Summary
Under the proposed Cloud and AI Development Act (CADA), a "public sector body" is the broader category, defined in Article 2(6) of CADA by reference to the Open Data Directive, while a "contracting authority" is the procurement-specific subset, defined in Article 2(22) of CADA by reference to Directive 2014/24/EU. Every contracting authority is a public sector body, but not every public sector body acts as a contracting authority. The distinction matters because CADA's mandatory procurement duties — such as procuring at a minimum Union assurance level — attach to contracting authorities, whereas broader adoption and reuse expectations apply to public sector bodies generally.
Detail
CADA leans on two existing EU definitions to spread obligations across the public sector. The terms overlap heavily in practice but trigger different duties under the proposal, so getting the boundary right matters for compliance mapping.
The definitions
Public sector body. Article 2(6) of CADA defines a "public sector body" by reference to Article 2, point (1), of Directive (EU) 2019/1024 (the Open Data Directive). That definition is expansive and typically covers the State and regional or local authorities, bodies governed by public law, and associations formed by such authorities or bodies. The core idea is an entity meeting needs in the general interest without an industrial or commercial character — a wide net that catches bodies which may do little procurement but still perform public functions or hold public data.
Contracting authorities. Article 2(22) of CADA defines "contracting authorities" by reference to Article 2(1), point (1), of Directive 2014/24/EU (the Public Procurement Directive). This is narrower and tied to procurement. The categories of entity overlap with the Open Data Directive list, but the concept is functional: it bites when the entity acts as a purchaser of works, supplies or services.
Overlap and divergence
- Subset relationship. Every contracting authority is a public sector body. But a public sector body acting outside procurement is not, in that capacity, exercising contracting-authority duties.
- Procurement focus. "Contracting authorities" is the term CADA uses for purchasing obligations; "public sector body" is used more broadly for adoption, reuse and data-sharing.
Obligations attached to each term
Contracting authorities (procurement-specific). CADA, as proposed, places procurement mandates on contracting authorities:
- Minimum assurance levels. Under Article 30, contracting authorities whose activities are not identified as contributing to the preservation of public order must use cloud computing services recognised at least at Union assurance level 1, drawing on the central repository (Article 22). Where a risk assessment under Article 29 identifies activities that contribute to public order, services at the higher Union assurance levels are required.
- Risk assessments. Article 29 obliges Member States (and Union entities) to conduct risk assessments; the results feed directly into contracting authorities' procurement choices.
- EU added value. Article 32 addresses non-price award criteria evaluating a tenderer's contribution to the European cloud and AI ecosystem.
- Innovation procurement. Article 33 addresses monitoring of innovation procurement of cloud and AI services.
Public sector bodies (adoption and reuse). Bodies acting outside procurement still face broader expectations:
- Open source reuse. Article 41 would have public sector bodies use and facilitate the reuse of open standards and components released under an open source licence.
- Software reuse. Article 42 addresses publishing reusable software via a catalogue connected to the EU Open Source Solutions Catalogue.
- General adoption. The Cloud and AI Leadership Initiatives (Title II) aim to promote uptake of cloud and AI across the public sector regardless of procurement status.
Union entities are separate
Note that Union entities (EU institutions, bodies, offices and agencies) are defined separately in Article 2(7). The proposal aligns their procurement outcomes with the same sovereignty standards but situates them within EU financial rules rather than national transpositions of Directive 2014/24/EU.
Why the distinction matters for compliance
If your entity is a contracting authority, you face the procurement playbook: verify the assurance level of any provider you engage, rely on the national risk assessment (Article 29) to learn whether your activities touch public order, build EU added-value criteria into tenders (Article 32), and engage with innovation-procurement monitoring (Article 33).
If your entity is a public sector body but not acting as a contracting authority, Article 30's procurement requirements are not engaged in that capacity, but the broader ecosystem expectations still apply — open source reuse (Article 41) and publishing reusable software via the EU Open Source Solutions Catalogue (Article 42).
What this means for you
For compliance officers and in-house counsel, start with classification:
- Audit your status for the transaction. If you are buying cloud or AI services, you are very likely acting as a contracting authority for that procurement.
- Check the risk assessment. As a contracting authority, find out whether your activities are flagged under the Member State's Article 29 risk assessment as contributing to public order — that decides whether you are confined to the higher assurance levels or may use level 1.
- Review tender templates. Reflect EU added-value criteria (Article 32) and confirm you are inviting only providers recognised at the appropriate assurance level in the central repository (Article 22).
- Set an open source policy. As a public sector body, align software reuse with Article 42 and publish via a catalogue connected to the EU Open Source Solutions Catalogue.
- Watch the timeline. Implementation duties such as risk assessments and competent-authority designation run on the proposal's transposition schedule; align procurement cycles accordingly.
Common misconceptions
"If we are a public body, we must buy from EU-only providers." Incorrect. CADA, as proposed, does not ban non-EU providers outright; it requires procurement at specified Union assurance levels. A provider under third-country control may still be audited for level 3 where the Commission recognises that country under the associated-third-countries mechanism (Article 18). That derogation is specific to level 3 — level 4 has no such derogation, and level 4 requires establishment in the Union.
"Only large ministries are contracting authorities." Small local authorities and associations of public bodies are also contracting authorities when they procure. The definition in Article 2(22) is broad.
"Public sector bodies have no procurement obligations." The procurement duties in Article 30 attach to contracting authorities, but most public sector bodies act as contracting authorities when they buy, and all face the broader reuse expectations (Articles 41 and 42).
"Union entities are the same as Member State contracting authorities." No. Union entities (Article 2(7)) are EU-level and sit under EU financial rules rather than national transpositions of Directive 2014/24/EU, even as CADA aligns their procurement outcomes with the same sovereignty standards.
Related
- What is the difference between a public sector body and a Union entity under CADA?
- What is a public sector body under CADA?
- What the public sector body definition means for buyers under CADA
- Is a state-owned company a public sector body under CADA?
- Does a public sector body that builds its own cloud become a CSP under CADA?
This is general information about a draft EU regulation, not legal advice.