Summary As proposed in the Cloud and AI Development Act (CADA), public-sector contracting authorities are generally mandated to procure cloud computing services that hold a specific Union assurance level. However, Article 30(4) provides a critical safety valve: if no recognised service exists in the central repository, authorities may derogate from these requirements. This exception applies only if three cumulative conditions are met: the subject matter cannot be supplied by recognised services; no adequate or reasonable alternative exists; and the absence is not the result of an "artificial narrowing" of the tender parameters. This mechanism prevents procurement paralysis while strictly guarding against market manipulation.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive sovereignty framework to reduce the EU's dependence on third-country cloud providers. A cornerstone of this framework is the Union cloud computing sovereignty framework (Article 16), which defines four assurance levels (1 to 4) based on criteria such as establishment, data localisation, personnel citizenship, and third-country control.

The General Procurement Obligation

Article 30 of the proposal sets out the binding rules for public procurement. The obligation is tiered based on the risk profile of the public activity:

  • Baseline Requirement: Union entities and public sector bodies whose activities do not contribute to the preservation of public order must procure services recognised at Union assurance level 1 (Article 30(2)).
  • Public Order Requirement: For activities identified as contributing to the preservation of public order (e.g., national security, defence, law enforcement), contracting authorities must procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).

To operationalise this, Article 22 mandates the Commission to establish and maintain a central repository of cloud computing services that have been formally recognised as offering these Union assurance levels. Contracting authorities are expected to source their cloud solutions exclusively from this list, ensuring a harmonised baseline of sovereignty across the Union.

The Derogation Mechanism: Article 30(4)

Recognising that the market for sovereign, recognised cloud services is currently in a developmental phase, the proposal includes a derogation mechanism to prevent procurement failure. Article 30(4) allows contracting authorities to decide not to procure a recognised service on an exceptional basis, provided they can justify the decision based on specific, cumulative circumstances.

The most critical provision for procurement officers facing a lack of suitable bids is Article 30(4)(a). As proposed, a derogation is permitted only if all of the following conditions are satisfied:

  1. Absence in Repository: The subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository referred to in Article 22.
  2. No Adequate Alternative: No adequate or reasonable alternative or comparable cloud computing service exists.
  3. No Artificial Narrowing: The absence of recognised services is not the result of an artificial narrowing down of the parameters of the public procurement procedure.

Additionally, the proposal outlines two other grounds for derogation:

  • Article 30(4)(b): The contracting authority launched a similar procurement process within the previous year but received no suitable tenders or suitable participants.
  • Article 30(4)(c): Applying the sovereignty requirements would require the contracting authority to procure services at disproportionate cost.

The "Artificial Narrowing" Safeguard

The prohibition against "artificial narrowing" in Article 30(4)(a) is a pivotal legal safeguard designed to preserve the integrity of the single market. It prevents contracting authorities from deliberately drafting overly restrictive technical or functional specifications to exclude existing recognised providers, thereby creating a false vacuum that justifies the use of a non-sovereign or unrecognised provider.

If a recognised provider exists in the central repository but is effectively excluded because the tender specifications were written to match a specific non-recognised vendor's unique, proprietary features, the derogation under Article 30(4)(a) would be invalid. The parameters of the procurement procedure must remain open, transparent, and non-discriminatory, allowing any recognised provider capable of meeting the genuine needs of the authority to compete. This ensures that the sovereignty framework drives market evolution rather than being circumvented by poor procurement design.

Procedural Requirements and Burden of Proof

While the text of Article 30 outlines the conditions, the implementation of these derogations imposes a rigorous burden of proof on the contracting authority. To lawfully invoke the exception, authorities must demonstrate that they have:

  • Consulted the Central Repository: Formally checked the repository (Article 22) to confirm that no suitable recognised service exists for the specific subject matter.
  • Conducted Market Analysis: Assessed the market to confirm that no "adequate or reasonable alternative" is available. This implies a proactive engagement with potential suppliers to prove that the gap is genuine and not a result of insufficient market research.
  • Validated Technical Specifications: Ensured that the technical requirements of the tender are aligned with the genuine needs of the public body and do not unfairly exclude recognised providers through restrictive parameters.

If these conditions are met, the authority may proceed with the procurement of a non-recognised service. However, this should be viewed as a temporary or exceptional measure. The broader strategic goal of CADA is to stimulate demand for recognised services; therefore, repeated reliance on derogations may attract scrutiny from national competent authorities or the Commission, potentially triggering enforcement actions under Article 24.

What this means for you

For public-sector procurement officers and legal counsels, the absence of recognised cloud services in the central repository does not automatically exempt you from sovereignty requirements, but it does provide a legally defined pathway to proceed. To navigate this correctly under the proposed CADA framework:

  1. Verify the Repository First: Before drafting the tender or deciding to invoke a derogation, you must formally check the central repository (Article 22). Document this search meticulously. If a recognised service exists that meets your needs, you cannot rely on Article 30(4)(a).
  2. Document the "Adequate Alternative" Test: You must prove that no other recognised service can meet your needs. This may require market research, Requests for Information (RFIs), or engagement with potential suppliers to confirm their inability to deliver. Keep detailed records of these interactions and the reasons for rejection.
  3. Audit Your Specifications for "Artificial Narrowing": Review your technical requirements to ensure they are not "artificially narrowed." Ask yourself: Could a recognised provider meet these specs if they adapted their solution? If the specs are tailored to a specific non-recognised vendor's proprietary features, you risk invalidating the derogation under Article 30(4)(a).
  4. Justify in the Procurement File: If you proceed with a non-recognised service, explicitly state in the procurement file which condition of Article 30(4) you are relying on. For Article 30(4)(a), clearly articulate why no adequate alternative exists and why the tender parameters were not artificially restrictive.
  5. Consider Alternative Grounds: If the issue is not just availability but cost, consider Article 30(4)(c) (disproportionate cost). If you previously failed to get bids, consider Article 30(4)(b) (failed previous tender). These provide additional layers of justification if the market is immature.

Common misconceptions

Misconception 1: "If no one bids, I can buy from anyone." Incorrect. The absence of bids from recognised providers does not automatically grant carte blanche. You must still prove that the lack of bids was not due to artificial narrowing of the tender specs (Article 30(4)(a)) and that no adequate alternative exists. If you narrowed the specs to fit a non-recognised vendor, the derogation is invalid.

Misconception 2: "I can ignore the central repository if I find a better deal elsewhere." Incorrect. The central repository (Article 22) is the primary source for identifying recognised services. You cannot bypass it simply because a non-recognised provider offers a lower price or faster delivery, unless you can demonstrate that no recognised service can meet the technical requirements (adequacy) or that the cost difference is disproportionate (Article 30(4)(c)).

Misconception 3: "Artificial narrowing only applies to price." Incorrect. Artificial narrowing refers to the parameters of the procurement procedure, including technical specifications, functional requirements, and eligibility criteria. It is a structural issue in how the tender is designed, not just a pricing issue.

Misconception 4: "This derogation is permanent." Incorrect. The derogation is for exceptional cases. As the market for recognised services matures, the expectation is that more providers will join the central repository. Repeated reliance on derogations may indicate a failure to plan for sovereignty requirements or a lack of market engagement.

Related

This is general information about a draft EU regulation, not legal advice.