Summary

As proposed, the Cloud and AI Development Act (CADA) would transform public procurement into a primary engine for EU tech sovereignty. Under Article 30, public bodies handling public-order-sensitive data would be legally required to procure only cloud services recognized at Union assurance levels 2, 3, or 4, effectively excluding providers subject to third-country control from critical contracts. Simultaneously, Article 32 would empower contracting authorities to award contracts based on "Union added value" criteria, favoring hardware and software designed or manufactured in the EU, while Article 33 would set a strategic objective for Member States to award at least 25% of relevant innovation procurement to SMEs.

Detail

The proposed CADA explicitly recognizes that public procurement is a "primary signal of market direction." By harmonizing how public sector bodies across the Union purchase cloud and AI services, the regulation aims to reduce critical dependencies on non-European providers, strengthen the EU's digital supply chain, and foster a competitive domestic ecosystem. The proposal achieves this through three interconnected legal mechanisms: mandatory sovereignty tiers for critical sectors, non-price award criteria favoring European value, and targeted support for small and mid-sized enterprises (SMEs).

Mandatory Sovereignty Tiers for Public-Order Buyers (Article 30)

The core of CADA's sovereignty framework is the "Union cloud computing sovereignty framework," which defines four assurance levels (1 through 4) based on cumulative criteria set out in Annex II. Article 30 ties these assurance levels directly to public procurement obligations, creating a strict bifurcation between general public services and those critical to public order.

For the majority of public sector activities, the baseline requirement is Union assurance level 1. Article 30(2) states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least this level. Level 1 requires providers to be established in the Union, with infrastructure and data remaining exclusively within the Union unless the public sector body explicitly requires otherwise.

However, for activities deemed critical to public order, the requirements are significantly stricter and mandatory. Article 30(3) mandates that contracting authorities whose activities contribute to the preservation of public order (specifically in sectors falling under Annex I or II of the NIS2 Directive, or in the areas of national security, internal security, external border management, defence, justice, or law enforcement) shall only procure cloud computing services that have been recognized as having a Union assurance level 2, 3, or 4.

These higher assurance levels impose cumulative criteria that are difficult for providers subject to third-country control to meet. For instance, Union assurance level 2 requires that infrastructure, assets, and personnel are located in the Union, and that customer data is not used to train AI systems operated by third countries. Levels 3 and 4 add further stringency, including requirements for Union citizenship for personnel (conditional at Level 2, mandatory at Levels 3 and 4) and higher cybersecurity certification standards (at least "substantial" for Levels 2 and 3, and "high" for Level 4). By legally binding public-order buyers to these tiers, CADA would effectively exclude many non-EU hyperscalers from critical government contracts, driving demand toward European providers who can meet these rigorous sovereignty criteria.

Steering the Market via Union Added Value (Article 32)

While Article 30 sets a mandatory floor for security and sovereignty, Article 32 provides the mechanism to actively steer procurement toward strengthening the European cloud and AI ecosystem beyond the minimum requirements. The proposal acknowledges that public procurement frequently serves as a primary signal of market direction. To leverage this, Article 32(1) requires contracting authorities to include non-price award criteria in their public procurement procedures for innovative cloud computing services and AI systems.

These criteria must allow authorities to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. Specifically, Article 32(3) lists factors that authorities can evaluate, including:

  • The extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • Whether the tenderer has integrated technologies developed in the Union, including results from Union-funded R&D programs.
  • Whether the innovation required to deliver the service contributes to strengthening security of supply.
  • Whether the service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Crucially, Article 32(2) ensures these criteria are proportionate and do not distort competition. They must be ancillary and not decisive in the award of the contract, preserving the primacy of technical and financial criteria. The explanatory memorandum (Recital 67) suggests a maximum weighting of 15 out of 120 points for Union added value, ensuring it remains subordinate to core performance requirements. This approach allows public buyers to prefer European solutions without violating non-discrimination principles, provided the preference is clearly linked to the subject matter of the contract and contributes to security of supply.

Supporting SMEs and Innovation (Article 33)

To prevent the market from consolidating solely around large incumbents and to ensure the sovereignty framework benefits the broader European innovation landscape, Article 33 introduces measures to support SMEs and innovation in public procurement. The proposal recognizes that smaller European providers are often better positioned to offer specialized, sovereign solutions but face barriers in accessing large public contracts.

Article 33(4) sets a clear strategic objective: Member States shall pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. To achieve this, Member States must include plans in their national cloud and AI strategies (required under Article 7) detailing how they intend to meet this target.

Furthermore, Article 33 requires Member States to monitor and report annually on their use of procurement of innovation. This reporting must include data on SME participation trends, such as the number of contracts awarded to SMEs and their share of total contract value. Based on this monitoring, Member States must take measures to identify barriers to SME participation and improve access to procurement markets. This could include dividing contracts into lots to make them more accessible to smaller firms, using pre-commercial procurement to help startups scale their solutions, and promoting matchmaking between public buyers and innovative European SMEs.

What this means for you

For public-sector procurement officers and policy makers, CADA would fundamentally change how you structure cloud and AI tenders.

  1. Conduct Rigorous Risk Assessments: Before issuing a tender, you must determine if your activities contribute to the preservation of public order. This requires carrying out risk assessments as outlined in Article 29, considering the sensitivity and criticality of the data processed. If your activities are deemed public-order relevant, you must restrict your tender to providers recognized at Union assurance levels 2, 3, or 4. You cannot accept bids from providers only meeting Level 1 criteria.
  2. Update Award Criteria: You should revise your tender templates to include non-price award criteria based on Article 32. Explicitly ask bidders to demonstrate how their solution strengthens the EU digital supply chain, such as by using EU-designed hardware or integrating EU-developed technologies. Ensure these criteria are clearly linked to the contract's subject matter and are not decisive in the final award.
  3. Plan for SME Participation: Review your procurement strategy to ensure you are meeting the 25% SME award target set out in Article 33. Consider splitting large contracts into smaller lots, using innovation partnerships, or providing clearer documentation to help SMEs understand the requirements. Monitor your outcomes and report them annually to your national authority.
  4. Verify Assurance Levels: When evaluating bids, you must verify the Union assurance level of each provider through the central repository maintained by the Commission (Article 22). Do not rely solely on provider self-declarations; use the official recognition status.

Common misconceptions

  • "CADA bans all non-EU cloud providers." This is incorrect. CADA creates a tiered system. Non-EU providers can still compete for Level 1 contracts (general public services) if they meet the strict establishment and data localization criteria. For Levels 2–4, non-EU providers are generally excluded unless they operate through EU-established entities that are not subject to third-country control, or if the Commission adopts a decision under Article 18 recognizing a third country as providing sufficient assurances for Level 3.
  • "Union added value means we must buy EU products." No. Article 32 explicitly states that Union added value criteria must not be decisive. They are ancillary factors used to break ties or slightly favor bids that contribute to the EU ecosystem. The primary decision must still be based on technical quality and price.
  • "SMEs are guaranteed 25% of contracts." The 25% figure in Article 33 is an objective for Member States to pursue, not a guaranteed quota for every individual tender. It is a strategic target to drive policy and monitoring, not a rigid legal mandate for each procurement file.

This is general information about a draft EU regulation, not legal advice.