Summary Under the proposed Cloud and AI Development Act (CADA), Article 30(1) applies strictly to contracting authorities and Union entities procuring cloud computing services for their "exclusive use." This term defines a procurement where the service is dedicated solely to that specific authority, triggering mandatory risk assessments (Article 29) and the obligation to procure services recognized at specific Union assurance levels (Level 1 for general use; Levels 2–4 for public-order-relevant activities). Crucially, this provision does not apply to services shared through the EuroCloud Federation (Article 34) or procured jointly under the common procurement framework (Chapter IV, Articles 37–40). In those shared models, different governance and fee structures apply, and the direct "exclusive use" trigger of Article 30 is bypassed.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a tiered sovereignty framework for public sector cloud adoption. A pivotal threshold for activating the strict procurement mandates of Article 30 is the concept of "exclusive use." As stated in Article 30(1):

"This Article applies to contracting authorities that procure cloud computing services for their exclusive use. Without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509, this Article also applies to Union entities that procure cloud computing services for their exclusive use."

This provision creates a binary distinction in how public bodies acquire cloud services, determining which legal regime governs the transaction.

Defining "Exclusive Use" in CADA

In the context of CADA, "exclusive use" refers to a procurement arrangement where the cloud computing service is dedicated entirely to a single contracting authority or Union entity. It implies that the infrastructure, data processing, and service management are not shared with other public bodies or private entities in a way that would constitute a shared service model. When a public body procures a service for its exclusive use, it assumes full, direct responsibility for ensuring that the service meets the sovereignty requirements laid out in Article 30, including the applicable Union assurance level.

The legislative intent behind this distinction is to ensure that authorities with direct control over their infrastructure can be held accountable for the sovereignty risks associated with that specific procurement. If an authority chooses to procure a service solely for its own operations, it must independently verify that the provider meets the Union assurance criteria (e.g., establishment in the Union, data location, personnel citizenship) and that the service is recognized in the central repository.

The Distinction: Exclusive Use vs. Shared/Federated Procurement

The scope of Article 30 is explicitly limited to "exclusive use" to avoid duplicating or conflicting with the mechanisms established for shared public sector cloud adoption. CADA provides two primary alternative pathways that fall outside the scope of Article 30(1):

  1. The EuroCloud Federation (Chapter III): Established under Article 34, the EuroCloud Federation facilitates the sharing of public sector data centre and cloud services between Union entities and public sector bodies. Article 35 governs the sharing of services within this federation, allowing members to share capacity under specific conditions (e.g., the sharing entity must own the hardware or exercise control over the intermediate legal entity). Because these services are shared by definition, they are not procured for "exclusive use" by a single authority. Instead, they are governed by the federation's internal rules, the fee structures in Article 36, and the requirement that sharing be anchored in public interest without pecuniary interest.
  2. Common Procurement Framework (Chapter IV): Articles 37–40 establish a framework where the Commission acts as a central purchasing body for contracting authorities of Member States and partner organisations. Under Article 37, the Commission may procure services on behalf of multiple entities or act as a wholesaler. Article 39 clarifies that a participating entity acquiring services through this framework is deemed to have fulfilled its obligations under applicable Union public procurement law. These joint procurement activities are distinct from the "exclusive use" scenario because the procurement is centralized and the resulting service is intended for multiple beneficiaries, not a single exclusive user.

Consequently, if a contracting authority procures a service through the EuroCloud Federation or via a Commission-led joint procurement agreement, Article 30 does not apply directly to that specific transaction. The authority is instead subject to the conditions of the federation or the joint agreement, which may incorporate sovereignty requirements but operate under a different legal logic (cooperation and cost-recovery rather than direct sovereign procurement mandates).

Why "Exclusivity" Defines the Article 30 Trigger

The exclusivity requirement is the linchpin for the risk-based assurance model in CADA. The logic is as follows:

  • Direct Accountability: When an authority procures for exclusive use, it is the sole decision-maker regarding the provider and the service configuration. Therefore, it must bear the direct burden of compliance with the sovereignty framework.
  • Risk Assessment Linkage: The assurance level required depends on the outcome of a risk assessment under Article 29. Article 30(2) mandates that entities whose activities have not been identified as contributing to the preservation of public order must use services recognized at Union assurance level 1. Conversely, Article 30(3) requires that authorities whose activities have been identified as contributing to public order (e.g., national security, defense, law enforcement) must procure only services recognized at Union assurance levels 2, 3, or 4.
  • The Trigger: This risk-based obligation is only triggered if the procurement is for "exclusive use." If the service is shared, the risk assessment and assurance requirements are managed at the federation or joint procurement level, or the service is assumed to meet the baseline requirements of the shared framework.

Derogations for Exclusive Use Procurement

Even when a service is procured for exclusive use, Article 30(4) provides limited derogations. A contracting authority may decide not to procure a recognized service if:

  1. The subject matter cannot be supplied by recognized services available in the central repository (Article 22), and no adequate alternative exists, provided this is not due to artificial narrowing of parameters.
  2. A similar procurement process within the previous year yielded no suitable tenders.
  3. Applying the requirements would result in disproportionate costs.

These exceptions are narrow. The burden of proof lies with the authority to demonstrate that the market failure or cost disproportionality is genuine.

What this means for you

For in-house counsel, procurement officers, and compliance teams, the definition of "exclusive use" in Article 30(1) requires a strategic review of current and future cloud contracts.

  1. Audit Current Contracts: Identify all cloud computing services currently procured by your authority. Determine if they are for "exclusive use" or if they are part of a shared service model (e.g., a regional cloud federation or a consortium purchase). If they are for exclusive use, they fall squarely under Article 30.
  2. Verify Assurance Levels: For services identified as exclusive use, verify that the provider holds the correct Union assurance level. This requires checking the central repository established under Article 22. If your authority's activities are deemed to preserve public order (per your Article 29 risk assessment), you must ensure the service is at Level 2, 3, or 4. For non-public-order activities, Level 1 is mandatory.
  3. Prepare for Risk Assessments: Ensure your Article 29 risk assessment is up to date. This assessment dictates the minimum assurance level required for exclusive-use procurements. The assessment must be conducted by the date of entry into force plus one year, and thereafter every two years or whenever necessary.
  4. Distinguish from Shared Models: If you are considering moving to a shared model (like the EuroCloud Federation), understand that you are exiting the "exclusive use" scope of Article 30. You will instead be subject to the conditions of the federation (Article 35) and the fees associated with it (Article 36). This may offer cost benefits but requires adherence to different governance and security protocols.
  5. Document Justifications for Derogations: If you believe no suitable recognized service exists, document this thoroughly. Under Article 30(4), you must prove that the absence of services is not due to artificial narrowing of parameters and that you have attempted procurement in the previous year without success. Failure to properly justify a derogation could lead to non-compliance findings.

Common misconceptions

  • "All public sector cloud procurement is under Article 30." This is incorrect. Article 30(1) explicitly limits its scope to services procured for "exclusive use." Procurements conducted through the EuroCloud Federation (Chapter III) or joint procurement frameworks (Chapter IV) are governed by separate articles and conditions. While the sovereignty principles may still apply indirectly through the requirements placed on the federation or joint framework, the direct contractual obligations of Article 30 do not apply to the individual authority in the same way.

  • "Exclusive use means only one user." "Exclusive use" refers to the contracting authority as the sole customer of the service, not the number of individual end-users within that authority. A large ministry with thousands of employees using a dedicated cloud instance is still procuring for "exclusive use."

  • "If a provider is EU-based, it automatically meets the requirements." No. CADA introduces a formal recognition mechanism. A provider must submit an application for recognition to the national competent authority of establishment (Article 17) and be listed in the central repository (Article 22). Simply being established in the EU is a criterion for Union assurance level 1 (Annex II, 1.1(a)), but it does not constitute automatic recognition or compliance with the higher levels (2–4) which require independent audits (Article 20) and stricter criteria regarding data location, personnel, and third-country control.

  • "Derogations allow me to ignore sovereignty requirements indefinitely." Derogations under Article 30(4) are exceptional and temporary. They require specific justifications (e.g., market failure). They do not exempt the authority from the broader objectives of the Regulation. If the market evolves and recognized services become available, the authority must transition to compliant services.

Related

This is general information about a draft EU regulation, not legal advice.