Summary As proposed, the Cloud and AI Development Act (CADA) introduces a powerful "deemed compliance" mechanism for public procurement of cloud services. Under Article 39(1), contracting authorities that acquire cloud services through framework contracts awarded by the European Commission acting as a central purchasing body are deemed to have fulfilled their obligations under applicable Union public procurement law. This effectively bypasses the need for separate national tender procedures for those specific purchases. However, this procedural shortcut does not waive substantive sovereignty requirements: Article 30 mandates that all procured services must still meet the relevant Union assurance levels (Level 1 minimum, or Levels 2–4 for public-order activities). Furthermore, Article 39(2) clarifies that the award of specific contracts under these frameworks follows the procedural rules applicable to Union institutions, not national law. National framework agreements remain valid but must independently satisfy both national procurement rules and CADA's sovereignty criteria.

Detail

The proposed CADA (COM(2026) 502 final) fundamentally reshapes the procurement landscape for cloud computing by establishing a common procurement framework where the European Commission acts as a central purchasing body for Member States and Union entities. This mechanism is designed to aggregate demand, leverage economies of scale, and accelerate the uptake of sovereign cloud services. The legal architecture governing this shift is primarily found in Title IV, Chapter IV (Articles 37–40), with Article 39 serving as the critical bridge between EU centralised procurement and national legal obligations.

The "Deemed Compliance" Mechanism (Article 39(1))

The most significant impact of CADA on framework agreements is the creation of a legal presumption of compliance. Article 39(1) states explicitly:

"A participating entity shall be deemed to have fulfilled its obligations under applicable Union public procurement law where it acquires supplies or services by means of contracts awarded by the Commission under this Chapter, including through framework contracts concluded by or dynamic purchasing systems operated by the Commission acting as a central purchasing body..."

This provision creates a safe harbour for Member State contracting authorities. Under the current legal order, primarily governed by Directive 2014/24/EU, public authorities must conduct their own tender procedures to ensure transparency, non-discrimination, and competition. CADA would alter this dynamic for those authorities that choose to participate in the Commission's common procurement framework (established under Article 38).

By purchasing through a Commission-awarded framework contract, a national authority is legally considered to have satisfied all procedural requirements of Union public procurement law. This eliminates the administrative burden and legal risk associated with running a parallel national tender for the same service. It is important to note that this "deemed compliance" is conditional: the authority must be a "participating entity" that has acceded to the agreement under Article 38, and the purchase must be made via a contract awarded by the Commission.

Procedural Rules for Specific Contracts (Article 39(2))

While the overarching framework agreement is centralised, the actual award of specific contracts (the "call-offs") under that framework requires its own procedural rules. Article 39(2) addresses this by stipulating:

"The procedural provisions applicable to Union institutions shall apply to the procedures for the award of specific contracts under framework contracts or dynamic purchasing systems."

This creates a hybrid procurement model. The initial framework is established by the Commission, but the subsequent selection of a specific provider for a national authority's immediate needs follows the internal rules of the EU institutions rather than the national laws of the Member State. This ensures a uniform, Union-wide approach to the execution of the framework, preventing fragmentation where different Member States might apply divergent national rules to the same EU-level framework.

Interplay with the 2014 Procurement Directives

CADA does not repeal or replace Directive 2014/24/EU (the Public Procurement Directive). Instead, it operates as a specific derogation and an alternative pathway.

  1. For Participating Entities: If a contracting authority joins the Commission's common procurement framework, Article 39(1) acts as a lex specialis. It overrides the general obligation to run a national tender under Directive 2014/24/EU for those specific purchases. The authority is "deemed" to have complied with the Directive.
  2. For Non-Participating Entities: If a Member State authority chooses not to participate in the Commission's framework, Article 39 does not apply to them. They remain fully subject to the standard obligations of Directive 2014/24/EU and their national transposing legislation. They must run their own tenders.
  3. National Framework Agreements: CADA does not invalidate existing or future national framework agreements. However, any national framework must still comply with Directive 2014/24/EU and the substantive requirements of CADA. Specifically, a national framework cannot award contracts to providers that fail to meet the Union assurance levels required by Article 30.

The Sovereignty Constraint: Article 30 Remains Mandatory

A critical distinction must be made between procedural compliance (how you buy) and substantive compliance (what you buy). Article 39 only addresses the former. It ensures that the process of buying via the Commission is legally sound. It does not exempt the buyer from the substantive sovereignty criteria.

Under Article 30, contracting authorities are obligated to procure cloud services that meet specific Union assurance levels:

  • Article 30(2): For activities not contributing to public order, the minimum requirement is Union assurance level 1.
  • Article 30(3): For activities contributing to public order (e.g., law enforcement, defence, critical infrastructure), authorities must procure only services recognised at Union assurance levels 2, 3, or 4.

Therefore, even if a Member State buys via a Commission framework under Article 39(1), it must ensure that the specific cloud service selected under that framework has been recognised at the appropriate assurance level under Article 17. The Commission's framework is expected to pre-vet providers for these levels, but the legal obligation to verify the assurance level remains with the contracting authority. Article 39(3) reinforces this by stating that a contracting authority acting as a central purchasing body for others must ensure compliance with any contractual requirements by which it is bound, implying that the sovereignty criteria are binding contractual terms.

Downstream Obligations and Central Purchasing Bodies

Article 39(3) further clarifies the responsibilities of authorities that act as central purchasing bodies for other authorities. It states:

"A contracting authority that has acquired data centre services, cloud computing services, software and AI systems from the Commission as a central purchasing body shall ensure, in its agreements with the contracting authorities it serves, compliance with any contractual requirements by which it is itself bound."

This ensures that the "deemed compliance" chain is not broken when services are re-sold or re-allocated. If Authority A buys from the Commission and then provides those services to Authority B, Authority A must ensure that Authority B's use of the service remains compliant with the original contractual terms, including the sovereignty assurance levels.

What this means for you

For legal counsel, procurement officers, and compliance teams in the public sector, CADA as proposed introduces a strategic fork in the road: participate in the EU-wide centralised framework or retain national autonomy.

1. Strategic Decision: Join the Commission Framework If your authority decides to participate in the agreement under Article 38, you gain significant efficiency. You can rely on Article 39(1) to satisfy your procedural obligations under Directive 2014/24/EU. This reduces the risk of legal challenges based on procedural errors in national tendering. However, you must ensure your internal processes align with the procedural rules for specific contracts under Article 39(2) (i.e., Union institutional rules).

2. The Sovereignty Check is Non-Negotiable Regardless of whether you use the Commission framework or a national tender, Article 30 is absolute. You must verify that the cloud service you procure meets the Union assurance level required by your national risk assessment under Article 29.

  • Action: Before signing any contract (even under a Commission framework), confirm the provider's recognition status in the central repository (Article 22) and ensure it matches the level required for your specific activity (Level 1 vs. Levels 2–4).

3. Update Procurement Guidelines Your internal procurement manuals must be updated to reflect the new "deemed compliance" pathway.

  • Clarification: Explicitly state that purchasing via the Commission's framework satisfies national procurement law obligations.
  • Constraint: Simultaneously clarify that this does not waive the obligation to verify Union assurance levels. The "deemed compliance" applies to the procedure, not the product criteria.

4. Manage Downstream Relationships If your authority acts as a central purchasing body for smaller entities, Article 39(3) places a duty on you to ensure those entities comply with the contractual terms of the Commission framework. You cannot simply pass through the service; you must ensure the downstream user respects the sovereignty and assurance level constraints.

Common misconceptions

"CADA replaces the 2014 Public Procurement Directive." No. CADA creates a specific, optional pathway. If you do not participate in the Commission's common procurement framework, you must still follow Directive 2014/24/EU and national law in full. Article 39(1) only grants "deemed compliance" for those who actively use the Commission's central purchasing mechanism.

"Using the Commission framework waives the need to check sovereignty levels." Incorrect. Article 39 solves the procedural hurdle (how to buy legally). It does not solve the substantive hurdle (what to buy). Article 30 remains fully in force. A Commission framework contract is only valid if the services procured meet the required Union assurance levels.

"National framework agreements are now illegal or obsolete." National framework agreements remain valid and legal. However, they must be constructed to comply with both national procurement law and CADA's sovereignty requirements. The Commission framework is an additional tool designed to reduce fragmentation and increase leverage, not a mandatory replacement for all national frameworks.

"The Commission decides the assurance level for me." While the Commission manages the framework, the requirement to procure at a specific level is determined by your national risk assessment under Article 29. You must ensure the framework you join offers services at the level your risk assessment dictates.

Related

This is general information about a draft EU regulation, not legal advice.