What must public-sector bodies in Belgium do to comply with CADA?

Summary As proposed, the Cloud and AI Development Act (CADA) would require Belgian public-sector bodies to align cloud and AI plans with a national strategy built around the "AI first" principle (Article 7) and to procure cloud services on a risk-based sovereignty model. After a risk assessment (Article 29), activities not contributing to public order would have to use services recognised at Union assurance level 1; activities that do would have to use level 2, 3 or 4 (Article 30). Buyers would also apply "Union added value" award criteria (Article 32), pursue the procurement-of-innovation objective (Article 33), and could use the Experience and Acceleration Centres for AI (Article 5).

Detail

CADA, COM(2026) 502 final, is a proposed Regulation. As proposed it would be directly applicable in Belgium — no national transposition — so public bodies would apply the rules as written once it enters into force. Compliance rests on three pillars: alignment with the national strategy, risk-based procurement by assurance level, and use of the support structures.

National strategy and the "AI first" principle

As proposed in Article 7, Belgium would establish a national cloud and AI strategy within one year of entry into force. Under Article 7(2)(a) its objectives must be in line with the "AI first" principle — which, per the proposal's recitals, is the principle defined in the Apply AI Strategy, urging organisations to reflect on their business processes by considering the opportunities of AI while taking potential risks into account. Article 7(2)(b) requires measures to accelerate adoption among public bodies, SMEs and SMCs, and Article 7(2)(c) requires measures for AI in strategic sectors such as healthcare, energy and mobility. Belgian contracting authorities would be expected to align their own plans with these national priorities; under Article 7(4) the strategy must contribute to the Digital Decade targets in Decision (EU) 2022/2481.

Procurement obligations and Union assurance levels

Article 30 establishes mandatory procurement requirements tied to the four Union assurance levels.

Baseline — level 1 (Article 30(2)). Union entities and public sector bodies whose activities have not been identified as contributing to public order under the Article 29 risk assessment must use services recognised at Union assurance level 1.

Higher levels for public order (Article 30(3)). Contracting authorities whose activities have been identified as contributing to public order — in sectors under Annex I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement — must only procure services recognised at level 2, 3 or 4.

Risk assessments (Article 29). The level turns on the risk assessment Member States and Union entities must carry out within one year of entry into force, and thereafter every two years or whenever necessary (Article 29(1)). It identifies public-order activities and determines the appropriate level (2, 3 or 4), considering aspects in Article 29(2) such as the sensitivity, criticality and magnitude of the data, the risk of unlawful third-country access, and the risk of service disruption. Several features of Article 29 matter in practice for Belgian buyers. Where responsibilities are shared between a Union entity and a Member State, they may carry out the assessment jointly (Article 29(1)). The Commission specifies the methodology, templates and elements by implementing act, including how the highest assurance level is used for the most critical activities, such as defence (Article 29(3)); and if the Commission concludes that the level a Member State identified is not appropriate, it may specify the needed level by implementing act (Article 29(5)). Finally, Article 29(9) directs Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement.

Migration where the assessment requires it (Article 29(6)). If a risk assessment requires migrating to another cloud service, the migration must take place within a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability. For Belgian bodies already on a service that the assessment finds inadequate, this is a hard outer limit, so exit and portability terms should be addressed in contracts now rather than at migration time.

Union added value and procurement of innovation

Under Article 32, in procurement for innovative cloud services and AI systems, contracting authorities must include non-price award criteria evaluating the tenderer's contribution to a European cloud and AI ecosystem. Article 32(3) lists what these may assess — contribution to the Union digital-technology supply chain (including Union-designed or -manufactured software or hardware), integration of Union-developed technologies, and delivery through critical hardware components designed and/or manufactured in the Union to the greatest extent feasible. Under Article 32(2) the criteria must be linked to the subject matter, must not confer unrestricted freedom of choice, must be set out in the procurement documents, and must be ancillary and not decisive.

Article 33 requires Member States to monitor and report on procurement of innovation in cloud and AI, to pursue the objective that at least 25% of such procurement be awarded to innovative SMEs (Article 33(4)), and to include in the national strategy plans for achieving it. Article 33(3) obliges Member States to report annually to the Commission on the size of participating economic operators, SME participation trends (including the number and value share of contracts awarded to SMEs and, where available, cross-border SME participation), and measures taken to improve SME access. Article 33(5) asks Union entities and contracting authorities to promote preliminary market consultations, matchmaking between public buyers and European SMEs and start-ups, and SME-favourable contract clauses. For a Belgian contracting authority, these are not abstract aspirations: the data you record on each tender feeds the national reporting, so capturing supplier size and SME outcomes should be built into the procurement workflow from the start.

Experience and Acceleration Centres for AI

Under Article 5, each Member State, including Belgium, establishes Experience and Acceleration Centres for AI ("Centres for AI"), building on the European Digital Innovation Hubs. Article 5(3) tasks them with helping organisations accelerate digital transformation — including by connecting them with European cloud and AI providers — and with providing access to upskilling and reskilling. Belgian public bodies can use them for expertise, testing and skills support.

Finding recognised services

A recognition decision under Article 17 is Union-wide: once an evaluating authority recognises a service and no other Member State's authority objects within the review period, the service is recognised throughout the Union at the relevant assurance level. The proposal also envisages a central repository of recognised services (referenced in the derogation in Article 30(4)). For a Belgian buyer, the practical consequence is that you would not be limited to providers recognised in Belgium: you could rely on any service recognised at the required level anywhere in the Union, which widens the field of compliant offers — and makes "is this service recognised, and at what level?" the threshold question in any tender.

What this means for you

For procurement officers and digital leaders in Belgian public bodies, CADA would mean a sovereignty-aware purchasing model:

1. Conduct risk assessments. Classify your activities under Article 29 — this decides whether you need level 1 or levels 2–4.
2. Verify assurance levels. Require bidders to demonstrate recognition at the required level. For level 1 this rests on an EU statement of conformity; for levels 2–4 it rests on an independent audit report and a positive audit opinion (Article 17).
3. Align with the national strategy. Reflect the "AI first" principle in service design.
4. Use the added value criteria. Apply Article 32 criteria, keeping them ancillary and non-decisive.
5. Engage the Centres for AI. Use them (Article 5) for guidance, upskilling and access to European providers.
6. Plan exits before you need them. Where a future risk assessment forces a migration, Article 29(6) caps the transition at 12 months. Build data-portability and exit terms into contracts now so that a forced migration is an engineering exercise rather than a contractual dispute.
7. Record the data the reporting needs. Because Article 33(3) requires annual reporting on supplier size and SME outcomes, capture that information per tender as a matter of routine rather than reconstructing it later.

A word on sequencing: the obligations do not all bite at once. The risk-assessment, strategy and authority-designation duties are tied to dates measured from entry into force, while the procurement obligations operate whenever you next run a relevant tender. Mapping your pipeline of upcoming cloud and AI procurements against those dates is the most reliable way to avoid being caught mid-tender by a newly applicable requirement.

Common misconceptions

• "CADA replaces the AI Act." No. They are presented as complementary: the AI Act addresses the AI systems themselves, while CADA addresses the cloud infrastructure, sovereignty and procurement that enable their deployment. A public body would comply with both.
• "All public-sector cloud must be level 4." No. Article 30(2) sets level 1 as the baseline; higher levels apply only to activities identified under Article 29 as contributing to public order.
• "Union added value criteria can override price." No. Article 32(2) requires them to be ancillary and not decisive.
• "SMEs are exempt from sovereignty requirements." No — all providers must meet the assurance-level criteria to be procured — but Article 17(3) provides that an EU statement of conformity issued by an SME for level 1 is directly and automatically recognised in all Member States without prior recognition by the evaluating national competent authority.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.