What must public-sector bodies in Greece do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Greece must align their cloud and AI procurement with a national strategy that mandates an 'AI first' approach. Contracting authorities are required to procure only cloud services that hold a recognized Union assurance level, with higher assurance levels (2, 3, or 4) mandatory for activities deemed critical to public order following a formal risk assessment. Additionally, Greece must establish Experience and Acceleration Centres for AI to support the digital transformation of public bodies and SMEs.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a framework to strengthen Europe's cloud and AI ecosystem. For public-sector bodies in Greece, compliance is not merely a technical upgrade but a strategic obligation driven by three interconnected pillars: national strategy alignment, sovereign procurement, and support infrastructure.

The National Strategy and the 'AI First' Principle

The foundation of CADA compliance for Greece lies in Article 7, which requires Member States to establish national cloud and AI strategies. Greece must adopt a strategy within one year of the Regulation's entry into force. This strategy is not optional guidance; it is the blueprint for how Greek public bodies will adopt cloud and AI technologies.

A central requirement of this national strategy is the inclusion of the 'AI first' principle. As defined in the proposal's recitals and operationalized in Article 7(2), this principle urges organizations to reflect on their business processes by considering the needs and opportunities offered by AI, while simultaneously accounting for potential risks. For Greek public-sector bodies, this means proactively identifying where AI can simplify administrative procedures, improve decision-making, and reduce burdens, particularly in critical domains like healthcare and public administration.

The national strategy must also include measures to support the broad deployment of AI in strategic industrial and public sectors, including healthcare, energy, and mobility. Furthermore, it must outline plans for achieving the objective that at least 25% of public procurement for cloud computing services and AI systems be awarded to innovative small and medium-sized enterprises (SMEs), as detailed in Article 33(4). This creates a direct link between national strategic planning and specific procurement outcomes, ensuring that Greek public bodies actively foster the domestic AI market.

Procurement Obligations and Union Assurance Levels

The core operational obligation for Greek contracting authorities is found in Article 30, which dictates how cloud computing services must be procured. CADA introduces a "Union cloud computing sovereignty framework" comprising four assurance levels. Public-sector bodies cannot simply choose the cheapest or most familiar cloud provider; they must select services that have been formally recognized as meeting specific Union assurance criteria.

The procurement requirement is tiered based on a risk assessment:

1. Baseline Requirement (Level 1): For public-sector activities that have not been identified as contributing to the preservation of public order, contracting authorities must use cloud computing services recognized as having at least Union assurance level 1. As set out in Annex II, this level requires that the provider is established in the Union, and that infrastructure, assets, and customer data remain exclusively within the Union unless explicitly required otherwise by the public body.
2. Enhanced Requirement (Levels 2, 3, or 4): For activities identified as contributing to the preservation of public order—such as those in sectors falling under Annex I or II of the NIS2 Directive, or areas involving national security, defense, justice, or law enforcement—contracting authorities must only procure services recognized as offering Union assurance levels 2, 3, or 4. These higher levels impose stricter criteria, including requirements for Union citizenship for personnel (conditional at Level 2, mandatory at Levels 3 and 4), higher cybersecurity certifications (at least 'substantial' for Levels 2 and 3, 'high' for Level 4), and guarantees against third-country control.

The Role of Risk Assessments

To determine which assurance level is appropriate, Greek public-sector bodies and Union entities must conduct risk assessments under Article 29. These assessments must be carried out within one year of the Regulation's entry into force and repeated every two years, or whenever necessary.

The risk assessment must identify public-sector activities that contribute to the preservation of public order and determine the appropriate Union assurance level (2, 3, or 4) for those activities. The assessment considers the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries or service disruption. If a risk assessment determines that a migration to a different cloud service is necessary to meet the required assurance level, the public body must migrate within a reasonable transition period, not exceeding 12 months.

Union Added Value and Innovation Procurement

Beyond sovereignty, CADA introduces specific award criteria to strengthen the European cloud and AI ecosystem. Under Article 32, Greek contracting authorities must include non-price award criteria in their public procurement procedures for innovative cloud computing services and AI systems. These criteria allow authorities to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, authorities must evaluate:

• The extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union.
• The extent to which the service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

These "Union added value" criteria are ancillary and not decisive in the award of the contract, but they must be expressly set out in procurement documents. This ensures that while competition remains open, there is a clear incentive for providers to invest in European technological sovereignty.

Furthermore, Article 33 obliges Member States to monitor their use of procurement of innovation in cloud and AI. Greece must report annually to the Commission on SME participation trends and the measures taken to improve SME access to public procurement. This includes promoting preliminary market consultations and matchmaking between public buyers and innovative European SMEs.

Experience and Acceleration Centres for AI

To facilitate this transition, Article 5 requires Greece to establish Experience and Acceleration Centres for AI (Centres for AI). These centres, built on existing European Digital Innovation Hubs, serve as critical entry points for public-sector bodies and SMEs.

For public bodies, these centres provide:

• Support in integrating and scaling up AI use cases in strategic sectors.
• Access to upskilling and reskilling schemes.
• Assistance in connecting with European providers of cloud and AI technologies.
• Facilitation of the transfer of expertise across regions.

The Centres for AI are tasked with helping organizations accelerate their digital transformation, ensuring that Greek public bodies have the technical and strategic support needed to comply with CADA's rigorous requirements.

What this means for you

For procurement officers and digital transformation leaders in the Greek public sector, CADA compliance requires immediate action on three fronts:

1. Strategic Alignment: Ensure your department's cloud and AI roadmaps are aligned with the national cloud and AI strategy being developed under Article 7. Adopt the 'AI first' mindset by actively reviewing processes for AI opportunities and risks.
2. Procurement Process Overhaul: Update procurement templates specifically for innovative cloud and AI systems to include Union added value criteria (Article 32) and ensure all cloud contracts require proof of Union assurance level recognition (Article 30). Begin conducting risk assessments to determine if your activities fall under public order preservation, which would necessitate higher assurance levels.
3. Leverage Support Infrastructure: Engage with the national Experience and Acceleration Centres for AI. Use these resources to identify compliant European providers, access training for staff, and navigate the technical requirements of sovereign cloud adoption.

Failure to comply with these provisions may result in penalties. Under Article 24, Member States are required to lay down rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. While Article 24 explicitly mandates penalties for providers, the obligations for public bodies are binding, and Member States must ensure their national legal frameworks provide for appropriate enforcement mechanisms for all infringements of the Regulation.

Common misconceptions

• "CADA bans all non-European cloud providers." This is incorrect. CADA does not ban non-EU providers outright. Instead, it establishes a tiered assurance system. Non-EU providers can still offer services at Level 1 if they meet strict criteria (e.g., data remains in the EU, provider is established in the EU). For higher assurance levels (2-4), the criteria become more restrictive, particularly regarding third-country control and personnel citizenship, but access is not automatically prohibited if the criteria are met. Notably, Article 18 allows for a derogation where the Commission may recognize a third country as providing sufficient assurances, allowing providers controlled from that country to qualify for Level 3.

• "Only large ministries need to worry about risk assessments." Article 29 applies to all Member States and Union entities. Any public-sector body using cloud computing services must participate in the risk assessment process to determine the appropriate assurance level for its specific activities. Even local authorities or smaller agencies may handle data critical to public order.

• "Union added value criteria will make procurement too expensive." Article 32 explicitly states that Union added value criteria are ancillary and not decisive in the award of the contract. They are part of the quality evaluation but do not override the primary technical and financial criteria. The goal is to incentivize European supply chains, not to artificially inflate costs.

• "The 'AI first' principle means using AI in every process." The 'AI first' principle is about considering AI's potential opportunities and risks in business processes, not mandating its use everywhere. It encourages a strategic evaluation of where AI can add value, particularly in simplifying administration and improving decision-making, while maintaining a focus on risk mitigation.

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.