Summary As proposed, the Cloud and AI Development Act (CADA) would establish a framework to accelerate public-sector cloud adoption: standardised "Union assurance levels" for cloud services, mandatory sovereignty risk assessments, a voluntary EuroCloud Federation for sharing public-sector capacity, an open-source-first approach to reduce lock-in, and SME-friendly procurement measures. Fostering the adoption of cloud computing services across the public sector is named as one of the proposal's core objectives.

Detail

CADA proposes a multi-layered approach to modernising public-sector IT. Article 1(1)(e) lists "fostering the adoption of cloud computing services across the public sector" as one of the framework's measures, alongside enabling a sovereign cloud and AI offer to safeguard the Union's public order (Article 1(1)(c)).

The sovereignty framework and assurance levels

Central to CADA's support for public-sector adoption is a harmonised sovereignty framework. Today, public authorities face fragmented national approaches to what counts as a "sovereign" or "trusted" cloud. CADA would address this by establishing a "Union cloud computing sovereignty framework" comprising four Union assurance levels, with criteria set out in Annex II (Article 16).

Public authorities would conduct risk assessments (Article 29) to identify which public-sector activities contribute to the preservation of public order and to determine the appropriate assurance level. For activities identified as contributing to public order - in sectors falling under Annex I or II of the NIS2 Directive, or in national security, internal security, external border management, defence, justice, or law enforcement - authorities would only procure cloud services recognised as offering Union assurance levels 2, 3, or 4 (Article 30(3)). For other public-sector activities, services recognised at Union assurance level 1 would be used (Article 30(2)). This would create a clearer, standardised procurement path.

The EuroCloud Federation

CADA would establish the European public sector cloud federation, the "EuroCloud Federation" (Article 34), to facilitate the sharing of public-sector data centre services and cloud computing services between Union entities and public sector bodies. Participation would be voluntary, with entities requesting to join via the Commission. The Commission would establish a platform providing at least a catalogue of available services and a service platform for exchanging and orchestrating computing, storage, and network resources. This would let public authorities - particularly smaller ones - access shared capacity without building their own large-scale data centres.

Open-source first and vendor neutrality

CADA would promote open source as a lever for sovereignty and to reduce lock-in. Under Article 41, the Union and Member States would take the necessary measures to encourage Union entities and public sector bodies to use, and facilitate the reuse of, open standards and components released under an open-source licence. Article 42 would support this by requiring that software a public body makes available for reuse under an open-source licence be published via a catalogue connected to the EU Open Source Solutions Catalogue.

Procurement and added value

To drive market transformation, CADA would introduce procurement rules. In procurement of innovative cloud services and AI systems, Article 32 would require contracting authorities to include non-price award criteria assessing a tenderer's contribution to a European cloud and AI ecosystem - for example, use of hardware designed or manufactured in the Union. As proposed, these criteria must be ancillary and not decisive. Article 33 would set an objective that Member States pursue awarding at least 25% of their cloud and AI procurement to innovative SMEs.

What this means for you

For public-sector procurement officers and IT leaders, CADA would introduce a structured roadmap for cloud migration that balances security, sovereignty, and efficiency.

  1. Conduct risk assessments: You would carry out risk assessments (by entry into force plus one year, then every two years, or whenever necessary) to identify public-order-relevant activities and the assurance level needed.
  2. Leverage the EuroCloud Federation: Explore the federation as a source of shared public-sector capacity, potentially avoiding the capital cost of building your own infrastructure.
  3. Prioritise open source: Review current contracts and future tenders with open-source solutions in mind, consistent with Article 41, to support interoperability and reduce lock-in.
  4. Use added-value criteria: When procuring innovative cloud and AI services, apply the Union added-value criteria (Article 32) - as ancillary, non-decisive factors.
  5. Prepare for assurance levels: Ensure the services you procure are recognised under the new framework; this would become a procurement requirement.

Common misconceptions

  • "CADA bans all non-EU cloud providers." Incorrect. CADA would establish a tiered system. Lower-risk activities could use services recognised at Union assurance level 1. Providers subject to third-country control could, in principle, be audited for Union assurance level 3 where the Commission recognises that third country as meeting the criteria (Article 18). Union assurance level 4 would prohibit third-country control with no derogation.
  • "Open source means no cost." Article 41 would encourage open-source use to reduce lock-in and increase transparency, but it does not make software free. Support, maintenance, and integration still carry costs.
  • "The EuroCloud Federation is a mandatory single provider." It would be a voluntary framework for sharing capacity among public bodies - not a monopoly or mandatory source. Authorities could still procure from commercial providers meeting the required assurance levels.

Related

This is general information about a draft EU regulation, not legal advice.