Summary As proposed in the Cloud and AI Development Act (CADA), there is no direct financial penalty or fine for failing to meet the objective of awarding at least 25% of cloud and AI innovation procurement to small and medium-sized enterprises (SMEs). Article 33(4) explicitly frames this figure as an objective that Member States "shall pursue," rather than a strict mandatory quota with automatic sanctions for non-achievement.

However, the absence of a direct fine does not imply a lack of enforcement. Accountability is secured through a rigorous framework of mandatory monitoring, annual reporting to the European Commission, and the requirement to embed concrete implementation plans within national cloud and AI strategies (under Article 7). While missing the percentage target itself does not trigger an administrative fine under CADA, failure to establish the required plans or report data accurately would constitute a breach of the Regulation. Persistent failure to pursue the objective could also lead to political scrutiny, Commission recommendations, or broader infringement proceedings regarding the implementation of the Regulation's goals.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, seeks to reshape the European cloud and AI ecosystem by leveraging public procurement to foster innovation and reduce dependencies. A central pillar of this strategy is the support of smaller European providers. Article 33, titled "Monitoring of procurement of innovation in cloud and AI," establishes the specific framework for this support, distinguishing clearly between binding obligations and strategic objectives.

The Legal Nature of the 25% Figure: Objective vs. Quota

The core of the inquiry lies in the precise wording of Article 33(4). The provision states:

"Member States shall pursue as objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. Member States shall include, in their national strategies referred to in Article 7, plans on how they intend to achieve this objective."

The legislative choice of the phrase "pursue as objective" is legally significant in EU regulatory drafting. It distinguishes this requirement from "mandatory quotas" or "binding targets" often found in other sectors (such as certain environmental or social procurement rules) where failure to meet the threshold automatically triggers a sanction. Instead, Article 33(4) creates a "best efforts" obligation. The legal duty is not to guarantee the 25% outcome in every instance, but to actively strive for it through defined measures and to document that effort.

This distinction is reinforced by the structure of the article. While Article 33(1) imposes a mandatory duty to "monitor and report," and Article 33(3) mandates specific annual data submissions, the text does not link the outcome of the 25% target to the penalty regime found in Article 24. Article 24 explicitly addresses penalties for infringements by cloud computing service providers regarding the sovereignty framework (e.g., failing to meet Union assurance levels). It does not extend these penalty rules to Member States for missing the SME procurement objective.

The Accountability Framework: Planning, Monitoring, and Oversight

Although there is no direct fine for missing the target, CADA establishes a robust "compliance by transparency" mechanism. This framework ensures that Member States cannot ignore the objective without consequence.

1. Integration into National Strategies (Article 7)

The primary mechanism for enforcing the 25% objective is its integration into national planning. Article 7(1) requires Member States to establish national cloud and AI strategies within one year of the Regulation's entry into force. Article 7(2)(f) mandates that these strategies include measures to support development through public procurement.

Crucially, Article 33(4) adds a specific requirement: Member States must include in these national strategies "plans on how they intend to achieve this objective."

  • The Obligation: The failure to include a plan in the national strategy is a direct breach of the Regulation.
  • The Consequence: While missing the 25% number is not penalized, failing to submit the plan to achieve it is a procedural violation that could trigger infringement proceedings by the Commission for failure to transpose or implement the Regulation correctly.

2. Mandatory Monitoring and Annual Reporting (Article 33(1) & (3))

The Regulation shifts the focus from outcome-based penalties to process-based transparency. Article 33(1) obliges Member States to monitor their use of innovation procurement. Article 33(3) specifies that Member States must inform the Commission annually of:

  • The size of economic operators participating in such procurement.
  • SME participation trends, including the number of contracts awarded to SMEs, their share of total contract value (as a percentage), and cross-border participation.
  • Measures taken to improve SME access.

This creates a permanent, public record of performance. If a Member State consistently fails to meet the 25% objective, this data will be visible to the Commission and the public. The Commission is empowered to review these reports and, under Article 33(3), use the data to identify barriers and improve access.

3. Commission Oversight and Strategic Guidance

The Commission's role is one of oversight and guidance rather than direct sanctioning for the target itself. The Commission can:

  • Issue recommendations based on the annual reports.
  • Use the data to inform the development of delegated acts or implementing acts.
  • Initiate infringement proceedings if a Member State fails to submit the required national strategy or annual reports (procedural non-compliance).
  • Apply political pressure or adjust funding priorities if a Member State demonstrates a lack of effort in "pursuing" the objective, as evidenced by the absence of measures in their national strategy.

Distinction from Other CADA Penalties

It is vital to distinguish the SME procurement objective from the strict liability regimes elsewhere in CADA.

  • Sovereignty Framework (Title IV, Chapter I): Under Article 24, cloud computing service providers face "effective, proportionate and dissuasive" penalties for infringing sovereignty rules (e.g., failing to meet Union assurance levels). These are direct financial penalties imposed on private entities.
  • SME Objective (Article 33): This applies to Member States and contracting authorities. In EU law, penalties for Member States are typically reserved for the Court of Justice of the EU (CJEU) following infringement proceedings for systemic failure to implement the law, not for missing a specific statistical target where the law only requires "pursuit."

What this means for you

For legal counsel, public procurement officers, and compliance teams, the absence of a direct penalty for missing the 25% target requires a shift in compliance strategy from "outcome guarantee" to "process documentation."

1. Document the "Pursuit"

Since the legal obligation is to "pursue" the objective, the primary defense against scrutiny is evidence of active effort. Compliance teams should:

  • Maintain records of preliminary market consultations (encouraged by Article 33(5)).
  • Document matchmaking events between public buyers and innovative SMEs.
  • Archive the use of public contract clauses favourable to innovative SMEs.
  • If the 25% target is missed, these records demonstrate that the authority was actively "pursuing the objective" as required by Article 33(4), thereby fulfilling the legal duty even if the statistical outcome was not achieved.

2. Align with National Strategies

Procurement plans must align with the national cloud and AI strategy. Article 33(4) requires these strategies to contain specific plans for the 25% target. If a Member State's strategy outlines specific measures (e.g., "splitting contracts into lots," "reserving 30% of lots for SMEs"), deviation from these measures without justification could be viewed as a failure to implement the national strategy, which is a binding obligation under Article 7.

3. Prepare for Annual Reporting

The real "penalty" for non-compliance may be administrative or reputational. Article 33(3) requires detailed annual reporting. Failure to report accurate data on SME participation trends or contract values is a breach of the Regulation. Organizations should ensure their data collection systems can track:

  • The number of contracts awarded to SMEs.
  • The share of total contract value awarded to SMEs.
  • Cross-border participation rates.

4. Strategic Risk Management

While not a legal fine, consistent failure to meet the 25% objective may attract negative attention from the Commission. This could impact:

  • Future Funding: Access to EU funds linked to digital transformation may be influenced by performance on strategic objectives.
  • Regulatory Tightening: Persistent failure to meet the objective could lead the Commission to propose stricter measures in future amendments or delegated acts, potentially converting the "objective" into a binding quota.

Common misconceptions

"Missing the 25% target results in an automatic fine." This is incorrect. Article 33(4) uses the language "pursue as objective," which implies a best-efforts approach supported by planning and monitoring, not a strict quota with automatic financial penalties for non-achievement. The penalty regime in Article 24 applies to cloud providers, not Member States for this specific target.

"There are no consequences for failing to meet the SME target." This is misleading. While there is no direct fine, failure to meet the objective can lead to scrutiny during the Commission's review of national strategies and annual reports. It may also indicate broader failures in implementing the Regulation's goals, which could trigger infringement proceedings for failure to transpose the Regulation correctly (e.g., failing to include the required plans in the national strategy).

"The 25% target applies to all cloud and AI procurement." The target specifically applies to "procurement of innovation in cloud computing services and AI systems" as monitored under Article 33. It is part of a broader effort to foster innovation and support SMEs, not necessarily every routine cloud service contract. The Regulation encourages Member States to "monitor and report on their use of procurement of innovation," implying a specific subset of procurement activities.

Related

This is general information about a draft EU regulation, not legal advice.