Summary

The proposed Cloud and AI Development Act (CADA) establishes a sector-specific procurement framework grounded in the cumulative legal bases of Article 114 (internal market harmonisation) and Article 173(3) (industrial competitiveness) of the TFEU. As proposed, CADA would not replace the 2014 Public Procurement Directives but would overlay them with sovereignty requirements. For Union institutions, Article 37 (not Article 39) is the primary provision anchoring procurement activities to Regulation (EU, Euratom) 2024/2509 (the Financial Regulation), while Article 39 clarifies the legal effect of those activities. Crucially, Article 32 introduces "Union added value" criteria designed to be ancillary and non-decisive, with Recital 67 suggesting a maximum weighting of 15 out of 120 points to ensure compatibility with the WTO Government Procurement Agreement (GPA) under Article III:2(a).

Detail

The legal architecture of CADA's procurement rules is a hybrid model that leverages existing EU competences to address a specific market failure: the fragmentation of cloud procurement and the strategic dependency on third-country providers. The proposal explicitly relies on a dual legal basis, as outlined in the explanatory memorandum and the text of the Regulation itself.

The Dual Legal Basis: Internal Market and Industrial Policy

CADA is founded on the cumulative application of Article 114 TFEU and Article 173(3) TFEU.

  • Article 114 TFEU provides the competence to harmonise national provisions to ensure the functioning of the internal market. This is the basis for the sovereignty framework (Title IV, Chapter I) and the requirement for a uniform Union assurance level, which prevents Member States from creating divergent national standards that would fragment the market.
  • Article 173(3) TFEU empowers the Union to enhance industrial competitiveness and innovation capacity. This basis supports the "Union added value" criteria and the measures to foster the development of a European cloud and AI ecosystem.

This dual foundation allows CADA to function as a targeted intervention. It does not seek to rewrite the general public procurement regime but to introduce specific, sectoral rules for cloud and AI services where the general rules are insufficient to address sovereignty risks.

Interface with the 2014 Public Procurement Directives

CADA operates as a sector-specific overlay to the horizontal acquis, specifically Directive 2014/24/EU. The proposal acknowledges that the existing directives do not contain measures to shape a more competitive offer of European cloud services or to address the specific risks of third-country control.

Article 32 is the core provision for integrating European industrial policy into procurement. It mandates that contracting authorities include "Union added value" as a non-price award criterion when procuring innovative cloud computing services and AI systems. The criteria must evaluate the tenderer's contribution to:

  • Strengthening the digital technology supply chain in the Union (e.g., hardware/software designed or manufactured in the Union).
  • Integrating technologies developed in the Union.
  • Delivering services through critical computing components designed or manufactured in the Union.

Crucially, Article 32(2) sets strict safeguards to ensure these criteria do not violate the principles of non-discrimination:

  1. They must be linked to the subject matter of the contract.
  2. They must not confer unrestricted freedom of choice on the contracting authority.
  3. They must be expressly set out in the procurement documents.
  4. They must be ancillary and not decisive in the award of the contract.

While Article 32 establishes the mandatory nature of these criteria, it does not specify a numerical cap. The specific suggestion of a maximum weighting of 15 out of 120 points appears in Recital 67, which states that contracting authorities "could consider" this limit to ensure the criteria remain proportionate and subordinate to technical and financial requirements. This distinction is vital: the proposal (including recitals) suggests the cap, but the Article only mandates the "ancillary and not decisive" nature.

WTO/GPA Compatibility and Public Order

The design of Article 32 is explicitly intended to safeguard compatibility with international trade obligations, particularly the WTO Government Procurement Agreement (GPA). Recital 64 clarifies the legal justification for these measures. It states that while the Union maintains an open and non-discriminatory framework, it retains the right, in accordance with Article III:2(a) of the WTO GPA, to adopt or maintain measures necessary to protect public morals, order or safety.

By framing the procurement restrictions (such as the requirement for specific Union assurance levels under Article 30) as measures to preserve public order and prevent harm from third-country coercion, CADA aims to fall within the exceptions permitted under the GPA. The "Union added value" criteria are thus positioned not as protectionist quotas, but as risk-mitigation tools to ensure the resilience and security of the supply chain.

Union Entities and the Financial Regulation

For Union institutions, bodies, offices, and agencies, the procurement framework operates under a distinct legal anchor. A common error is to attribute the primary link to the Financial Regulation to Article 39. In fact, Article 37(1) is the operative provision that explicitly states the Commission may carry out procurement activities "in accordance with Regulation (EU, Euratom) 2024/2509 (the Financial Regulation), subject to the exceptions set out in this Chapter."

Article 37 expands the Commission's role, permitting it to act as a central purchasing body for Member State contracting authorities and partner organisations. It establishes the mechanism for joint procurement, including the possibility of derogations from the Financial Regulation to facilitate these specific activities (e.g., allowing partner organisations to participate).

Article 39 serves a different, clarifying function. Article 39(1) states that a participating entity shall be deemed to have fulfilled its obligations under applicable Union public procurement law if it acquires services through contracts awarded by the Commission under this Chapter. It defines the legal consequence of the procurement activities established in Article 37, ensuring that Member State authorities participating in the joint framework are not subject to duplicate procurement procedures.

Sovereignty and Public Order Requirements

The procurement rules are inextricably linked to the sovereignty framework. Article 30 mandates that contracting authorities whose activities are identified as contributing to the preservation of public order (via risk assessments under Article 29) must procure only cloud computing services recognised at Union assurance levels 2, 3, or 4. This creates a mandatory link between the risk profile of the activity and the technical/sovereign characteristics of the service provider.

What this means for you

For legal counsel, procurement officers, and cloud providers, the legal basis of CADA dictates a dual-track compliance strategy.

For Public Sector Procurement Teams

  • Update Tender Documents: You must integrate "Union added value" criteria as per Article 32. Ensure these are explicitly defined in the procurement documents and weighted appropriately. While Article 32 does not set a hard cap, adhering to the Recital 67 suggestion of a 15/120 point maximum is the safest route to demonstrate that the criteria are "ancillary and not decisive," thereby mitigating WTO/GPA challenges.
  • Conduct Risk Assessments: Before launching a tender for cloud services, you must perform the risk assessment required by Article 29. This assessment determines whether your activity contributes to public order. If it does, Article 30 strictly limits your supplier pool to those with Union assurance levels 2, 3, or 4.
  • Leverage Joint Procurement: Consider participating in the Commission-led joint procurement framework under Article 37. This allows you to benefit from the Commission's central purchasing power and the streamlined legal effect provided by Article 39, reducing administrative burdens.

For Cloud Service Providers

  • Audit Readiness: To compete for public contracts involving public order, your service must undergo independent third-party audits (for levels 2–4) or self-assessment (for level 1) to achieve Union assurance recognition.
  • Supply Chain Transparency: Prepare detailed documentation on the origin of your hardware and software components. You will need to demonstrate how your supply chain contributes to the European ecosystem to satisfy the Article 32 "Union added value" criteria.
  • Third-Country Derogations: If you are a non-EU provider, investigate whether your home country qualifies as an "associated third country" under Article 18. If the Commission adopts an implementing act for your country, you may be eligible for Union assurance level 3 recognition, provided you meet the specific safeguards against third-country control.

Compliance Deadlines

  • National Competent Authorities: Member States must designate these authorities within one year of the Regulation's entry into force (Article 25).
  • Risk Assessments: Public sector bodies must complete their initial risk assessments within one year of entry into force, with updates every two years (Article 29).
  • National Strategies: Member States must adopt national cloud and AI strategies within one year of entry into force (Article 7).

Common misconceptions

Misconception 1: CADA replaces the 2014 Public Procurement Directives.

No. CADA is a sector-specific regulation that operates alongside Directive 2014/24/EU. The general principles of transparency, non-discrimination, and proportionality from the 2014 Directives remain fully applicable. CADA adds specific sovereignty criteria and assurance level requirements that must be integrated into existing procedures.

Misconception 2: The "Union added value" criterion is a protectionist quota.

The criterion under Article 32 is not a quota and cannot be decisive. It is an ancillary, non-price factor. The proposal's suggestion of a 15/120 point weighting (found in Recital 67) is a safeguard to ensure these criteria do not overshadow technical and financial performance, thereby maintaining compliance with the WTO GPA.

Misconception 3: Only EU-based providers can win public contracts.

While the framework prioritises EU sovereignty, it does not automatically exclude third-country providers. Article 18 provides a mechanism for the Commission to recognise third countries that offer sufficient safeguards. Providers from these "associated third countries" can still compete for public order-relevant contracts if they meet the audit criteria for Union assurance level 3.

Misconception 4: Article 39 is the primary link to the Financial Regulation.

This is incorrect. Article 37 is the operative provision that anchors the Commission's procurement activities to Regulation (EU, Euratom) 2024/2509. Article 39 merely clarifies that entities participating in these activities are deemed to have fulfilled their procurement obligations, streamlining the legal process for Member States.

This is general information about a draft EU regulation, not legal advice.