Summary
Under the proposed Cloud and AI Development Act (CADA), public procurement officers must fundamentally shift from price-centric buying to a sovereignty-first model. As proposed in COM(2026) 502 final, you would be required to: (1) enforce a minimum Union assurance level for every cloud contract based on a prior risk assessment (Article 30); (2) include specific non-price "Union added value" criteria when procuring innovative cloud and AI systems (Article 32); and (3) actively monitor and report on procurement to ensure Member States pursue an objective of awarding at least 25% of innovation contracts to SMEs (Article 33). These measures would transform public procurement into a strategic lever for reducing third-country dependencies and strengthening the EU's digital ecosystem.
Detail
The CADA proposal introduces a rigorous, multi-layered framework for public procurement of cloud computing services and AI systems. For a procurement officer, the role evolves from securing the lowest price to ensuring that purchased services align with the Union's strategic security, autonomy, and innovation goals. The core obligations are anchored in Article 30 (assurance levels), Article 32 (Union added value), and Article 33 (SME monitoring).
1. Mandatory Assurance Levels Based on Risk Assessment (Article 30)
The most significant operational change is the requirement to link every cloud procurement to a specific Union assurance level. You can no longer treat all cloud services as equivalent regarding security and sovereignty. The applicable level is not a choice for the officer but a mandatory outcome of a risk assessment conducted by the Member State or Union entity under Article 29.
The Baseline Requirement (Article 30(2)): For any public sector body whose activities have not been identified as contributing to the preservation of public order, you must procure cloud computing services that have been recognised under Article 17 as having at least Union assurance level 1. This sets a consistent baseline of safeguards across the Union, ensuring basic data residency and operational autonomy.
The Enhanced Requirement for Public Order (Article 30(3)): If a risk assessment determines that your activities contribute to the preservation of public order, the rules are stricter. This applies to sectors listed in Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement. In these cases, you must only procure services recognised as offering Union assurance levels 2, 3, or 4.
Exceptional Derogations (Article 30(4)): Article 30(4) allows for derogations from these assurance level requirements only on an exceptional basis and where duly justified. This applies if:
- The subject matter of the tender cannot be supplied by recognised services available in the central repository, and no adequate or reasonable alternative exists (provided this absence is not the result of an artificial narrowing of the procurement parameters).
- The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
- Applying the requirements would require the contracting authority to procure services at disproportionate cost.
What this means for you: Before drafting a tender, you must consult the results of your national or institutional risk assessment under Article 29. You must explicitly state the required Union assurance level in your tender documents. You cannot award a contract to a provider that does not hold the requisite recognition in the central repository, unless one of the narrow exceptions applies.
2. Union Added Value Criteria for Innovation (Article 32)
When procuring innovative cloud computing services and AI systems, you are required to include specific non-price award criteria. These criteria are designed to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.
The Criteria (Article 32(3)): Under Article 32(3), you must evaluate the extent to which the tenderer:
- Contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
- Has integrated technologies developed in the Union, including research and development results stemming from Union-funded research and development programmes.
- Delivers the service using critical computing, storage, and networking hardware components designed and/or manufactured in the Union. If this is not feasible, the tenderer must demonstrate how they use hardware from third countries that still contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
Constraints on Application (Article 32(2)): These criteria must be ancillary and not decisive in the award of the contract. They must be linked to the subject matter of the contract, not confer unrestricted freedom of choice, and be expressly set out in the procurement documents. While the explanatory memorandum suggests a maximum weighting of 15 out of 120 points, the legal text emphasizes that these criteria must remain subordinate to core technical and financial criteria directly connected to performance requirements.
What this means for you: For innovation-focused tenders, you must draft specific evaluation questions that address the origin of the technology stack and the tenderer's integration of Union-developed tools. You cannot make these criteria the sole deciding factor, but they must be part of the quality evaluation.
3. Monitoring and SME Targets (Article 33)
CADA places a duty on Member States to monitor and report on the use of procurement of innovation in cloud and AI. This is not just a reporting exercise; it includes a concrete objective for supporting smaller players in the market.
The SME Objective (Article 33(4)): Member States shall pursue as an objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. Member States must include plans in their national strategies on how this objective will be achieved.
Reporting Obligations (Article 33(3)): Based on monitoring, Member States must inform the Commission annually on:
- The size of the economic operators participating in such procurement.
- SME participation trends, including the number of contracts awarded to SMEs, their share of the total contract value, and, where available, the share of cross-border SME participation.
- Measures taken to improve SMEs' access to public procurement procedures.
What this means for you: Your procurement department must track the status of bidders (SME vs. large enterprise) and the outcome of innovation-focused tenders. You should actively use measures such as dividing contracts into lots, promoting preliminary market consultations, and facilitating matchmaking between public buyers and European SMEs to meet the 25% objective.
What this means for you
For a procurement officer, the CADA proposal requires a fundamental shift in how you structure tenders for cloud and AI services. Here is your practical checklist:
- Check the Risk Assessment: Before issuing any cloud tender, identify the Union assurance level required for your specific use case. Is your body involved in public order, defence, or critical infrastructure? If yes, you likely need Level 2, 3, or 4. If not, Level 1 is the minimum.
- Verify Provider Recognition: Only accept bids from providers who are listed in the central repository of recognised cloud computing services with the appropriate assurance level. Do not rely on generic cybersecurity certifications alone; the CADA recognition is mandatory.
- Draft Innovation Criteria: If the tender is for an innovative solution, add the "Union added value" criteria to your evaluation matrix. Ensure these criteria are clearly defined, measurable, and not decisive (i.e., they do not outweigh the core technical and financial performance metrics).
- Track SME Participation: Record whether bidders are SMEs. Aim to structure your tenders (e.g., via lot division) to facilitate SME participation, keeping the 25% objective in mind.
- Plan for Migration: If your current contracts do not meet these assurance levels, note that Article 29(6) allows for a reasonable transition period for migration, not exceeding 12 months, when moving to a new provider to meet higher assurance requirements.
Common misconceptions
Misconception 1: "I can still choose the cheapest provider regardless of their sovereignty status." This is incorrect. Under Article 30, price cannot override the mandatory assurance level. If a provider offers the lowest price but does not have the required Union assurance level recognition for your specific risk category, you cannot award them the contract. The assurance level is a qualifying requirement, not just a scoring criterion.
Misconception 2: "Union added value criteria mean I must buy only European hardware." Not necessarily. Article 32(3)(d) allows for the use of third-country hardware if it is not feasible to use Union-manufactured components, provided the tenderer demonstrates that the choice still contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem. The criterion is about evaluating the contribution to the EU ecosystem, not an absolute ban on non-EU components, though the preference is clearly for Union-designed or manufactured technology.
Misconception 3: "The 25% SME target is a strict legal quota that invalidates a tender if missed." The text states that Member States shall "pursue as objective" that at least 25% of procurement be awarded to innovative SMEs (Article 33(4)). While this is a strong policy directive and requires reporting and planning, it is framed as an objective to be pursued through appropriate measures (like lot division) rather than a rigid quota that automatically voids a tender if the exact percentage is not met in a single year. However, consistent failure to meet this objective would likely trigger scrutiny from the Commission.
Misconception 4: "The US CLOUD Act doesn't affect my procurement decisions." While CADA does not explicitly ban US providers, its sovereignty framework (Annex II criteria) is designed to mitigate the risks associated with laws like the US CLOUD Act, which can compel data disclosure. By requiring specific assurance levels (especially Levels 2-4), CADA effectively filters out providers who cannot guarantee that data will not be accessed by third-country authorities in ways that conflict with EU law. Therefore, understanding the extraterritorial reach of third-country laws is essential for evaluating whether a provider can meet the CADA assurance criteria.
This is general information about a draft EU regulation, not legal advice.