Summary

For public-sector buyers, the defined terms in the proposed Cloud and AI Development Act (CADA) that matter most are "public sector body," "Union entities," and "contracting authorities" — all set out in Article 2 of the proposal. These definitions would determine which organisations are bound by CADA's procurement rules, its risk assessments, and the Union assurance levels it would require. Working out which label applies to you is the first step in understanding your obligations.

Detail

CADA, as proposed, sets up a framework intended to strengthen Europe's cloud and AI ecosystem. Its impact on public administration turns on a threshold question: who is bound by its rules? Article 2 ("Definitions") provides the terms that scope the regulation. For procurement officers and public-sector leaders, three of them are decisive: public sector body, Union entities, and contracting authorities.

Public sector body (Article 2, point 6)

CADA would define a "public sector body" by cross-reference to "public sector body as defined in Article 2, point (1), of Directive (EU) 2019/1024" (the Open Data Directive). In practice that directive covers the State, regional and local authorities, bodies governed by public law, and associations formed by such authorities or bodies.

This label matters because it identifies the buyers who would carry CADA's public-sector duties. Under the proposal, public sector bodies and Union entities are the entities required to carry out risk assessments (Article 29) and to procure recognised cloud computing services at the appropriate Union assurance level (Article 30). They are also the intended participants in the European public sector cloud federation ("EuroCloud Federation") established under Article 34, and they are subject to the open-source obligations in Article 41.

Union entities (Article 2, point 7)

CADA would define "Union entities" as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community."

This captures the EU's own administrative machinery — the Commission, the Parliament, the Council, and EU agencies. As proposed, the same procurement and risk-assessment duties that apply to Member State public sector bodies would apply to Union entities: they would carry out risk assessments under Article 29 and procure at the assurance level those assessments identify under Article 30.

Contracting authorities (Article 2, point 22)

For procurement officers, "contracting authorities" is often the most operationally significant term. CADA would define it by cross-reference to "contracting authorities as defined in Article 2(1), point (1), of Directive 2014/24/EU" (the Public Procurement Directive) — the State, regional or local authorities, bodies governed by public law, and associations of such authorities or bodies.

This is the term that triggers the procurement obligations in Article 30. As a baseline, Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order would have to use cloud computing services recognised under Article 17 as having Union assurance level 1 (Article 30(2)). Where a risk assessment under Article 29 identifies activities that do contribute to public order — in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) or in national security, internal security, external border management, defence, justice or law enforcement — contracting authorities would have to procure only services recognised as offering Union assurance level 2, 3 or 4 (Article 30(3)).

Separately, Article 32 ("Union added value") would require contracting authorities to include non-price award criteria, in procurement of innovative cloud computing services and AI systems, that assess the tenderer's contribution to a European cloud and AI ecosystem — for example, the use of software or hardware designed or manufactured in the Union.

What this means for you

For public-sector procurement officers, these definitions mark the boundaries of your responsibilities under the proposal.

  1. Confirm your status. Establish whether your organisation is a "public sector body" or a "contracting authority." A municipal department, national agency or public hospital will typically fall within these definitions, which would mean you could not simply pick on price — you would have to procure a service recognised at the required Union assurance level.
  2. Plan for risk assessments. As proposed, Member States and Union entities would carry out risk assessments under Article 29 to identify which activities contribute to the preservation of public order and which Union assurance level (2, 3 or 4) is appropriate. Activities touching public order would be restricted to the higher levels.
  3. Update procurement criteria. When drafting tenders for innovative cloud or AI services, build in the "Union added value" non-price criteria of Article 32. Consider the EuroCloud Federation (Article 34) as a route to share public-sector cloud and data centre services with other public bodies.
  4. Plan for open source. Article 41 would require Union entities and public sector bodies to encourage open-source solutions and, in specified cases, to make software they hold available for reuse under an open-source licence via a repository connected to the EU Open Source Solutions Catalogue.

Common misconceptions

  • "CADA only applies to large IT departments." The definitions of "public sector body" and "contracting authorities" are broad and include local authorities and specialised public bodies. If you procure cloud services or AI systems and fall within these definitions, the rules would apply regardless of size.

  • "Union assurance levels are optional best practices." As proposed, procuring a recognised service at the required level would be a legal obligation under Article 30, not a recommendation. Article 30(4) allows narrow, duly justified derogations — for example, where no recognised service in the central repository can supply the subject matter.

  • "Open source just means free software." Article 41 promotes open source for sovereignty and reuse, not merely cost. It does not preclude buying support or proprietary components; it would require public buyers to encourage open standards and open-source components when building their cloud and AI stacks.

This is general information about a draft EU regulation, not legal advice.