Summary

As proposed, the Cloud and AI Development Act (CADA) would change how public authorities buy cloud services. Buyers would first run risk assessments to identify which of their activities contribute to the preservation of public order, then procure recognised "Union assurance level" services accordingly: Level 1 for ordinary activities, and Levels 2, 3 or 4 for public-order-relevant ones. Buyers would also have to include non-price "Union added value" criteria in tenders for innovative cloud and AI, while keeping those criteria ancillary. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.

Detail

The proposed CADA would create a procurement framework intended to reduce EU dependence on a few non-European cloud providers and safeguard public order. For public-sector buyers the core duties sit in three provisions: mandatory risk assessments (Article 29), procurement obligations tied to assurance levels (Article 30), and Union added value award criteria (Article 32).

Mandatory risk assessments (Article 29)

Before procuring, a buyer must understand the sensitivity of its operations. Article 29(1), as proposed, would require Member States and Union entities to carry out risk assessments by the date of entry into force plus one year, and thereafter every two years or whenever necessary. These assessments would:

  • identify the public sector activities, using or planning to use cloud services, that contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in the areas of national security, internal security, external border management, defence, justice or law enforcement; and
  • determine which Union assurance level — 2, 3 or 4 — is appropriate for those activities.

Under Article 29(2), assessors must consider at least: the sensitivity, criticality and magnitude of non-personal data processed and the nature of any personal-data processing; the risk and impact of unlawful access to data by a third country or an entity established there; and the risk and impact of service disruption. Article 29(6) adds that where the assessment requires migration to a different cloud service, migration must happen within a reasonable transition period not exceeding 12 months. Article 29(9) requires buyers to consider whether a multi-vendor or multi-cloud strategy is appropriate.

Procurement obligations by assurance level (Article 30)

The assessment result drives what a buyer may procure.

Baseline — Union assurance level 1. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognised under Article 17 as having Union assurance level 1. The Level 1 criteria in Annex II include the provider being established in the Union, infrastructure located in the Union, and customer data (including metadata and telemetry) remaining exclusively within the Union — in each case "unless the public sector body explicitly requires otherwise."

Higher tiers — Levels 2, 3 and 4. Under Article 30(3), contracting authorities whose activities have been identified as contributing to public order in the listed sectors and areas "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." The upper-level Annex II criteria are stricter; for example, Level 1 may permit a provider under third-country control subject to conditions, whereas Levels 3 and 4 require personnel involved in the service to be Union citizens and prohibit third-country control (the controlled provider may instead be audited only at a lower level, with conditions).

Derogations. Article 30(4) allows a buyer, on an exceptional and duly justified basis, not to procure a recognised service where: the subject matter cannot be supplied by recognised services in the central repository and no adequate alternative exists; a similar procurement in the previous year yielded no suitable tenders or participants; or applying the requirements would mean procuring at disproportionate cost.

Union added value criteria (Article 32)

Article 32(1) would require contracting authorities, in procurements for innovative cloud services and AI systems, to include non-price award criteria evaluating the tenderer's contribution to a European cloud and AI ecosystem. Under Article 32(3), authorities may evaluate the extent to which the tenderer: strengthens the Union digital supply chain (including software or hardware designed or manufactured in the Union); has integrated Union-developed technologies and Union-funded research results; contributes through its innovation to security of supply and the European ecosystem; and delivers the service, as far as feasible, through critical hardware components designed and/or manufactured in the Union, or from a third country that strengthens supply-chain security.

Article 32(2) requires these criteria to be linked to the subject matter, not confer unrestricted freedom of choice, be expressly set out in the procurement documents or contract notice, and remain "ancillary and not decisive in the award of the contract." A recital in the proposal notes that contracting authorities could consider a maximum weighting of 15 out of 120 points for such criteria, keeping them proportionate.

What this means for you

For procurement officers, CADA as proposed would add a structured, sovereignty-aware layer on top of normal procurement.

1. Conduct and document risk assessments. You cannot simply tender for cloud. First run the Article 29 assessment, mapping your activities against the NIS2 sectors and public-order areas. Activities touching, for example, law enforcement or critical infrastructure are likely to require Level 2, 3 or 4. Member States must provide the Commission with the results within three months of carrying out the assessment (Article 29(4)).

2. Verify levels in the central repository. Reference the required Union assurance level in your specifications and check the Article 22 central repository to confirm which services are recognised at that level. Procuring an unrecognised service for a level-restricted activity would breach Article 30.

3. Update your evaluation criteria. Build the Article 32 Union added value criteria into tender documents, scoring EU hardware, software and research. Define them clearly in the contract notice and keep them ancillary, to avoid challenges over unrestricted freedom of choice.

4. Plan for migration. If a current provider does not meet the required level, Article 29(6) allows a transition period of up to 12 months. Start planning exit and data-portability measures early.

Common misconceptions

"CADA bans all non-European cloud providers." No. CADA does not ban non-EU providers. A provider could in principle reach Level 1 by meeting the Annex II criteria (establishment in the Union, data kept in the Union, and so on). The upper levels are stricter — Levels 3 and 4 require Union-citizen personnel and prohibit third-country control — which may in practice exclude some incumbents unless they restructure. Article 18 also lets the Commission designate "associated third countries" whose controlled providers may be audited against the Level 3 criteria.

"All public bodies must use the highest level." No. Article 30 distinguishes ordinary activities from public-order-relevant ones. Most activities require only Level 1; only those identified under the Article 29 risk assessment in the sensitive sectors must use Levels 2, 3 or 4.

"Union added value is the main award criterion." No. Article 32(2) requires these criteria to be "ancillary and not decisive in the award of the contract." Performance-related technical and financial criteria remain primary; Union added value is a secondary weighting.

"CADA replaces the GDPR or NIS2." No. CADA would complement them. It does not displace GDPR's data-protection rules or NIS2's cybersecurity duties; indeed the Article 29 risk assessment references data sensitivity and third-country access. Compliance with CADA would not exempt a buyer from GDPR.

This is general information about a draft EU regulation, not legal advice.