Summary
As proposed, the Cloud and AI Development Act (CADA) would require Finland to adopt a national cloud and AI strategy within one year of the regulation's entry into force, embedding an 'AI first' principle to drive public-sector adoption. Finnish public-sector bodies would be legally obligated to procure only cloud computing services formally recognised under the EU's sovereignty framework, starting with a minimum of Union assurance level 1, and rising to levels 2, 3, or 4 for activities deemed critical to public order. Compliance also mandates the use of Experience and Acceleration Centres for AI as entry points for support and the inclusion of Union added value criteria in innovative procurement to strengthen the European digital supply chain.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. For Finland, as a Member State, compliance involves a multi-layered approach: strategic planning at the national level, rigorous procurement protocols for public bodies, and active engagement with EU-wide support networks. The regulation aims to reduce dependency on third-country providers while fostering a competitive, sovereign European market.
1. The National Strategy and the 'AI First' Principle (Article 7)
Under Article 7, Finland is required to establish a national cloud and AI strategy no later than one year after CADA enters into force. This strategy is not merely advisory; it serves as the foundational roadmap for how Finnish public bodies integrate cloud and AI technologies.
A core requirement of this national strategy is the inclusion of the 'AI first' principle. As defined in the proposal, this principle urges organisations to "reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For Finnish public-sector bodies, this means that when designing new administrative procedures or digital services, AI capabilities must be evaluated as a standard component rather than an afterthought.
The national strategy must explicitly outline:
- Key objectives and priorities for cloud and AI adoption.
- A governance and monitoring framework to achieve these objectives.
- Measures to accelerate development and adoption at national, regional, and local levels, particularly among public sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs).
- Specific measures to support the broad deployment of AI in strategic sectors such as healthcare, energy, and mobility.
- Plans to support the development of cloud and AI capabilities through public procurement, including the use of innovation procurement measures set out in Article 33.
Finland must notify the European Commission of this strategy within three months of its adoption and assess its progress at least every three years. The European Artificial Intelligence Board (AI Board), established under the AI Act, will assist in coordinating these national strategies across the Union to ensure consistency.
2. Procurement Obligations and Sovereignty Assurance (Article 30)
The most direct operational impact on Finnish public-sector bodies lies in Article 30, which dictates how cloud computing services must be procured. The regulation establishes a minimum baseline of trust and sovereignty that all public bodies must adhere to, contingent on a risk assessment of their activities.
Risk Assessment as the Trigger
Before procurement obligations apply, Article 29 requires Member States and Union entities to carry out risk assessments to identify which public sector activities "contribute to the preservation of public order." This includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement.
Minimum Requirement: Union Assurance Level 1
For public-sector bodies whose activities have not been identified as contributing to the preservation of public order, Article 30(2) mandates that they must use cloud computing services that have been recognised as offering Union assurance level 1.
- Level 1 Criteria: The provider must be established in the Union, and infrastructure, assets, and customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. The provider must also demonstrate compliance with state-of-the-art cybersecurity standards.
Higher Assurance for Public Order Activities
For contracting authorities whose activities have been identified as contributing to the preservation of public order, Article 30(3) imposes stricter requirements. These bodies may only procure cloud computing services recognised as offering Union assurance level 2, 3, or 4.
These higher assurance levels introduce cumulative criteria:
- Level 2: Requires independent third-party audits, a European cybersecurity certificate of at least 'substantial' assurance (or equivalent national schemes), and ensures that data generated by the service is not used to train AI systems operated by third countries.
- Level 3: Adds requirements for personnel to be Union citizens (where the public body requires it) and prohibits providers from being subject to the control of a third country, unless a specific derogation under Article 18 applies.
- Level 4: The highest level, requiring a 'high' assurance level cybersecurity certificate and ensuring that third countries do not hold effective control over software components.
Derogations
Article 30(4) allows for exceptional derogations where procuring a recognised service is impossible due to the lack of adequate alternatives in the central repository, if previous similar procurements failed to yield suitable tenders, or if applying the requirements would result in disproportionate costs. However, these exceptions are narrow and must be duly justified.
3. Union Added Value and Innovation Procurement (Articles 32–33)
Beyond sovereignty, CADA encourages the strengthening of the European digital supply chain through Article 32. In public procurement procedures for innovative cloud computing services and AI systems, Finnish contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.
These criteria might assess:
- The extent to which the tenderer strengthens the digital technology supply chain in the Union (e.g., using hardware or software designed/manufactured in the EU).
- The integration of technologies developed in the Union, including results from EU-funded research.
- The use of critical computing, storage, and networking hardware components designed and/or manufactured in the Union.
Crucially, these Union added value criteria must be ancillary and not decisive in the award of the contract. They should not confer unrestricted freedom of choice to the contracting authority and must be expressly set out in procurement documents.
Furthermore, Article 33 sets an ambitious target for innovation. Member States, including Finland, should pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. Finland must monitor this uptake, report annually to the Commission on SME participation trends, and include plans to achieve this 25% target in its national strategy.
4. Leveraging Experience and Acceleration Centres for AI (Article 5)
To facilitate this transition, Article 5 requires Finland to establish Experience and Acceleration Centres for AI (Centres for AI). These centres build on the existing network of European Digital Innovation Hubs (EDIHs) and act as regional and local accelerators for AI uptake.
For Finnish public-sector bodies, these centres serve as critical entry points for:
- Support and Scaling: Helping organisations accelerate digital transformation by connecting them with European providers of cloud and AI technologies.
- Skills Development: Ensuring access to upskilling and reskilling schemes, often in collaboration with the AI Skills Academy.
- Testing and Validation: Providing infrastructure to accelerate the development and fine-tuning of AI models and systems.
- SME Collaboration: Facilitating access to clients and organisations seeking specialised AI services, thereby helping Finnish public bodies meet the 25% SME procurement target.
Public-sector bodies are encouraged to utilise these centres to navigate the complexities of AI integration, ensuring that adoption is both effective and compliant with the 'AI first' principle.
What this means for you
For procurement officers and digital leaders in Finnish public-sector bodies, CADA introduces a paradigm shift from open-market procurement to sovereignty-driven procurement.
- Audit Your Current Providers: You must verify whether your current cloud providers are recognised under the Union assurance levels. If they are not, you must plan a migration. For non-critical services, Level 1 is the minimum; for critical public order functions, you must move to Level 2, 3, or 4.
- Integrate Sovereignty into Procurement Documents: Future tender documents must explicitly require Union assurance recognition. You cannot simply buy the cheapest or most feature-rich cloud service if it does not meet the sovereignty criteria.
- Prioritise European Innovation: When procuring innovative AI systems, you are required to include non-price criteria that favour European supply chains. This is not a preference but a regulatory obligation under Article 32.
- Engage with Local Centres for AI: Do not navigate AI adoption in isolation. Use the Finnish Experience and Acceleration Centres for AI to identify compliant European SMEs, access training, and validate AI use cases. This engagement directly supports the national strategy's goals and helps meet the 25% SME procurement target.
- Conduct Risk Assessments: Public bodies must participate in the national risk assessment process to determine which of their activities contribute to public order. This classification dictates the minimum assurance level required for their cloud services.
Common misconceptions
- "Sovereignty means all data must stay in Finland." Incorrect. The Union assurance levels require data to remain within the European Union, not necessarily within the specific Member State. Data can flow across EU borders unless a specific national restriction applies, but it cannot leave the Union without explicit public sector body approval.
- "We can ignore CADA if we already comply with GDPR." Incorrect. While GDPR protects personal data, it does not address operational autonomy, supply chain resilience, or third-country control over infrastructure. CADA's sovereignty framework addresses these gaps, requiring audits and certifications that GDPR does not mandate.
- "Union added value criteria are optional." Incorrect. For innovative cloud and AI procurement, Article 32 requires contracting authorities to include these criteria. They are not decisive in the award, but they must be present in the evaluation methodology.
- "The 'AI first' principle means we must use AI for everything." Incorrect. 'AI first' is a principle of consideration. It requires public bodies to reflect on how AI can improve processes and address needs, while also assessing risks. It does not mandate AI deployment where it is inappropriate, unsafe, or ineffective.
This is general information about a draft EU regulation, not legal advice.