What are the exceptions to CADA procurement requirements?

Summary As proposed, Article 30(4) of the Cloud and AI Development Act (CADA) would let contracting authorities depart, on an exceptional and duly justified basis, from the assurance-level procurement rules in Article 30(2) and (3) where one or more of three circumstances applies: (a) the subject matter cannot be supplied by recognised services in the central repository (Article 22), no adequate or reasonable alternative exists, and that absence is not the result of an artificial narrowing of the procurement parameters; (b) a similar procurement in the previous year drew no suitable tenders or participants; or (c) compliance would require procurement at disproportionate cost. The derogation is conditional, fact-specific and carries a justification burden.

Detail

CADA would set a mandatory baseline for public-sector cloud procurement. Article 30(2) requires services recognised at Union assurance level 1 for activities not identified as contributing to the preservation of public order, and Article 30(3) requires services recognised at level 2, 3 or 4 for activities that are. Article 30(4) is the only safety valve, and it is deliberately narrow: "by derogation from paragraphs 2 or 3, on an exceptional basis and where duly justified," an authority may decide not to procure a recognised level 1, 2, 3 or 4 service where one or more of the listed circumstances applies.

1. No recognised service and no reasonable alternative

The first ground applies where the subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository (the public list the Commission maintains under Article 22), and no adequate or reasonable alternative or comparable cloud computing service exists, and that absence is not the result of an artificial narrowing down of the parameters of the public procurement procedure.

All three elements must hold. The "artificial narrowing" condition is the critical guardrail: if an authority writes specifications so tightly that only non-recognised providers can bid, it cannot then claim there is no recognised supply. The central repository is the reference point — if a recognised service there can meet the need, the ground fails.

2. No suitable tenders in a recent similar procurement

The second ground applies where the authority "has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants." This is a market-failure safeguard with three constraints:

• Recency — the failed procurement must be within the previous year;
• Similarity — it must be genuinely similar; a generic infrastructure tender cannot justify a derogation for a specialised, high-assurance application; and
• Outcome — the result must be the absence of suitable tenders or participants. Tenders received but rejected for other reasons (e.g. price) do not fit here; that scenario belongs under ground (c).

3. Disproportionate cost

The third ground applies where applying the Regulation's requirements would require the authority "to procure services at disproportionate cost." CADA does not define "disproportionate" in Article 30, so the term must be read in light of general procurement principles of proportionality and sound financial management. This is likely to be the most scrutinised ground: an authority would need to document the cost differential between recognised and non-recognised options and show that the premium is genuinely disproportionate, not merely a preference for a cheaper non-recognised vendor.

Reading "disproportionate" in context

Although Article 30 does not define the term, the surrounding framework helps frame it. CADA's procurement rules exist to protect public order and reduce strategic dependency; a cost premium for a recognised service is, to a degree, the intended price of those objectives. "Disproportionate" therefore should not be read as "any premium," but as a premium so large, relative to the public interest secured, that procurement at that price would be unreasonable — a balance familiar from the general proportionality principle in EU law and the sound-financial-management duties applicable to public spending. Authorities relying on this ground should be ready to show both the size of the premium and why it outweighs the sovereignty and public-order benefits in the specific case.

Interaction with the higher tiers

The three grounds bite differently across the two procurement tiers. For an ordinary (level-1) procurement under Article 30(2), a derogation removes a relatively light requirement. For a public-order procurement under Article 30(3), where the risk assessment has concluded that level 2, 3 or 4 is needed to protect public order, a derogation means knowingly accepting a service that does not meet the security level the assessment found necessary. The text places no formal extra hurdle on the higher tier, but in practice the public-order stakes raise the bar for what counts as "duly justified": the more critical the activity, the stronger the justification a derogation will need to withstand scrutiny.

Procedural and evidentiary burden

Article 30(4) requires the derogation to be exceptional and duly justified — it is not automatic. In practice an authority should expect to:

• document the chosen ground against the specific facts;
• evidence reliance on the central repository (Article 22) before asserting a supply gap; and
• apply heightened care where the activity is a public-order activity under Article 29, since the public interest in security raises the bar for departing from the level 2/3/4 requirement.

What this means for you

For in-house counsel and compliance officers, the Article 30(4) grounds are emergency valves, not escape hatches.

1. Build the "artificial narrowing" defence

If you rely on ground (a), audit your technical specifications. Parameters must reflect genuine operational needs, not legacy preferences for a particular non-recognised vendor. If a recognised service could meet the need with reasonable configuration, the "no reasonable alternative" element fails. Keep records of why recognised services were inadequate.

2. Keep a procurement history

For ground (b), retain records of cloud tenders so you can point to a specific, similar procurement in the last 12 months that drew no suitable tenders or participants, and show that suitability was assessed fairly.

3. Quantify disproportionate cost

For ground (c), develop a defensible cost-comparison methodology, ideally with quotes from both recognised and non-recognised providers, and articulate why the premium is disproportionate rather than merely higher.

4. Re-check the repository through the cycle

A supply-gap justification can become invalid mid-procedure if a new recognised service is registered. Procurement cycles are long; confirm your justification still holds at award.

Common misconceptions

"We can use any provider if it is cheaper." Incorrect. Ground (c) requires disproportionate cost, not a marginal saving.

"One failed tender exempts us indefinitely." Incorrect. Ground (b) is limited to a similar procurement that failed within the previous year; it is not a standing exemption.

"We can narrow the specs to exclude recognised providers." Incorrect. Ground (a) is expressly defeated where the supply gap results from artificial narrowing of the parameters.

"The central repository is just guidance." Incorrect. Ground (a) is tied to the absence of a suitable service in the Article 22 repository; a service listed there is treated as available.

Related

• CADA Procurement Derogations: When can a public buyer avoid assurance-level requirements?
• Will small public bodies be able to afford CADA procurement fees?
• Why does CADA add a Union added value criterion to procurement?
• Who pays for CADA procurement fees? Article 40 explained
• CADA Procurement Compliance: Who is Responsible in a Public Body?

This is general information about a draft EU regulation, not legal advice.