Summary
Under the proposed Cloud and AI Development Act (CADA), public sector bodies are mandated to conduct risk assessments to determine the necessary sovereignty level for their cloud services, as set out in Article 29. If an SME is bidding for contracts involving activities that contribute to the preservation of public order, it must provide services that meet the specific Union assurance level (2, 3, or 4) identified in that assessment, pursuant to Article 30(3). There is no separate "SME exemption" from these sovereignty requirements; instead, SMEs must ensure their services achieve formal recognition under Article 17 to remain eligible for these critical public contracts. The path to eligibility is not through general cybersecurity certification alone, but through the specific CADA recognition procedure.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a rigorous framework for cloud sovereignty designed to protect the EU's public order and operational autonomy. For small and medium-sized enterprises (SMEs) acting as cloud service providers or subcontractors in the public sector, understanding the interplay between the mandatory risk assessments and the resulting procurement rules is essential for compliance and market access.
The Role of Risk Assessments (Article 29)
The cornerstone of CADA's demand-side measures is the obligation for Member States and Union entities to conduct risk assessments. Article 29 requires these public bodies to identify which of their activities contribute to the preservation of public order. This scope explicitly includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
Crucially, Article 29(1) mandates that these risk assessments must determine which Union assurance level (2, 3, or 4) is appropriate for the identified activities. The assessment must consider the sensitivity, criticality, and magnitude of the non-personal and personal data processed, the risk of unlawful access by a third country, and the risk of service disruption. These assessments must be carried out within one year of the regulation's entry into force and repeated every two years, or whenever necessary.
For an SME contractor, this means the "sovereignty bar" is not a fixed standard for all public contracts. It varies dynamically depending on the specific public order activity the client is performing. An SME supplying cloud infrastructure for a non-critical administrative task might only need to meet Union assurance level 1. However, if that same SME is supplying infrastructure for a law enforcement database or a defence project, the client's risk assessment under Article 29 will likely require Union assurance level 3 or 4. The SME must align its service offering with the specific level dictated by the client's assessment.
Procurement Obligations for Public Order Activities (Article 30)
Once the risk assessment is complete, it directly dictates procurement rules. Article 30 sets out the minimum requirements for contracting authorities. While most public bodies must use services recognised as offering Union assurance level 1, Article 30(3) imposes stricter rules for activities identified as contributing to public order.
Article 30(3) states: "Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This provision creates a direct link between the client's risk assessment and the SME's eligibility to bid. If an SME's cloud service does not hold a recognition for the specific assurance level required by the client's assessment, the SME cannot be awarded the contract. There are limited derogations under Article 30(4), such as when no adequate alternative exists or where applying the requirements would require disproportionate cost, but these are exceptional and require justification. They are not a standard route for SMEs to bypass sovereignty requirements.
The Route to Compliance: Recognition under Article 17
To meet the requirements of Article 30(3), an SME must have its cloud computing service formally recognised. This recognition process is detailed in Article 17. The SME must submit an application for recognition to the national competent authority of its establishment.
For Union assurance level 1, recognition is based on a conformity self-assessment and an EU statement of conformity. However, for levels 2, 3, and 4 (the levels required for public order activities), the SME must undergo independent third-party audits. The SME must submit the audit report and a "positive" audit opinion to the competent authority, along with all evidence provided to the auditing organisation.
The recognition process involves a 60-day review period where other Member States can raise reasoned objections. If no objections are raised, or if they are resolved, the service is recognised throughout the Union. This "once recognised, accepted everywhere" principle is vital for SMEs, as it allows them to bid for public contracts across the EU without undergoing separate national sovereignty checks, provided they meet the assurance level specified in the client's risk assessment.
What this means for you
For SME cloud providers and data centre operators, preparing for CADA's risk assessment requirements involves several concrete steps to ensure eligibility for public-order contracts:
- Map Your Clients' Activities: Understand whether your public sector clients are engaged in activities that preserve public order. Ask them about their ongoing risk assessments under Article 29. If they are in defence, law enforcement, or critical infrastructure, they will likely require Union assurance level 2, 3, or 4. Do not assume a standard public contract implies Level 1.
- Prepare for Audits: Unlike general cybersecurity certifications, CADA's sovereignty framework requires specific audits against the criteria in Annex II. Start documenting your supply chain, data residency, and personnel controls now. For levels 2-4, you will need an independent auditing organisation to issue a positive opinion. Note that the personnel requirements are strict: personnel must be Union citizens, conditionally at Level 2 (if the public body requires it) and mandatorily at Levels 3 and 4.
- Apply for Recognition: Do not assume your existing ISO certifications or EUCS (once adopted) are sufficient on their own. You must apply for recognition under Article 17. This involves submitting evidence to your national competent authority. For SMEs, there is a slight simplification for Level 1 (automatic recognition of the statement of conformity), but for the higher levels required by public order contracts, the full audit and recognition process applies.
- Monitor Client Assessments: Since risk assessments are repeated every two years, stay in communication with your public sector clients. If their risk assessment changes, their required assurance level may change, impacting your compliance status. A service recognised at Level 2 may become ineligible if a client's assessment upgrades a project to Level 3.
- Leverage Common Procurement: CADA encourages common procurement and the EuroCloud Federation. As an SME, participating in these frameworks can help you meet the scale and assurance requirements more efficiently than bidding individually for large public contracts, potentially reducing the administrative burden of multiple recognition applications.
Common misconceptions
- "SMEs are exempt from sovereignty requirements." This is incorrect. CADA does not exempt SMEs from the Union assurance levels. While there are support measures for SMEs in innovation procurement (Article 33), the sovereignty criteria in Annex II apply to all providers bidding for public contracts. The only simplification is for Union assurance level 1, where SMEs' self-assessments are automatically recognised across the Union.
- "GDPR compliance is enough for public order contracts." GDPR protects personal data, but CADA addresses broader sovereignty risks, including operational autonomy and protection against third-country access to non-personal data. Article 30(3) explicitly requires Union assurance levels 2-4 for public order activities, which go beyond GDPR's scope.
- "I can bid if I have a cybersecurity certificate." While cybersecurity is a component (requiring at least 'substantial' assurance for Levels 2 and 3, and 'high' for Level 4), CADA's assurance levels include criteria on data localisation, personnel citizenship, and absence of third-country control. A standard cybersecurity certificate does not equate to CADA recognition under Article 17.
- "Risk assessments are only for large government bodies." Article 29 applies to all Member States and Union entities. This includes local and regional authorities if they engage in activities contributing to public order, such as local law enforcement or emergency services.
This is general information about a draft EU regulation, not legal advice.