Summary

Under the proposed Cloud and AI Development Act (CADA), the path to public procurement is a two-step process: Article 29 risk assessments determine which Union assurance level is required for a specific public sector activity, while Article 17 CSP recognition proves that a provider meets the criteria for that level. Crucially, Article 30(2) and 30(3) mandate that contracting authorities may only procure services that have been formally recognised at the level dictated by the risk assessment. A provider cannot bid on a Level 3 contract without Article 17 recognition for Level 3, regardless of its technical capabilities. This ensures that sovereignty requirements are strictly matched to the criticality of the public-order activity.

Detail

The proposed CADA establishes a rigid, interlocking framework in which the demand side (public buyers) and the supply side (cloud providers) are bound together by the Union assurance levels. The regulation deliberately separates the determination of need from the verification of capability: absent the narrow derogation in Article 30(4), a procurement is not lawful unless the level set by the risk assessment and the level at which the service is recognised line up.

Step 1: Determining the Need (Article 29 Risk Assessments)

Before a single tender is published, the public sector must determine the sovereignty risk profile of its activities. Article 29 places the obligation on Member States and Union entities to carry out risk assessments to identify which activities contribute to the preservation of public order.

  • Identifying Critical Activities: The assessment must identify activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in areas such as national security, internal security, external border management, defence, justice, or law enforcement (Article 29(1)(a)).
  • Setting the Level: Based on the sensitivity of data, the risk of third-country access, and the risk of service disruption, the authority must determine whether Union assurance level 2, 3, or 4 is appropriate for those specific activities (Article 29(1)(b)).
  • Frequency: These assessments are not one-off events. They must be conducted within one year of the regulation's entry into force and updated every two years, or whenever necessary (Article 29(1)).

The output of Article 29 is a binding determination: "Activity X requires Union assurance level Y." This determination dictates the minimum threshold for any subsequent procurement.

Step 2: Proving Capability (Article 17 CSP Recognition)

On the supply side, a cloud computing service provider (CSP) cannot simply claim to be "sovereign." They must undergo a formal recognition process to prove they meet the cumulative criteria for a specific level.

  • The Application: A CSP submits an application for recognition to the national competent authority of the Member State in which it is established (Article 17(1)).
  • Evidence Requirements:
    • For Level 1, the provider submits an EU statement of conformity based on a self-assessment (Article 17(3)).
    • For Levels 2, 3, and 4, the provider must submit an audit report and a "positive" audit opinion from an independent auditing organisation, along with all evidence provided during the audit (Article 17(4)).
  • Union-Wide Validity: Once the evaluating authority assesses the evidence and no reasoned objection is raised by other Member States within the review period, the service is recognised across the entire Union at that specific assurance level (Article 17(7)).
  • The Repository: Recognised services are registered in a central repository maintained by the Commission (Article 22), which serves as the definitive list of eligible providers.

Step 3: The Procurement Mandate (Article 30)

Article 30 acts as the gatekeeper, legally binding the output of Article 29 to the output of Article 17. It restricts procurement to services recognised at the assurance level the risk assessment requires, subject only to the derogation in Article 30(4).

  • The Baseline (Article 30(2)): For public sector bodies whose activities have not been identified as contributing to the preservation of public order under Article 29(1), the minimum requirement is to use cloud computing services recognised under Article 17 as having Union assurance level 1.
  • The Elevated Mandate (Article 30(3)): Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., defence, law enforcement) shall only procure cloud computing services that have been recognised as having Union assurance level 2, 3, or 4. Which of those three levels applies to a given activity is fixed by the Article 29 determination for that activity.
  • The "Only Recognised" Rule: The text of Article 30 is unambiguous: procurement is restricted to services that have been "recognised" under Article 17. A provider with a Level 2 recognition cannot bid on a contract requiring Level 3, even if they believe they are capable. Conversely, a provider with Level 3 recognition is eligible for Level 2 contracts, as the regulation requires meeting the minimum level set by the risk assessment.
  • Derogations: Limited exceptions exist under Article 30(4) for cases where no recognised service is available in the central repository, provided the absence is not due to artificial narrowing of the procurement parameters.

What this means for you

For cloud service providers, this framework transforms "sovereignty" from a marketing claim into a formal, level-specific recognition status. Your eligibility for public contracts is entirely dependent on the intersection of your Article 17 recognition status and the Article 29 risk assessments of your target markets.

  1. Target Your Recognition Precisely: You must decide which assurance level to pursue based on market intelligence. If you only seek Level 1 recognition, you are legally barred from any public contract where the Member State's risk assessment (Article 29) has determined that Level 2, 3, or 4 is required. You cannot "upgrade" your status mid-tender; the recognition must exist before the procurement process begins.
  2. Map Your Market to Risk Assessments: Your sales strategy must align with the specific risk assessments conducted by Member States. You need to know which jurisdictions have classified specific sectors (e.g., healthcare, energy) as requiring Level 3. If a Member State classifies a sector as requiring Level 3, your Level 2 recognised service is ineligible for those contracts, regardless of your technical architecture.
  3. Prepare for the "Positive" Audit Opinion: For Levels 2–4, the Article 17 process is rigorous. You must secure a "positive" audit opinion from an independent organisation. This requires demonstrating compliance with Annex II criteria, including data localisation, personnel screening (Union citizenship where required), and supply chain transparency. Without this specific opinion, the national competent authority cannot grant recognition, and Article 30(3) will block your participation.
  4. Monitor the Central Repository: Contracting authorities will verify your eligibility against the central repository (Article 22). If your recognition is revoked due to a material change (Article 23) or an audit failure, you are immediately removed from the pool of eligible bidders for all public contracts requiring that level.

Common misconceptions

"A provider can bid on a higher-level contract if they promise to upgrade later." No. Article 30(3) states that authorities "shall only procure" services that have been recognised at the required level. The recognition must be in place at the time of procurement. A promise to obtain recognition later does not satisfy the mandatory requirement.

"All public sector activities require the highest assurance level (Level 4)." No. The framework is proportionate. Article 30(2) explicitly states that for activities not identified as contributing to public order, the minimum is Level 1. Only activities identified under Article 29(1) as critical to public order trigger the requirement for Levels 2, 3, or 4 under Article 30(3).

"National cybersecurity certifications are enough to bid." No. While existing certifications (for example, a certificate issued under the European Cybersecurity Certification Scheme, or a national scheme) may serve as evidence during the audit for higher levels, they do not replace the formal Article 17 recognition process. A service must be formally recognised by the national competent authority and listed in the central repository to be eligible for procurement under Article 30.

"Risk assessments are just internal guidelines." No. Article 29 risk assessments are the legal basis for Article 30 procurement mandates. The outcome of the risk assessment legally binds the contracting authority to procure only at the specified level. Ignoring the risk assessment result would constitute a breach of the procurement rules.

This is general information about a draft EU regulation, not legal advice.