Summary When the proposed Cloud and AI Development Act (CADA) enters into force, public cloud tenders will shift from voluntary best practices to mandatory sovereignty requirements. Contracting authorities must procure cloud services based on a risk assessment: Union assurance level 1 for standard activities, and levels 2, 3, or 4 for activities safeguarding public order. Additionally, tenders for innovative cloud and AI services must include non-price award criteria evaluating "Union added value," and Member States must begin monitoring and reporting annually on their procurement of innovation, with a specific target of awarding at least 25% of such contracts to innovative SMEs.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally restructures how public authorities in the EU procure cloud computing services and AI systems. While existing procurement directives govern the process of tendering, CADA introduces specific substantive requirements regarding the sovereignty, origin, and innovation impact of the services being purchased. These changes are anchored in three key provisions of Title IV: Article 30 (Public procurement), Article 32 (Union added value), and Article 33 (Monitoring of procurement of innovation).

Mandatory Assurance Levels Based on Risk (Article 30)

The most immediate operational change for tender specifications is the introduction of mandatory "Union assurance levels." Under Article 30, contracting authorities can no longer select cloud providers based solely on price or technical performance; they must first verify that the service meets specific sovereignty criteria defined in the regulation.

The required assurance level is not a choice but a legal obligation determined by a prior risk assessment conducted by the Member State or Union entity under Article 29. The regulation establishes a binary threshold based on the nature of the public sector activity:

  1. Standard Public Services: If a public sector body's activities have not been identified as contributing to the preservation of public order, they must procure cloud computing services recognized as offering Union assurance level 1 (Article 30(2)). This serves as the baseline requirement for all public procurement.
  2. Public Order Relevance: If a contracting authority's activities have been identified as contributing to the preservation of public orderβ€”specifically in sectors listed in Annex I or II of Directive (EU) 2022/2555 (NIS2) or in areas such as national security, internal security, external border management, defence, justice, or law enforcementβ€”they must only procure services recognized as offering Union assurance level 2, 3, or 4 (Article 30(3)).

This creates a mandatory floor for security and sovereignty. A tender document must explicitly require the winning bidder to hold a valid recognition for the appropriate assurance level. The regulation provides for limited derogations only in exceptional circumstances, such as when no recognized service exists for the specific subject matter, or if applying the requirements would impose disproportionate costs (Article 30(4)).

Union Added Value Criteria for Innovation (Article 32)

For tenders involving innovative cloud computing services and AI systems, Article 32 introduces a new dimension to the evaluation process. Contracting authorities are required to include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These criteria must adhere to strict conditions:

  • They must be linked to the subject matter of the contract.
  • They must be "ancillary and not decisive in the award of the contract," meaning they cannot outweigh technical or financial performance criteria (Article 32(2)).
  • They must be expressly set out in the procurement documents.

The regulation specifies that authorities must evaluate the extent to which the tenderer:

  • Contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • Has integrated technologies developed in the Union, including research results from Union-funded programs.
  • Delivers the service using critical computing, storage, and networking hardware components designed and/or manufactured in the Union, to the greatest extent feasible (Article 32(3)).

This shifts procurement strategy by formally recognizing and scoring "European added value" as part of the quality evaluation, encouraging providers to align their supply chains with Union strategic interests without compromising the primacy of technical and financial criteria.

Monitoring and Reporting Obligations (Article 33)

Beyond the tender process itself, Article 33 imposes ongoing obligations on Member States to monitor and report on their use of procurement of innovation in cloud and AI. This is not merely a procedural formality but a mechanism to ensure that public procurement actively supports the Union's industrial base and innovation capacity.

Key obligations include:

  • SME Targets: Member States must pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs (Article 33(4)).
  • Annual Reporting: Member States must inform the Commission annually on:
    • The size of economic operators participating in such procurement.
    • SME participation trends, including the number of contracts awarded to SMEs and their share of the total contract value.
    • Measures taken to improve SME access to public procurement (Article 33(3)).

Procurement officers must therefore ensure their internal systems can track these metrics, as this data will feed into national strategies and Union-level monitoring.

What this means for you

For public-sector procurement officers, the entry into force of CADA requires immediate adjustments to your tender planning, evaluation, and post-award management processes.

1. Update Your Risk Assessment Protocols Before drafting a new cloud tender, you must consult your national risk assessment (conducted under Article 29). You need to definitively classify your service: does it touch on public order, national security, or critical infrastructure?

  • If no, your tender must specify that bidders must hold a Union assurance level 1 recognition.
  • If yes, you must specify Union assurance level 2, 3, or 4. You cannot accept a level 1 service for these critical functions. Ensure your technical specifications reference the central repository of recognized services (Article 22) to verify bidders' status.

2. Revise Award Criteria for Innovative Projects If you are procuring innovative cloud or AI solutions, review your evaluation grid. You must add a specific criterion for "Union added value" as mandated by Article 32. Clearly define how you will score factors like the use of Union-designed hardware or software. Remember, this criterion must be "ancillary and not decisive," so it should be weighted appropriately within the overall quality score, subordinate to core performance requirements.

3. Implement SME Tracking Mechanisms Your procurement department must begin tracking the size of bidders and the value of contracts awarded to SMEs. Under Article 33, your Member State has a target of 25% award value to innovative SMEs. You will need to report this data annually to the Commission. Ensure your contract management systems can capture and categorize this data accurately from the start of the next fiscal cycle.

4. Verify Recognitions, Not Just Claims Do not rely solely on a provider's marketing claims about sovereignty. The regulation establishes a formal recognition mechanism. Your tender should require proof of recognition by the national competent authority. For Level 1, this may be a self-assessment statement, but for Levels 2-4, it requires an independent audit report. Verify these documents against the central repository maintained by the Commission.

Common misconceptions

Misconception 1: CADA bans non-EU cloud providers entirely. This is incorrect. CADA does not impose a blanket ban on third-country providers. Instead, it creates a tiered system. Non-EU providers can still compete for Union assurance level 1 contracts if they meet the criteria (such as being established in the Union or having infrastructure located in the Union, depending on the specific criteria in Annex II). For higher assurance levels (2-4), the criteria become stricter regarding data localization and personnel, but the framework is based on meeting technical and sovereignty criteria, not merely on the provider's nationality.

Misconception 2: "Union added value" is the primary factor in winning a tender. Article 32(2) explicitly states that the Union added value criteria must be "ancillary and not decisive in the award of the contract." This means a provider cannot win a tender solely because they use European hardware if their technical solution is inferior. The core technical and financial criteria remain paramount. The added value criterion is a tie-breaker or a bonus within the quality evaluation, not a replacement for performance.

Misconception 3: Only large public authorities need to worry about this. While large authorities handle significant budgets, the obligations apply to all "contracting authorities" as defined in the regulation. Furthermore, the monitoring obligations under Article 33 apply to Member States collectively, meaning even smaller local authorities contribute to the national data on SME procurement. All public buyers need to align their processes to ensure national targets are met.

Misconception 4: The assurance levels are permanent once awarded. Recognition is not static. Providers must undergo annual reviews for levels 2-4 (Article 20(8)), and must report material changes that could affect their status (Article 23). Procurement officers should include clauses in their contracts that require providers to notify the authority immediately if their assurance level is downgraded or revoked, triggering a migration or remediation plan.

Related

This is general information about a draft EU regulation, not legal advice.