Summary

Under the proposed Cloud and AI Development Act (CADA), a "public sector body" is defined by reference to Article 2, point (1), of Directive (EU) 2019/1024 (the Open Data Directive) — see Article 2(6). For public-sector buyers, this definition is the threshold that switches on CADA's demand-side duties: procuring cloud services recognised at the appropriate Union assurance level and aligning cloud use with national sovereignty risk assessments.

Detail

The "public sector body" definition delimits which entities are bound by CADA's demand-side measures, especially around cloud procurement and sovereignty.

The definition. Article 2(6) CADA does not create a standalone definition; it provides that "'public sector body' means public sector body as defined in Article 2, point (1), of Directive (EU) 2019/1024." The Directive's text is not reproduced in the CADA corpus, so the precise wording should be read from the Directive itself; in broad terms it covers the State, regional and local authorities, bodies governed by public law, and associations formed by such authorities or bodies. The effect is to reach well beyond central-government ministries, capturing, where the criteria are met, public universities, hospitals and publicly controlled bodies.

Distinguishing related defined terms

  • Contracting authorities — defined in Article 2(22) by reference to Article 2(1), point (1), of Directive 2014/24/EU. There is substantial overlap with public sector bodies, but CADA uses the two terms for different obligations: procurement duties often attach to contracting authorities, while broader usage and adoption duties attach to public sector bodies.
  • Union entities — defined in Article 2(7) as the Union institutions, bodies, offices and agencies. They face parallel but distinct obligations.

How the definition triggers obligations

  1. Risk assessments (Article 29). Member States and Union entities must carry out risk assessments to identify public-sector activities that contribute to the preservation of public order in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, external border management, defence, justice or law enforcement, and to determine which Union assurance level (2, 3 or 4) is appropriate. These assessments are due within one year of entry into force and repeated every two years, or whenever necessary.

  2. Procurement at the right assurance level (Article 30).

    • Baseline. Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognised under Article 17 as having at least Union assurance level 1 (Article 30(2)).
    • Higher tiers. Contracting authorities (including entities acting on their behalf) whose activities have been identified as contributing to public order must only procure services recognised as having Union assurance level 2, 3 or 4 (Article 30(3)).
    • Derogations are possible only on an exceptional, duly justified basis — for example where no recognised service can supply the subject matter and no adequate alternative exists, or where compliance would require procurement at disproportionate cost (Article 30(4)).

  3. Union added value in procurement (Article 32). In procurement of innovative cloud services and AI systems, contracting authorities must include non-price award criteria evaluating the tenderer's contribution to the European cloud and AI ecosystem — but those criteria must be ancillary and not decisive (Article 32(2)).

  4. Open source (Articles 41-42). The Union and Member States must encourage public sector bodies to use and reuse open standards and components under open source licences (Article 41); when a public sector body makes software it owns available for reuse under an open source licence, it must do so via a catalogue connected to the EU Open Source Solutions Catalogue (Article 42, with the catalogue established under Article 43).

What this means for you

For public-sector procurement officers and IT directors, Article 2(6) is the first checkpoint.

  • Verify your status. Confirm whether your organisation is a public sector body under the Open Data Directive. Public hospitals, state research institutes and publicly controlled bodies will often fall in scope.
  • Map to the risk assessments. Your procurement obligations depend on whether your activities are identified as contributing to public order under Article 29. If they are, you would need recognised level 2–4 services; if not, you would still need at least recognised level 1.
  • Update tender documents. Under Article 32, build in Union added-value criteria as part of the quality evaluation — kept ancillary and not decisive, and linked to the subject matter.
  • Check the central repository. Before awarding, confirm the provider's service is listed as recognised in the central repository (Article 22) at the required level.
  • Plan migrations early. Where a risk assessment requires migration to another service, Article 29(6) sets a reasonable transition period not exceeding 12 months.

Common misconceptions

  • "Only government ministries are affected." Incorrect. Article 2(6) reaches a wide range of entities — including publicly controlled bodies, universities and hospitals — where the Open Data Directive's criteria are met.
  • "Public sector body and contracting authority are the same thing." They are related but distinct. CADA uses "contracting authority" for specific procurement rules and "public sector body" for broader adoption and usage rules.
  • "Any GDPR-compliant cloud service is fine." GDPR compliance is necessary but not sufficient. CADA adds a sovereignty layer (the Union assurance levels). A provider can be GDPR-compliant yet fail Annex II criteria — for example on infrastructure location or third-country control.

This is general information about a draft EU regulation, not legal advice.
