Summary
Under the proposed Cloud and AI Development Act (CADA), energy operators face a bifurcated regulatory landscape driven by the sector's classification as critical under the NIS2 Directive. For public energy bodies, the high systemic risk of energy infrastructure means their cloud activities will likely be deemed to "contribute to the preservation of public order." Consequently, Article 30(3) would mandate that they procure only cloud services recognised at Union assurance levels 2, 3, or 4. For private energy operators, while mandatory procurement rules do not apply, Article 31 provides a framework for voluntary impact assessments to manage similar sovereignty risks. Furthermore, Article 32 empowers public buyers to apply "Union added value" criteria, allowing them to prioritize innovative bids that strengthen the European digital supply chain, provided these criteria remain ancillary to technical and financial requirements.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sovereignty framework that intersects directly with the energy sector's existing regulatory obligations. The energy sector is explicitly listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555) as a sector of high criticality. This classification is the primary trigger for CADA's stringent procurement obligations, as the Act links public-order relevance directly to sectors covered by NIS2.
The Public Order Trigger: Why Energy Likely Requires Level 2-4
The core mechanism of CADA's procurement rules is the risk assessment mandated by Article 29. Member States and Union entities must identify public sector activities that contribute to the preservation of public order. Article 29(1) explicitly lists sectors falling under Annex I or II of the NIS2 Directive, including energy, alongside areas such as national security, defence, and law enforcement.
Given the critical nature of energy grids, the potential for service disruption to cause widespread societal harm, and the sensitivity of grid data, it is highly probable that national risk assessments will classify energy-related cloud activities as having "public order relevance."
If an activity is so classified, Article 30(3) imposes a strict procurement obligation:
"Contracting authorities... whose activities have been identified as contributing to the preservation of public order... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This creates a significant shift from current practices. Public energy operators would be prohibited from procuring standard commercial cloud services (which typically only meet Level 1 or no assurance level) for critical grid management, consumer data processing, or operational technology (OT) support. They would be restricted to providers who have undergone independent third-party audits and been formally recognised by national competent authorities as meeting the rigorous criteria for Levels 2, 3, or 4. These criteria include strict data localisation, personnel requirements, and guarantees against third-country control.
For public energy activities not identified as affecting public order (e.g., internal HR or non-critical administrative functions), Article 30(2) sets a baseline: they must procure services recognised at Union assurance level 1.
Private Energy Operators: The Voluntary Path Under Article 31
Private energy companies, while subject to NIS2 cybersecurity obligations, are not "contracting authorities" under CADA and thus are not bound by the mandatory procurement rules of Article 30. However, the Act recognises that private entities in critical sectors face identical geopolitical and operational risks.
Article 31 addresses this by allowing entities listed in Annex I of the NIS2 Directive to "carry out similar assessments as those set out in Article 29." These are voluntary impact assessments.
- Purpose: To identify risks related to third-country control, data access, and service continuity.
- Guidance: The Commission may issue guidance on the methodology for these assessments.
- Delegated Acts: In cases of specific high criticality, the Commission may adopt delegated acts specifying the need for such assessments and required mitigation measures for private entities.
While voluntary, these assessments are strategically vital. As public procurement shifts toward Level 2-4 providers, the market for high-assurance cloud services will expand. Private energy firms conducting these assessments can proactively align their supply chains with the emerging sovereign market, ensuring resilience and potentially qualifying for future public-private partnerships or joint procurement initiatives.
Union Added Value: Innovation in Procurement
Beyond the binary choice of assurance levels, Article 32 introduces a mechanism to drive European innovation through public procurement. For public energy operators procuring "innovative cloud computing services and AI systems," Article 32(1) requires the inclusion of non-price award criteria to evaluate the tenderer's contribution to the European ecosystem.
Article 32(3) specifies that these criteria must enable authorities to evaluate:
- Contributions to strengthening the digital technology supply chain in the Union.
- Integration of technologies developed in the Union.
- Use of hardware components designed or manufactured in the Union.
Crucially, Article 32(2) mandates that these criteria be "ancillary and not decisive." This means a public energy body cannot disqualify a bid solely because it lacks European hardware if the bid offers superior technical performance or lower cost. However, it allows the authority to award additional points to bids that demonstrate a commitment to European sovereignty, effectively using public spending to foster a more resilient domestic cloud industry.
What this means for you
For procurement officers, legal counsel, and CTOs in the energy sector, the proposed CADA framework requires immediate strategic preparation.
For Public Energy Bodies (Contracting Authorities)
- Initiate Risk Assessments Immediately: Do not wait for the regulation to enter into force. Work with your national competent authority to map your cloud use cases against Article 29. Given the NIS2 classification, assume that grid operations and critical data processing will be flagged as "public order" relevant.
- Audit Your Provider Portfolio: Verify the status of your current cloud providers in the central repository (to be established under Article 22). If your activities are deemed public-order relevant, you must migrate to providers recognised at Level 2, 3, or 4.
- Plan for Migration: Article 29(6) sets a transition period of "not exceed[ing] 12 months" for migrating to a compliant service. Start technical feasibility studies now to ensure you can meet this deadline without disrupting critical energy services.
- Revise Tender Documents: Update your procurement templates to include the Article 32 "Union added value" criteria. Ensure your evaluation matrices can score bids on their contribution to the European supply chain, while maintaining compliance with the "ancillary" requirement.
For Private Energy Operators
- Conduct Voluntary Impact Assessments: Utilise Article 31 to perform a self-assessment of your cloud dependencies. Identify where you rely on providers subject to third-country control or where data flows outside the EU.
- Monitor the Market: As public bodies shift to Level 2-4 providers, the supply of these services will grow. Aligning your strategy now with these standards will future-proof your operations and may offer competitive advantages in B2B contracts where public-sector clients demand sovereign supply chains.
- Engage with Guidance: Watch for Commission guidance on Article 31 methodologies. Early adoption of these standards can serve as a differentiator in the market.
Common misconceptions
"All energy cloud services must be Level 4." Reality: CADA is proportionate. The required level depends on the specific risk assessment outcome. While critical grid control might require Level 4 (highest sovereignty), less critical administrative functions might only require Level 2 or 3. The regulation does not mandate Level 4 for all energy activities automatically.
"Private energy firms are exempt from CADA." Reality: Private firms are exempt from the mandatory procurement rules of Article 30, but they are explicitly included in the scope of Article 31 for voluntary impact assessments. Furthermore, if a private firm supplies cloud services to a public energy body, it must meet the assurance level required by that public body.
"Union added value criteria allow us to exclude non-EU providers." Reality: Article 32(2) is explicit: non-price criteria must be "ancillary and not decisive." You cannot use these criteria to automatically disqualify a non-EU provider if they offer the best technical solution. The criteria are for scoring and evaluating contribution to the ecosystem, not for creating a protectionist barrier that violates EU internal market principles.
This is general information about a draft EU regulation, not legal advice.