Summary Under the proposed Cloud and AI Development Act (CADA), a public contracting authority may derogate from mandatory Union assurance level requirements if a previous, similar procurement process failed to yield suitable results. Article 30(4)(b) specifically permits this exception if the authority launched a similar process within the previous year but received no suitable tenders or suitable participants. This "safety valve" prevents public service disruption while the sovereign cloud market matures, but it requires strict documentation and a "duly justified" rationale to prevent abuse.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for public-sector cloud procurement. Article 30 generally mandates that contracting authorities procure only cloud services recognized at Union assurance level 1 (for standard activities) or levels 2, 3, or 4 (for activities contributing to the preservation of public order, as determined by risk assessments under Article 29).

However, the Commission acknowledges that the market for fully sovereign, EU-based cloud services is still developing. To prevent public bodies from being forced to halt essential services due to a temporary lack of compliant vendors, Article 30(4) introduces specific derogations. These allow authorities to procure services that do not meet the standard assurance level requirements under exceptional circumstances.

The specific provision relevant to failed tenders is Article 30(4)(b). It states that a derogation is permissible where:

"the contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants"

This clause is distinct from other derogations because it ties the exception directly to the authority's own recent procurement history. It effectively creates a "market failure" defense: if the authority genuinely attempted to buy sovereign services recently and the market did not respond with viable options, the authority is temporarily relieved of the strict assurance level obligation.

The Three Pillars of Article 30(4)(b)

To validly invoke this derogation, a contracting authority must satisfy three cumulative conditions derived from the text of Article 30(4):

  1. Recency (The "Previous Year" Constraint): The prior procurement process must have been launched within the previous year. This temporal limit is critical. It prevents authorities from citing a failed tender from two or three years ago as a justification for bypassing sovereignty rules today. The regulation assumes that the market for sovereign cloud services evolves rapidly; therefore, a failure from 13 months ago does not necessarily reflect the current market reality. If the last attempt was outside this 12-month window, this specific derogation is unavailable.

  2. Similarity of Process: The prior process must be "similar" to the current procurement. This implies that the technical specifications, scale, scope, and intended use cases of the previous tender must be comparable to the current needs. An authority cannot cite a failed tender for a small-scale, low-risk email hosting service to justify bypassing assurance levels for a massive, high-risk national health data platform. The similarity ensures that the market failure is relevant to the specific requirements of the current project.

  3. Absence of Suitable Tenders or Participants: The authority must demonstrate that it "did not receive any suitable tenders or suitable participants." This covers two scenarios:

    • No bids received: The tender received zero responses.
    • No suitable bids received: Bids were received, but none met the mandatory Union assurance level criteria (as defined in Annex II) or other essential technical requirements.

    Crucially, if the authority received bids from sovereign providers but rejected them solely due to price, this derogation does not apply. In that case, the authority must look to Article 30(4)(c) (disproportionate cost) or proceed with the sovereign bids. "No suitable" refers to compliance with the assurance framework and essential technical needs, not commercial preference.

The "Duly Justified" Obligation

Article 30(4) opens with a mandatory condition: any decision to derogate must be "duly justified." This is not a formality; it is a substantive legal requirement.

For Article 30(4)(b), a "duly justified" decision requires robust evidence, including:

  • Proof of the prior tender: Documentation showing the launch date (to prove it was within the previous year) and the scope (to prove similarity).
  • Evaluation records: Detailed reports demonstrating why no tenders were suitable. If bids were received, the authority must show why they failed to meet the Union assurance level criteria (e.g., failure to prove data localization, lack of Union citizenship for personnel, or third-country control issues).
  • Market analysis: Evidence that the lack of suitable bids was due to genuine market conditions and not due to "artificial narrowing" of the tender parameters. Article 30(4)(a) explicitly warns against narrowing parameters artificially; this principle applies by extension to the justification of a failure under (b).

Interaction with Other Derogations and Mechanisms

It is vital to distinguish Article 30(4)(b) from the other exceptions in Article 30(4):

  • Article 30(4)(a) applies when the subject matter cannot be supplied by recognized services in the central repository (established under Article 22) and no adequate alternative exists. This is a static market availability check, independent of whether the authority launched a tender.
  • Article 30(4)(c) applies when applying the assurance requirements would result in "disproportionate cost." This is a financial test, not a market participation test.

Article 30(4)(b) is unique because it is procedural and historical. It validates the authority's effort to comply. It essentially states: "We tried to buy sovereign, we failed recently, so we are allowed to buy non-sovereign temporarily."

Furthermore, this derogation interacts with the risk assessment under Article 29. If an authority identifies an activity as contributing to public order (requiring Level 2, 3, or 4), and then invokes Article 30(4)(b), they are effectively procuring a service that does not meet the required assurance level. The "duly justified" documentation becomes the primary evidence that the authority is acting in good faith to preserve public order while navigating market constraints.

What this means for you

For public-sector procurement officers and legal counsel, Article 30(4)(b) is a critical, yet high-risk, tool for managing the transition to sovereign cloud services.

1. Maintain a "Derogation File"

If you anticipate needing to invoke this exception, you must maintain a dedicated file for every cloud tender launched in the last 12 months. This file should include:

  • The tender notice and specifications.
  • The list of all participants and their status (suitable/unsuitable).
  • The evaluation report explicitly stating why no bids met the Union assurance level criteria.
  • A timeline proving the launch date was within the 12-month window.

2. Verify the "Similarity"

Before citing a past failure, ensure the current procurement is truly similar. If the new project requires significantly higher security (e.g., moving from Level 1 to Level 3), a failed Level 1 tender from last year may not justify a Level 3 derogation. The "similarity" must be robust enough to cover the assurance level gap.

3. Avoid "Artificial Narrowing"

The most common reason for a derogation to be challenged is that the previous tender was designed in a way that excluded sovereign providers. If your previous tender required a specific proprietary technology that only a non-EU provider possessed, you cannot claim "no suitable participants." The parameters must be open to Union assurance level providers.

4. Understand the Temporary Nature

This derogation is not a permanent exemption. It is a bridge. Once invoked, the authority should immediately re-evaluate the market. If the market has not improved, the authority may need to rely on Article 30(4)(c) (cost) or adjust the technical specifications to make the service more accessible to sovereign providers.

5. Reporting Obligations

Member States are required to monitor and report on their procurement of innovation and barriers to SMEs under Article 33. Frequent use of the Article 30(4)(b) derogation may signal a systemic market gap. This data feeds into the Cloud and AI Leadership Initiatives (Title II) and the EuroCloud Federation (Article 34), which aim to expand the supply of sovereign services.

Common misconceptions

Misconception 1: "If we got no bids last year, we can buy any cloud service forever." False. The derogation is strictly tied to the timeline: "within the previous year." It is a temporary measure to ensure continuity of service while the market matures. You must reassess your needs and the market annually. If you launch a new tender next year and still get no bids, you must re-evaluate the justification; you cannot rely on the old failure indefinitely.

Misconception 2: "We can use this if the sovereign bids were too expensive." False. Article 30(4)(b) applies only when there are no suitable tenders or participants. If you received bids from sovereign providers but rejected them due to price, you cannot claim "no suitable tenders." In that scenario, you must look to Article 30(4)(c) (disproportionate cost) or accept the sovereign bids. Price is a commercial criterion, not a suitability criterion under the assurance framework.

Misconception 3: "We don't need to document why the previous tender failed." False. The regulation explicitly requires the derogation to be "duly justified." You must be able to show that the previous process was conducted properly, that the parameters were not artificially narrow, and that the lack of suitable bids was due to genuine market conditions. Without this documentation, the procurement could be challenged as non-compliant.

Misconception 4: "This applies to private sector entities." False. Article 30 applies specifically to "contracting authorities" and "Union entities." Private sector entities operating in high-criticality sectors (under Annex I of the NIS2 Directive) may conduct impact assessments under Article 31, but they are not subject to the same mandatory procurement derogations. The "no suitable bids" exception is a public procurement tool.

Misconception 5: "Any failed tender counts." False. The tender must be "similar" to the current one. A failed tender for a generic SaaS application cannot justify a derogation for a specialized, high-security national defense cloud. The technical and functional scope must align.

Related

This is general information about a draft EU regulation, not legal advice.