Summary

Article 31 and Article 33 of the proposed Cloud and AI Development Act (CADA) serve fundamentally different functions within the Act's "Autonomy" framework. Article 31 provides a voluntary mechanism for private-sector entities (specifically those in critical sectors under the NIS2 Directive) to conduct impact assessments regarding cloud sovereignty risks, with a potential pathway to mandatory status via Commission delegated acts. In contrast, Article 33 imposes a mandatory obligation on Member States to monitor, report, and actively promote the procurement of innovative cloud and AI services, setting a specific target to award at least 25% of such contracts to innovative SMEs. While Article 31 is a risk-management tool for the private sector, Article 33 is a market-shaping and reporting duty for the public sector.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dual-track approach to strengthening the European cloud ecosystem: one track focuses on the resilience and sovereignty of critical infrastructure (including private operators), while the other focuses on stimulating market innovation through public procurement. Articles 31 and 33, both located in Title IV (Autonomy), represent these two distinct tracks.

Article 31: Voluntary Impact Assessments for the Private Sector

Article 31, titled "Impact assessments," is designed to extend the logic of public-sector risk management to the private sector, but with a distinct voluntary character.

Scope and Actors: The provision applies to "entities referred to in Annex I of Directive (EU) 2022/2555" (the NIS2 Directive) who are not public sector bodies. This covers critical private operators in sectors such as energy, transport, banking, health, and digital infrastructure.

Nature of the Obligation: The text explicitly states that these entities "may carry out similar assessments as those set out in Article 29." Article 29 mandates public authorities to conduct risk assessments to determine the appropriate "Union assurance level" (Levels 2, 3, or 4) required for their cloud services. Article 31 allows private critical entities to adopt this same methodology voluntarily to evaluate their own exposure to third-country control, service disruption, or data access risks.

Commission Guidance and Future Mandates: While currently voluntary, Article 31 contains a "teeth" mechanism in paragraph 3. It empowers the Commission to adopt delegated acts if it concludes that entities in sectors of high criticality require an impact assessment due to specific circumstances. If such a delegated act is adopted, the assessment would become mandatory for the specified entities. Furthermore, the Commission may issue non-binding guidance on the methodology for these assessments and potential mitigation measures.

Purpose: The primary goal is to enable private critical operators to proactively identify sovereignty risks and align their cloud strategies with the Union's autonomy objectives before they are potentially mandated to do so. It serves as a bridge between voluntary market behavior and future regulatory requirements.

Article 33: Mandatory Monitoring and Reporting for Member States

Article 33, titled "Monitoring of procurement of innovation in cloud and AI," is a demand-side measure aimed at reshaping the public procurement market to favor European innovation and smaller players.

Scope and Actors: This article imposes obligations directly on Member States. It requires national authorities to monitor their own procurement activities and report annually to the Commission.

Mandatory Reporting Requirements: Member States must actively monitor and report on their use of "procurement of innovation" in cloud computing services and AI systems. The annual report to the Commission must include:

  • The size of the economic operators participating in such procurement.
  • SME participation trends, specifically the number of contracts awarded to SMEs, their share of the total contract value (as a percentage), and the share of cross-border SME participation.
  • Measures taken to improve SME access to public procurement procedures.

The 25% SME Target: A core component of Article 33 is the establishment of a quantitative objective. Member States "shall pursue as objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs." To achieve this, Member States must include specific plans in their national cloud and AI strategies (under Article 7) detailing how they intend to reach this target.

Promotional Measures: Beyond monitoring, Article 33 obliges Union entities and contracting authorities to actively facilitate SME participation. This includes:

  • Promoting preliminary market consultations.
  • Facilitating matchmaking between public buyers and innovative solutions provided by European SMEs and start-ups.
  • Developing public contract clauses that are favorable to innovative SMEs.
  • Improving access to procurement markets by identifying barriers and supporting simplified, proportionate strategies (e.g., dividing contracts into lots).

Core Differences at a Glance

| Feature | Article 31 (Private Impact) | Article 33 (Public Innovation) |
|---|---|---|
| Primary Actor | Private entities (NIS2 Annex I sectors) | Member States / Public Authorities |
| Legal Nature | Voluntary ("may carry out"); potentially mandatory via delegated act | Mandatory monitoring, reporting, and strategic planning |
| Primary Purpose | Risk management; assessing sovereignty dependencies | Market stimulation; boosting SME innovation uptake |
| Key Metric | Alignment with Union assurance levels (Levels 2-4) | 25% of innovation procurement awarded to SMEs |
| Reporting | No mandatory reporting to Commission (unless mandated later) | Annual reporting to the Commission on SME trends |
| Strategic Link | Links to Article 29 (Public Risk Assessment) | Links to Article 7 (National Strategies) |

What this means for you

For Private Sector Compliance Officers (NIS2 Entities)

If your organization operates in a critical sector (e.g., energy, finance, health) but is not a public body, Article 31 is a strategic opportunity rather than an immediate compliance burden.

  1. Voluntary Best Practice: Although the text says "may," conducting an Article 31-style impact assessment is a prudent step. It allows you to benchmark your cloud providers against the Union assurance levels (Levels 2-4) used by the public sector.
  2. Prepare for Delegated Acts: Monitor the Commission's guidance and potential delegated acts. If the Commission determines that a specific sector faces "high criticality" risks, the voluntary assessment could become a mandatory requirement overnight.
  3. Supply Chain Strategy: Understanding your own sovereignty risks now will prepare you for a future where public-sector clients (who are mandated by Article 30 to buy sovereign cloud) may demand proof of your own resilience or require you to use specific assurance levels.

For Public Procurement Officers and National Authorities

If you work for a Member State or a public contracting authority, Article 33 introduces a new layer of accountability regarding innovation and SMEs.

  1. Data Collection is Mandatory: You must establish systems to track the "size of economic operators" and specifically identify "innovative SMEs" in your cloud and AI tenders. This data must be aggregated and reported to the Commission yearly.
  2. The 25% Target: You are legally required to pursue a target where 25% of your innovation procurement in cloud and AI goes to SMEs. This is not a suggestion; it must be reflected in your national strategies (Article 7).
  3. Active Facilitation: You cannot simply wait for SMEs to apply. You must actively promote preliminary market consultations and matchmaking. Your procurement documents should include clauses that lower barriers for SMEs, such as dividing large contracts into lots.
  4. Distinction from Routine Procurement: Note that the 25% target applies specifically to procurement of innovation. Routine renewals of existing cloud services may not fall under this specific metric, but the monitoring framework requires you to distinguish between the two.

Common misconceptions

Misconception 1: Article 31 makes impact assessments mandatory for all private companies.

  • Correction: Article 31 currently uses the word "may," making it voluntary for private entities in NIS2 Annex I sectors. It only becomes mandatory if the Commission adopts a specific delegated act under paragraph 3 for sectors of high criticality. It is not a blanket mandate for all private companies.

Misconception 2: Article 33 applies to private vendors.

  • Correction: Article 33 imposes obligations on Member States to monitor and report. It does not directly regulate private vendors. However, it indirectly shapes the market by forcing public buyers to prioritize innovative SMEs, which changes the competitive landscape for vendors.

Misconception 3: The 25% target in Article 33 applies to all cloud spending.

  • Correction: The target applies specifically to "procurement of innovation" in cloud computing services and AI systems. It does not apply to standard, non-innovative renewals of existing infrastructure, though Member States must monitor all procurement to distinguish between the two.

Misconception 4: Article 31 assessments are identical to Article 29 risk assessments.

  • Correction: While Article 31 assessments are "similar" to Article 29 assessments, they differ in legal force. Article 29 assessments are mandatory for public bodies and directly trigger procurement obligations under Article 30 (requiring specific assurance levels). Article 31 assessments are voluntary for private entities and do not currently trigger a mandatory procurement requirement for those private entities, though they may inform future delegated acts.

This is general information about a draft EU regulation, not legal advice.