Summary Under the proposed Cloud and AI Development Act (CADA), Article 32 obliges contracting authorities to include non-price award criteria that evaluate a tenderer's contribution to the European cloud and AI ecosystem. This "Union added value" criterion must assess specific factors: strengthening the EU digital supply chain, integrating EU-developed technologies, and using hardware designed or manufactured in the Union. While the proposal's explanatory memorandum suggests a maximum weighting of 15 out of 120 points, this criterion must remain ancillary and not decisive, ensuring it cannot override core technical and financial performance criteria.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a strategic pivot in EU public procurement. While existing directives focus on value for money and non-discrimination, CADA explicitly links purchasing power to the geopolitical objective of technological sovereignty. Article 32 establishes the legal framework for "Union added value," transforming procurement from a purely transactional exercise into a tool for industrial policy.

The Legal Mandate: Article 32 Obligations

Article 32(1) imposes a mandatory obligation on contracting authorities. In public procurement procedures for innovative cloud computing services and AI systems, authorities "shall include, as part of the quality evaluation of the tender, non-price award criteria that allow them to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem."

This is not a discretionary power; it is a statutory requirement for the specific scope of innovative cloud and AI procurement. However, to prevent this from devolving into protectionism that violates the Treaty on the Functioning of the European Union (TFEU), Article 32(2) imposes four strict cumulative conditions on these criteria:

  1. Linkage: They must be linked to the subject matter of the contract.
  2. No Unrestricted Choice: They must not confer unrestricted freedom of choice on the contracting authority.
  3. Transparency: They must be expressly set out in the procurement documents or in the contract notice.
  4. Subordination: Crucially, they must be ancillary and not decisive in the award of the contract.

The "ancillary" requirement is the legal linchpin. It ensures that Union added value cannot become a disguised barrier to entry. A tenderer with superior Union added value cannot win if their technical solution fails to meet the functional requirements or if their price is disproportionately high compared to the value offered.

The Four Pillars of Union Added Value

Article 32(3) defines the specific dimensions of "Union added value." While contracting authorities retain discretion to apply additional criteria, the proposal explicitly enumerates four key areas for evaluation. These elements are drawn directly from the text of Recital 67 of the explanatory memorandum, which clarifies the intent behind the legislative text.

  1. Strengthening the Digital Supply Chain: Authorities must evaluate the extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union. The text explicitly highlights the use of "software or hardware designed or manufactured in the Union." This moves beyond simple establishment (having a registered office in the EU) to assessing the origin of the intellectual property and physical components.

  2. Integration of EU Technologies: The criterion assesses whether the tenderer has integrated technologies developed in the Union. This includes:

    • Research and development results stemming from Union-funded research and development programmes.
    • The use of tools such as standards, specifications, software, models or other technology developed in the Union. This encourages the uptake of EU-funded innovation outputs (e.g., from Horizon Europe or Digital Europe Programme) and the adoption of European technical standards.

  3. Innovation for Security of Supply: The evaluation must consider whether the innovation required to deliver the service contributes to "strengthening the security of supply and the development of a European cloud and AI ecosystem." This links the procurement directly to the resilience objectives of CADA, rewarding solutions that reduce systemic dependencies.

  4. EU-Made Critical Hardware (with Feasibility Caveat): This is the most specific and potentially complex pillar. Authorities must evaluate the extent to which the service is delivered, "to the greatest extent feasible with regard to market availability and technical requirements," through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

    The proposal acknowledges market realities. If EU-made critical hardware is not feasible, the criterion allows for hardware from a third country, provided it "contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem." This ensures that the pursuit of sovereignty does not compromise the technical viability of the service.

Weighting and Subordination: The 15/120 Guideline

A critical aspect of Article 32 is the balance between strategic sovereignty goals and competitive procurement. Recital 67 of the explanatory memorandum provides specific, quantitative guidance on how to weight these criteria to ensure they remain "ancillary."

The recital states: "For this purpose, contracting authorities could consider a maximum weighting of 15 out of 120 points to be allocated to European added value within the overall evaluation methodology, ensuring that it remains proportionate and subordinate to the core contract award criteria."

This 15/120-point ratio (approximately 12.5%) serves two vital functions:

  • Proportionality: It provides a "safe harbor" for contracting authorities. By adhering to this suggested cap, authorities demonstrate that the criterion is meaningful but not dominant.
  • Subordination: It reinforces the legal requirement in Article 32(2)(d) that the criterion must not be decisive. In a typical evaluation where technical and financial criteria make up the bulk of the score (e.g., 105 points), a 15-point cap ensures that a tenderer cannot win solely on the basis of their "European-ness" if their technical solution is inferior or their price is excessive.

It is important to note that while the recital uses the phrase "could consider," the underlying legal principle of "ancillary and not decisive" is binding. Deviating significantly from this guidance (e.g., allocating 50 points to Union added value) would likely render the procurement vulnerable to legal challenge for violating the principle of proportionality and distorting competition.

Interaction with Mandatory Assurance Levels (Article 30)

It is essential to distinguish the Article 32 award criteria from the mandatory sovereignty requirements found in Article 30. These two articles operate at different stages of the procurement lifecycle:

  • Article 30 (The Gatekeeper): This article establishes "Union assurance levels" (Levels 1–4) based on risk assessments of public order relevance (conducted under Article 29). Article 30 acts as a qualification or compliance hurdle. If a risk assessment determines that a public sector activity requires Level 3 assurance, only providers certified at Level 3 or 4 are eligible to bid. This is a binary pass/fail condition.
  • Article 32 (The Differentiator): This article operates as a differentiation mechanism among compliant bids. Once a provider meets the mandatory assurance level required by Article 30, Article 32 allows the contracting authority to prefer one provider over another based on their broader contribution to the EU ecosystem (e.g., using more EU-designed chips, integrating EU-funded R&D, or strengthening the supply chain).

This two-step process ensures that public order is protected first (via Article 30), while simultaneously driving long-term industrial policy goals (via Article 32). A provider with high Union added value but insufficient assurance level cannot bid; conversely, a provider with the correct assurance level but low Union added value can still win if their technical and financial offer is superior.

What this means for you

For in-house counsel, procurement officers, and compliance teams, the implementation of Article 32 requires a fundamental review of procurement templates, evaluation methodologies, and supplier engagement strategies. The obligation is not merely advisory; it is a statutory requirement for procurements of innovative cloud computing services and AI systems.

1. Update Procurement Documents and Evaluation Matrices

You must revise standard procurement templates to include explicit non-price award criteria aligned with Article 32(3). Vague references to "supporting European industry" are insufficient and likely to be challenged as conferring "unrestricted freedom of choice" under Article 32(2)(b).

  • Action: Define measurable indicators. For example: "Percentage of hardware components designed in the EU," "Evidence of integration of technologies from Horizon Europe projects," or "Percentage of software stack developed in the Union."
  • Action: Ensure these criteria are expressly set out in the contract notice to satisfy Article 32(2)(c).

2. Calibrate Weighting with Caution

While the 15/120-point weighting in Recital 67 is guidance rather than a strict statutory cap, it serves as a critical benchmark for legal defensibility.

  • Action: Document the rationale for the weighting chosen. If you choose a weighting significantly higher than 15 points, you must be prepared to justify why this does not render the criterion "decisive" in violation of Article 32(2)(d).
  • Action: Ensure the primary focus of the evaluation remains on technical quality and price. The Union added value criterion should be a tie-breaker or a bonus, not the primary driver of the award.

3. Conduct Feasibility Assessments for Hardware

Article 32(3)(d) introduces a nuanced requirement regarding hardware: EU-made components are preferred "to the greatest extent feasible."

  • Action: Include a mechanism in the tender for suppliers to demonstrate market unavailability or technical incompatibility of EU-made critical hardware.
  • Action: Require tenderers using third-country hardware to demonstrate how this choice still contributes to "security of supply" and the "development of a European cloud and AI ecosystem." This may require detailed supplier declarations and supply chain mapping.

4. Distinguish Eligibility from Award

Ensure your procurement workflows clearly separate the eligibility check (Article 30 assurance levels) from the award evaluation (Article 32 added value).

  • Action: A common error is to treat Union added value as a substitute for the mandatory sovereignty risk assessment. Article 30's risk assessment determines the minimum assurance level required. Article 32 determines the preferred supplier among those who meet that minimum.
  • Action: Failure to conduct the Article 29 risk assessment first could render the entire procurement invalid, regardless of how well the Article 32 criteria are applied.

5. Prepare for Monitoring and Reporting

Article 33 requires Member States to monitor the procurement of innovation in cloud and AI. While this is a state-level obligation, contracting authorities will likely be required to report data on the application of Article 32 criteria.

  • Action: Prepare internal tracking systems to capture data on the share of EU-designed hardware/software in awarded contracts.
  • Action: This data may be used to assess barriers to SME participation and to report on the achievement of the 25% innovation procurement objective for SMEs mentioned in Article 33(4).

Common misconceptions

Misconception 1: Article 32 allows for protectionist "buy EU" mandates. Correction: Article 32 is not a blanket ban on non-EU providers. It is a weighted award criterion. A non-EU provider can still win a contract if their technical and financial offer is superior, provided they meet the mandatory assurance levels. The criterion is "ancillary and not decisive." It favors EU contributions but does not mandate them to the exclusion of competition.

Misconception 2: The 15/120 weighting is a legal maximum. Correction: Recital 67 states authorities "could consider" this weighting. It is guidance, not a hard statutory limit. However, deviating significantly from this guidance increases the risk of a legal challenge on the grounds of disproportionality or distortion of competition. Authorities must ensure the weighting remains subordinate to core performance criteria.

Misconception 3: Union added value replaces cybersecurity or sovereignty certifications. Correction: Article 32 operates in parallel to, not in place of, other requirements. A provider must still meet the cybersecurity standards (e.g., EUCS) and the Union assurance levels (Article 30) determined by the risk assessment. Article 32 evaluates broader industrial and supply chain contributions, such as the origin of hardware design or the use of open-source middleware, which are distinct from operational security certifications.

Misconception 4: Only the final service provider's location matters. Correction: Article 32(3) looks deeper into the value chain. It explicitly mentions hardware designed or manufactured in the Union and technologies developed in the Union. A provider established in the EU but relying entirely on non-EU designed hardware and software may score poorly on Union added value compared to a provider that integrates EU-developed components, even if both are legally established in the EU.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.