Summary Under the proposed Cloud and AI Development Act (CADA), "contracting authorities" are not given a new definition. As proposed in Article 2, point (22), the term means contracting authorities as defined in Article 2(1), point (1), of Directive 2014/24/EU (the Public Procurement Directive): the State, regional or local authorities, bodies governed by public law, and associations formed by one or more such authorities or bodies. This definition matters because, as proposed, contracting authorities are the entities bound by CADA's public-procurement obligations in Articles 30, 32 and 33 β€” the rules that would require them to buy cloud services meeting specified Union assurance levels.

Detail

To understand who would be bound by CADA's procurement rules, you first need to know how the proposal identifies the entities that buy cloud and AI services. CADA does not create a standalone definition of "contracting authority." Instead, as proposed it anchors the term in existing EU procurement law for consistency across the single market.

The legal definition

As proposed in Article 2, point (22), "contracting authorities" means contracting authorities as defined in Article 2(1), point (1), of Directive 2014/24/EU.

Under the Public Procurement Directive, that definition covers four categories of entity:

  1. The State β€” central government bodies, ministries and national administrations.
  2. Regional or local authorities β€” sub-national entities such as regions, counties, municipalities, cities and provinces.
  3. Bodies governed by public law β€” entities established for the specific purpose of meeting needs in the general interest, not having an industrial or commercial character, and which are either financed for the most part by, subject to management supervision by, or have a board more than half appointed by, the State, regional or local authorities, or other bodies governed by public law. Public hospitals, universities and certain public agencies often qualify.
  4. Associations formed by one or more of the above authorities or bodies.

Why this definition matters in CADA

As proposed, identifying a "contracting authority" is the trigger for the procurement obligations in Title IV of CADA. The relevance runs across three main areas.

1. Risk assessments (Article 29)

Before procuring, a public buyer needs to know which services are safe to use. As proposed, Article 29 obliges Member States and Union entities to carry out risk assessments that identify the public-sector activities contributing to the preservation of public order. The outcome of that assessment would determine the minimum Union assurance level (levels 1 to 4) a service must offer. Note the precise wording: Article 29 frames the duty in terms of Member States and Union entities, while the procurement duties in Article 30 are addressed to contracting authorities, Union entities and public sector bodies depending on the paragraph. Private entities in high-criticality sectors listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555) may carry out similar assessments voluntarily under Article 31.

2. Procurement obligations based on assurance levels (Article 30)

As proposed, Article 30 sets a tiered requirement:

  • Baseline: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised under Article 17 as offering Union assurance level 1.
  • Public-order activities: Contracting authorities whose activities have been identified under Article 29(1) as contributing to the preservation of public order β€” in NIS2 Annex I or II sectors, or in national security, internal security, external border management, defence, justice or law enforcement β€” must only procure services recognised as offering Union assurance level 2, 3 or 4.

Article 30 also allows narrow, duly justified derogations (for example, where no recognised service can supply what is needed, or where compliance would be at disproportionate cost).

3. EU added value and SME participation (Articles 32 and 33)

As proposed, Article 32 requires contracting authorities, in procurement procedures for innovative cloud computing services and AI systems, to include non-price award criteria measuring a tenderer's contribution to a European cloud and AI ecosystem (for example, use of hardware designed or manufactured in the Union). Those criteria must be ancillary and not decisive. As proposed, Article 33 requires Member States to monitor and report on this procurement and to pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs.

Distinction from "public sector bodies"

"Contracting authorities" and "public sector bodies" overlap but are not identical. As proposed, Article 2, point (6) defines "public sector body" by reference to Directive (EU) 2019/1024 (the Open Data Directive). The two terms are used deliberately in different places: Article 30(2)'s baseline duty is framed around Union entities and public sector bodies, while Article 30(3)'s public-order duty is framed around contracting authorities. Reading the operative article β€” not just the labels β€” is essential.

What this means for you

If you work in a public-sector procurement office, IT department or legal team, check your status against the proposal.

  1. Confirm your status. Check whether your organisation fits Article 2(1), point (1), of Directive 2014/24/EU. A ministry, municipality, public hospital or public university is very likely a contracting authority.
  2. Prepare for the risk-assessment step. As proposed, the assurance level you may buy would depend on the Article 29 risk assessment that maps your activities against "preservation of public order."
  3. Update procurement templates. As proposed, tenders for public-order activities would have to require services recognised at Union assurance level 2, 3 or 4; other activities would require at least level 1.
  4. Use the EU added-value criteria. As proposed, Article 32 lets you score the European supply-chain contribution of bids β€” but only as ancillary, non-decisive criteria linked to the contract.
  5. Track SME participation. As proposed, Member States must report SME participation and pursue the 25% objective in Article 33; expect data requests on contracts awarded to SMEs.

Common misconceptions

  • "Only central government is a contracting authority."
    • Correction: No. Regional and local authorities, and bodies governed by public law such as hospitals and universities, are included where they meet the Directive 2014/24/EU criteria.
  • "A good data-processing agreement is enough to buy any cloud service."
    • Correction: As proposed, a contracting authority would have to procure services recognised under Article 17 at the required Union assurance level. A contractual DPA would not substitute for that recognition.
  • "Private companies don't need to understand this."
    • Correction: Private companies are not contracting authorities, but providers selling to the public sector would need the appropriate Union assurance level recognition to be eligible, so the definition shapes who can win these contracts.

Related

This is general information about a draft EU regulation, not legal advice.