Summary
As proposed in the Cloud and AI Development Act (CADA), public buyers must follow a strict, four-step procurement checklist to safeguard public order and reduce third-country dependencies. This process requires: (1) conducting regular risk assessments under Article 29 to determine the necessary Union assurance level; (2) mandating at least Union assurance level 1 for all services, and levels 2–4 for public-order-relevant activities under Article 30; (3) verifying provider status in the central repository; and (4) applying specific Union added value criteria under Article 32. Buyers must also formally document any exceptional derogations from these rules under Article 30(4).
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised framework for the public procurement of cloud computing services and AI systems. For public-sector procurement officers, the Act moves beyond traditional cost-based evaluation to embed sovereignty, resilience, and strategic autonomy into the purchasing lifecycle. The core of this obligation rests on three key provisions: Article 29 (Risk Assessments), Article 30 (Public Procurement), and Article 32 (Union Added Value).
As a proposal, CADA would require contracting authorities to align their procurement strategies with a tiered sovereignty framework. The following sections detail the mandatory steps for compliance.
1. Conduct and Update Risk Assessments (Article 29)
Before procuring any cloud computing service, a contracting authority must determine the appropriate level of sovereignty required. This is not a one-time exercise but an ongoing obligation designed to ensure proportionality.
- Mandatory Timing: Member States and Union entities must carry out risk assessments within one year of the Regulation's entry into force, and thereafter every two years, or whenever necessary.
- Scope of Assessment: The assessment must identify public sector activities that contribute to the preservation of public order. This explicitly includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
- Determining Assurance Levels: The risk assessment must determine which Union assurance level (2, 3, or 4) is appropriate for the identified activities. The assessment must consider:
  - The sensitivity, criticality, and magnitude of non-personal data processed.
  - The nature, scope, context, and purpose of personal data processing, and the risk to the rights and freedoms of data subjects.
  - The risk of unlawful access to data by a third country or a legal entity established in a third country.
  - The risk of service disruption.
- Multi-Cloud Strategy: As part of this assessment, authorities must consider whether a multi-vendor or multi-cloud strategy is appropriate to enhance resilience and limit dependency on a single provider.
- Commission Guidance: The Commission will issue implementing acts specifying the methodology, templates, and elements to be taken into account, including how to use the highest level of assurance for the most critical public sector activities, such as defence.
2. Set the Minimum Assurance Level (Article 30)
Based on the risk assessment, Article 30 establishes mandatory procurement thresholds. Public buyers cannot simply choose the cheapest option; they must procure services that meet the specific assurance level dictated by the risk profile of the activity.
- Baseline Requirement (Level 1): For public sector bodies whose activities have not been identified as contributing to the preservation of public order under the risk assessment, the minimum requirement is to use cloud computing services recognised as having Union assurance level 1.
- Elevated Requirements (Levels 2–4): Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., defence, law enforcement, critical infrastructure) must procure only cloud computing services recognised as having Union assurance level 2, 3, or 4.
- Derogations: Article 30(4) allows for derogations from these requirements on an exceptional basis and where duly justified, but only if specific conditions are met (see the checklist below).
3. Verify via the Central Repository (Article 22)
To ensure compliance with Article 30, buyers must verify the status of the cloud computing service provider. The Commission will establish and maintain a central repository of cloud computing services recognised under Article 17. Procurement officers should use this repository to confirm that a provider holds the necessary Union assurance level before awarding a contract.
- Recognition Process: For Level 1, providers submit a self-assessment (EU statement of conformity). For Levels 2–4, providers must undergo independent third-party audits and receive a "positive" audit opinion.
- SME Derogation: For Union assurance level 1, the EU statement of conformity issued by SMEs shall be directly and automatically recognised in all Member States without prior recognition by the evaluating national competent authority.
- Revocation: The repository will also publish revocations of recognition, which must remain available for five years.
4. Apply Union Added Value Criteria (Article 32)
Beyond sovereignty levels, CADA introduces specific non-price award criteria to strengthen the European cloud and AI ecosystem. Article 32 requires contracting authorities to include these criteria in the quality evaluation of tenders for innovative cloud computing services and AI systems.
- Non-Decisive but Mandatory: These criteria must be ancillary and not decisive in the award of the contract, meaning technical and financial criteria remain primary. However, they must be expressly set out in procurement documents.
- Evaluation Factors: Authorities must evaluate the extent to which the tenderer:
  - Contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  - Has integrated technologies developed in the Union, including research and development results stemming from Union-funded programmes.
  - Delivers innovation that contributes to strengthening security of supply and the development of a European cloud and AI ecosystem.
  - Delivers the service, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union, or from a third country that contributes to strengthening security of supply.
- Weighting Guidance: While the Regulation does not set a fixed percentage, Recital 67 suggests that contracting authorities could consider a maximum weighting of 15 out of 120 points for these Union added value criteria, ensuring they remain proportionate.
5. Document Derogations (Article 30(4))
If a public buyer cannot find a recognised service that meets the required assurance level, it may derogate from the requirement, but only under strict conditions that are duly justified and documented. The conditions include:
- The subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository, and no adequate or reasonable alternative or comparable cloud computing service exists, and such absence is not the result of an artificial narrowing down of the parameters of the public procurement procedure.
- The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
- Applying the requirements of the Regulation would require the contracting authority to procure services at disproportionate cost.
What this means for you
For public-sector procurement officers, CADA transforms cloud procurement from a standard IT purchase into a strategic security exercise. Here is how you should adapt your workflows:
Integrate Risk Assessment into Procurement Planning
Do not wait for the tender process to begin. Ensure your organisation's risk assessment (per Article 29) is up to date before drafting tender specifications. If your department handles sensitive data or critical public order functions, you are likely bound to procure Union assurance levels 2, 3, or 4. Document this link explicitly in your procurement file, referencing the specific risk assessment that determined the required level.
Update Tender Evaluation Criteria
Review your standard tender templates to include the Union added value criteria from Article 32. Ensure your evaluation matrix allows for the assessment of supply chain strength, Union-developed technologies, and hardware origin. While these criteria should not outweigh technical performance, they provide a structured way to favour providers that strengthen EU sovereignty.
Verify Provider Status Proactively
Use the central repository (once established) as a primary filtering tool. If a provider claims to meet Union assurance level 1, 2, 3, or 4, verify this status in the repository. For Level 1, SMEs may have automatic recognition of their EU statement of conformity, but for Levels 2–4, a positive audit opinion and formal recognition are mandatory.
Prepare for Derogation Documentation
If you anticipate that no EU-based provider can meet your specific technical needs, prepare your justification early. Under Article 30(4), you must prove that you have attempted to procure recognised services and that the lack of supply is not due to overly restrictive tender parameters. Keep records of previous failed procurements to support any future derogation claims.
Train Your Teams on Multi-Cloud Strategies
Article 29 requires you to consider multi-vendor or multi-cloud strategies in your risk assessment. Procurement officers should be prepared to structure tenders that allow for splitting workloads across multiple sovereign providers to mitigate single-point-of-failure risks.
Common misconceptions
Misconception 1: CADA bans all non-EU cloud providers. This is incorrect. CADA does not impose a blanket ban on non-EU providers. Instead, it establishes a tiered sovereignty framework. Non-EU providers can still compete for Union assurance level 1 if they meet the criteria (e.g., being established in the Union, keeping data within the Union). For higher assurance levels (2–4), non-EU providers may be eligible if they are from an "associated third country" recognised under Article 18, which requires specific safeguards against third-country control and data access.
Misconception 2: Union added value criteria are optional "nice-to-haves". Article 32 makes it mandatory to include these criteria in public procurement procedures for innovative cloud and AI services. They are not optional extras; they are a statutory requirement to ensure that public spending contributes to the European digital ecosystem. However, they must be applied proportionately and cannot be the sole decisive factor for awarding the contract.
Misconception 3: Risk assessments are a one-time compliance task. Article 29 requires risk assessments to be carried out every two years, or whenever necessary. Given the rapid evolution of cloud technologies and geopolitical risks, a static assessment is insufficient. Procurement officers must ensure their risk assessments are dynamic and reflect current threats to public order and data sovereignty.
Misconception 4: Derogations are easy to obtain for convenience. Article 30(4) sets a high bar for derogations. You cannot derogate simply because a non-sovereign provider is cheaper or more convenient. You must demonstrate that no recognised service exists in the central repository, or that compliance would result in disproportionate costs. Artificially narrowing tender parameters to avoid sovereign providers is explicitly prohibited.
This is general information about a draft EU regulation, not legal advice.