What must public-sector bodies in Germany do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), German public-sector bodies must align their digital procurement with a new national strategy and a tiered sovereignty framework. As proposed, Germany would be required to adopt a national cloud and AI strategy within one year of the Regulation's entry into force, embedding the "AI first" principle to drive adoption across public administration. Procurement obligations would be strictly tiered: general services would require a baseline Union assurance level 1, while activities contributing to public order (e.g., law enforcement, defence) would mandate services recognised at levels 2, 3, or 4. Additionally, contracting authorities would be required to apply "Union added value" criteria to favour European supply chains and ensure at least 25% of innovative cloud and AI contracts are awarded to SMEs. To facilitate this transition, German bodies would be expected to leverage the newly established Experience and Acceleration Centres for AI as primary entry points for expertise, testing, and SME engagement.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a comprehensive regulatory framework designed to strengthen the EU's cloud and AI ecosystem. For Germany, as a Member State, compliance involves a multi-layered approach integrating national strategic planning, rigorous risk-based procurement, and active engagement with EU-wide support mechanisms. The Act would not merely regulate technology but would fundamentally reshape how public authorities acquire and deploy cloud and AI services to ensure technological sovereignty and resilience.

National Strategy and the 'AI First' Principle

The foundation of CADA compliance for Germany lies in Article 7, which mandates that Member States establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies are not optional; they are a statutory requirement to ensure coherence between national digital policies and Union objectives.

Under Article 7(2), Germany's national strategy must explicitly include key objectives and priorities for cloud and AI adoption, aligning with the "AI first" principle defined in the Apply AI Strategy. The Commission's explanatory memorandum clarifies that this principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account the potential risks." For German public bodies, this means that AI adoption cannot be an afterthought; it must be a primary consideration in the design of administrative procedures and public services.

The strategy must further outline specific measures to:

• Accelerate the development and adoption of cloud and AI at national, regional, and local levels, with a particular focus on public-sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs).
• Support the broad deployment of AI in strategic sectors such as healthcare, energy, and mobility.
• Invest in high-intensity computing infrastructure, including AI factories and quantum computers, as strategic national assets.
• Promote the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.

German public-sector bodies would be expected to implement these strategic measures, ensuring their procurement and usage of cloud and AI services directly contribute to the national goals of technological sovereignty and innovation. The strategy would also require Germany to ensure consistency with the digital targets established under the Digital Decade Policy Programme 2030, particularly regarding the adoption of cloud services by enterprises and the deployment of edge nodes.

Procurement Obligations and Risk Assessments

The core of CADA's public-sector compliance lies in its procurement rules, detailed in Articles 29 and 30. These articles establish a risk-based framework that dictates which cloud services public bodies may procure based on the sensitivity of their activities.

Article 29 mandates that Member States and Union entities carry out risk assessments by one year after the Regulation's entry into force, and thereafter every two years or whenever necessary. These assessments must identify public-sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

The risk assessment must determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities. The assessment must consider:

• The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
• The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
• The risk and consequent impact on public order of possible service disruption.

Based on these risk assessments, Article 30 sets out strict procurement obligations that would apply to German contracting authorities:

1. Union Assurance Level 1 (Baseline): Union entities and public-sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having Union assurance level 1. This level requires the provider to be established in the Union, with infrastructure and data located in the Union, and compliance with state-of-the-art cybersecurity standards.
2. Union Assurance Levels 2, 3, or 4 (Public Order): Contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognised as having Union assurance level 2, 3, or 4. These higher levels impose stricter requirements, including mandatory Union citizenship for personnel (conditional at L2, mandatory at L3/L4), independent third-party audits, and guarantees against third-country control.

Exceptions exist under Article 30(4) where a contracting authority may decide not to procure recognised services on an exceptional basis and where duly justified. This applies if:

• The subject matter of the tender cannot be supplied by recognised services available in the central repository, and no adequate or reasonable alternative exists.
• The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders.
• Applying the requirements would require the contracting authority to procure services at disproportionate cost.

Union Added Value and Innovation Procurement

Beyond assurance levels, Article 32 introduces "Union added value" as a mandatory non-price award criterion in public procurement for innovative cloud computing services and AI systems. German contracting authorities would be required to include criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These criteria must evaluate the extent to which:

• The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The tenderer has integrated technologies developed in the Union, including research and development results stemming from Union-funded research and development programmes.
• The innovation required to deliver the service contributes to strengthening the security of supply and the development of a European cloud and AI ecosystem.
• The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Crucially, Article 32(2) stipulates that these non-price award criteria must be ancillary and not decisive in the award of the contract. They must be linked to the subject matter of the contract and expressly set out in the procurement documents. This ensures that while European sovereignty is a factor, it does not override technical and financial criteria directly connected to performance.

Article 33 further requires Member States to monitor and report on their use of procurement of innovation in cloud and AI. Germany would be required to ensure that at least 25% of its procurement for cloud computing services and AI systems is awarded to innovative SMEs. Public-sector bodies would need to promote preliminary market consultations and matchmaking between public buyers and innovative European SMEs and start-ups to meet this target.

Support via Experience and Acceleration Centres for AI

To facilitate the transition to compliant and innovative cloud and AI services, Article 5 of CADA requires Member States to establish Experience and Acceleration Centres for AI (Centres for AI). In Germany, these Centres would build on the existing network of European Digital Innovation Hubs and serve as critical entry points to the European AI innovation ecosystem.

The objectives of these Centres, as defined in Article 5(2), include:

• Supporting the integration and scaling-up of AI use cases in strategic industrial and public sectors.
• Accelerating the broad adoption of cloud and AI technologies at regional and local levels, notably for SMEs, SMCs, and public-sector bodies.
• Helping organisations accelerate their digital transformation through access to and use of AI technologies, including connecting them with European providers of cloud and AI technologies.

German public-sector bodies would be expected to engage with these Centres to access expertise, testing facilities, and skills support. The Centres would also be tasked with ensuring or providing access to relevant upskilling and reskilling schemes, in close collaboration with the AI Skills Academy. This infrastructure would be vital for public bodies navigating the complex requirements of CADA, particularly in identifying suitable sovereign providers and understanding the nuances of the Union assurance levels.

What this means for you

For German public-sector procurement officers, digital transformation leaders, and IT strategists, the proposed CADA introduces a structured and mandatory compliance pathway. The transition would require proactive planning and a shift in procurement culture.

1. Align with the National Strategy: Once Germany adopts its national cloud and AI strategy (within one year of CADA's entry into force), public bodies must review it to understand the specific "AI first" objectives and measures applicable to their operations. Procurement plans must be designed to contribute to these national goals, ensuring that cloud and AI adoption is not just a technical upgrade but a strategic imperative.
2. Conduct Risk Assessments Immediately: Public bodies must initiate or update risk assessments for their current and planned cloud and AI usage. The critical step is identifying which activities contribute to the preservation of public order (e.g., law enforcement, critical infrastructure, justice). This assessment will dictate the minimum Union assurance level required in future tenders. Failure to correctly classify an activity could lead to procurement of non-compliant services.
3. Update Procurement Documents: Tender specifications must be revised to include mandatory requirements for Union assurance levels. General services would require Level 1, while public-order-relevant activities would require Levels 2, 3, or 4. Furthermore, "Union added value" criteria must be incorporated as non-price award factors to favour European solutions, ensuring that the supply chain is strengthened.
4. Prioritise SMEs and Innovation: Procurement strategies must aim to award at least 25% of innovative cloud and AI contracts to SMEs. Public bodies should actively use the Centres for AI to identify and connect with innovative European SMEs and start-ups, fostering a competitive and sovereign market.
5. Monitor and Report: Implementation of monitoring mechanisms is essential to track procurement of innovation and SME participation, as required by Article 33. Public bodies must prepare to submit annual reports to the Commission, demonstrating compliance with the 25% SME target and the use of Union added value criteria.
6. Leverage Centres for AI: Rather than navigating CADA compliance in isolation, German public bodies should engage with the national Centres for AI. These hubs would provide the necessary expertise, testing environments, and connections to European providers to ensure that procurement decisions are both compliant and innovative.

Common misconceptions

"CADA replaces the AI Act." No. CADA and the AI Act are complementary instruments regulating different layers of the technology stack. The AI Act (Regulation (EU) 2024/1689) governs the safety, fundamental rights, and transparency of AI systems. CADA, as proposed, governs the infrastructure (cloud, data centres) and the sovereignty of the supply chain. A German public body deploying a high-risk AI system for law enforcement would need to comply with the AI Act for the system itself and with CADA for the cloud infrastructure hosting it.

"All public-sector cloud services must be Level 4." No. The requirement for higher assurance levels is strictly risk-based. Only activities identified as contributing to the preservation of public order in high-risk sectors (e.g., defence, law enforcement, national security) would require services recognised at levels 2, 3, or 4, based on the outcome of the risk assessment under Article 29. General public services, such as administrative portals or non-sensitive data processing, would typically require only Union assurance level 1.

"Union added value is a decisive criterion." No. Article 32(2) explicitly states that non-price award criteria related to Union added value must be "ancillary and not decisive in the award of the contract." They cannot override technical and financial criteria directly connected to the performance requirements of the contract. Their purpose is to encourage European supply chains without compromising the quality or cost-effectiveness of the procurement.

"Experience and Acceleration Centres are only for industry." While the Centres support industry, Article 5 explicitly tasks them with accelerating the adoption of cloud and AI technologies for public-sector bodies, SMEs, and SMCs. They are designed to be entry points for public digital transformation, providing the expertise and testing facilities necessary for public bodies to navigate the new regulatory landscape.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.