What happens if a CADA procurement derogation is challenged?

Summary If a CADA procurement derogation is challenged, the contracting authority faces a high risk of annulment if it cannot prove the exception was "exceptional" and "duly justified" under Article 30(4). The burden of proof rests entirely on the authority to demonstrate that no recognised sovereign service existed, that previous tenders failed, or that compliance would cause disproportionate costs. Without robust, contemporaneous documentation of these facts, the derogation will likely be overturned by national courts or procurement review bodies. Weak justifications are not merely procedural errors; they are substantive grounds for invalidating the award.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigid sovereignty framework for public procurement. Under Article 30, contracting authorities are generally mandated to procure cloud computing services that meet specific "Union assurance levels" (UALs) determined by risk assessments under Article 29. However, Article 30(4) introduces a narrow derogation mechanism, permitting authorities to bypass these sovereignty requirements only under three specific, cumulative circumstances. Because this derogation directly undermines the Act's core objective of reducing third-country dependencies, it is subject to intense legal scrutiny.

The Legal Standard: "Exceptional" and "Duly Justified"

Article 30(4) explicitly states that a derogation is permitted "on an exceptional basis and where duly justified." This phrasing sets a high legal threshold. It is not a convenience clause for budgetary savings or administrative ease; it is an emergency valve reserved for genuine market failures or insurmountable technical barriers. To withstand a challenge, the contracting authority must prove that the derogation was strictly necessary and proportionate.

The three statutory grounds for derogation are:

1. Unavailability: The subject matter cannot be supplied by recognised services in the central repository (established under Article 22), and no adequate or reasonable alternative exists. Crucially, the authority must prove that this absence is "not the result of an artificial narrowing down of the parameters of the public procurement procedure" (Article 30(4)(a)).
2. Failed Tender: The authority launched a similar procurement process within the previous year but received no suitable tenders or suitable participants (Article 30(4)(b)).
3. Disproportionate Cost: Applying the CADA requirements would require the contracting authority to procure services at a "disproportionate cost" (Article 30(4)(c)).

The Challenge Mechanism: National Procurement Review

CADA does not create a new EU-level judicial body for procurement disputes. Instead, challenges to derogations fall under existing national procurement review mechanisms, which are harmonised by the EU Public Procurement Directives (specifically Directive 2014/24/EU).

If a competitor, a potential bidder, or a civil society group challenges a derogation, the national court or review body will examine whether the authority met the Article 30(4) criteria. The challenge typically focuses on three pillars:

• Procedural Regularity: Did the authority follow its own national rules for granting derogations and did it document the decision before the award?
• Substantive Justification: Was the "exceptional" nature of the situation proven with concrete evidence, or was it a pretext to use a cheaper, non-sovereign provider?
• Proportionality: Was the derogation limited in scope and duration to what was strictly necessary to address the specific failure?

If the court finds the justification weak, the consequences are severe. The court may annul the contract award, order a re-tender, or impose damages on the authority.

The Critical Role of Documentation in Defence

The primary defence against a challenge is robust, contemporaneous documentation. Article 30(4) requires the derogation to be "duly justified." This implies a formal, written record created before or at the time of the procurement decision, not retrospectively.

To survive a challenge, the procurement file must contain:

• Market Analysis: Evidence that a thorough search of the central repository (Article 22) yielded no results. This includes screenshots of the repository, dates of searches, specific criteria used, and records of any queries made to potential EU providers to demonstrate good faith.
• Technical Specifications: Proof that the procurement parameters were not artificially narrowed to exclude EU providers. This often requires expert testimony or technical audits showing that the requirements were driven by genuine operational needs, not vendor lock-in.
• Previous Tender Records: For the "failed tender" ground, the authority must produce the previous tender documentation, the bids received (or the lack thereof), and the evaluation reports explaining why they were unsuitable.
• Cost-Benefit Analysis: For the "disproportionate cost" ground, a detailed financial comparison between the cost of compliant sovereign services and non-compliant alternatives. The term "disproportionate" suggests a significant, unreasonable burden, not merely a slight premium.

Interaction with the Risk Assessment (Article 29)

The derogation does not exist in a vacuum. It interacts critically with the risk assessments mandated by Article 29. Member States and Union entities must conduct risk assessments to determine which activities require UALs 2, 3, or 4. If an authority uses a derogation to procure a lower-assurance service for a high-risk activity, it must explain why the risk assessment allowed for this exception. A challenge may argue that the risk assessment itself was flawed, thereby invalidating the basis for the derogation. The authority must demonstrate that the public order risk was mitigated through other means or that the specific activity did not actually trigger the higher assurance level despite the initial assessment.

Penalties and Consequences

While Article 24 outlines penalties for cloud computing service providers (such as fines for false reporting or non-compliance), it does not explicitly list administrative fines for contracting authorities that misuse derogations. However, the consequences for the authority are severe:

• Contract Annulment: The most common outcome of a successful challenge is the annulment of the procurement procedure, potentially leaving the authority without a service and liable for damages.
• Reputational Damage: Authorities found to have bypassed sovereignty rules without justification may face political and administrative scrutiny, damaging their credibility in future procurement rounds.
• Liability: If the annulment causes damage to competitors or the public purse, the authority may face liability claims under national law.
• Commission Intervention: If the Commission determines that a Member State is systematically misusing derogations, it could initiate infringement proceedings for failing to properly implement CADA's objectives, potentially leading to EU-level sanctions.

What this means for you

For in-house counsel and compliance officers, the risk of a challenged derogation is a significant operational liability. You must treat every Article 30(4) derogation as a potential litigation event.

1. Build the File Early: Do not justify the derogation after the fact. Begin documenting the market failure, technical constraints, or cost disparities during the planning phase.
2. Involve Legal Review: Before invoking a derogation, have legal counsel review the justification against the strict "exceptional" standard. Ensure the language used in the procurement documents aligns precisely with Article 30(4).
3. Audit the Repository: If claiming unavailability, perform and document a rigorous search of the central repository. Keep records of any queries made to potential EU providers to demonstrate good faith.
4. Monitor Previous Tenders: If relying on a failed tender, ensure the previous process was transparent and that the reasons for rejection were clearly documented and legally sound.
5. Prepare for Transparency: Be ready to disclose this documentation to review bodies or competitors. Redacting sensitive information is possible, but the core justification must remain visible.

Common misconceptions

• "Disproportionate cost" means any price difference: Incorrect. "Disproportionate" implies a significant, unreasonable burden. A 10-20% price premium for sovereign services is rarely considered disproportionate in the context of strategic autonomy.
• We can use a derogation if we prefer a specific vendor: Incorrect. Derogations are for market failures, not vendor preference. Using a derogation to favour a non-EU provider without a genuine lack of EU alternatives is a clear violation.
• The Commission approves derogations: Incorrect. CADA does not require prior Commission approval for individual derogations. The authority acts autonomously but must be prepared to justify its decision to national courts and, potentially, the Commission in later audits.
• A derogation voids the need for a risk assessment: Incorrect. The risk assessment (Article 29) remains mandatory. The derogation only relaxes the assurance level requirement; it does not remove the need to assess public order risks.

Related

• CADA Procurement Derogation: What if a previous tender received no suitable bids?
• What happens to surplus CADA procurement fee revenue?
• What evidence justifies a CADA procurement derogation?
• How do I document a CADA procurement derogation?
• Will small public bodies be able to afford CADA procurement fees?

This is general information about a draft EU regulation, not legal advice.