CADA in Croatia

Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Croatia must align their digital transformation with a national strategy driven by the 'AI first' principle, mandated within one year of the Regulation's entry into force. Procurement obligations are strictly risk-based: general activities require Union assurance level 1 services, while activities preserving public order (e.g., law enforcement, justice) must procure only level 2, 3, or 4 services. Additionally, Croatian contracting authorities must apply Union added value criteria to support the European ecosystem and aim to award at least 25% of cloud and AI innovation contracts to SMEs. To navigate these requirements, public bodies should leverage the newly established Experience and Acceleration Centres for AI as primary entry points for expertise, testing, and provider connections.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a unified framework to strengthen Europe's cloud and AI ecosystem, directly imposing new obligations on Member States and their public-sector bodies. For Croatia, compliance involves a three-pronged approach: strategic alignment through a national plan, risk-based procurement of sovereign cloud services, and active engagement with support structures designed to accelerate AI adoption. As a draft Regulation, these measures "would" apply once adopted, requiring Croatian authorities to prepare for a shift from purely cost-driven procurement to sovereignty-driven digital governance.

The National Strategy and the 'AI First' Principle

The cornerstone of CADA compliance for Croatia is the development of a national cloud and AI strategy. Article 7(1) of the proposal mandates that Member States establish such strategies within one year of the Regulation's entry into force. For Croatia, this means the government must produce a strategic document that outlines key objectives, priorities, and a governance framework specifically for cloud and AI adoption.

Crucially, Article 7(2)(a) requires that these national strategies explicitly include the 'AI first' principle. As defined in the proposal, this principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For Croatian public bodies, this shifts the paradigm from reactive digitization to proactive AI integration. It implies that before deploying any new digital solution, the public sector must first assess whether AI can optimize the process, provided risks are managed.

The strategy must also include concrete measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, with a specific focus on public sector bodies, SMEs, and small mid-caps (Article 7(2)(b)). Furthermore, the strategy must be consistent with CADA's objectives and contribute to the digital targets set under the Digital Decade Policy Programme (Article 7(4)). Croatia is required to notify the Commission of its strategy within three months of adoption and assess it at least every three years (Article 7(5)). This ensures that Croatian initiatives are not isolated but part of a coordinated Union-wide push for technological sovereignty and competitiveness.

Procurement Obligations: Risk Assessments and Assurance Levels

The most immediate operational impact on Croatian public-sector bodies lies in procurement. CADA introduces a rigorous, risk-based approach to determining which cloud computing services can be procured. This mechanism is designed to safeguard the Union's public order and reduce dependencies on third-country providers.

Article 29 requires Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine which Union assurance level (2, 3, or 4) is appropriate for specific activities. The scope includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).

Based on these risk assessments, Article 30 imposes strict procurement rules that Croatian contracting authorities must follow:

1. General Public Sector Activities: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having Union assurance level 1 (Article 30(2)). This serves as the mandatory baseline for all public cloud usage in Croatia.
2. Public Order-Relevant Activities: Contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognized as having Union assurance level 2, 3, or 4 (Article 30(3)).

This creates a mandatory sovereignty floor. Croatian public bodies cannot simply choose the cheapest or most convenient provider; they must select providers formally recognized under the CADA framework. Exceptions are permitted only on an exceptional basis where duly justified, such as when no recognized service is available in the central repository, no adequate alternative exists, or applying the requirements would result in disproportionate cost (Article 30(4)).

Union Added Value and Innovation Procurement

Beyond the sovereignty levels, CADA introduces new evaluation criteria to steer the market toward European solutions. Article 32 requires contracting authorities to include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. For Croatian procurement officers, this means adding "Union added value" as a mandatory component of the quality evaluation for tenders involving innovative cloud computing services and AI systems.

Specifically, authorities must evaluate the extent to which:

• The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The tenderer has integrated technologies developed in the Union, including results from Union-funded research and development programmes.
• The innovation required to deliver the service strengthens the security of supply and the development of a European cloud and AI ecosystem.
• The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union (Article 32(3)).

These criteria must be ancillary and not decisive in the award of the contract, ensuring they do not override technical and financial criteria but still effectively steer the market toward European solutions (Article 32(2)).

Furthermore, Article 33 focuses on the procurement of innovation. Member States must monitor and report on their use of such procurement. Croatia is expected to aspire to award at least 25% of its procurement for cloud computing services and AI systems to innovative SMEs (Article 33(4)). This requires Croatian public bodies to design procurement strategies that are accessible to smaller European providers, potentially through dividing contracts into lots and promoting preliminary market consultations (Article 33(5)).

Role of Experience and Acceleration Centres for AI

To support public bodies and SMEs in meeting these complex obligations, CADA establishes Experience and Acceleration Centres for AI ('Centres for AI'). Article 5 requires each Member State, including Croatia, to establish these Centres, building on existing European Digital Innovation Hubs.

For Croatian public-sector bodies, these Centres serve as critical entry points for the European AI innovation ecosystem. Their objectives include supporting the integration and scaling-up of AI use cases in strategic public sectors and accelerating the broad adoption of cloud and AI technologies at regional and local levels (Article 5(2)).

Specifically, Centres for AI are tasked with:

• Helping organizations accelerate their digital transformation by connecting them with European providers of cloud and AI technologies (Article 5(3)(a)).
• Ensuring or providing access to relevant upskilling and reskilling schemes, in close collaboration with the AI Skills Academy (Article 5(3)(b)).
• Supporting the scaling-up of spin-offs and start-ups emerging from universities and incubators (Article 5(3)(d)).

Croatian public bodies should leverage these Centres to gain expertise, testing support, and skills training, thereby reducing the barrier to entry for adopting sovereign and innovative cloud and AI solutions. The Centres act as the operational bridge between the high-level national strategy and the practical implementation of procurement and AI adoption.

What this means for you

For public-sector and procurement officers in Croatia, the proposed CADA introduces a structured, compliance-heavy framework for digital procurement. Here is what you need to prepare for:

1. Align with National Strategy: Ensure your organization's digital transformation plans align with Croatia's national cloud and AI strategy. Adopt the 'AI first' mindset by evaluating how AI can optimize your specific public services while managing risks, as required by Article 7.
2. Conduct Risk Assessments: Work with national authorities to determine if your specific activities contribute to the preservation of public order. This classification will dictate whether you are mandated to procure Union assurance level 1 services or higher levels (2, 3, or 4) under Article 30.
3. Update Procurement Criteria: Revise tender documents to include Union added value criteria as per Article 32. Ensure you are evaluating bidders on their contribution to the European digital supply chain and the use of Union-designed hardware/software. Remember, these criteria must be ancillary, not decisive.
4. Prioritize SME Innovation: Aim to award at least 25% of cloud and AI procurement to innovative SMEs. Use tools like lot division and preliminary market consultations to make your tenders more accessible to smaller European providers, as encouraged by Article 33.
5. Engage with Centres for AI: Utilize the national Experience and Acceleration Centres for AI for technical support, training, and connections to European providers. These Centres are your primary resource for navigating the new sovereignty requirements and AI integration challenges under Article 5.

Common misconceptions

• Misconception: CADA replaces the AI Act or GDPR.
  • Reality: CADA complements existing laws. It focuses on sovereignty, procurement, and infrastructure deployment, while the AI Act regulates the safety and fundamental rights aspects of AI systems, and GDPR protects personal data. You must comply with all three.
• Misconception: Union added value criteria will decide the contract award.
  • Reality: Article 32(2)(d) explicitly states that Union added value criteria must be "ancillary and not decisive in the award of the contract." They are part of the quality evaluation but do not override core technical and financial requirements.
• Misconception: Only large hyperscalers can meet Union assurance levels.
  • Reality: The framework is designed to foster a diverse set of European providers. SMEs and smaller EU-based providers can achieve recognition, especially through the support of Centres for AI and simplified procedures for SMEs in some contexts.
• Misconception: Public bodies can ignore risk assessments if they don't handle classified data.
  • Reality: Article 29 requires risk assessments for all public sector activities using cloud services to determine if they contribute to public order. This includes sectors like healthcare, transport, and justice, not just defense. Even if not classified, the nature of the data and its criticality matters.
• Misconception: The 'AI first' principle means AI must be used in every process.
  • Reality: The principle requires organizations to reflect on their processes and consider AI opportunities while weighing risks. It is a strategic mandate to evaluate potential, not a mandate to force AI where it is unsuitable.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• CADA compliance for Denmark: National strategy, procurement rules & AI Centres
• CADA compliance for Malta: National strategy, procurement and AI centres
• CADA Deadlines for Croatia: Acceleration Zones, National Strategy & Competent Authorities
• CADA in Latvia: National Strategy, Public Procurement & AI First Compliance
• CADA compliance for Italy: National strategy, procurement & AI first

This is general information about a draft EU regulation, not legal advice.