Summary

Under the proposed Cloud and AI Development Act (CADA), a contracting authority that acts as a central purchasing body and acquires cloud, data centre, software, or AI services from the Commission must ensure that its downstream agreements with other contracting authorities strictly comply with the contractual requirements binding it. Article 39(3) explicitly mandates this flow-down of obligations, preventing the dilution of terms regarding security, sovereignty, and service levels when services are redistributed. This mechanism is critical for maintaining legal consistency, preserving the Union assurance levels negotiated at the EU level, and safeguarding the legal exemption from standard procurement procedures for downstream buyers.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a novel procurement architecture where the European Commission acts as a central purchasing body for cloud computing services, data centre services, software, and AI systems. This framework, detailed in Title IV, Chapter IV, allows Member States and Union entities to leverage collective purchasing power to reduce costs and accelerate the adoption of sovereign cloud solutions. However, this centralisation creates a multi-layered contractual chain: the Commission procures from a provider, a national authority acquires from the Commission, and that national authority may subsequently provide access to other public sector bodies.

To prevent fragmentation and ensure that the strategic objectives of CADA—particularly data sovereignty and operational autonomy—are not eroded at the national or local level, the proposal imposes a strict "flow-down" obligation. This ensures that the integrity of the procurement process is maintained from the Commission down to the ultimate end-user public sector body.

The Legal Basis: Article 39(3)

The core obligation is codified in Article 39(3) of the CADA proposal. The text states:

"A contracting authority that has acquired data centre services, cloud computing services, software and AI systems from the Commission as a central purchasing body shall ensure, in its agreements with the contracting authorities it serves, compliance with any contractual requirements by which it is itself bound."

This provision creates a mandatory chain of compliance. When a national contracting authority (the "intermediary") procures services from the Commission, it enters into an agreement with specific terms, conditions, and obligations. If that national authority then resells or provides access to these services to other public sector bodies (the "downstream buyers"), it cannot strip away, alter, or ignore the fundamental contractual requirements it owes to the Commission. It must replicate those requirements in its own agreements with the downstream entities.

The scope of this obligation is broad, covering "any contractual requirements." This includes, but is not limited to:

  • Service Level Agreements (SLAs): Performance metrics and uptime guarantees.
  • Security and Sovereignty Standards: Requirements related to Union assurance levels (Articles 16–23), data localisation, and cybersecurity certifications.
  • Data Protection and Privacy: Obligations under the GDPR and specific data handling clauses.
  • Intellectual Property: Rights regarding software reuse and open-source licensing.
  • Reporting and Audit Rights: Obligations to report on usage or submit to audits.

Mechanism of Flow-Down and Sovereignty Preservation

The "flow-down" mechanism serves several critical legal and operational functions within the CADA framework:

  1. Preservation of Liability and Standards: The Commission, as the central buyer, negotiates terms regarding service levels, security standards, data sovereignty, and intellectual property based on the specific needs of the Union. If a national authority were to modify these terms when dealing with local municipalities or agencies, it could create gaps in compliance or expose the EU budget to unmanaged risks. Article 39(3) prevents this fragmentation by legally binding the intermediary to enforce the original terms.
  2. Consistency in Sovereignty Requirements: CADA places heavy emphasis on Union assurance levels (sovereignty criteria) for cloud services, as defined in Annex II. If the Commission's agreement with a national authority includes specific requirements regarding data localisation, personnel screening, or security audits (aligned with Article 16 and Annex II criteria), those requirements must be passed down. This ensures that the sovereignty protections negotiated at the EU level are not diluted at the national or local level. For instance, if the Commission procures a Level 3 service requiring Union citizenship for personnel, the national authority cannot provide that service to a downstream buyer without ensuring the same personnel requirements are met.
  3. Clarification of Roles: The article clarifies the role of the contracting authority acting as a central purchasing body. It is not merely a passive conduit but an active enforcer of the Commission's contractual framework. This distinction is vital for determining liability in case of service failures or compliance breaches by the end-user. The intermediary remains responsible for ensuring its downstream partners adhere to the master agreement.

Interaction with the Accession Agreement (Article 38)

This flow-down obligation operates within the broader context of the agreement between the Commission and the Member States, as outlined in Article 38. Article 38 establishes the practical arrangements for the Commission's procurement activities, including the governance structure (the Steering Committee) and the conditions for participation. The contracting authorities that participate in these activities do so under an agreement that binds them to the Commission's rules.

When a contracting authority accesses these services, it does so as a "participating entity." The agreement under Article 38 likely contains detailed provisions on how these services are to be used, managed, and shared. Article 39(3) ensures that the spirit and letter of this overarching agreement are respected in every subsequent transaction within the public sector network. It prevents a scenario where a national authority benefits from the Commission's bulk purchasing power but fails to adhere to the governance or compliance structures that made that purchasing possible.

Implications for Public Procurement Rules

It is important to note that under Article 39(1), a participating entity is deemed to have fulfilled its obligations under applicable Union public procurement law where it acquires supplies or services through the Commission. This exemption from standard procurement procedures is contingent upon strict adherence to the Commission's framework. The flow-down requirement in Article 39(3) is a safeguard for this exemption.

If a national authority fails to pass down the required contractual terms, it may jeopardise the legal basis for the exemption. This could potentially expose the downstream transaction to challenges regarding the legality of its own procurement practices, as the "deemed compliance" status relies on the integrity of the entire contractual chain. Furthermore, failure to comply could lead to the suspension of access to the central purchasing framework or financial penalties under Article 24 (Penalties and compensation), which applies to infringements by cloud computing service providers but also establishes a framework for compensation for damage caused by infringements.

What this means for you

For in-house counsel, procurement officers, and compliance managers within public sector bodies, Article 39(3) imposes a rigorous contract management duty. You must treat the agreement with the Commission not as a final endpoint, but as a template for all downstream engagements.

  • Contract Drafting: When drafting agreements with local agencies, municipalities, or other public bodies that will use the cloud or AI services you have procured via the Commission, you must explicitly incorporate the relevant clauses from your agreement with the Commission. This includes security protocols, data handling procedures, reporting obligations, and specific sovereignty requirements (e.g., Union assurance levels). Do not assume that local administrative practices can override these terms.
  • Audit Trails: Maintain clear records demonstrating that downstream contracts mirror the upstream requirements. In the event of a compliance audit by the Commission or national competent authorities, you must be able to prove that the flow-down was executed correctly. This includes keeping copies of the master agreement and the downstream agreements side-by-side for comparison.
  • Risk Management: Failure to pass down requirements could lead to a breach of contract with the Commission. This might result in the suspension of access to the central purchasing framework, financial penalties, or liability for damages suffered by the Commission or the end-user. Ensure your legal teams review all downstream contracts against the master agreement with the Commission before signing.
  • Coordination with IT and Security: Work closely with your cybersecurity and data protection teams to ensure that the technical requirements (such as Union assurance levels) are technically enforceable in downstream environments. Legal compliance is insufficient if the technical infrastructure does not support the mandated security standards. The flow-down obligation covers both legal and technical contractual requirements.

Common misconceptions

  • "We can modify terms for local needs." A common mistake is assuming that national or local authorities can adapt the Commission's contract terms to better suit local administrative practices. Article 39(3) prohibits this regarding the contractual requirements by which the intermediary is bound. While some operational flexibility may exist for non-essential administrative details, the core legal and compliance obligations (especially those related to sovereignty and security) must remain intact. Any deviation must be carefully assessed to ensure it does not breach the upstream agreement.
  • "The Commission handles all compliance." Some believe that because the Commission acts as the central buyer, it assumes all compliance responsibilities. This is incorrect. The Commission manages the procurement process and the initial contract with the provider, but the contracting authorities serving downstream buyers remain responsible for ensuring that those buyers comply with the agreed terms. The liability for enforcement flows down with the service.
  • "This only applies to large contracts." The obligation applies regardless of the size of the downstream transaction. Even where a small municipality accesses only a small portion of the central cloud capacity, the requirement to comply with the contractual terms binding the national authority remains in force. The text of Article 39(3) does not distinguish based on the volume or value of the downstream agreement.

This is general information about a draft EU regulation, not legal advice.