What must public-sector bodies in France do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), French public-sector bodies must align their digital strategies with a new national framework that enshrines the "AI first" principle. Procurement obligations are strict: all cloud services must meet a minimum Union assurance level 1, while activities impacting public order (e.g., defence, justice) must procure services at levels 2, 3, or 4 based on mandatory risk assessments. Additionally, tender evaluations must include "Union added value" criteria to strengthen the European supply chain, and bodies must leverage Experience and Acceleration Centres for AI as entry points for adoption and innovation.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a binding framework to strengthen Europe's cloud and AI ecosystem. For France, compliance is not a matter of optional best practice but a structural shift in how public digital services are strategized, procured, and operated. The regulation targets the reduction of third-country dependencies and the enhancement of strategic autonomy, directly impacting French contracting authorities, regional bodies, and public agencies.

The National Strategy and the "AI First" Principle

The foundation of CADA's demand-side measures is the requirement for Member States to adopt comprehensive national strategies. Under Article 7, France is required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This strategy serves as the operational blueprint for how French public bodies will adopt and deploy cloud and AI technologies.

Crucially, Article 7(2)(a) mandates that these national strategies include key objectives and priorities for cloud and AI adoption in line with the "AI first" principle. As described in Recital 32, this principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For French public-sector bodies, this means the national strategy will likely mandate a proactive, rather than reactive, approach to AI integration in critical domains such as healthcare, education, and administrative procedures.

The strategy must also outline measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, specifically targeting public sector bodies, SMEs, and small mid-caps (SMCs). It must address the deployment of data centre capacity, focusing on high-value facilities that deliver economic and societal benefits while adhering to high environmental and energy-efficiency standards.

French public-sector bodies must ensure their local and regional digital transformation plans are consistent with this national strategy. The European Artificial Intelligence Board (AI Board) will facilitate the exchange of best practices among Member States, ensuring France's approach aligns with broader EU goals. Furthermore, the national strategy will inform the national digital decade strategic roadmaps, linking CADA compliance to the EU's broader Digital Decade targets, such as the adoption of cloud computing services by at least 75% of Union enterprises.

Procurement Obligations and Union Assurance Levels

The most immediate impact of CADA on French public-sector procurement officers lies in the mandatory application of the Union cloud computing sovereignty framework. Article 30 sets out strict rules for contracting authorities that procure cloud computing services for their exclusive use.

Baseline Requirement (Level 1): All public-sector bodies in France whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized under Article 17 as having a Union assurance level 1. This is the mandatory minimum baseline. Under Annex II, Level 1 requires that the provider is established in the Union, and that infrastructure, assets, and customer data (including metadata and telemetry) remain exclusively within the Union, unless the public sector body explicitly requires otherwise.

Public Order Requirement (Levels 2–4): For public-sector bodies whose activities have been identified as contributing to the preservation of public order, the requirements are significantly stricter. Under Article 30(3), these authorities must only procure cloud computing services recognized as having a Union assurance level 2, 3, or 4. The determination of which activities fall under "public order" is made through the risk assessments required by Article 29.

Risk Assessments and Public Order Determination

To determine the appropriate assurance level, French Member States and Union entities must carry out risk assessments. Under Article 29, these assessments must identify public sector activities that use or will make use of cloud computing services and contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement.

The risk assessment must determine which Union assurance level (2, 3, or 4) is appropriate for the identified activities. This assessment must consider:

• The sensitivity, criticality, and magnitude of the data processed.
• The risk of unlawful access by a third country or legal entity established in a third country.
• The risk of service disruption.

The Commission will provide guidance and methodology for these assessments, but the final determination of the appropriate level lies with the Member State. If a risk assessment requires migration to another cloud computing service to meet the required assurance level, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months, as stipulated in Article 29(6). This places a significant operational burden on French public bodies, requiring them to plan for potential cloud migrations if their current providers do not meet the required sovereignty standards.

Union Added Value and Innovation Procurement

Beyond sovereignty levels, CADA introduces specific criteria for evaluating tenders to foster a competitive European market. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must allow authorities to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, authorities must evaluate the extent to which:

• The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The tenderer has integrated technologies developed in the Union, including research results from Union-funded programs.
• The innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
• The service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union, or, where not feasible, from a third country that contributes to strengthening the security of supply.

These criteria must be ancillary and not decisive in the award of the contract. Recital 67 suggests that contracting authorities could consider a maximum weighting of 15 out of 120 points to be allocated to European added value, ensuring it remains proportionate to technical and financial criteria.

Article 33 further emphasizes the role of innovation procurement. Member States must monitor and report on their use of procurement of innovation in cloud and AI. They must take measures to improve access for SMEs and start-ups, aiming to award at least 25% of their procurement for cloud computing services and AI systems to innovative SMEs. Article 33(4) explicitly states that Member States shall include, in their national strategies referred to in Article 7, plans on how they intend to achieve this objective.

Role of Experience and Acceleration Centres for AI

To support public-sector bodies in meeting these obligations, CADA establishes a network of Experience and Acceleration Centres for AI. Under Article 5, France must establish these Centres for AI, building on the existing European Digital Innovation Hubs.

These Centres serve as entry points for the European AI innovation ecosystem. Their objectives include supporting the integration and scaling-up of AI use cases in strategic industrial and public sectors, and accelerating the broad adoption of cloud and AI technologies at regional and local levels, notably for SMEs, SMCs, and public sector bodies.

For French public-sector officers, these Centres will provide:

• Access to and use of AI technologies, including connections with European providers of cloud and AI technologies.
• Upskilling and reskilling schemes in collaboration with the AI Skills Academy.
• Facilitation of expertise transfer across regions.
• Support for the scaling-up of spin-offs and start-ups.

The Centres for AI will also help public bodies navigate the complexities of the sovereignty framework, providing guidance on risk assessments and the selection of appropriate Union assurance levels. They will act as a bridge between public authorities and the European cloud and AI ecosystem, facilitating the adoption of sovereign and innovative solutions.

What this means for you

As a public-sector procurement officer or digital strategist in France, CADA will fundamentally change how you approach cloud and AI contracts. You can no longer treat cloud services as generic IT commodities. Instead, you must:

1. Align with National Strategy: Ensure your department's digital plans are consistent with France's national cloud and AI strategy, which will mandate the "AI first" principle. This means actively seeking out AI solutions that improve public service delivery, simplify administrative procedures, and enhance decision-making.
2. Conduct Risk Assessments: You must participate in or conduct risk assessments to determine if your activities contribute to public order. If they do, you are legally required to procure cloud services with Union assurance levels 2, 3, or 4. Even if they do not, you must ensure all cloud services meet Union assurance level 1.
3. Verify Assurance Levels: Before awarding any cloud contract, verify that the provider is recognized in the central repository as offering the required Union assurance level. This recognition is obtained through self-assessment (for level 1) or independent third-party audits (for levels 2-4).
4. Include Union Added Value Criteria: In your tender documents for innovative cloud and AI services, include non-price criteria that evaluate the tenderer's contribution to the European digital supply chain. This includes the use of EU-designed hardware and software, and integration of EU-developed technologies.
5. Leverage Support Structures: Engage with France's Experience and Acceleration Centres for AI. These Centres will provide technical expertise, training, and connections to European providers, helping you navigate the new regulatory landscape and identify suitable sovereign solutions.
6. Plan for Migration: If your current cloud provider does not meet the required assurance level, you must plan for migration within a 12-month transition period. Start assessing your current contracts and data residency early to avoid disruptions.

Common misconceptions

• "CADA replaces the AI Act." No, CADA and the AI Act are complementary. The AI Act regulates the safety and fundamental rights aspects of AI systems, while CADA focuses on the sovereignty, resilience, and procurement aspects of the cloud infrastructure that hosts and runs these AI systems. You must comply with both.
• "Union assurance level 1 is optional for non-critical services." No, Article 30 makes Union assurance level 1 the mandatory minimum for all public-sector cloud procurement, regardless of whether the activity is deemed to impact public order.
• "Union added value criteria are the primary award criteria." No, Article 32 states that these criteria must be ancillary and not decisive. Technical and financial criteria directly connected to performance requirements remain primary, but Union added value must be included as part of the quality evaluation.
• "Only large public bodies need to worry about this." No, Article 7 and Article 5 explicitly target regional and local levels, as well as SMEs and SMCs. The Experience and Acceleration Centres for AI are specifically designed to support these smaller entities.
• "Data residency alone ensures sovereignty." No, the Union assurance levels go beyond simple data residency. They include requirements on the establishment of the provider, the location of infrastructure and personnel, the absence of third-country control, and the use of specific cybersecurity certifications. A provider can be EU-established but still not meet level 2-4 if it is subject to third-country control or lacks the required cybersecurity certification.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.