What must public-sector bodies in Bulgaria do to comply with CADA?

Summary Public-sector bodies in Bulgaria must align their digital transformation with the proposed Cloud and AI Development Act (CADA) by adhering to national strategies that prioritize the "AI first" principle, utilizing designated Experience and Acceleration Centres for AI, and strictly following sovereignty-based procurement rules. As proposed, the regulation requires Bulgarian authorities to conduct risk assessments to determine the necessary Union assurance levels for cloud services, mandate the use of recognized sovereign services for activities affecting public order, and apply European added value criteria when procuring innovative cloud and AI solutions. Compliance is a continuous cycle of strategic alignment, risk management, and rigorous procurement evaluation.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a comprehensive framework designed to strengthen the European Union's cloud and AI ecosystem. For public-sector bodies in Bulgaria, the regulation shifts the focus from mere digital adoption to strategic autonomy, requiring entities to integrate sovereignty and security into their core procurement and operational practices. Compliance is not a single administrative task but a continuous process involving strategic alignment with national roadmaps, risk management, and rigorous procurement evaluation.

National Strategy and the "AI First" Principle

The foundation of public-sector compliance under CADA lies in the alignment with national cloud and AI strategies. Under Article 7, Member States are obligated to establish national cloud and AI strategies within one year of the regulation's entry into force. These strategies must include key objectives for cloud and AI adoption, explicitly incorporating the "AI first" principle. As defined in the proposal, this principle "urges organisations to reflect on their business processes, considering the needs of an opportunities offered by AI, while taking into consideration the potential risks."

For Bulgarian public bodies, this means that digital transformation plans cannot exist in a vacuum. They must be consistent with the national strategy notified to the European Commission. The national strategy serves as the roadmap for achieving the EU's digital targets, such as the adoption of cloud computing services by at least 75% of enterprises. Public-sector bodies in Bulgaria are expected to leverage these strategies to accelerate the development and adoption of cloud and AI at national, regional, and local levels. This includes supporting the deployment of data centre capacity and investing in high-intensity computing infrastructure, such as AI factories, which are identified as strategic national assets. The strategy must also include measures to support the deployment of data centre capacity, adhering to high environmental and energy-efficiency standards, and measures to invest in high-intensity computing infrastructure.

Procurement Obligations and Sovereignty Levels

The most direct operational impact of CADA on Bulgarian procurement officers is found in Article 30, which sets out strict rules for the public procurement of cloud computing services. The regulation establishes a tiered system of "Union assurance levels" (1 through 4) based on the sovereignty and security guarantees of the cloud service.

Article 30 mandates that contracting authorities, including Bulgarian public bodies, must procure cloud computing services that have been recognized as offering at least Union assurance level 1 as a minimum baseline. This level requires that the service provider is established in the Union, infrastructure is located in the Union, and data remains exclusively within the Union unless explicitly required otherwise by the public sector body.

However, the requirements tighten significantly for activities deemed to contribute to the preservation of public order. Member States, including Bulgaria, are required to carry out risk assessments under Article 29 to identify which public-sector activities fall into critical sectors such as national security, internal security, external border management, defence, justice, or law enforcement. For these identified activities, Article 30 stipulates that contracting authorities must only procure cloud computing services that have been recognized as having a Union assurance level 2, 3, or 4.

These higher levels impose stricter criteria. For instance, Annex II specifies that for Union assurance level 3, personnel involved in the provision of the service must be Union citizens, and the service must obtain a European cybersecurity certificate of at least assurance level 'substantial'. For Union assurance level 4, the cybersecurity certificate must be of at least assurance level 'high'. Crucially, for levels 3 and 4, the provider and its subcontractors must not be subject to the control of a third country, unless the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. This mechanism allows for a derogation where a third country has implemented specific safeguards ensuring no risk of unauthorized access or service disruption.

Union Added Value and Innovation Procurement

Beyond sovereignty, CADA encourages the strengthening of the European digital supply chain through Article 32. When procuring innovative cloud computing services and AI systems, Bulgarian contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. These "Union added value" criteria may assess:

• The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the EU.
• The integration of technologies developed in the Union, including results from EU-funded research.
• The contribution of the innovation to strengthening the security of supply.

These criteria must be "ancillary and not decisive in the award of the contract," ensuring that technical and financial performance remain primary. However, they provide a legal mechanism for Bulgarian authorities to favor European providers and reduce dependency on non-EU incumbents.

Furthermore, Article 33 imposes monitoring obligations. Member States must monitor and report on their use of procurement of innovation in cloud and AI. They are urged to take measures to improve SME access to procurement markets, with a specific objective to award at least 25% of procurement for cloud computing services and AI systems to innovative SMEs. This requires Bulgarian authorities to actively report on SME participation trends and implement strategies to lower barriers for smaller European innovators.

Role of Experience and Acceleration Centres for AI

To support this transition, Article 5 establishes a network of Experience and Acceleration Centres for AI (Centres for AI). Built upon the existing network of European Digital Innovation Hubs, these centres are tasked with accelerating the broad adoption of cloud and AI technologies at regional and local levels. For Bulgarian public-sector bodies and SMEs, these centres serve as critical entry points. They provide expertise, testing environments, and access to upskilling schemes. Public bodies are encouraged to connect with these centres to accelerate their digital transformation, access European providers of cloud and AI technologies, and facilitate the transfer of expertise across regions. The Centres for AI are specifically tasked with helping organisations accelerate their digital transformation through access to and use of AI technologies, including by connecting organisations with European providers of cloud and AI technologies.

What this means for you

For procurement officers and digital leaders in Bulgarian public-sector bodies, the proposed CADA requires a fundamental shift in how cloud and AI services are evaluated and purchased.

1. Conduct Risk Assessments: You must participate in or align with the national risk assessments mandated by Article 29 to determine which of your department's activities are linked to public order. If your activities involve justice, law enforcement, or critical infrastructure, you cannot simply buy the cheapest cloud service; you must procure from providers recognized at Union assurance levels 2, 3, or 4.
2. Update Procurement Criteria: Your tender documents for innovative cloud and AI services must now include "Union added value" criteria as per Article 32. You need to develop evaluation metrics that assess the European origin of hardware, software, and development efforts. This does not replace technical evaluation but adds a layer of strategic assessment.
3. Leverage Local Support Structures: Utilize the Experience and Acceleration Centres for AI in Bulgaria. These centres, supported by Article 5, can help you navigate the technical complexities of sovereign cloud adoption, provide access to testing environments for AI models, and connect you with European SMEs who can offer innovative, compliant solutions.
4. Monitor and Report: Be prepared to monitor your procurement activities for innovation and SME participation, as required by Article 33. You will need to report on the share of contracts awarded to SMEs and the measures taken to facilitate their participation, aiming for the 25% target for innovative SMEs.
5. Align with National Strategy: Ensure your department's digital roadmap is consistent with Bulgaria's national cloud and AI strategy. This alignment is not optional; it is a prerequisite for accessing funding and ensuring that your adoption of AI follows the "AI first" principle while managing associated risks.

Common misconceptions

Misconception 1: CADA bans the use of non-EU cloud providers entirely. This is incorrect. CADA does not impose a blanket ban on non-EU providers. Instead, it establishes a risk-based framework. Non-EU providers may still supply services for low-risk activities if they meet the criteria for Union assurance level 1 (which requires establishment and data localization in the EU). For higher-risk activities, the barriers are significantly higher, effectively limiting access to providers that can demonstrate strict sovereignty and autonomy from third-country control. A derogation for third-country control at Level 3 is possible only if the Commission adopts an implementing act under Article 18.

Misconception 2: "Union added value" is a decisive factor in awarding contracts. Under Article 32, the Union added value criteria are explicitly "ancillary and not decisive." They are part of the quality evaluation but cannot override the core technical and financial criteria. The goal is to nudge the market toward European supply chains, not to block competition based solely on origin if the technical performance is inferior.

Misconception 3: Only large central government bodies need to comply. CADA applies to all "contracting authorities" and "public sector bodies" as defined in the regulation. This includes regional and local authorities, as well as bodies governed by public law. The requirement to use Union assurance level 1 as a minimum applies across the board, ensuring a consistent baseline of security and sovereignty throughout the Bulgarian public sector.

Misconception 4: Compliance is a one-time check. Compliance is ongoing. Article 29 requires risk assessments to be carried out every two years, or whenever necessary. Additionally, Article 33 requires annual monitoring and reporting of procurement innovation and SME participation. Public bodies must continuously update their strategies and procurement practices in line with the evolving national strategy and EU guidance.

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.