Summary

As proposed, the Cloud and AI Development Act (CADA) would fundamentally reshape the market for US hyperscalers bidding on EU public contracts by introducing a mandatory, tiered sovereignty framework. Public authorities whose activities are deemed relevant to "public order" would be legally required to procure only cloud services recognized at Union assurance levels 2, 3, or 4, effectively barring standard commercial offerings that rely on global infrastructure or third-country control. Furthermore, Article 32 would require contracting authorities to apply "Union added value" criteria in innovation procurements, tilting the competitive landscape toward providers that strengthen the European digital ecosystem. To be procurable at all, a service must first undergo a rigorous recognition process under Article 17.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a structured approach to cloud sovereignty that directly impacts how US hyperscalers and other non-EU providers can compete for public sector work in the European Union. The legislation aims to reduce strategic dependencies on third-country providers and ensure that critical public services remain under EU control. For US hyperscalers, the most significant changes stem from the mandatory risk assessments for public buyers, the tiered recognition system for cloud services, and new procurement award criteria that favor local ecosystem contributions.

The Sovereignty Framework and Public Procurement Obligations

At the heart of CADA's impact on procurement is the establishment of a Union cloud computing sovereignty framework comprising four assurance levels. This framework is designed to provide a harmonized set of criteria for trusted cloud services, addressing risks related to data sovereignty, operational continuity, and third-country jurisdiction.

Under Article 30, the proposal sets out strict obligations for contracting authorities regarding the procurement of cloud computing services. The requirements are bifurcated based on the results of national risk assessments:

  1. Baseline Requirement (Level 1): Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized at Union assurance level 1. This is the minimum baseline for all public procurement.
  2. Public Order Requirement (Levels 2–4): Article 30(3) explicitly mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order—including sectors falling under Annex I or II of the NIS2 Directive, as well as national security, internal security, external border management, defence, justice, and law enforcement—must only procure cloud computing services recognized as having Union assurance level 2, 3, or 4.

This distinction is critical. Many standard commercial cloud offerings from US hyperscalers, which often rely on global infrastructure and may be subject to third-country laws (such as the US CLOUD Act), may struggle to meet the stringent criteria for levels 2, 3, or 4 without significant structural changes. For instance, higher assurance levels require that infrastructure, assets, and personnel be located exclusively within the Union, and that customer data remain within the Union. Furthermore, providers subject to third-country control must demonstrate that such control does not compromise operational autonomy or allow for unauthorized access to data.

Recognition as a Prerequisite

To be procurable under these rules, a cloud service must first be formally recognized. Article 17 establishes the mechanism for this recognition. A cloud computing service provider must submit an application to the national competent authority of its establishment. For levels 2, 3, and 4, this process requires an independent third-party audit resulting in a "positive" audit opinion.

Only after a service is recognized across the Union at the appropriate assurance level can it be included in the central repository and subsequently procured by public authorities. This creates a high barrier to entry; US hyperscalers cannot simply offer their existing global services to EU public bodies. They must undergo a rigorous audit process, potentially restructuring their EU operations to ensure compliance with the specific localization and control requirements of the targeted assurance level. Without this recognition, a service is legally ineligible for procurement in the public order sector.

Union Added Value in Innovation Procurement

Beyond the sovereignty tiers, Article 32 introduces a new dimension to public procurement evaluation: "Union added value." In public procurement procedures for innovative cloud computing services and AI systems, contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These criteria allow authorities to assess:

  • The extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union.
  • Whether the service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

While these criteria are described as "ancillary and not decisive" in the award of the contract, they effectively tilt the competitive landscape. For US hyperscalers, this means that even if their service meets the technical and sovereignty requirements, they may score lower than EU-based competitors who can demonstrate deeper integration into the European industrial base. The proposal suggests a maximum weighting of 15 out of 120 points for these criteria, ensuring they remain proportionate but still influential in close bidding scenarios.

Risk Assessments and Migration

The obligation to procure higher assurance levels is not automatic for all public bodies; it is triggered by a risk assessment. Article 29 requires Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must consider the sensitivity of data, the risk of unlawful access by third countries, and the risk of service disruption.

If a risk assessment determines that a public body's activities require a higher assurance level, and the current provider does not meet the required level, the public body must migrate to a compliant service. The proposal allows for a reasonable transition period, which shall not exceed 12 months, taking into account technical feasibility and data portability. This creates a looming deadline for US hyperscalers currently serving critical public sector functions in the EU: they must either achieve recognition at the required level or face the loss of these contracts.

What this means for you

For US hyperscalers and other non-EU cloud providers operating in the EU, CADA signals a shift from a market-driven approach to a sovereignty-driven regulatory environment. The following actions are critical:

  1. Audit and Restructure for Recognition: You must evaluate your EU operations against the criteria for Union assurance levels 2, 3, and 4 in Annex II of the proposal. This likely requires segregating EU data and infrastructure from global systems, ensuring no third-country personnel have access, and demonstrating that your corporate governance prevents third-country interference. Prepare for independent audits as mandated by Article 20.
  2. Map Public Sector Exposure: Identify which of your current public sector clients fall under the "public order" definition. These clients will be required to migrate to level 2–4 services under Article 30(3). Engage with them early to understand their risk assessment timelines and migration plans.
  3. Leverage Union Added Value: If you bid for innovation procurements under Article 32, you must document your contribution to the EU ecosystem. This could involve highlighting local R&D, partnerships with EU hardware manufacturers, or the use of EU-developed software components. While you cannot change your corporate nationality, you can maximize points by demonstrating deep local integration.
  4. Monitor Competent Authorities: Since recognition is handled by national competent authorities of establishment (Article 25), you must engage with the authority in the Member State where your main EU establishment is located. Ensure you are prepared to submit the necessary evidence for conformity self-assessment (for level 1) or audit reports (for levels 2–4).

Common misconceptions

  • "All public cloud contracts are banned for US providers." This is incorrect. US hyperscalers can still bid for contracts at Union assurance level 1, provided they meet the criteria (e.g., being established in the EU, keeping data in the EU). However, they are barred from contracts involving public order relevance unless they achieve level 2, 3, or 4 recognition.
  • "Union added value is a quota for EU companies." Article 32 states that Union added value criteria must be "ancillary and not decisive." They are part of the quality evaluation, not a mandatory requirement to win. However, they do provide a competitive edge to EU-integrated providers.
  • "The US CLOUD Act automatically disqualifies US providers." While the extraterritorial reach of third-country laws is a key concern, CADA allows for a nuanced assessment. Under Article 18, the Commission may recognize third countries as providing sufficient assurances for level 3 if they meet specific criteria, including having an adequacy decision under the GDPR. However, this is a complex political and legal determination, and providers cannot rely on it without a formal Commission decision.
  • "CADA only affects new contracts." The migration clause in Article 29(6) requires public bodies to migrate existing services to compliant levels within 12 months if a risk assessment deems it necessary. This applies to incumbent providers as well.

This is general information about a draft EU regulation, not legal advice.