Summary Under the proposed Cloud and AI Development Act (CADA), "contracting authorities" keeps its established meaning from EU procurement law. Article 2(22) defines the term by reference to Article 2(1), point (1), of Directive 2014/24/EU. For public buyers, this classification is the main trigger for CADA's mandatory procurement duties: procuring cloud services at the appropriate Union assurance level, conducting (or relying on) sovereignty risk assessments, and applying Union added-value criteria in tenders.

Detail

The legal definition in CADA

CADA does not invent a new definition for public buyers. Article 2(22) provides that "'contracting authorities' means contracting authorities as defined in Article 2(1), point (1), of Directive 2014/24/EU." That Directive's text is not reproduced in the CADA corpus, so the precise wording should be read from it; broadly, it covers the State, regional and local authorities, bodies governed by public law, and associations formed by one or more such authorities or bodies.

Why the definition matters for cloud procurement

Being a contracting authority is the threshold that activates CADA's demand-side procurement measures. Where the AI Act addresses the safety and fundamental-rights aspects of AI systems, CADA addresses the sovereignty, resilience and market structure of the underlying cloud infrastructure. For a contracting authority, CADA would impose specific rules on how cloud services are procured.

Triggered obligations: risk assessments and assurance levels

1. Risk assessments (Article 29). Member States and Union entities must carry out risk assessments to identify which public-sector activities contribute to the preservation of public order — in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, external border management, defence, justice or law enforcement — and to determine which Union assurance level (2, 3 or 4) is appropriate. These assessments are due within one year of entry into force and repeated every two years, or whenever necessary (Article 29(1)).

2. Procurement at the right assurance level (Article 30). Article 30 ("Public procurement") applies to contracting authorities (and Union entities) procuring cloud services for their exclusive use.

  • Baseline level 1. Union entities and public sector bodies whose activities have not been identified as contributing to public order must use services recognised as having at least Union assurance level 1 (Article 30(2)).
  • Higher tiers for critical activities. Contracting authorities (including entities acting on their behalf) whose activities have been identified as contributing to public order must only procure services recognised as having Union assurance level 2, 3 or 4 (Article 30(3)).
  • Derogations. On an exceptional, duly justified basis, a contracting authority may decide not to procure a recognised service — for example where no recognised service in the central repository (Article 22) can supply the subject matter and no adequate alternative exists, where a similar procurement in the previous year drew no suitable tenders, or where compliance would require procurement at disproportionate cost (Article 30(4)).

Union added value and innovation procurement

Union added value (Article 32). In procurement of innovative cloud services and AI systems, contracting authorities must include, as part of the quality evaluation, non-price award criteria that evaluate the tenderer's contribution to the European cloud and AI ecosystem (Article 32(1)). Those criteria can address strengthening the Union's digital supply chain (including software or hardware designed or manufactured in the Union), integration of Union-developed technologies, contribution to security of supply, and delivery through critical hardware components designed or manufactured in the Union where feasible (Article 32(3)). They must be linked to the subject matter, not confer unrestricted freedom of choice, be set out in the procurement documents, and be ancillary and not decisive (Article 32(2)). The proposal's recitals suggest contracting authorities could consider a maximum weighting of 15 out of 120 points for European added value, to keep it proportionate.

Innovation procurement monitoring (Article 33). Member States must monitor and report on their procurement of innovation in cloud and AI, and pursue as an objective that at least 25% of their procurement for cloud services and AI systems be awarded to innovative SMEs (Article 33(4)). Union entities and contracting authorities are to promote preliminary market consultations, matchmaking with European SMEs and start-ups, and SME-friendly contract clauses (Article 33(5)).

What this means for you

For public-sector procurement officers, Article 2(22) is a compliance checkpoint.

  1. Verify your status as a contracting authority under national law transposing Directive 2014/24/EU.
  2. Plan for risk assessments (Article 29) to determine the sensitivity of your cloud workloads and the assurance level you need.
  3. Update tender templates to include Union added-value criteria (Article 32), kept ancillary and not decisive and linked to the subject matter.
  4. Check the central repository (Article 22) before awarding, to confirm providers are recognised at the required assurance level.
  5. Plan for migration: where a risk assessment requires migrating to another service, Article 29(6) sets a reasonable transition period not exceeding 12 months.

Common misconceptions

  • "Only large ministries are affected." Incorrect. The definition includes regional and local authorities and bodies governed by public law (for example, public hospitals, universities and transport agencies) where the criteria are met.
  • "Union added value means buying European exclusively." Incorrect. Article 32(2) requires these criteria to be ancillary and not decisive. You cannot disqualify a superior bid solely for lower Union added value; the criteria sit within the quality evaluation, not as a pass/fail gate.
  • "Level 1 is optional for non-critical services." Incorrect. Article 30(2) requires that activities not identified as contributing to public order still use services recognised as having at least Union assurance level 1.
  • "SMEs are exempt from these rules." Incorrect. Article 33 sets an aspiration to award at least 25% of innovation procurement to SMEs, but an SME acting as provider must still meet the relevant assurance levels, and an SME acting as a public buyer must still follow the procurement rules.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.