Summary

Under the proposed Cloud and AI Development Act (CADA), Article 2(6) defines a "public sector body" by reference to Article 2, point (1) of Directive (EU) 2019/1024 (the Open Data Directive). That definition covers the State and regional and local authorities, bodies governed by public law, and associations formed by one or more such authorities or bodies. The classification matters because public sector bodies are the entities that would, as proposed, run cloud risk assessments (Article 29) and procure cloud services at the Union assurance level those assessments require (Article 30). As CADA is a proposal, the wording could change before adoption.

Detail

CADA places specific demand-side obligations on public buyers — chiefly the risk assessment and procurement duties in Title IV. To know whether those duties apply to an organisation, you first have to know whether it is a "public sector body".

The definition: an import from the Open Data Directive

As proposed, Article 2(6) does not create a new test. It provides that "public sector body" means a public sector body as defined in Article 2, point (1) of Directive (EU) 2019/1024 — the Open Data Directive. That source definition covers:

  1. the State, and regional or local authorities;
  2. bodies governed by public law; and
  3. associations formed by one or more such authorities or one or more such bodies governed by public law.

This is broad. It spans national governments down to municipal councils, and includes public-law bodies such as many public universities, hospitals and agencies that perform public tasks. (The precise boundaries of "body governed by public law" are a matter for the Open Data Directive and EU public-procurement case law, which CADA inherits.)

Why the classification matters

Being a public sector body is the trigger for CADA's core demand-side obligations. As proposed, these include:

  1. Risk assessments (Article 29). Public sector bodies (and Union entities) would carry out risk assessments to identify which of their activities contribute to the preservation of public order. The outcome drives the minimum Union assurance level required for the cloud services supporting those activities.
  2. Procurement (Article 30). Where activities have not been identified as contributing to the preservation of public order, the entity would use services recognised at Union assurance level 1. Where activities have been so identified — in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), or in national security, internal security, external border management, defence, justice or law enforcement — the entity would only procure services recognised at assurance level 2, 3 or 4. Article 30(4) allows narrow, justified derogations.
  3. Open source (Article 41). The proposal includes obligations for Union entities and public sector bodies to encourage the use of open standards and open-source solutions.
  4. EuroCloud Federation (Article 34). Public sector bodies may, on a voluntary basis, join the European public sector cloud federation to share data centre and cloud services.

Public sector bodies versus Union entities

CADA keeps "public sector body" distinct from "Union entities", defined separately in Article 2(7) as the Union institutions, bodies, offices and agencies set up by or pursuant to the TEU, the TFEU or the Euratom Treaty. In practice, a national ministry or a city authority is a public sector body, whereas the European Commission, the European Parliament or an EU agency is a Union entity. Both groups are subject to the same assurance-level logic in Articles 29 and 30, but they sit under different supervisory and administrative arrangements.

What this means for you

For public-sector and procurement officers, this definition is the starting point for CADA readiness.

  • Confirm your status. If you are a State, regional or local authority, or a body governed by public law (for example, many public hospitals or universities), you are likely a public sector body under the Open Data Directive definition that CADA adopts.
  • Prepare for the risk assessment. Plan to run the Article 29 assessment: map your cloud workloads and identify which of them support activities that contribute to the preservation of public order.
  • Update procurement criteria. Tender documents would need to specify the required Union assurance level, and you would verify that providers have been recognised at that level.
  • Consider open source. Article 41 points public bodies toward open standards and open-source solutions; factor that into procurement and architecture decisions.

Common misconceptions

  • "Public sector body means only government ministries." It is far broader — local and regional authorities and bodies governed by public law (public universities, hospitals, transport authorities and the like), plus associations of such bodies.
  • "CADA writes its own definition." It does not. Article 2(6) imports the Open Data Directive definition, keeping it consistent with the wider EU acquis.
  • "Only national government faces sovereignty rules." As proposed, the procurement duty in Article 30 reaches all public sector bodies, including small municipalities — even where their activities require only assurance level 1.
  • "Private companies are entirely outside this." Private firms are not public sector bodies. But under Article 31, entities in NIS2 high-criticality sectors that are not public sector bodies may carry out similar impact assessments, and the Commission may, in defined circumstances, require them to. The mandatory procurement duties, though, attach to public sector bodies and Union entities.

This is general information about a draft EU regulation, not legal advice.