Summary

As proposed, Article 30 of the Cloud and AI Development Act (CADA) would govern public procurement of cloud computing services bought for a contracting authority's exclusive use. Authorities (and Union entities) whose activities have not been identified as contributing to the preservation of public order would have to use services recognised at Union assurance level 1 (Article 30(2)); those whose activities have been so identified — in NIS2 sectors and in national security, internal security, external border management, defence, justice or law enforcement — could only procure services recognised at level 2, 3 or 4 (Article 30(3)). The classification flows from the Article 29 risk assessment. Article 30(4) provides narrow, duly justified derogations.

Detail

Article 30 of the proposed CADA sets the binding procurement rules that translate the Annex II assurance-level criteria into purchasing obligations for the public sector.

Scope (Article 30(1))

By its terms, Article 30 applies to contracting authorities that procure cloud computing services for their exclusive use. It also applies — "without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509" — to Union entities procuring cloud computing services for their exclusive use. The reference to Article 136 of the EU Financial Regulation preserves the existing Union-level rules (notably on exclusion situations and sensitive procurement) rather than displacing them.

The two-tier obligation

The obligation depends on whether an activity has been identified as contributing to the preservation of public order in the risk assessment under Article 29(1).

Baseline — level 1 (Article 30(2)). Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1." Recognition for level 1 rests on an EU statement of conformity (Article 17(3)); for SMEs, that statement of conformity is directly and automatically recognised across the Union without prior recognition by the evaluating national competent authority. The level-1 criteria in Annex II include EU establishment of the provider, location of infrastructure and assets in the Union (subject to the public body requiring otherwise), exclusive Union residency of customer data including metadata and telemetry (same caveat), state-of-the-art cybersecurity, and subcontractor transparency.

Public-order activities — levels 2, 3 or 4 (Article 30(3)). Contracting authorities (including entities acting on their behalf) whose activities have been identified under Article 29(1) as contributing to the preservation of public order "in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence," shall only procure services recognised at level 2, 3 or 4. For these levels, recognition under Article 17(4) requires an audit report and a "positive" audit opinion under Article 20, not merely a self-issued statement of conformity. Annex II layers progressively stricter conditions onto the higher levels, including conditions on third-country control of the provider and the audited service.

The link to risk assessments (Article 29)

Article 30 cannot be applied without the Article 29 risk assessments, which Member States and Union entities must carry out within one year of the Regulation's entry into force and every two years thereafter (or whenever necessary). Those assessments (a) identify which activities contribute to public order in the listed sectors and (b) determine which of levels 2, 3 or 4 is appropriate. The Commission specifies the methodology and templates by implementing act (Article 29(3)) and may, under Article 29(5), specify the required level if it finds a Member State's choice inadequate.

Derogations (Article 30(4))

By derogation from paragraphs 2 or 3, on an exceptional and duly justified basis, an authority may decide not to procure a recognised level 1, 2, 3 or 4 service where one or more of the following applies:

  • the subject matter cannot be supplied by recognised services available in the central repository (Article 22), no adequate or reasonable alternative or comparable service exists, and that absence is not the result of an artificial narrowing of the procurement parameters;
  • the authority launched a similar procurement within the previous year but received no suitable tenders or suitable participants; or
  • applying the Regulation's requirements would require procurement at disproportionate cost.

The derogation is conditional and carries a justification burden on the authority; it is not a route to favour a preferred non-recognised provider.

What this means for you

For in-house counsel and procurement leads, Article 30 inserts a compliance gate into the cloud procurement lifecycle.

1. Confirm the risk-assessment classification first. Establish whether the relevant activity has been identified under Article 29 as contributing to public order. That determines whether level 1 (Article 30(2)) or levels 2–4 (Article 30(3)) applies.

2. Check the central repository. Article 22 would establish a public repository of recognised services maintained by the Commission and national authorities. Procuring outside it, absent an Article 30(4) derogation, is a compliance risk.

3. Require the right evidence in the tender. For level 1, the EU statement of conformity; for levels 2–4, the audit report and positive opinion from an auditing organisation.

4. Track the technical criteria. The Annex II criteria can be amended by delegated act (Article 16(2)) and are reviewed at least every 18 months, so what "recognition" at a given level actually requires may change both before and after the Regulation applies.

5. Mind the boundary with penalties. Article 30 binds the buyer. Penalties under Article 24 are addressed to providers that infringe Chapter I; Member States must make them effective, proportionate and dissuasive. Buying a non-recognised service does not itself trigger Article 24, but it can expose the authority to procurement-law challenges and to unmet public-order safeguards.

Common misconceptions

"Level 1 is optional with a strong internal security policy." Incorrect. Article 30(2) makes level 1 the minimum for the relevant procurements, independent of internal measures; the level-1 criteria are sovereignty-specific (EU establishment, EU data residency) and go beyond generic cybersecurity.

"Encryption substitutes for the assurance level." Incorrect. The assurance-level criteria concern establishment, data location, subcontracting and third-country control. Encryption does not satisfy them.

"Private companies are directly bound by Article 30." Incorrect. Article 30 binds contracting authorities and Union entities. Private NIS2 entities may carry out similar assessments under Article 31, but Article 30's procurement obligation does not apply to them directly; Recital 66 notes likely spillover effects in regulated industries.

"The Article 30(4) derogations are easy to invoke." Incorrect. They are exceptional and require due justification; the no-alternative ground is defeated where the gap results from artificial narrowing of the tender parameters.

This is general information about a draft EU regulation, not legal advice.