appropriate measures to ensure that monitoring and reporting are actively used to identify barriers to SME participation, improve access to procurement markets, and support the design of simplified, proportionate, and SME-friendly procurement strategies. Crucially, this article explicitly references the "innovation procedure foreseen under Directive 2014/24/EU." This creates a direct link between CADA's strategic goals and the procedural tools available in the 2014 Directives.

Furthermore, Article 33(4) sets an aspirational target: Member States shall pursue as an objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. To achieve this, Member States must include plans in their national cloud and AI strategies (under Article 7) on how they intend to meet this goal. This does not create a new legal procedure but rather mandates the use of existing flexibility within the 2014 Directives to prioritize European innovation.

Article 39: The "Deemed Compliance" Mechanism

The most significant procedural shift introduced by CADA is found in Article 39, which establishes a specific derogation from the standard procurement rules when using the Commission's central purchasing body mechanism. This mechanism is designed to harness collective purchasing power, achieve economies of scale, and ensure consistent application of CADA's sovereignty requirements across the Union.

Article 39(1) states: "A participating entity shall be deemed to have fulfilled its obligations under applicable Union public procurement law where it acquires supplies or services by means of contracts awarded by the Commission under this Chapter, including through framework contracts concluded by or dynamic purchasing systems operated by the Commission acting as a central purchasing body, or any ancillary support services referred to in Article 37."

This provision creates a "safe harbor" for contracting authorities. If a public authority participates in the common procurement framework managed by the Commission (established under Articles 37–40), it is considered compliant with the 2014 Directives without having to run a separate national tender process. This effectively bypasses the national implementation of the Directives for those specific contracts.

However, this does not absolve authorities of all obligations. Article 39(3) notes that a contracting authority that has acquired services from the Commission as a central purchasing body must ensure, in its agreements with the contracting authorities it serves, compliance with any contractual requirements by which it is itself bound. Additionally, Article 39(2) specifies that the procedural provisions applicable to Union institutions apply to the procedures for the award of specific contracts under framework contracts or dynamic purchasing systems. This means the Commission follows its own internal rules (derogated from the Financial Regulation where necessary), but the participating Member State authorities are "deemed" to have followed the 2014 Directives by virtue of their participation.

Union Added Value and Sovereignty Criteria

While the 2014 Directives provide the procedural skeleton, CADA adds substantive "Union added value" criteria that must be integrated into tenders. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, Article 32(3) lists factors such as:

  • The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including research and development results stemming from Union funded research and development programmes.
  • The delivery of services using critical computing, storage and networking hardware components designed and/or manufactured in the Union.

Critically, Article 32(2)(d) states that these criteria must be "ancillary and not decisive in the award of the contract." This ensures that while CADA promotes sovereignty, it does not violate the core competition principles of the 2014 Directives. The explanatory memorandum suggests a maximum weighting of 15 out of 120 points for these criteria to ensure they remain proportionate and subordinate to core technical and financial criteria.

Risk Assessments and Assurance Levels

CADA also mandates that procurement decisions be informed by risk assessments conducted under Article 29. These assessments determine the required "Union assurance level" (1–4) for cloud services based on the sensitivity of the data and the importance of the activity to public order.

While the 2014 Directives do not prescribe specific technical assurance levels, Article 30 of CADA mandates that contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., national security, justice, law enforcement) must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4. For other public sector bodies, a minimum of Union assurance level 1 is required. This creates a substantive constraint on the pool of eligible bidders that operates in parallel with the procedural rules of the 2014 Directives. A contracting authority cannot simply award a contract to the lowest bidder if that bidder does not meet the mandatory assurance level determined by the Article 29 risk assessment.

What this means for you

For in-house counsel and compliance officers, the interplay between CADA and the 2014 Directives requires a two-track approach to procurement strategy:

  1. Assess Eligibility for the Commission Framework: Evaluate whether your organization can participate in the common procurement framework established by the Commission under Articles 37–40. If it can, leverage Article 39 to streamline your compliance. By procuring through this channel, you are deemed compliant with the 2014 Directives, significantly reducing the administrative burden and legal risk associated with national tender procedures. Ensure you understand the fees and governance structures outlined in Articles 38 and 40, as participation involves contributing to the costs of this centralized mechanism.

  2. Integrate CADA Criteria into National Tenders: For procurements not covered by the Commission framework, you must continue to follow the 2014 Directives strictly. However, you must now embed CADA's requirements into your tender documents:

    • Mandatory Risk Assessment: Conduct the risk assessment required by Article 29 to determine the necessary Union assurance level for the service. This dictates which providers are eligible to bid.
    • Union Added Value Criteria: Incorporate the non-price award criteria from Article 32 into your evaluation methodology. Ensure these criteria are linked to the subject matter, expressly set out in the procurement documents, and kept ancillary (not decisive). Document how these criteria support the Union's strategic autonomy goals.
    • Innovation Procurement Targets: Align your procurement plans with the 25% SME innovation target set out in Article 33. Use the innovation procedure under Directive 2014/24/EU to engage with European SMEs and startups, and report on your progress as required by Article 33(3).
  3. Monitor Sovereignty Recognition: Verify that potential bidders hold valid recognition under the Union cloud computing sovereignty framework (Articles 16–18). For critical public order activities, ensure bidders meet at least Union assurance level 2. For general public sector use, level 1 is the minimum. Check the central repository established under Article 22 for recognized services.

Common misconceptions

  • Misconception: CADA replaces the 2014 Public Procurement Directives for all cloud and AI purchases.

    • Reality: The 2014 Directives remain the foundational legal framework for public procurement. CADA only provides a derogation from these rules when using the specific Commission-led central purchasing body mechanism (Article 39). For all other contracts, the 2014 Directives apply fully, supplemented by CADA's specific criteria.
  • Misconception: "Union added value" criteria can be the deciding factor in a procurement.

    • Reality: Article 32(2)(d) explicitly states that these criteria must be "ancillary and not decisive." They should be weighted appropriately (e.g., the suggested 15/120 points) to ensure they do not override technical quality or financial offer, maintaining compliance with the core competition principles of the 2014 Directives.
  • Misconception: SMEs are exempt from CADA's sovereignty requirements.

    • Reality: While Article 33 encourages the award of 25% of innovation procurement to SMEs, these SMEs must still meet the applicable Union assurance levels and other CADA requirements. The goal is to foster a European supply base, not to lower sovereignty standards for smaller players.
  • Misconception: Participation in the Commission framework is mandatory.

    • Reality: Participation in the common procurement framework is voluntary. However, if a contracting authority chooses not to use the Commission mechanism, it must independently ensure full compliance with both the 2014 Directives and all CADA obligations, including risk assessments and assurance level requirements.

This is general information about a draft EU regulation, not legal advice.