What counts as disproportionate cost in CADA procurement?

Summary Under the proposed Cloud and AI Development Act (CADA), a contracting authority may derogate from mandatory Union assurance levels only if applying the Regulation would require procuring services at "disproportionate cost" (Article 30(4)(c)). This exception is strictly limited to exceptional circumstances and must be duly justified. It is not a blanket waiver for budget constraints or a mechanism to avoid higher assurance levels simply because sovereign providers are more expensive. To invoke this, a public buyer must demonstrate that the cost imbalance is objectively gross and that the high cost is not the result of artificially narrowing the procurement parameters. Rigorous documentation of market analysis, cost-benefit comparisons, and the "exceptional" nature of the case is mandatory to withstand audit.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework for public procurement. Article 30 sets out the mandatory procurement obligations for cloud computing services. Specifically, Article 30(2) requires that public sector bodies whose activities do not contribute to public order procure services recognised at Union assurance level 1. More stringently, Article 30(3) mandates that contracting authorities whose activities do contribute to public order (e.g., national security, defence, law enforcement) must only procure services recognised at Union assurance levels 2, 3, or 4.

However, the proposal acknowledges that market realities may occasionally prevent immediate compliance. Article 30(4) provides three narrow derogations from these mandatory levels. The third derogation, found in Article 30(4)(c), addresses the issue of cost. It states that, "on an exceptional basis and where duly justified," a contracting authority may decide not to procure services recognised at the required assurance level where "applying the requirements of this Regulation would require the contracting authority to procure services at disproportionate cost."

The Legal Threshold: Defining "Disproportionate Cost"

The term "disproportionate" in EU law carries a specific, high threshold. It does not mean "expensive," "higher than the previous contract," or "outside the current budget." As proposed, the derogation requires a gross imbalance between the cost of compliance and the benefit achieved, or a cost that is fundamentally unreasonable relative to the authority's financial capacity or the specific contract value.

To successfully invoke Article 30(4)(c), a contracting authority must satisfy three cumulative conditions derived from the text:

1. Exceptional Basis: The situation must be rare and not routine. The derogation cannot be used as a standard justification for retaining incumbent non-sovereign providers simply because they offer lower prices. The "exceptional" nature implies that the market for sovereign cloud services is generally capable of meeting the need, but a specific, unique circumstance prevents it.
2. Duly Justified: The authority must provide a robust, evidence-based justification. A simple statement that "sovereign options are too expensive" is insufficient. The justification must explain why the cost is disproportionate in the context of the specific procurement.
3. No Artificial Narrowing: The high cost must not be the result of the contracting authority artificially narrowing the parameters of the procurement procedure. This is explicitly cross-referenced in Article 30(4)(a), which prohibits derogations where the absence of suitable services is "not the result of an artificial narrowing down of the parameters of the public procurement procedure." If the authority wrote specifications that only non-sovereign providers could meet, they cannot then claim the cost of a sovereign alternative is disproportionate.

Interaction with Other Derogation Conditions

The "disproportionate cost" derogation does not exist in isolation. It is one of three conditions in Article 30(4). A contracting authority must ensure that the cost argument is not being used to circumvent the spirit of the law.

• Availability vs. Cost: If no recognised service is available in the central repository (Article 22), the authority might look to Article 30(4)(a). If a service exists but no suitable tenders were received in a previous year, Article 30(4)(b) might apply. However, Article 30(4)(c) is distinct: it applies when a service is available and could be procured, but the cost is deemed disproportionate.
• Public Order Relevance: The threshold for "disproportionate" is significantly higher for activities identified as contributing to public order under Article 29(1). For critical sectors like defence or law enforcement, the public order benefits of a higher assurance level (Levels 2–4) are substantial. Therefore, a cost increase must be extreme to outweigh the risk of using a lower-assurance service.

Evidencing and Documenting the Assessment

The requirement that the derogation be "duly justified" imposes a heavy burden of proof on the contracting authority. Compliance officers must build a comprehensive "paper trail" that can withstand scrutiny from national competent authorities and the European Commission. The following elements are essential for the documentation:

1. Comprehensive Market Analysis:

   • Evidence that the authority searched the central repository established under Article 22 for all recognised services at the required assurance level.
   • Documentation showing that the authority contacted potential providers to confirm availability and pricing.
   • Proof that the high cost is not due to a lack of competition caused by the authority's own specifications (avoiding the Article 30(4)(a) trap).

2. Detailed Cost-Benefit Analysis:

   • A side-by-side comparison of the total cost of ownership (TCO) for the most suitable sovereign provider versus the non-sovereign alternative.
   • The analysis must quantify the "disproportionate" nature of the cost. For example, a 10% or 20% price increase is unlikely to qualify. The documentation must show a gross imbalance (e.g., a 300% increase for a marginal service difference) or a cost that would fundamentally jeopardise the authority's ability to deliver other essential public services.
   • Consideration of long-term risks (e.g., vendor lock-in, extraterritorial data access) as part of the "benefit" side of the equation.

3. Risk Assessment Context:

   • Reference to the risk assessment conducted under Article 29. If the activity is critical to public order, the authority must explicitly explain why the financial burden outweighs the specific public order risks identified in the assessment.
   • If the Commission has issued implementing acts specifying assurance levels for the activity (under Article 29(5)), the threshold for "disproportionate" is even higher, as the Commission has already deemed the risk significant.

4. Formal Justification Statement:

   • A written decision by the competent leadership of the contracting authority, explicitly citing Article 30(4)(c).
   • The statement must detail the "exceptional" circumstances and the specific reasons why the cost is disproportionate.
   • This decision must be kept in the procurement file and made available for audit.

Penalties and Oversight

While CADA does not set a fixed EU-wide fine for misusing this derogation, Article 24(1) mandates that Member States lay down rules on penalties for infringements of the sovereignty chapter that are "effective, proportionate and dissuasive." Misusing the disproportionate cost derogation could be deemed an infringement, exposing the authority to national fines and reputational damage.

Furthermore, Article 29(5) empowers the Commission to intervene. If the Commission concludes that a Member State's risk assessment (which triggers the assurance level requirement) is inadequate, or if it observes a pattern of derogations being used to avoid higher assurance levels for critical activities, it may adopt implementing acts to specify the required assurance levels. This could effectively override a national decision to use the cost derogation.

What this means for you

For in-house counsel, procurement officers, and compliance teams in the public sector, the "disproportionate cost" derogation is a high-risk tool that should be used only as a last resort.

1. Do Not Assume "Expensive" Equals "Disproportionate": A higher price tag is not a valid legal ground. You must conduct a formal, documented cost-benefit analysis that proves a gross imbalance.
2. Document the "Exceptional" Nature: Your procurement file must clearly articulate why this specific case is exceptional. If you are procuring standard IT services, the bar is extremely high. If you are procuring highly specialised services for a niche public order activity, the justification may be more plausible, but it still requires rigorous evidence.
3. Audit Your Specifications: Before claiming disproportionate cost, ensure your technical specifications are not written in a way that excludes sovereign providers. If you narrow the parameters to exclude them, you cannot then claim the remaining options are too expensive.
4. Prepare for Scrutiny: Store all market research, cost comparisons, risk assessments, and the formal justification statement. The "duly justified" requirement means you must be able to prove your decision-making process to national competent authorities and the European Commission.
5. Monitor Market Evolution: As the market for sovereign cloud services matures and more providers achieve Union assurance levels, the argument of "disproportionate cost" will become increasingly difficult to sustain. Stay updated on the central repository (Article 22) and emerging EU providers.

Common misconceptions

• Misconception 1: "Disproportionate cost" means "more expensive than our current contract."
  • Reality: It means the cost is grossly unreasonable relative to the benefit or the authority's capacity. A 20–30% price increase is likely not "disproportionate." A 500% increase for a marginal service improvement might be, but only if the service is truly exceptional.
• Misconception 2: We can use this derogation if no sovereign provider bids.
  • Reality: If no sovereign provider bids, you may fall under Article 30(4)(b) (no suitable tenders received). However, you must still justify why the cost is disproportionate if a sovereign provider exists but is expensive. You cannot ignore available sovereign options.
• Misconception 3: This derogation applies to all cloud services.
  • Reality: It applies strictly to the procurement of cloud computing services for exclusive use by the contracting authority (Article 30(1)). It does not apply to private sector entities, which are subject to different impact assessment rules under Article 31.
• Misconception 4: Once we use this derogation, we are exempt from CADA.
  • Reality: The derogation is specific to the assurance level requirement for that specific procurement. You are still subject to other CADA obligations, such as transparency, reporting, and the requirement to migrate within a reasonable transition period if a suitable service becomes available (Article 29(6)).

Related

• CADA Procurement: Can 'Disproportionate Cost' Justify Skipping a Sovereignty Tier?
• What counts as an innovative cloud or AI procurement under CADA?
• Will small public bodies be able to afford CADA procurement fees?
• Why does CADA add a Union added value criterion to procurement?
• Who pays for CADA procurement fees? Article 40 explained

This is general information about a draft EU regulation, not legal advice.