CADA public procurement

Summary As proposed, the Cloud and AI Development Act (CADA) does not impose a blanket ban on non-EU cloud providers bidding for public contracts, but it creates a high-barrier "sovereignty gate" that significantly narrows their addressable market. Access is conditional on a service being formally recognised under the Union assurance framework (Article 17). While non-EU providers can technically compete for Union assurance level 1 contracts (non-public order), they face near-total exclusion from levels 2, 3, and 4 (public order) unless their parent country has a specific implementing act under Article 18 and they meet strict data-localisation and personnel requirements. Furthermore, even if recognised, non-EU providers face a scoring disadvantage under Article 32, where "Union added value" criteria (up to 15 points) favour EU supply chains. Crucially, Article 32(3)(d) permits third-country hardware only where EU alternatives are not feasible, and Article 32(2) ensures these criteria remain "ancillary and not decisive" to comply with WTO GPA safeguards.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally reshapes the EU public procurement landscape for cloud services. Its primary mechanism is not a direct exclusion of foreign entities, but a requirement that all public procurement be tied to a Union cloud computing sovereignty framework comprising four assurance levels. For a non-EU provider, the path to a contract is no longer just about price and technical merit; it is about proving that the service does not compromise the Union's strategic autonomy or public order.

1. The Gateway: Recognition Under Article 17

Before a non-EU provider can even submit a tender, their service must be recognised as offering a specific Union assurance level. This is a mandatory precondition under Article 30.

• The Mechanism: Article 17 establishes the recognition procedure. A provider must submit an application to the national competent authority of establishment.
• Level 1 (Baseline): Requires an EU statement of conformity (self-assessment) under Article 19. While less burdensome, Annex II (1.1) still requires the provider to be established in the Union. A non-EU provider must therefore establish a legal entity within the EU to qualify.
• Levels 2, 3, and 4 (High Assurance): These require independent third-party audits under Article 20. The provider must submit an audit report and a "positive" audit opinion to the competent authority. Article 17(4) explicitly mandates this for levels 2–4.
• The "Establishment" Trap: Annex II requires that for all levels, the provider and its subcontractors be established in the Union. For non-EU providers, this means setting up a subsidiary. However, for levels 3 and 4, Annex II (3.1(d) & 4.1(d)) further requires that personnel be Union citizens (conditional at Level 2 if the public body requires it; mandatory at Levels 3 and 4).

2. The Market Filter: Article 30 Procurement Mandates

Article 30 dictates which assurance level a contracting authority must procure based on a risk assessment under Article 29. This is the primary filter for non-EU providers.

• Non-Public Order (Level 1): Under Article 30(2), public bodies whose activities do not contribute to public order must procure services recognised at Union assurance level 1. This is the only tier where non-EU providers have a realistic, albeit narrow, chance, provided they have established an EU entity and met the baseline criteria.
• Public Order (Levels 2–4): Under Article 30(3), authorities procuring for activities contributing to public order (e.g., national security, defence, law enforcement, critical infrastructure under NIS2) must only procure services recognised at Union assurance levels 2, 3, or 4.
  • The Barrier: Achieving Level 2 requires a European cybersecurity certificate of at least "substantial" assurance (Annex II 2.1(e)). Levels 3 and 4 require "substantial" and "high" assurance respectively.
  • The Third-Country Control Derogation: Annex II (3.1(g)) states that providers subject to third-country control are generally barred from Level 3. However, it includes a critical derogation: a provider may be audited for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances.
  • Correction on Citation: While the text of Annex II (3.1(g)) contains a drafting slip referencing "Article 19" for this derogation, the correct legal basis is Article 18 ("Associated third countries"). Article 18(1) empowers the Commission to identify third countries where providers subject to their control may be audited for Level 3, provided the country has an adequacy decision, no laws enabling control over data/service continuity, and reciprocal market access. Without such an act, a non-EU provider controlled by a third country cannot achieve Level 3 or 4 recognition.

3. The Scoring Disadvantage: Article 32 Union Added Value

Even if a non-EU provider secures the necessary recognition, they face a structural disadvantage in the evaluation phase due to Article 32, which mandates "Union added value" criteria for innovative procurements.

Article 32(1) requires contracting authorities to include non-price award criteria evaluating the tenderer's contribution to the EU ecosystem. Article 32(3) details these criteria:

• (a) Strengthening the digital supply chain in the Union.
• (b) Integrating technologies developed in the Union.
• (c) Contributing to security of supply.
• (d) Delivering services using hardware components designed/manufactured in the Union.

The Hardware Exception (Article 32(3)(d)): Crucially, Article 32(3)(d) includes a feasibility clause. It states that hardware should be EU-designed/manufactured "to the greatest extent feasible with regard to market availability and technical requirements." Where this is not feasible, the criterion allows for hardware from a third country, provided it "contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem."

• Implication: Non-EU providers are not automatically disqualified for using non-EU hardware. However, they bear the burden of proof to demonstrate that EU alternatives are technically or commercially unavailable and that their third-country components still enhance, rather than undermine, EU security.

GPA Safeguards (Article 32(2)): To ensure these criteria do not violate international trade obligations (specifically the WTO Agreement on Government Procurement), Article 32(2) imposes strict limits:

• No Unrestricted Freedom (Art 32(2)(b)): The criteria must not confer unrestricted freedom of choice on the contracting authority. This prevents arbitrary discrimination.
• Ancillary and Not Decisive (Art 32(2)(d)): The Union added value criteria must be ancillary and not decisive in the award of the contract. This ensures that technical and financial criteria remain the primary drivers, with Union added value serving only as a secondary differentiator (e.g., a tie-breaker or a limited weighting, often capped around 15 points in practice, though the text does not specify a hard cap).

What this means for you

If you are a non-EU cloud provider targeting EU public contracts, CADA as proposed requires a fundamental restructuring of your market entry strategy. You cannot rely on "best price" alone; you must navigate a sovereignty-compliance maze.

1. Establish and Recognise First

You cannot bid without recognition.

• Action: Establish a legal entity in an EU Member State immediately.
• Action: Determine your target assurance level. If targeting critical infrastructure (Level 2+), engage an auditing organisation early.
• Action: If your parent company is in a third country, verify if that country has an implementing act under Article 18. If not, you are effectively barred from Level 3 and 4 contracts, limiting you to Level 1 (non-public order) or requiring a complete restructuring of your control chain.

2. Prepare Your "Union Added Value" Narrative

You will be scored against EU providers on supply chain resilience.

• Hardware Strategy: If you use non-EU chips or servers, prepare a robust technical justification under Article 32(3)(d) proving EU alternatives are not feasible. Simultaneously, demonstrate how your supply chain still contributes to EU security (e.g., through open-source contributions, local R&D, or secure manufacturing partnerships).
• Local Integration: Highlight any EU-based R&D, local data centres, or integration with EU-developed software stacks to maximise points under Article 32(3)(a) and (b).

3. Understand the "Ancillary" Limit

Do not assume the "Union added value" criteria will decide the contract.

• Strategy: Focus on technical excellence and cost efficiency. The criteria under Article 32(2)(d) are ancillary and not decisive. A non-EU provider with superior technical performance and lower cost can still win, provided they meet the baseline recognition requirements.
• Monitoring: Watch for tender documents that attempt to weight these criteria too heavily. Article 32(2)(b) prohibits "unrestricted freedom of choice," meaning authorities cannot arbitrarily set criteria that effectively exclude all non-EU bidders without objective justification.

4. Risk Assessment is Key

Your eligibility depends on the contracting authority's Article 29 risk assessment.

• Action: Engage with public bodies early to understand their risk assessment outcomes. If a body has classified its activity as "public order" (requiring Level 2+), and you cannot meet the Article 18 third-country control criteria, you should not waste resources bidding.

Common misconceptions

Misconception 1: "CADA bans all non-EU providers." Reality: CADA does not ban non-EU providers. It requires recognition under the Union assurance framework. Non-EU providers can bid for Level 1 contracts (non-public order) if they establish an EU entity. For higher levels, they can bid if their home country has an Article 18 implementing act and they meet strict criteria.

Misconception 2: "Using non-EU hardware automatically disqualifies a bid." Reality: Article 32(3)(d) explicitly allows third-country hardware where EU alternatives are not feasible due to market availability or technical requirements. The key is proving that such use still strengthens the EU's security of supply.

Misconception 3: "Union added value criteria will guarantee EU providers win." Reality: Article 32(2)(d) mandates that these criteria be ancillary and not decisive. They cannot override technical and financial performance. Furthermore, Article 32(2)(b) prevents authorities from using these criteria to exercise "unrestricted freedom of choice," ensuring a level playing field compliant with WTO GPA.

Misconception 4: "Article 19 allows third-country control for Level 3." Reality: This is a common confusion due to a drafting slip in Annex II (3.1(g)) which incorrectly cites "Article 19". The correct legal basis for the Commission to identify third countries allowing Level 3 recognition is Article 18 ("Associated third countries"). Article 19 strictly governs conformity self-assessment for Level 1.

Related

• CADA Procurement Derogations: When can a public buyer avoid assurance-level requirements?
• Can a public body buy non-recognised cloud under CADA?
• Can a non-EU provider partner with an EU SME to bid under CADA?
• Will small public bodies be able to afford CADA procurement fees?
• CADA Procurement Compliance: Who is Responsible in a Public Body?

This is general information about a draft EU regulation, not legal advice.