Summary

Under the proposed Cloud and AI Development Act (CADA), a contracting authority is not newly defined but is anchored to the existing definition in Directive 2014/24/EU (Article 2(1), point 1). This scope encompasses state bodies, regional/local authorities, and bodies governed by public law procuring cloud computing services for their exclusive use. Crucially, Article 30(1) explicitly extends these obligations to Union entities (EU institutions, bodies, offices, and agencies) and Article 30(3) clarifies that the rules bind the authority even when acting through intermediaries or entities acting on their behalf. As proposed, these authorities must procure cloud services meeting specific Union assurance levels (1, 2, 3, or 4) based on risk assessments of public order relevance.

Detail

The definition of a "contracting authority" under the proposed CADA is a matter of legal cross-reference rather than a standalone creation. This approach ensures alignment with the established EU public procurement framework while layering specific sovereignty requirements on top.

The Legal Definition: Anchored in Directive 2014/24/EU

CADA does not reinvent the wheel regarding who constitutes a public buyer. Instead, Article 2(22) of the proposal explicitly defines "contracting authorities" by reference to Article 2(1), point (1), of Directive 2014/24/EU.

This means that any entity qualifying as a contracting authority under the 2014 Procurement Directives falls within CADA's scope when procuring cloud computing services or AI systems. This typically includes:

  • The State, regional, and local authorities.
  • Bodies governed by public law (e.g., public hospitals, universities, or regulatory agencies established for specific public needs).

Scope of Application: Exclusive Use and Union Entities

The trigger for CADA's procurement obligations is found in Article 30(1). The text states:

"This Article applies to contracting authorities that procure cloud computing services for their exclusive use. Without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509, this Article also applies to Union entities that procure cloud computing services for their exclusive use."

This provision establishes two critical boundaries for compliance:

  1. Exclusive Use: The obligations apply when the public body is the sole user of the service. This distinguishes CADA from regulations governing services provided to third parties or the general public.
  2. Union Entities: The scope is not limited to Member States. It explicitly includes Union entities, defined in Article 2(7) as Union institutions, bodies, offices, and agencies. This ensures that the European Commission, the European Parliament, and EU agencies are subject to the same sovereignty standards as national public bodies.

The "Acting on Behalf" Clause: Closing the Loophole

A common concern in public procurement is whether an authority can bypass strict rules by outsourcing the tender process to a central purchasing body, a consortium, or a third-party agent. Article 30(3) closes this potential loophole by stating:

"Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

This phrasing confirms that the legal responsibility for compliance rests with the contracting authority, regardless of who physically executes the tender. If a central purchasing body acts on behalf of a public hospital, the hospital remains the "contracting authority" for the purposes of CADA, and the procurement must meet the required assurance level. The "entities acting on their behalf" clause ensures that the sovereignty framework cannot be circumvented by delegating procurement tasks.

The Sovereignty Obligation: Tiered Assurance Levels

The definition of the authority is only the first step; the consequence is a tiered obligation based on the nature of the activity.

  • Baseline Requirement (Article 30(2)): For contracting authorities and Union entities whose activities are not identified as contributing to the preservation of public order, the minimum requirement is to use cloud services recognised as having Union assurance level 1.
  • Public Order Requirement (Article 30(3)): If a risk assessment (conducted under Article 29) determines that the authority's activities contribute to the preservation of public order (specifically in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), or in areas of national security, internal security, external border management, defence, justice, or law enforcement), the authority shall only procure services recognised as having Union assurance levels 2, 3, or 4.

This creates a direct link between the definition of the authority, the risk assessment of its activities, and the mandatory procurement standard.

What this means for you

For in-house counsel, procurement officers, and compliance teams, understanding the definition of a "contracting authority" under CADA is the prerequisite for a compliant procurement strategy.

1. Verify Your Status and Scope

First, determine if your organisation qualifies as a contracting authority under Directive 2014/24/EU. If you are a public body, a body governed by public law, or a Union entity, you are subject to CADA's procurement rules for all cloud and AI system acquisitions intended for your exclusive use.

  • Action: Review your legal status and the nature of your procurement activities. If you act as a central purchasing body, remember that Article 30(3) binds you to the requirements of the authorities you represent.

2. Map Activities to Risk Assessments

Before issuing a tender, you must determine if your activities contribute to the "preservation of public order." This is not a voluntary exercise. Article 29(1) requires Member States and Union entities to carry out risk assessments to identify which public sector activities require higher assurance levels.

  • Deadline: Member States must carry out these initial risk assessments by the date of entry into force plus one year, and thereafter every two years (Article 29(1)).
  • Action: Align your internal risk mapping with the national risk assessment results. If your activity falls under NIS2 sectors or law enforcement, you are likely subject to the Article 30(3) mandate for levels 2–4.

3. Update Procurement Specifications

Your tender documents must explicitly require the appropriate Union assurance level.

  • Standard Functions: Require Union assurance level 1 (Article 30(2)).
  • Critical Functions: Require Union assurance levels 2, 3, or 4 (Article 30(3)).
  • Action: Ensure that any "entity acting on your behalf" (e.g., a framework agreement holder or central purchasing body) is contractually bound to meet these specific assurance levels. The obligation follows the authority, not just the tenderer.

4. Verify Recognition in the Central Repository

You cannot simply ask a provider if they are "sovereign." Under Article 22, the Commission must establish and maintain a central repository of recognised services.

  • Action: Before awarding a contract, verify that the provider is listed in the central repository for the specific assurance level required. Procuring from a non-recognised provider constitutes a breach of CADA.

Common misconceptions

Misconception 1: "If we outsource procurement to a central purchasing body, we are exempt." False. Article 30(3) explicitly states that the rules apply to "Contracting authorities, including the entities acting on their behalf." The legal responsibility remains with the contracting authority. If the central purchasing body fails to procure a Level 2 service for a defence-related activity, the contracting authority is in breach.

Misconception 2: "Any EU-based provider is compliant." False. Being established in the EU is a necessary but insufficient condition. Under Article 16 and Annex II, providers must be formally recognised by a national competent authority as offering a specific Union assurance level. A provider might be EU-based but fail to meet the cybersecurity, data localisation, or personnel requirements for Level 2 or 3. You must verify the recognition status in the central repository.

Misconception 3: "CADA only applies to new contracts." False. While the regulation applies from one year after entry into force, Article 30 creates an ongoing obligation for procurement procedures. If a tender is launched after the application date, the assurance level requirements apply immediately. Furthermore, Article 29(6) mandates migration to a compliant service within a reasonable transition period (not exceeding 12 months) if a risk assessment requires a higher assurance level.

Misconception 4: "Private companies are contracting authorities." False. The definition in Article 2(22) is strictly tied to Directive 2014/24/EU, which applies to public bodies. Private companies, even those in critical sectors (NIS2 Annex I), are not "contracting authorities" under CADA. However, Article 31 allows them to carry out similar impact assessments, and the Commission may require risk mitigation measures for high-criticality private entities via delegated acts. But the strict procurement mandate of Article 30 applies only to public bodies and Union entities.

This is general information about a draft EU regulation, not legal advice.