What must public-sector bodies in Austria do to comply with CADA?

Summary As proposed, the Cloud and AI Development Act (CADA) would require Austrian public-sector bodies to align their cloud and AI plans with a national strategy built around the "AI first" principle (Article 7) and to buy cloud services according to a risk-based sovereignty framework. After a risk assessment (Article 29), activities not contributing to public order would have to use services recognised at Union assurance level 1; activities that do contribute to public order would have to use level 2, 3 or 4 (Article 30). Buyers would also apply "Union added value" award criteria (Article 32), monitor procurement of innovation (Article 33), and could use the Experience and Acceleration Centres for AI (Article 5) as entry points.

Detail

CADA, COM(2026) 502 final, is a proposed Regulation. As proposed it would be directly applicable in Austria — there is no national transposition — so Austrian public bodies would apply the rules as written once it enters into force. Compliance rests on three pillars: alignment with the national strategy, risk-based procurement by assurance level, and use of the support structures.

National strategy and the "AI first" principle

As proposed in Article 7, Austria would establish a national cloud and AI strategy within one year of entry into force. Under Article 7(2)(a) the strategy's objectives must be in line with the "AI first" principle — which, per the proposal's recitals, is the principle defined in the Apply AI Strategy, urging organisations to reflect on their business processes by considering the needs and opportunities offered by AI while taking potential risks into account. For Austrian public bodies this means digital-transformation plans should not sit apart from the national strategy: Article 7(2)(b) requires measures to accelerate adoption among public bodies, SMEs and SMCs, and Article 7(2)(c) requires measures for AI in strategic sectors such as healthcare, energy and mobility. Under Article 7(4) the strategy must contribute to the Digital Decade targets in Decision (EU) 2022/2481.

Procurement obligations and Union assurance levels

The demand-side core of CADA is the procurement regime in Articles 29–30, anchored in the four Union assurance levels.

1. Risk assessments (Article 29). Member States and Union entities must, within one year of entry into force and thereafter every two years (or when needed), carry out risk assessments identifying public-sector activities that contribute to the preservation of public order in sectors under Annex I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement — and determine which Union assurance level (2, 3 or 4) is appropriate.
2. Baseline — level 1 (Article 30(2)). Union entities and public sector bodies whose activities have not been identified as contributing to public order must use services recognised at Union assurance level 1.
3. Higher levels for public order (Article 30(3)). Contracting authorities whose activities have been identified as contributing to public order must only procure services recognised at level 2, 3 or 4.
4. Derogations (Article 30(4)). On an exceptional, duly justified basis, a contracting authority may decide not to procure a recognised service where, for example, no adequate recognised alternative exists in the central repository, a similar procurement in the previous year drew no suitable tenders, or compliance would impose disproportionate cost.

The detailed criteria behind each assurance level sit in Annex II; this article does not restate them, and the precise level-by-level requirements should be read there rather than assumed.

Several further features of Article 29 shape how Austrian buyers would operate. Where a Union entity and Austria share responsibility for an activity, they may carry out the assessment jointly (Article 29(1)). The Commission specifies the methodology, templates and elements by implementing act, including how the highest assurance level is used for the most critical activities such as defence (Article 29(3)); within three months of completing an assessment, Austria provides the Commission with the results, flagging any departure from that methodology (Article 29(4)); and if the Commission finds the identified level inappropriate, it may specify the needed level by implementing act (Article 29(5)). Article 29(9) directs Austria to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of its procurement.

Migration where the assessment requires it (Article 29(6)). If a risk assessment requires migrating to another cloud service, the migration must take place within a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability. For an Austrian body already running an activity on a service the assessment finds inadequate, this is a firm outer limit — so exit and data-portability terms are worth securing in contracts before migration becomes necessary.

Union added value and procurement of innovation

Under Article 32, in procurement procedures for innovative cloud services and AI systems, contracting authorities must include non-price award criteria allowing them to evaluate the tenderer's contribution to a European cloud and AI ecosystem. Article 32(2) requires those criteria to be linked to the subject matter, not to confer unrestricted freedom of choice, to be set out in the procurement documents, and to be ancillary and not decisive. Article 32(3) lists what they may assess — for example, contribution to the Union digital-technology supply chain (including Union-designed or -manufactured software or hardware), integration of Union-developed technologies, and delivery through critical hardware components designed and/or manufactured in the Union to the greatest extent feasible.

Article 33 requires Member States to monitor and report on their procurement of innovation in cloud and AI, to pursue the objective that at least 25% of such procurement be awarded to innovative SMEs (Article 33(4)), and to include in their national strategy plans for achieving that objective.

Finding recognised services

A recognition decision under Article 17 is Union-wide: once an evaluating authority recognises a service and no other Member State's authority objects within the review period, the service is recognised throughout the Union at the relevant assurance level. The proposal also envisages a central repository of recognised services (referenced in the derogation in Article 30(4)). For an Austrian buyer this means you would not be confined to providers recognised in Austria — you could rely on any service recognised at the required level anywhere in the Union. The threshold question in any tender therefore becomes: is this service recognised, and at what level?

Experience and Acceleration Centres for AI

Article 5 requires each Member State, including Austria, to establish Experience and Acceleration Centres for AI ("Centres for AI"), building on the European Digital Innovation Hubs. Under Article 5(3) they help organisations accelerate digital transformation — including by connecting them with European cloud and AI providers — and provide access to upskilling and reskilling in collaboration with the AI Skills Academy. Austrian public bodies can use them for expertise, testing and skills support.

What this means for you

For procurement officers and digital leaders in Austrian public bodies, CADA would mean a structured, risk-based purchasing model:

1. Conduct and follow the risk assessment. Work with the competent Austrian authority to learn how your activities are classified under Article 29 — this decides whether you need level 1 or levels 2–4.
2. Update tender criteria. Require the appropriate Union assurance level (Article 30) and integrate the Union added value criteria (Article 32), keeping them ancillary and linked to the subject matter.
3. Align with the national strategy. Reflect the "AI first" principle in service design.
4. Use the Centres for AI. Use them (Article 5) for advice, skills and access to European providers. The proposal also promotes open standards and open-source components (Article 41), to be weighed against functionality, security, total cost and other objective criteria.
5. Track SME participation. Aim for the 25% innovative-SME objective (Article 33) and use matchmaking and simplified procedures.

Common misconceptions

• "CADA replaces the GDPR or the AI Act." No. CADA is presented as complementary; it does not displace the GDPR's data-protection rules or the AI Act's requirements for AI systems. It addresses cloud sovereignty, operational autonomy and procurement.
• "All public cloud procurement requires the highest level." No. Article 30 is tiered: most activities need only level 1; only public-order activities identified under Article 29 require levels 2–4.
• "Union added value criteria can override technical merit." No. Article 32(2) requires them to be ancillary and not decisive.
• "Open source is mandatory for all public AI." No. Article 41 promotes open standards and open-source components but ties the choice to functionality (including security), total cost and other objective criteria; it is not a blanket mandate.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.