Summary

Under the proposed Cloud and AI Development Act (CADA), existing public-sector cloud contracts are not automatically voided, but they must align with the new Union assurance levels within a defined transition period. As proposed, public procurement will be strictly tiered: entities with non-critical activities must use services recognized at Union assurance level 1, while those with activities contributing to the preservation of public order must procure services recognized at levels 2, 3, or 4. Member States and Union entities must conduct risk assessments to determine the appropriate tier. If migration is required, Article 29(6) mandates a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility and data portability.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a harmonized sovereignty framework designed to reduce the EU's dependence on non-European cloud providers and safeguard public order. For public-sector procurement officers, the most significant operational change is the mandatory alignment of cloud contracts with one of four "Union assurance levels." This section explains how these tiers function, how they apply to existing and new contracts, and the procedural steps required for compliance.

The Union Cloud Computing Sovereignty Framework

As proposed in Article 16(1), CADA establishes a "Union cloud computing sovereignty framework comprising four Union assurance levels." These levels define the criteria that cloud computing service providers must meet to offer their services to Union entities and public sector bodies. The criteria, detailed in Annex II of the proposal, range from basic establishment and data localization requirements (Level 1) to stringent controls on personnel citizenship, third-country control, and cybersecurity certification (Levels 2–4).

The framework is not merely advisory; it is a binding procurement requirement. Article 30 sets out the core obligations for contracting authorities, creating a two-tiered procurement regime:

  • Baseline Requirement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1.
  • High-Criticality Requirement: Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in sectors listed in Annex I or II of the NIS2 Directive, or in areas of national security, internal security, external border management, defence, justice, or law enforcement) must only procure services recognized as having Union assurance level 2, 3, or 4.

Determining the Appropriate Tier: Risk Assessments

Before a contracting authority can determine which tier applies to its contracts, it must perform a formal risk assessment. Article 29 obliges Member States and Union entities to carry out these assessments by the date of entry into force plus one year, and subsequently every two years or whenever necessary.

The risk assessment must identify public sector activities that contribute to the preservation of public order. It must consider:

  1. The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
  2. The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
  3. The risk and consequent impact on public order of possible service disruption.

Based on this assessment, the authority determines whether its activities fall under the baseline requirement (Level 1) or the heightened requirement (Levels 2–4). The Commission will provide guidance and methodology for these assessments via implementing acts. If the Commission determines that a Member State's identified assurance level is inappropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required Union assurance level.

Impact on Existing Contracts and Migration

A critical question for procurement officers is whether existing contracts must be terminated immediately. CADA provides a structured transition rather than an abrupt cutoff.

Article 29(6) explicitly addresses the migration of existing services. It states that if a risk assessment requires migration to another cloud computing service, the Member State or Union entity shall migrate within a "reasonable transition period that shall not exceed 12 months." This period must take into account technical feasibility, continuity of service, and data portability requirements applicable to such migration. This implies that existing contracts can continue during this transition window, provided a migration plan is actively underway and the deadline is respected.

Furthermore, Article 30(4) introduces derogations that allow contracting authorities, in exceptional circumstances and with a duly justified decision, to procure a service that does not hold a recognized assurance level. These circumstances include:

  • The subject matter of the tender cannot be supplied by recognized cloud computing services available in the central repository, and no adequate or reasonable alternative exists (provided the absence is not the result of an artificial narrowing of parameters).
  • The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or participants.
  • Applying the requirements would require the contracting authority to procure services at disproportionate cost.

These derogations are intended for short-term continuity and do not exempt authorities from the long-term obligation to align with the sovereignty framework.

Procurement and Added Value Criteria

Beyond the mandatory assurance levels, CADA influences the quality evaluation of tenders. Article 32 requires contracting authorities to include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. These "Union added value" criteria should assess:

  • Strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • Integration of technologies developed in the Union, including research and development results from Union-funded programmes.
  • The innovation required to deliver the service contributing to the security of supply.

While these criteria are ancillary and not decisive in the award of the contract, they provide a mechanism to favor European providers, further driving the market toward sovereign options. Article 33 also mandates that Member States monitor procurement of innovation and pursue an objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs.

The Central Repository

To facilitate compliance, the Commission will establish and maintain a central repository of recognized cloud computing services (Article 22). Procurement officers should use this repository to verify that a provider holds the necessary Union assurance level before contracting. Services recognized at Level 1 (via self-assessment for SMEs or standard conformity) or at Levels 2–4 (via independent third-party audit) are listed there. The repository is publicly available and regularly updated.

What this means for you

For public-sector procurement officers, the implementation of CADA requires a proactive review of your current cloud portfolio and future tender processes.

  1. Audit Current Contracts: Map your existing cloud contracts against the anticipated Union assurance levels. Identify which services handle data critical to public order (e.g., justice, defense, essential services) and which are non-critical.
  2. Prepare for Risk Assessments: Engage with your national competent authority and data protection officers early. The risk assessment mandated by Article 29 is the gateway to determining your procurement tier. Start documenting the sensitivity and criticality of your data now.
  3. Plan Migration Paths: If your current provider does not hold a recognized Union assurance level, begin exploring migration options immediately. The 12-month transition window is tight for complex data migrations. Ensure your contracts include robust data portability clauses to facilitate this move.
  4. Update Tender Documents: Revise your standard procurement templates to include the mandatory assurance level requirements. For critical sectors, explicitly require Level 2, 3, or 4 recognition. For non-critical sectors, require at least Level 1. Incorporate the "Union added value" criteria from Article 32 into your evaluation matrices to support European providers.
  5. Monitor the Central Repository: Once operational, the central repository will be your primary source of truth for verifying provider status. Build checks into your procurement workflow to confirm a provider's listed status before awarding contracts.

Common misconceptions

"All public sector cloud must be Level 4." Incorrect. Level 4 is reserved for the most sensitive activities, likely involving classified information or critical national security functions. Most public sector activities will require Level 1 (baseline) or Level 2/3 (public order relevance). The risk assessment determines the specific tier.

"Existing contracts are immediately illegal." Incorrect. CADA provides a transition period of up to 12 months for migration (Article 29(6)). Additionally, derogations exist for cases where no suitable alternative is available (Article 30(4)). However, long-term reliance on non-compliant providers is not permitted.

"CADA replaces the AI Act or GDPR." Incorrect. CADA complements existing laws. It does not replace the GDPR's data protection rules or the AI Act's safety requirements. Instead, it adds a sovereignty layer focused on operational autonomy and data control. Providers must still comply with all applicable EU laws.

"Only EU-based providers can qualify." Incorrect. While the framework favors EU sovereignty, Article 18 allows for the recognition of third countries for Level 3 assurance if they meet strict criteria (e.g., adequacy decisions, no extraterritorial data access laws). However, this is an exception, not the norm.

This is general information about a draft EU regulation, not legal advice.