What must public-sector bodies in Czechia do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Czechia must align their digital procurement with a new EU-wide sovereignty framework. As proposed, Czechia must adopt a national cloud and AI strategy within one year of entry into force, embedding the 'AI first' principle to drive adoption. Public bodies will face tiered procurement obligations: a baseline of Union Assurance Level 1 for general use, and Levels 2, 3, or 4 for activities preserving public order (e.g., justice, defence). Compliance requires conducting risk assessments, applying Union added value criteria in tenders to support the European supply chain, and leveraging Experience and Acceleration Centres for AI as entry points for technical support and SME engagement.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a structural shift in how the EU approaches cloud infrastructure and AI adoption. Unlike previous regulations that focused primarily on data protection or market competition, CADA targets technological sovereignty and strategic autonomy. For public-sector bodies in Czechia, this translates into a rigorous set of obligations regarding national strategy, procurement standards, and the use of support ecosystems.

The National Strategy and the 'AI First' Principle (Article 7)

The foundation of CADA's implementation in any Member State is the national strategy. Article 7 imposes a strict timeline: Czechia must establish a national cloud and AI strategy within one year of the regulation's entry into force. This is not a voluntary policy statement but a binding operational roadmap.

The strategy must explicitly include the 'AI first' principle, as defined in the Apply AI Strategy and referenced in Article 7(2). This principle urges organisations to "reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account the potential risks." For Czech public bodies, this means that AI adoption cannot be an afterthought; it must be a primary consideration in digital transformation projects.

The national strategy must also detail measures to:

• Accelerate cloud and AI adoption at national, regional, and local levels, specifically targeting public sector bodies, SMEs, and small mid-caps.
• Support the deployment of data centre capacity and high-intensity computing infrastructure (e.g., AI factories, quantum computers).
• Invest in cloud computing stack technologies built upon open hardware and software to strengthen sovereignty.

Crucially, Article 7(6) mandates that the European Artificial Intelligence Board (AI Board) will advise and assist Czech authorities in coordinating these strategies. This ensures that Czechia's national approach remains consistent with Union-wide objectives and facilitates the exchange of best practices across Member States.

Procurement Obligations: The Sovereignty Framework (Articles 29 & 30)

CADA introduces a mandatory, tiered procurement framework based on the Union cloud computing sovereignty framework. The level of assurance required depends entirely on the nature of the public sector activity.

1. The Baseline: Union Assurance Level 1 Under Article 30(2), all Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must procure cloud computing services recognised as having at least Union Assurance Level 1.

• What this means: Providers must be established in the Union, with infrastructure and assets located in the Union. Customer data must remain exclusively within the Union.
• Czech Context: General administrative services, non-sensitive public registries, and standard digital services would likely fall under this baseline, provided a risk assessment confirms they do not impact public order.

2. The Enhanced Requirement: Levels 2, 3, or 4 For activities identified as contributing to the preservation of public order, Article 30(3) imposes a stricter mandate. Contracting authorities must only procure services recognised as having Union Assurance Level 2, 3, or 4.

• Scope: This applies to sectors falling under Annex I or II of the NIS2 Directive, and specifically to areas of national security, internal security, external border management, defence, justice, or law enforcement.
• Risk Assessment: The determination of which activities require higher assurance levels is not arbitrary. Under Article 29, Czechia and its Union entities must conduct risk assessments to identify these activities. These assessments must consider the sensitivity of data, the risk of unlawful third-country access, and the risk of service disruption.
• Migration: If a risk assessment dictates a higher assurance level than the current provider offers, Article 29(6) requires migration within a reasonable transition period not exceeding 12 months.

Union Added Value and Innovation (Articles 32 & 33)

Beyond sovereignty, CADA seeks to reshape the European market by incentivising the use of European technology. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud and AI services.

Union Added Value Criteria: Under Article 32(3), Czech public bodies must evaluate the extent to which a tenderer:

• Contributes to strengthening the digital technology supply chain in the Union (e.g., using hardware/software designed or manufactured in the EU).
• Integrates technologies developed in the Union, including results from Union-funded R&D.
• Delivers services using critical computing, storage, and networking hardware components designed or manufactured in the Union.

Crucial Constraint: Article 32(2) explicitly states that these criteria must be "ancillary and not decisive." They cannot override technical and financial criteria directly connected to performance. They serve to break ties or add value, not to disqualify a technically superior non-EU solution unless the technical criteria are met.

Innovation and SMEs (Article 33): Czechia must also monitor its procurement of innovation. Article 33(4) sets a specific objective: Member States should pursue the goal that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. To achieve this, public bodies are encouraged to use preliminary market consultations and divide contracts into lots to make them accessible to smaller European providers.

Support Infrastructure: Experience and Acceleration Centres for AI (Article 5)

Recognising that compliance requires technical expertise, CADA mandates the establishment of Experience and Acceleration Centres for AI ('Centres for AI') in every Member State under Article 5.

• Role: These Centres, built on existing European Digital Innovation Hubs (EDIHs), act as regional and local accelerators.
• Function for Public Bodies: They provide support for digital transformation, access to AI technologies, and connections with European cloud and AI providers.
• SME Focus: They are specifically tasked with helping SMEs and public sector bodies navigate the adoption of AI and cloud technologies.
• Entry Points: For Czech public bodies, these Centres are the primary entry points to the European AI innovation ecosystem. They can assist in interpreting the 'AI first' principle, identifying suitable sovereign providers, and facilitating the upskilling of staff required to manage new AI-driven workflows.

What this means for you

For procurement officers, IT directors, and policy leaders in Czech public administration, CADA as proposed requires immediate strategic preparation.

1. Align with the National Strategy: Monitor the development of Czechia's national cloud and AI strategy. Ensure your department's digital roadmap aligns with the 'AI first' principle and the specific measures outlined in the national strategy once adopted.
2. Participate in Risk Assessments: Engage with the national authorities conducting the Article 29 risk assessments. Determine whether your specific activities (e.g., tax collection, social services, law enforcement) are classified as contributing to the preservation of public order. This classification dictates your procurement baseline (Level 1 vs. Levels 2-4).
3. Revise Tender Specifications: Update procurement documents to include Union added value criteria as required by Article 32. While these cannot be the sole deciding factor, they must be explicitly evaluated. Ask bidders to demonstrate their contribution to the European supply chain, such as the use of EU-manufactured hardware or integration of EU-developed software.
4. Target SMEs: Review your procurement pipeline to ensure you are meeting the 25% SME target for innovative cloud and AI projects. Consider splitting large contracts into smaller lots and engaging in preliminary market consultations to attract European SMEs.
5. Engage with Centres for AI: Proactively contact the Czech Experience and Acceleration Centres for AI. Use them as a resource for technical guidance, provider matchmaking, and staff training. They are designed to be the operational bridge between regulatory requirements and practical implementation.
6. Plan for Migration: If your current cloud provider does not meet the required Union Assurance Level, initiate a migration plan immediately. While CADA allows a 12-month transition period, the complexity of moving sovereign data and ensuring continuity requires early action.

Common misconceptions

"CADA bans all non-EU cloud providers." No. CADA does not impose a blanket ban. It establishes a tiered assurance system. While Union Assurance Level 1 requires EU establishment, Union Assurance Level 3 allows for providers subject to third-country control if the Commission adopts an implementing act under Article 18 (often mis-cited as Article 19 in drafts, but the text specifies Article 18 for third-country derogations) confirming the third country provides sufficient safeguards (e.g., adequacy decisions and no extraterritorial access risks). However, for most public order activities, the preference is for EU-established providers.

"The 'AI first' principle forces us to use AI everywhere." No. The 'AI first' principle, referenced in Article 7, is a strategic mindset. It requires organisations to consider AI opportunities in their business processes. It does not mandate the use of AI where it is inappropriate, inefficient, or poses unacceptable risks. It is about prioritising AI in the planning phase, not a blanket deployment order.

"Union added value criteria can override technical quality." No. Article 32(2) is explicit: non-price criteria must be "ancillary and not decisive." Technical and financial criteria directly connected to the performance of the service remain the primary basis for award. Union added value is a supplementary factor to strengthen the European ecosystem, not a tool to exclude technically superior solutions.

"Only security agencies need to worry about higher assurance levels." No. While security sectors (defence, justice, law enforcement) are explicitly named for Levels 2-4, the baseline Union Assurance Level 1 applies to all public sector bodies. This ensures that even non-sensitive public data remains within the Union and under EU jurisdiction, preventing vendor lock-in and ensuring a baseline of sovereignty across the entire public sector.

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.