Summary Under the proposed Cloud and AI Development Act (CADA), a "public sector body" and a "Union entity" are distinct categories. As proposed, a public sector body is defined in Article 2(6) by reference to the Open Data Directive — covering the State, regional and local authorities, and bodies governed by public law. A Union entity is defined in Article 2(7) as the EU institutions, bodies, offices, and agencies established by the Treaties. Both face the same Union assurance levels, but the procedural rules differ: Union entities procure under the EU Financial Regulation, while public sector bodies procure under national procurement law.
Detail
CADA creates a unified framework for cloud autonomy and AI deployment, but it carefully separates actors at the Member State level from those at the EU level. For procurement officers and legal teams, the distinction matters because the administrative execution of risk assessment, procurement, and reporting differs, even where the technical assurance standards are identical.
The legal definitions
Public sector body (Article 2(6)). As proposed, Article 2(6) defines a "public sector body" by reference to Article 2, point (1), of Directive (EU) 2019/1024 (the Open Data Directive). That definition typically covers:
- the State;
- regional or local authorities;
- bodies governed by public law;
- associations formed by one or more such authorities or bodies.
In practice this covers most government IT purchasers — national ministries, regional health services, municipal councils, public universities — all operating under their Member State's jurisdiction.
Union entity (Article 2(7)). As proposed, Article 2(7) defines "Union entities" as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community." This includes the European Commission, the European Parliament, the Council, and EU agencies (for example ENISA or Europol). These operate at the supranational level and are subject to EU financial rules rather than national procurement directives.
Where CADA addresses them separately
The technical requirements (the Union assurance levels) apply to both, but CADA's demand-side measures reflect the legal divide.
1. Risk assessments (Article 29). As proposed, Article 29 obliges both Member States and Union entities to carry out risk assessments. These identify the public sector activities that contribute to the preservation of public order — in sectors under Annex I or II of the NIS2 Directive and in areas such as national security, internal security, external border management, defence, justice, or law enforcement — and determine which Union assurance level (2, 3, or 4) is appropriate. Article 29(1) provides that where Union entities and Member States share responsibilities, they should, where appropriate, consider carrying out the risk assessment jointly.
2. Public procurement (Article 30). As proposed, Article 30 applies to contracting authorities procuring cloud computing services for their exclusive use and, without prejudice to Article 136 of Regulation (EU, Euratom) 2024/2509, also to Union entities procuring for their exclusive use.
- Where activities have not been identified as contributing to public order, the entity must use services recognised at Union assurance level 1 (Article 30(2)).
- Where activities have been identified as contributing to public order, the contracting authority must only procure services recognised at Union assurance level 2, 3, or 4 (Article 30(3)). The procedural mechanism differs: Union entities procure under the EU Financial Regulation (Regulation (EU, Euratom) 2024/2509), while public sector bodies procure under national procurement law (e.g. Directive 2014/24/EU as transposed).
3. Common procurement framework (Articles 37-40). As proposed, Article 37 lets the Commission carry out procurement for Union entities, for contracting authorities of Member States, and for partner organisations it selects. Here the distinction becomes operational: Union entities and national public sector bodies can participate together to leverage collective buying power.
Key differences in practice
| Feature | Public Sector Body (Art. 2(6)) | Union Entity (Art. 2(7)) |
|---|---|---|
| Jurisdiction | Member State (national/regional/local) | European Union (supranational) |
| Procurement law | National procurement law (e.g. Dir. 2014/24/EU) | EU Financial Regulation (Reg. (EU, Euratom) 2024/2509) |
| Risk assessment | Carried out by the Member State (Art. 29) | Carried out by the Union entity (Art. 29) |
| Scope | Ministries, cities, public agencies | Commission, Parliament, Council, EU agencies |
| Assurance levels | Same (Annex II, levels 1-4) | Same (Annex II, levels 1-4) |
What this means for you
For public-sector procurement officers (national, regional, or local):
- You are a public sector body. Your obligations flow from your Member State's risk assessment under Article 29, which your national authorities carry out.
- Procurement strategy: Your tenders must require the Union assurance level mandated by that risk assessment — at least level 1, or levels 2-4 where public-order relevance is identified. The assurance level is mandatory, not a price trade-off.
- Common procurement: You may participate in the Commission's common procurement framework (Articles 37-40) to access negotiated contracts and reduce administrative burden.
For Union entity procurement officers:
- You are a Union entity. You face the same assurance standards but operate under different procedural rules (the EU Financial Regulation).
- Coordination: Where your activities intersect Member State responsibilities, consider carrying out the Article 29 risk assessment jointly.
- Centralised procurement: You can benefit from the Commission acting under the common procurement framework alongside participating Member State authorities.
Common misconceptions
- "Union entities are just another type of public sector body." No. CADA defines them separately in Article 2. Union entities are supranational institutions established by the Treaties; public sector bodies are national/regional entities under Member State law. The distinction drives which procurement rules apply.
- "Only national governments need to do risk assessments." Article 29 requires both Member States and Union entities to carry out risk assessments.
- "Small public sector bodies can ignore Union assurance levels." No. As proposed, where activities are not public-order-relevant, Article 30(2) still requires at least Union assurance level 1 for cloud services procured for exclusive use — there is no small-body exemption.
Related
- What is a public sector body under CADA?
- What the public sector body definition means for buyers under CADA
- Is a state-owned company a public sector body under CADA?
- How is a public sector body different from a contracting authority under CADA?
- Does a public sector body that builds its own cloud become a CSP under CADA?
This is general information about a draft EU regulation, not legal advice.