Summary As proposed in the Cloud and AI Development Act (CADA), Article 30 establishes a mandatory "sovereignty floor" for public sector bodies procuring cloud services for their own exclusive use, requiring specific Union assurance levels based on risk. Chapter IV (Articles 37–40) creates a voluntary, Commission-led joint procurement framework that allows entities to pool demand, leverage economies of scale, and benefit from deemed compliance with public procurement rules. Article 30 dictates what level of trust is required; Chapter IV offers a mechanism for how to buy it collectively. Crucially, entities using Chapter IV must still ensure the procured services meet the Article 30 assurance levels applicable to their specific activities.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a dual-track approach to public procurement of cloud computing services and AI systems. One track is a mandatory compliance obligation rooted in sovereignty risk (Article 30), while the other is an optional structural mechanism for collective buying (Chapter IV). Distinguishing between these two is essential for legal counsel, procurement officers, and public sector bodies to avoid non-compliance or missed efficiency opportunities.

Article 30: The Mandatory Sovereignty Floor for Exclusive Use

Article 30 applies specifically to contracting authorities and Union entities that procure cloud computing services for their exclusive use. It functions as a demand-side filter, ensuring that the infrastructure underpinning public sector activities meets a baseline of trustworthiness determined by the nature of the activity.

The obligation is tiered based on the outcome of the risk assessment required under Article 29:

  1. Baseline Requirement (Article 30(2)): For Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order, the regulation mandates the use of cloud computing services recognised as having at least Union assurance level 1. This serves as the minimum standard for all public procurement under CADA.
  2. Enhanced Requirement (Article 30(3)): For contracting authorities whose activities have been identified as contributing to the preservation of public order, the requirement is stricter. These authorities must procure only cloud computing services recognised as having Union assurance level 2, 3, or 4.
    • The regulation explicitly identifies these high-sensitivity areas as sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), and areas including national security, internal security, external border management, defence, justice, or law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

Derogations (Article 30(4)) Article 30(4) provides a narrow, exceptional pathway for authorities to procure services that do not meet the required assurance levels. A contracting authority may decide not to procure a recognised service only if one or more of the following conditions are met:

  • The subject matter cannot be supplied by recognised services available in the central repository (Article 22), no adequate or reasonable alternative exists, and this absence is not the result of an artificial narrowing of the procurement parameters.
  • The authority launched a similar procurement process within the previous year but received no suitable tenders or participants.
  • Applying the requirements would result in disproportionate cost.

It is vital to note that Article 30 is a standalone obligation. It applies to any public body procuring for its own use, regardless of whether it participates in any joint procurement scheme. It defines the substantive minimum trustworthiness threshold.

Chapter IV (Articles 37–40): The Commission-Led Joint Procurement Framework

Chapter IV establishes a voluntary, Commission-led framework for joint procurement. Unlike Article 30, which is a mandatory compliance rule for individual authorities, Chapter IV is a structural tool designed to overcome market fragmentation, pool demand, and leverage economies of scale.

Scope and Participants (Article 37) Article 37 empowers the Commission to act as a central purchasing body or a wholesaler for:

  • Union entities (institutions, bodies, offices, and agencies);
  • Contracting authorities of Member States; and
  • Partner organisations selected by the Commission.

These participants are collectively termed "participating entities." The Commission may procure services on their behalf, conclude framework contracts, operate dynamic purchasing systems, or acquire services to resell (or, in exceptional circumstances, donate) to these entities.

Legal Framework and Deemed Compliance (Article 39) A primary incentive for joining this framework is the simplification of legal compliance. Under Article 39(1), a participating entity is deemed to have fulfilled its obligations under applicable Union public procurement law when it acquires supplies or services through contracts awarded by the Commission under this Chapter.

  • This "deemed compliance" shields participating authorities from the administrative burden of running complex, high-value procurement procedures individually.
  • However, this procedural simplification does not exempt the entity from the substantive sovereignty requirements of CADA.

Governance and Fees (Articles 38 and 40) The framework is governed by an agreement entered into by the Commission and at least two Member States (Article 38). A Steering Committee, composed of the Commission and representatives of participating Member States, provides strategic oversight of the procurement agenda but does not manage daily operations.

Participating entities fund this framework through fees levied by the Commission (Article 40).

  • These fees are designed to cover all direct and indirect costs of the procurement activities, including the development and maintenance of the common procurement platform.
  • The fees must be set in advance, be proportionate to estimated costs, and be sufficient to cover those costs.
  • Revenues generated constitute internal assigned revenues for the Union budget, ensuring the mechanism is financially self-sustaining.

When Each Applies: The Interplay

The relationship between Article 30 and Chapter IV is not "either/or" but rather "mandatory baseline" plus "optional execution mechanism."

  • Article 30 applies universally to every public sector body procuring cloud services for its exclusive use. It is a mandatory compliance check: you must assess your risk (Article 29) and ensure the service you buy meets the corresponding Union assurance level (1, 2, 3, or 4).
  • Chapter IV applies only if you choose to participate. It is an optional mechanism to execute the procurement mandated by Article 30 (or other needs) more efficiently.

Crucial Interaction: A public authority participating in Chapter IV joint procurement must still ensure that the services awarded by the Commission meet the Union assurance levels required by Article 30 for their specific use case. The Commission, acting as the procuring entity, is obligated to ensure that tenders include the necessary sovereignty criteria to allow participating authorities to comply with Article 30. If a participating entity requires Level 3 services (due to law enforcement activities), but the Commission's joint tender only offers Level 2 services, that entity cannot use the joint framework for that specific requirement unless a derogation applies.

What this means for you

For in-house counsel and compliance officers, navigating CADA requires a two-step strategy that integrates both the mandatory floor and the optional framework:

  1. Conduct the Risk Assessment First (Article 29): Before initiating any procurement, your authority must complete the risk assessment to determine if your activities contribute to the preservation of public order. This determines your mandatory floor under Article 30. If you handle critical infrastructure or national security data, you cannot accept a service with only Union assurance level 1; you must seek level 2, 3, or 4.
  2. Evaluate Participation in Chapter IV: Assess whether joining the Commission's joint procurement framework offers strategic advantages. Benefits include reduced administrative burden (deemed compliance under Article 39) and potentially lower costs through economies of scale. However, participation requires accepting the Commission's governance structure and paying fees under Article 40.
  3. Verify the "Deemed Compliance" Scope: Remember that Article 39 only deems you compliant with public procurement procedural law. It does not automatically verify that the service meets the sovereignty criteria of Article 30. You must verify that the specific contract awarded by the Commission includes the assurance level your risk assessment demands.
  4. Monitor the Central Repository: If you do not participate in Chapter IV, or if you seek a derogation under Article 30(4), you must regularly consult the central repository of recognised services (Article 22) to verify that potential suppliers hold the necessary Union assurance level.
  5. Penalty Awareness: Non-compliance with Article 30's sovereignty requirements exposes your authority to penalties under Article 24, which Member States must ensure are "effective, proportionate and dissuasive." While Chapter IV participation simplifies procedural compliance, it does not absolve you from ensuring the underlying service meets the substantive sovereignty criteria of Article 30.

Common misconceptions

"Chapter IV replaces national procurement rules entirely."

  • Correction: Chapter IV does not replace the substantive requirements of CADA, such as the sovereignty levels in Article 30. It only simplifies the procedural compliance with public procurement law (Article 39). You must still buy a service that meets your risk-based assurance level.

"Article 30 only applies to high-risk sectors like defence."

  • Correction: Article 30 applies to all public sector bodies procuring for exclusive use. Even non-critical bodies must procure at least Union assurance level 1. The higher levels (2, 3, 4) are reserved for activities identified as preserving public order, but the baseline applies everywhere.

"Joint procurement is mandatory for all public bodies."

  • Correction: Participation in the Chapter IV framework is voluntary. Authorities may continue to procure individually, provided they comply with Article 30 and standard EU public procurement directives.

"The Commission sets the price of the cloud service."

  • Correction: The Commission acts as a central purchasing body or wholesaler. While it negotiates contracts, the fees charged to participating entities under Article 40 are strictly for cost recovery of the procurement activity (administration, platform, legal support), not for the cloud service itself. The price of the cloud service is determined by the market tender.

Related

This is general information about a draft EU regulation, not legal advice.