Summary Under the proposed Cloud and AI Development Act (CADA), procurement officers buying AI systems face a dual compliance obligation: they must ensure the underlying cloud infrastructure meets specific "Union assurance levels" determined by a risk assessment (Article 30), and they must include non-price award criteria evaluating the supplier's contribution to the European ecosystem (Article 32). Furthermore, officers must actively monitor and report on how their procurement supports small and medium-sized enterprises (SMEs) and innovation, with a specific objective to award at least 25% of relevant contracts to innovative SMEs (Article 33).

Detail

The Cloud and AI Development Act (CADA) fundamentally restructures public procurement for AI by treating the software (the AI system) and the infrastructure (the cloud) as an interconnected compliance chain. Because AI systems are frequently hosted and operated via cloud computing services, CADA mandates that the procurement of AI cannot be separated from the procurement of the sovereign cloud environment that supports it. The following provisions are the critical levers for procurement officers.

Mandatory Cloud Assurance Levels for AI Workloads

Article 30 establishes the core procurement obligation regarding the security and sovereignty of the infrastructure supporting AI systems. It mandates that all contracting authorities procure cloud computing services that have been recognised as offering at least "Union assurance level 1" under the CADA framework. This serves as the baseline for all public sector cloud procurement.

However, the required level is not static; it depends on the outcome of a mandatory risk assessment. Under Article 29, Member States and Union entities must assess public sector activities to determine if they contribute to the preservation of public order (e.g., national security, justice, law enforcement, or critical infrastructure). If a risk assessment identifies that an AI system's use case is critical to public order, the contracting authority is prohibited from using lower-tier services. Instead, Article 30(3) requires that they "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

This creates a strict dependency: the utility of an AI system is legally contingent on the sovereignty certification of its hosting environment. A procurement officer cannot simply select the most advanced AI model if the cloud provider hosting it lacks the necessary Union assurance recognition for that specific public-order-relevant use case. The AI system must be procured alongside, or verified to run on, a cloud service that meets the assurance level dictated by the risk assessment.

Union Added Value in Innovative Procurement

Article 32 introduces "Union added value" as a mandatory consideration in the quality evaluation of tenders for innovative cloud computing services and AI systems. This provision requires procurement officers to include non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, Article 32(1) and Article 32(3) require authorities to assess factors such as:

  • The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including results from Union-funded research and development programmes.
  • Whether the service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

These criteria must be "ancillary and not decisive" in the award of the contract (Article 32(2)(d)). This means they cannot override core technical and financial performance requirements, nor can they confer unrestricted freedom of choice on the contracting authority. However, they provide a structured, legally mandated mechanism for procurement officers to favor suppliers that reduce dependencies on non-European technologies, thereby supporting the EU's strategic autonomy. The criteria must be expressly set out in the procurement documents and linked to the subject matter of the contract.

Monitoring Innovation and SME Participation

Article 33 places an active monitoring and reporting burden on Member States regarding the procurement of innovation in cloud and AI. Procurement officers are expected to contribute to data collection that helps identify barriers to SME participation and to actively design strategies to improve access.

Under Article 33(4), Member States must pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. To achieve this, Article 33(2) requires authorities to use monitoring data to design "simplified, proportionate and SME-friendly procurement strategies," such as dividing contracts into lots. Procurement officers must therefore document their efforts to facilitate SME access and report on trends in SME participation, including the number of contracts awarded to SMEs, their share of the total contract value, and the share of cross-border SME participation (Article 33(3)). This transforms procurement from a transactional activity into a strategic tool for ecosystem development.

What this means for you

For public-sector procurement officers, CADA transforms AI procurement from a purely technical or commercial exercise into a strategic compliance activity. You must adjust your workflows in three key areas:

  1. Integrate Sovereignty Checks Early: Before drafting technical specifications for an AI system, you must consult with your national competent authority to determine the required Union assurance level for your specific use case. If your AI application involves sensitive data or critical public order functions, you must restrict your tender to cloud providers recognised under Article 30 as meeting Level 2, 3, or 4. Ignoring this renders the procurement non-compliant, regardless of the AI model's performance. You must verify the provider's status in the central repository established under Article 22.
  2. Draft New Award Criteria: Update your standard procurement templates to include the "Union added value" criteria mandated by Article 32. Clearly define how you will score a supplier's use of European-designed hardware or software. Ensure these criteria are explicitly set out in your procurement documents and are linked to the subject matter of the contract, avoiding unrestricted freedom of choice. Remember, these are quality criteria, not exclusionary rules.
  3. Track SME Metrics: Establish internal reporting mechanisms to track the share of AI and cloud contracts awarded to SMEs. Article 33 requires you to actively remove barriers for smaller providers. Consider using dynamic purchasing systems or dividing large AI infrastructure contracts into smaller lots to make them accessible to innovative European SMEs, and record this data for annual reporting to the Commission.

Common misconceptions

  • "CADA only applies to cloud providers, not AI buyers." Incorrect. While the technical audits apply to providers, Article 30 imposes direct obligations on contracting authorities (procurement officers) to only buy from recognised services. If you buy an AI system hosted on non-compliant infrastructure, you are in violation of CADA.
  • "Union added value means I must buy European products." Incorrect. Article 32 states that these criteria must be "ancillary and not decisive." You cannot use Union added value to exclude a technically superior or financially better bid from a non-European provider. It is a scoring factor to encourage European supply chains, not a mandatory exclusionary rule.
  • "The 25% SME target is a hard quota." Incorrect. Article 33(4) states that Member States shall "pursue as objective" that 25% of procurement be awarded to innovative SMEs. It is a policy target requiring active effort and reporting, not a strict legal quota that invalidates a procurement if missed. However, failure to demonstrate efforts to improve SME access may draw scrutiny during monitoring.
  • "AI systems are exempt from cloud rules." Incorrect. Because AI systems rely on cloud infrastructure, Article 30 applies to the procurement of the cloud services underpinning the AI. The AI system itself is subject to the AI Act, but the infrastructure hosting it is subject to CADA's sovereignty framework.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.