Summary
Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Cyprus must align their cloud and AI procurement with a new EU-wide sovereignty framework. This requires conducting risk assessments to determine the necessary "Union assurance level" for services and mandating at least Union assurance level 1 for all public cloud contracts. Additionally, Cyprus must implement a national cloud and AI strategy that promotes the "AI first" principle, while procurement officers must integrate EU added value criteria and leverage Experience and Acceleration Centres for AI to support adoption among public bodies and SMEs.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. For public-sector bodies in Cyprus, the regulation introduces binding obligations that shift procurement from a purely cost-driven model to one prioritizing technological sovereignty, security, and the strategic development of European AI capabilities. Compliance involves three primary pillars: strategic alignment under Article 7, sovereign procurement under Article 30, and the utilization of support infrastructure via Article 5.
The Role of the National Cloud and AI Strategy (Article 7)
Compliance begins at the strategic level. Under Article 7, Cyprus, like all Member States, is required to establish a national cloud and AI strategy within one year of the regulation's entry into force. This strategy serves as a binding roadmap dictating how public bodies adopt digital technologies.
The national strategy must explicitly include the "AI first" principle. As defined in the proposal, this principle urges organizations to "reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For Cypriot public-sector bodies, this means digital transformation initiatives must proactively evaluate AI integration rather than treating it as an afterthought. The strategy must also outline measures to accelerate cloud and AI adoption at national, regional, and local levels, with a specific focus on supporting public sector bodies, SMEs, and small mid-caps.
Furthermore, Article 7(2)(b) mandates that the national strategy support the "Experience and Acceleration Centres for AI" (Centres for AI) as entry points to the European AI innovation ecosystem. These centres, which build on existing European Digital Innovation Hubs, are tasked with helping organizations accelerate their digital transformation. For public bodies in Cyprus, this implies a shift in how they seek technical advice and implementation support; rather than relying solely on external commercial vendors, they are expected to engage with these designated centres to access expertise, testing facilities, and upskilling schemes. The Centres for AI are specifically tasked with "helping organisations accelerate their digital transformation through access to and use of AI technologies, including by connecting organisations with European providers of cloud and AI technologies."
Procurement Obligations and the Sovereignty Framework (Article 30)
The most direct operational impact on Cypriot public procurement officers comes from Article 30, which establishes mandatory procurement rules based on the Union cloud computing sovereignty framework. This framework categorizes cloud services into four "Union assurance levels" based on their trustworthiness and sovereignty guarantees.
Article 30(2) sets a baseline requirement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1. This creates a mandatory floor for all standard public cloud contracts in Cyprus. Public bodies cannot procure cloud services that do not meet this minimum assurance standard, which requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union (unless explicitly required otherwise by the public body).
For more sensitive operations, Article 30(3) imposes stricter requirements. Contracting authorities whose activities are identified as contributing to the preservation of public order (such as those in national security, internal security, external border management, defence, justice, or law enforcement) must only procure services recognized as offering Union assurance levels 2, 3, or 4. These higher levels involve stricter criteria, including requirements for Union citizenship for personnel, higher cybersecurity certification standards, and stricter controls on third-country influence.
To determine which level applies, public bodies must rely on risk assessments. Article 29 requires Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to public order and to determine the appropriate Union assurance level. These assessments must consider the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by third countries. Cypriot authorities must therefore integrate these risk assessments into their procurement planning process before issuing tenders.
Union Added Value and Innovation Procurement (Articles 32–33)
Beyond sovereignty levels, Article 32 introduces "Union added value" as a non-price award criterion in public procurement procedures for innovative cloud computing services and AI systems. Cypriot contracting authorities must include criteria that evaluate a tenderer's contribution to the development of a European cloud and AI ecosystem. This includes assessing the extent to which the tenderer strengthens the digital supply chain in the Union, integrates technologies developed in the Union, and delivers services using hardware components designed or manufactured in the Union.
While these criteria must be ancillary and not decisive in the award of the contract, they signal a clear policy direction: public money should foster European technological sovereignty. Procurement officers in Cyprus will need to adjust their tender documentation to include these qualitative, non-price elements, ensuring they are linked to the subject matter of the contract and expressly set out in the procurement documents.
Additionally, Article 33 sets an objective for Member States to ensure that at least 25% of their procurement for cloud computing services and AI systems is awarded to innovative SMEs. To achieve this, Cyprus must monitor and report on its use of procurement of innovation, identifying barriers to SME participation and promoting simplified, proportionate procurement strategies. This aligns with the broader goal of supporting smaller European providers and reducing dependence on large, non-EU hyperscalers.
What this means for you
For public-sector and procurement officers in Cyprus, CADA introduces a structured, compliance-heavy approach to cloud and AI adoption. Here is how you should prepare:
- Review National Strategy Alignment: Ensure your department's digital roadmap aligns with Cyprus's national cloud and AI strategy. Specifically, adopt the "AI first" principle by evaluating how AI can optimize your core public services. Engage with the designated Experience and Acceleration Centres for AI in Cyprus for technical guidance, rather than proceeding directly to procurement without expert consultation.
- Conduct Mandatory Risk Assessments: Before procuring any cloud service, conduct a risk assessment as outlined in Article 29. Determine if your activities relate to public order (e.g., justice, border control, critical infrastructure). If they do, you must procure services with Union assurance levels 2, 3, or 4. If not, you must still ensure the provider meets Union assurance level 1.
- Update Tender Documentation: Revise your procurement templates to include Union added value criteria (Article 32). Clearly define how you will evaluate a bidder's contribution to the European digital supply chain. Ensure these criteria are non-price, linked to the contract subject, and ancillary to technical and financial criteria.
- Prioritize SMEs: Implement measures to facilitate SME participation in your AI and cloud procurements. Aim for the 25% target for innovative SMEs (Article 33) by dividing contracts into lots, simplifying administrative requirements, and promoting matchmaking between public buyers and European SMEs.
- Verify Assurance Levels: When evaluating bids, verify that the proposed cloud provider is registered in the central repository of recognized services and holds the appropriate Union assurance level. Do not accept services that lack this formal recognition, as they would be non-compliant with Article 30.
Common misconceptions
- "CADA bans non-EU cloud providers entirely." This is incorrect. CADA does not ban non-EU providers outright. Instead, it creates a tiered sovereignty framework. Non-EU providers can still compete if they meet the strict criteria for Union assurance levels, particularly if the third country has an adequacy decision and specific safeguards are in place (Article 18). However, for public order-critical services, the barriers are significantly higher, effectively limiting options to providers with strong EU sovereignty guarantees.
- "The 'AI first' principle means every process must use AI." The "AI first" principle, as referenced in Article 7, is about reflection and consideration, not mandatory deployment. It urges organizations to consider the opportunities and risks of AI in their business processes. It does not require forcing AI into contexts where it adds no value or poses disproportionate risk.
- "Union added value criteria will override price in procurement." No. Article 32(2)(d) explicitly states that Union added value criteria must be "ancillary and not decisive in the award of the contract." They are part of the quality evaluation but cannot override the core technical and financial criteria that determine the best overall tender.
- "SMEs are exempt from sovereignty requirements." While CADA provides some streamlined processes for SMEs (e.g., automatic recognition of Union assurance level 1 statements for SMEs under Article 17(3)), they are not exempt from the underlying sovereignty criteria. SMEs must still meet the technical and legal requirements for the assurance level they are seeking recognition for.
This is general information about a draft EU regulation, not legal advice.