Summary

Under the proposed Cloud and AI Development Act (CADA), Estonian public-sector bodies must align their digital transformation with a national strategy that enshrines the 'AI first' principle. Compliance requires a two-step process: first, conducting a risk assessment to determine if an activity contributes to the preservation of public order; second, procuring cloud services at the corresponding Union assurance level (minimum Level 1 for general use, Levels 2–4 for critical public order functions). Authorities must also integrate Union added value criteria into tenders and actively engage with Experience and Acceleration Centres for AI to support adoption and upskilling.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a fundamental shift in how EU public authorities procure and deploy cloud and AI technologies. For Estonia, a nation already deeply integrated into the digital single market, the Act introduces a structured framework to reduce dependencies on third-country providers and safeguard operational autonomy. Compliance is not a passive administrative task but an active strategic process involving national alignment, rigorous risk classification, and specific procurement behaviors.

The Strategic Driver: National Cloud and AI Strategies (Article 7)

The foundation of CADA compliance for Estonian public bodies lies in Article 7, which mandates that Member States establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies are not merely policy documents; they are the binding frameworks that dictate the direction of public-sector digitalization.

For Estonia, the national strategy must explicitly include the 'AI first' principle. As defined in the proposal, this principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." This means that Estonian public authorities cannot treat AI as an optional add-on. When designing new digital services or optimizing existing workflows, the default assumption must be whether AI can enhance efficiency, decision-making, or service delivery.

The strategy must also outline measures to:

  • Accelerate the deployment of AI in strategic sectors such as healthcare, energy, and mobility.
  • Support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Invest in high-intensity computing infrastructure, including AI factories and quantum computers.

Estonian public bodies must align their individual digital roadmaps with these national objectives. This alignment ensures that local procurement decisions contribute to the broader EU goal of reducing external dependencies and fostering a competitive, sovereign European cloud ecosystem.

Procurement Obligations: The Risk-Based Assurance Framework (Article 30)

The most immediate operational impact on Estonian contracting authorities comes from Article 30, which establishes a tiered procurement regime based on the sovereignty and risk profile of the public sector activity. This regime is triggered by the risk assessment required under Article 29.

1. The Baseline: Union Assurance Level 1

For all public-sector activities that have not been identified as contributing to the preservation of public order, Article 30(2) mandates the use of cloud computing services recognized as having Union assurance level 1.

  • Requirements: The provider must be established in the Union, with infrastructure and assets located in the Union. Customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise.
  • Implication: Even for non-critical services, Estonian authorities cannot procure from providers that do not meet this baseline. This effectively excludes providers that cannot guarantee EU establishment and data residency.

2. Critical Public Order Activities: Levels 2, 3, or 4

If a risk assessment determines that an activity contributes to the preservation of public order (specifically in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, internal security, external border management, defense, justice, or law enforcement), Article 30(3) imposes a stricter obligation.

  • Mandatory Higher Levels: Contracting authorities must only procure services recognized as offering Union assurance levels 2, 3, or 4.
  • Level 2: Adds requirements for personnel screening (conditional on public body request), cybersecurity certification (at least "substantial" assurance), and software supply chain transparency.
  • Level 3: Mandates that personnel involved in the service are Union citizens (mandatory, not conditional) and that the provider is not subject to third-country control (with limited derogations under Article 18).
  • Level 4: Imposes the strictest controls, including "high" cybersecurity certification, mandatory Union citizenship for all personnel, and strict separation from third-country subsidiaries.

This tiered approach ensures that the level of protection matches the sensitivity of the data. Estonian authorities must map their services to these risk categories before initiating any procurement procedure.

Union Added Value and Innovation (Articles 32 and 33)

Beyond the mandatory assurance levels, CADA introduces specific criteria to foster the European digital ecosystem.

Article 32 requires contracting authorities to include Union added value as part of the quality evaluation of tenders for innovative cloud computing services and AI systems. This criterion is non-price and ancillary, meaning it cannot be the decisive factor for awarding the contract but must be considered alongside technical and financial criteria.

  • Evaluation Factors: Authorities should assess the tenderer's contribution to strengthening the digital supply chain in the Union, the integration of technologies developed in the Union, and the use of hardware components designed or manufactured in the Union.
  • Weighting: While the proposal allows for a maximum weighting of 15 out of 120 points, the key is that this value must be expressly set out in the procurement documents.

Article 33 focuses on innovation and SME participation. Member States are encouraged to aspire to award at least 25% of their procurement for cloud computing services and AI systems to innovative SMEs. This creates an obligation for Estonian procurement officers to design tenders that are accessible to small and medium-sized enterprises, potentially by dividing contracts into lots and using simplified procedures.

Leveraging Experience and Acceleration Centres for AI (Article 5)

To support this transition, Article 5 mandates the establishment of Experience and Acceleration Centres for AI (Centres for AI) in each Member State. These centers build on the existing network of European Digital Innovation Hubs (EDIHs). For Estonian public-sector bodies, these Centres for AI serve as critical entry points for:

  • Supporting Integration: Helping organizations accelerate their digital transformation through access to AI technologies and connecting them with European providers.
  • Upskilling: Ensuring or providing access to relevant upskilling and reskilling schemes, in close collaboration with the AI Skills Academy.
  • Testing and Validation: Providing infrastructure to accelerate the development and fine-tuning of AI models.
  • Scaling Up: Supporting the scaling-up of spin-offs and start-ups emerging from universities and incubators.

Public-sector bodies are expected to utilize these centers to navigate the complexities of AI adoption, ensuring that their procurement decisions are informed by technical expertise and aligned with the 'AI first' principle.

What this means for you

For Estonian public-sector bodies, procurement officers, and digital transformation leads, CADA introduces a shift from purely cost-driven procurement to risk-based, sovereignty-aware sourcing. Here is your actionable roadmap:

  1. Conduct Mandatory Risk Assessments: Before procuring any cloud or AI service, you must determine if your activity contributes to the preservation of public order. If it does (e.g., law enforcement, border management), you must procure services at Union assurance levels 2, 3, or 4. If it does not, you must still ensure the provider meets Union assurance level 1.
  2. Align with the National Strategy: Review Estonia's national cloud and AI strategy. Ensure your department's digital roadmap explicitly incorporates the 'AI first' principle, actively considering AI solutions for process optimization and service delivery.
  3. Engage with Centres for AI: Proactively engage with the Estonian Experience and Acceleration Centre for AI. Use their resources for technical assessments, staff training, and to identify suitable European providers. This is particularly vital for smaller municipalities or departments lacking in-house AI expertise.
  4. Revise Tender Criteria: Update your procurement templates to include Union added value criteria. Evaluate bids not just on price and technical specs, but on how much they contribute to the EU digital supply chain. Additionally, structure tenders to facilitate SME participation, aiming for the 25% innovation procurement target.
  5. Verify Assurance Levels: When evaluating bids, ensure that providers have the necessary recognition for the required Union assurance level. For levels 2–4, this will involve checking for independent audit reports and positive audit opinions issued by recognized auditing organizations.

Common misconceptions

  • "CADA bans all non-EU cloud providers." This is incorrect. CADA does not ban non-EU providers entirely. It creates a sovereignty framework where providers can be recognized at different assurance levels. Under Article 18, the Commission may recognize third countries as providing sufficient assurances for Union assurance level 3 if they meet specific criteria (e.g., adequacy decisions, no extraterritorial data access laws). However, for critical public order activities, the restrictions are much tighter, effectively limiting options to providers that can prove deep EU sovereignty.
  • "Union assurance level 1 is optional for general services." No. Article 30(2) makes it clear that for public-sector bodies whose activities are not identified as critical to public order, using a service with Union assurance level 1 is the minimum requirement. You cannot procure a service that does not meet this baseline.
  • "Union added value is a decisive criterion." Article 32(2) states that non-price award criteria, including Union added value, must be ancillary and not decisive in the award of the contract. They should complement, not override, technical and financial criteria.
  • "Only large ministries need to comply." CADA applies to all "contracting authorities" and "Union entities." This includes regional and local public bodies, provided they are procuring cloud computing services or AI systems. The obligations scale with the risk and criticality of the activity, but the framework applies broadly.
  • "Personnel must be Union citizens for all levels." This is a common error. Union citizenship for personnel is mandatory only for Levels 3 and 4. For Level 2, it is conditional: the public sector body must explicitly require it. For Level 1, there is no citizenship requirement.


This is general information about a draft EU regulation, not legal advice.