Summary Under the proposed Cloud and AI Development Act (CADA), Article 32(3)(c) introduces a mandatory non-price award criterion requiring contracting authorities to evaluate whether a tenderer's innovation contributes to "strengthening the security of supply and the development of a European cloud and AI ecosystem." This provision shifts public procurement from a purely price-driven model to one that values supply chain resilience and strategic autonomy. For bidders, demonstrating this value requires concrete evidence that their innovative solutions reduce dependency on critical third-country technologies, ensure operational continuity, and integrate Union-developed components. As a proposal, CADA would make this a standard part of quality evaluation for innovative cloud and AI contracts, though these criteria remain "ancillary and not decisive" compared to technical and financial factors.

Detail

Article 32 of the proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a framework for "Union added value" in public procurement procedures for innovative cloud computing services and AI systems. The provision is designed to leverage the purchasing power of the public sector to reinforce the EU's digital supply chain and reduce strategic dependencies on non-European providers.

While Article 32(3)(a) focuses on the use of Union-designed or manufactured hardware and software, and Article 32(3)(b) targets the integration of Union technologies and R&D results, Article 32(3)(c) specifically targets the outcome of innovation regarding supply resilience. It mandates that contracting authorities evaluate the extent to which:

"the innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem." (Article 32(3)(c))

Why Security of Supply is a Procurement Value

The inclusion of security of supply as a distinct evaluation criterion reflects a fundamental shift in EU digital policy driven by the geopolitical landscape. The CADA explanatory memorandum notes that the Union's current dependence on a limited pool of third-country providers exposes it to risks such as "operational discontinuity," "unilateral decisions by third-country actors," and "extraterritorial data access mandates."

By embedding security of supply into the award criteria, CADA treats supply chain resilience not merely as a risk mitigation measure, but as a positive quality attribute of the service. The logic is that innovations which make the European cloud ecosystem more robust, autonomous, and less prone to external shocks create tangible public value. This aligns with the broader CADA objective of fostering a competitive EU cloud market that can serve as a credible alternative to non-European incumbents. The criterion effectively asks: "Does this innovation make the EU less vulnerable to supply shocks?"

How Bidders Must Demonstrate Compliance

Contracting authorities are required to apply these criteria in a manner that preserves the primacy of price and technical performance. Article 32(2) mandates that these non-price criteria must be:

  • Linked to the subject matter of the contract.
  • Not conferring unrestricted freedom of choice on the contracting authority.
  • Expressly set out in the procurement documents or contract notice.
  • Ancillary and not decisive in the award of the contract.

To demonstrate how their innovation contributes to security of supply under Article 32(3)(c), bidders should provide evidence in their tenders that addresses the following areas:

  1. Resilience and Continuity: Show how the innovative aspects of the service mitigate risks of service interruption. This could include demonstrating redundant architecture, disaster recovery capabilities, or innovative fail-safe mechanisms that ensure operational continuity even during geopolitical or technical disruptions. The evidence must link the innovation directly to the prevention of "operational discontinuity."
  2. Reduced Dependency: Highlight how the solution reduces reliance on critical third-country components. If the innovation involves replacing proprietary, third-country-controlled software or hardware with open-source or Union-designed alternatives, this directly strengthens security of supply. Bidders should explicitly map how their innovation removes a specific point of failure or control by a non-EU entity.
  3. Ecosystem Contribution: Explain how the innovation supports the broader European cloud and AI ecosystem. This might involve contributing to open standards, participating in European digital infrastructure consortia (EDICs), or developing middleware that enhances interoperability between EU-based services. The goal is to show that the innovation strengthens the collective European capacity, not just the individual provider's offering.
  4. Supply Chain Transparency: Provide documentation showing that the innovative components of the service are sourced from suppliers who also adhere to high standards of supply chain security. This links back to Article 32(3)(a) and (d), creating a cohesive narrative of a secure, European-centric supply chain.

Bidders must tailor their evidence to the specific requirements of the tender. Vague claims of "security" without concrete evidence of how the innovation specifically enhances supply resilience will likely be insufficient. The evaluation must be based on the "innovation required to deliver the service," meaning the innovation must be integral to the contract's execution.

What this means for you

As a cloud service provider, data centre operator, or AI developer, you must adapt your tendering strategies to explicitly address Article 32(3)(c). This is not merely a compliance checkbox but a competitive differentiator in the growing market for sovereign cloud services.

Actionable Steps:

  • Audit Your Innovations: Review your R&D pipeline and current offerings. Identify features that specifically enhance supply chain resilience, such as modular architecture, open-source contributions, or Union-manufactured hardware integration.
  • Prepare Evidence Packages: Develop standardized documentation that maps your innovations to security of supply benefits. Include case studies, technical whitepapers, and supply chain audits that demonstrate reduced dependency on third-country critical technologies.
  • Engage Early: Use preliminary market consultations (promoted under Article 33) to understand how specific contracting authorities interpret "security of supply." Align your innovation narrative with their specific risk assessments.
  • Highlight Ecosystem Integration: If your service integrates with or supports European cloud stacks, open-source foundations, or Union-funded research outcomes, make this prominent in your tender. This demonstrates a commitment to the "European cloud and AI ecosystem" mentioned in the criterion.

Common misconceptions

Misconception 1: Security of supply is only about cybersecurity.

  • Reality: While cybersecurity is related, Article 32(3)(c) focuses on supply chain security. This means resilience against geopolitical risks, vendor lock-in, and service disruption, not just technical hacking threats. It is about ensuring the service remains available and controllable by EU entities, distinct from the technical cybersecurity standards covered by the Cybersecurity Act.

Misconception 2: This criterion is decisive for winning the contract.

  • Reality: Article 32(2)(d) explicitly states that these criteria are "ancillary and not decisive in the award of the contract." They are part of the quality evaluation but must remain subordinate to core technical and financial criteria. A bidder cannot win solely on "security of supply" if their technical solution is inadequate or their price is prohibitive.

Misconception 3: Only EU-based providers can score points.

  • Reality: While the goal is to strengthen the EU ecosystem, the criterion evaluates the contribution of the innovation. A non-EU provider could theoretically score if their innovation demonstrably reduces dependency on third-country risks (e.g., by using fully open, neutral technologies), though this is practically challenging. The focus is on the outcome (security of supply) rather than just the origin of the bidder.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.