What are Union entities under CADA?

Under the proposed Cloud and AI Development Act (CADA), Article 2(7) defines "Union entities" as "the Union institutions, bodies, offices and agencies set

Summary Under the proposed Cloud and AI Development Act (CADA), Article 2(7) defines "Union entities" as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community." That covers the major institutions (such as the Commission and the Parliament) and the decentralised agencies (such as ENISA). Union entities carry obligations alongside, but distinct from, Member State public sector bodies — notably the risk assessments in Article 29 and the procurement duties in Article 30. As CADA is a proposal, the wording could change before adoption.

Detail

CADA distinguishes between different public actors so that its sovereignty obligations reach EU-level bodies as well as national ones. "Union entities" is the term that captures the EU's own institutions and agencies.

The definition: Article 2(7)

As proposed, Article 2(7) provides:

"'Union entities' means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community".

The definition is broad. It is not confined to the principal institutions; it extends across the EU's administrative apparatus.

Examples

Institutions — for example the European Commission, the European Parliament, the Council of the European Union, the Court of Justice of the European Union and the European Central Bank.
Bodies, offices and agencies — decentralised or specialised bodies established under the treaties, such as the European Union Agency for Cybersecurity (ENISA), the European Data Protection Supervisor (EDPS), the European Medicines Agency and the European Border and Coast Guard Agency (Frontex).

When any of these procures cloud computing services or AI systems, it acts as a "Union entity" for CADA's purposes.

Why the distinction matters

CADA treats Union entities and Member State authorities as parallel actors with comparable but separately framed obligations. Defining Union entities separately ensures EU-level procurement follows the same sovereignty logic as national procurement, so the EU's own bodies are not a gap in the framework. Union entities feature in several places in the proposal:

Risk assessments (Article 29). Union entities, like public sector bodies, would carry out risk assessments to identify which of their activities contribute to the preservation of public order, which in turn sets the required Union assurance level.
Procurement (Article 30). For activities not identified as contributing to the preservation of public order, Union entities would use services recognised at Union assurance level 1; for activities that are so identified (in the NIS2 Annex I/II sectors or in national security, internal security, external border management, defence, justice or law enforcement), they would procure services recognised at level 2, 3 or 4.
Commission procurement activities (Article 37). The Commission may carry out procurement activities to procure data centre services, cloud computing services, software and AI systems for itself, for Union entities and for Member State contracting authorities, leveraging collective buying power.

Relationship with public sector bodies

Union entities are distinct from "public sector bodies" (Article 2(6)), which is defined by reference to Directive (EU) 2019/1024 and covers Member States' national, regional and local authorities and bodies governed by public law. Both groups are within CADA's framework, but they differ in their administrative and supervisory arrangements: Member States designate national competent authorities to oversee bodies in their territory, while Union entities operate within EU-level governance.

What this means for you

If you work in procurement, legal or IT strategy for an EU institution or agency, CADA would introduce specific requirements for how you buy and use cloud and AI services.

Mandatory risk assessments. You would conduct Article 29 risk assessments, identifying which activities contribute to the preservation of public order and mapping them to the required assurance level — rather than buying off-the-shelf without regard to sovereignty.
Procurement constraints. You would procure at the assurance level your assessment requires: level 1 for non-critical activities, levels 2–4 for activities tied to public order. This can narrow your provider options, particularly excluding services that cannot meet the higher tiers.
Common procurement. You may participate in procurement activities run by the Commission under Article 37, which can streamline buying while aligning with EU-wide specifications.
Open source. Under Article 41, Union entities are to encourage open standards and open-source solutions; weigh those options in architecture and procurement decisions.

Common misconceptions

"Union entities means just the Commission." No. Article 2(7) covers all Union institutions, bodies, offices and agencies — the Parliament, the Court of Justice, ENISA and others included.

"Union entities are automatically sovereign because they are European." As proposed, they are subject to the same assurance-level framework as Member State buyers. Being an EU body does not exempt an entity from procuring at the required Union assurance level.

"Union entities and public sector bodies are the same." They are defined separately. Public sector bodies (Article 2(6)) are Member State authorities and public-law bodies; Union entities (Article 2(7)) are EU-level bodies. The distinction affects which governance and supervisory arrangements apply.

This is general information about a draft EU regulation, not legal advice.