What must public-sector bodies in Hungary do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Hungarian public-sector bodies must align their digital transformation with a mandatory national cloud and AI strategy that enshrines the 'AI first' principle. As proposed, authorities must conduct risk assessments to determine if their activities preserve public order; if so, they would be required to procure cloud services at Union assurance levels 2, 3, or 4, rather than the baseline level 1. Furthermore, procurement procedures must include "Union added value" criteria to strengthen the European supply chain, and bodies are expected to leverage Experience and Acceleration Centres for AI as primary entry points for adoption, skills development, and vendor access.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. For Hungary, as for all Member States, the proposal would impose specific, binding obligations on public-sector bodies regarding strategic planning, procurement, and the adoption of sovereign technologies. Compliance would not be limited to purchasing decisions but would require a fundamental shift in how public authorities plan their digital infrastructure and engage with the market.

The National Strategy and the 'AI First' Principle

The cornerstone of public-sector compliance under CADA is the requirement for Member States to adopt a national cloud and AI strategy. Article 7 mandates that Hungary, like all Member States, must establish such a strategy within one year of the Regulation's entry into force. This is not a voluntary policy document; it is a statutory instrument that must include specific key objectives and priorities for cloud and AI adoption.

Crucially, Article 7(2)(a) requires that these national strategies include the 'AI first' principle, as defined in the Apply AI Strategy. The proposal states that this principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For Hungarian public bodies, this means the national strategy would likely mandate a proactive, rather than reactive, stance on AI integration. Authorities would be expected to systematically evaluate their operations to identify where AI can drive efficiency, innovation, and better public service delivery, while simultaneously managing associated risks.

The national strategy must also include measures to:

• Accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
• Support the broad deployment and uptake of AI in strategic industrial and public sectors, including healthcare, energy, and mobility.
• Support the development of cloud and AI capabilities through public procurement measures.

Hungarian public-sector officers must monitor the development of Hungary's national strategy closely. As proposed, this document will dictate the specific targets, timelines, and governance frameworks for AI adoption within their organizations. It serves as the roadmap for transitioning from legacy IT systems to sovereign, AI-enhanced cloud environments, ensuring that national priorities are reflected in local and regional digital transformation plans.

Procurement Obligations and Assurance Levels

The core of CADA's demand-side measures lies in its procurement rules, detailed in Article 30. As proposed, this Article applies to contracting authorities that procure cloud computing services for their exclusive use, including Union entities and public sector bodies in Hungary. The proposal establishes a tiered system of procurement requirements based on the risk profile of the public sector activity, determined by a prior risk assessment.

1. Baseline Requirement (Union Assurance Level 1) For public sector activities that have not been identified as contributing to the preservation of public order under the risk assessment (see below), contracting authorities must use cloud computing services that have been recognized as having a Union assurance level 1. This is the minimum standard for all public cloud procurement in Hungary. Under Article 19, providers seeking this level must carry out a conformity self-assessment and issue an EU statement of conformity.

2. Enhanced Requirement (Union Assurance Levels 2, 3, or 4) For activities identified as contributing to the preservation of public order, the requirements are significantly stricter. Article 30(3) stipulates that contracting authorities whose activities have been identified as contributing to the preservation of public order "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

The proposal explicitly identifies these public-order-relevant sectors as those falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), and in the areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. For Hungarian ministries and agencies operating in these domains, reliance on standard commercial cloud services would no longer be sufficient; they would be legally required to procure only from providers recognized at the higher assurance levels.

The Role of Risk Assessments

Determining which assurance level applies depends on a mandatory risk assessment process outlined in Article 29. Hungarian public-sector bodies must carry out these risk assessments within one year of the Regulation's entry into force, and thereafter every two years or whenever necessary.

The risk assessment must:

• Identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order.
• Determine which Union assurance level (2, 3, or 4) is appropriate for these activities.

In carrying out these assessments, bodies must consider at least the sensitivity, criticality, and magnitude of the non-personal data processed, the risk of unlawful access by a third country, and the risk of service disruption. The proposal also requires authorities to consider whether a multi-vendor or multi-cloud strategy is appropriate to limit dependency on a single provider.

If a risk assessment determines that a migration to a different cloud service is required to meet the appropriate assurance level, Article 29(6) mandates that the Member State or Union entity must migrate within a reasonable transition period that "shall not exceed 12 months," taking into account technical feasibility and continuity of service.

Union Added Value and Innovation Procurement

Beyond assurance levels, Article 32 introduces "Union added value" criteria for public procurement procedures involving innovative cloud computing services and AI systems. Hungarian contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These criteria must be:

• Linked to the subject matter of the contract.
• Ancillary and not decisive in the award of the contract.
• Expressly set out in procurement documents.

Authorities can evaluate the extent to which:

• The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The tenderer has integrated technologies developed in the Union, including research and development results from Union-funded programmes.
• The innovation required to deliver the service contributes to strengthening the security of supply.
• The service is delivered through critical computing hardware designed and/or manufactured in the Union.

Furthermore, Article 33 mandates that Member States monitor their use of procurement of innovation in cloud and AI. Hungary must report yearly on SME participation trends and take measures to ensure that at least 25% of their procurement for cloud computing services and AI systems is awarded to innovative SMEs. This creates a specific obligation for Hungarian authorities to actively design tenders that are accessible to smaller, innovative European providers.

Experience and Acceleration Centres for AI

To support this transition, Article 5 requires each Member State to establish Experience and Acceleration Centres for AI (Centres for AI). These centres build on existing European Digital Innovation Hubs and serve as critical entry points for Hungarian public bodies and SMEs.

Their objectives include:

• Supporting the integration and scaling-up of AI use cases in strategic industrial and public sectors.
• Accelerating the broad adoption of cloud and AI technologies at regional and local levels.
• Helping organizations accelerate digital transformation by connecting them with European providers of cloud and AI technologies.

Hungarian public-sector bodies are encouraged to leverage these centres for upskilling, access to testing environments, and guidance on selecting sovereign cloud providers. Article 5(3) specifically tasks the Centres with helping organizations accelerate their digital transformation through access to and use of AI technologies, including by connecting organizations with European providers. For Hungarian authorities, these Centres would be the primary resource for overcoming skills gaps, validating AI tools, and navigating the complex landscape of sovereign cloud providers.

What this means for you

For procurement officers, IT directors, and policy makers in the Hungarian public sector, CADA introduces a structured, compliance-heavy framework for cloud and AI adoption. Here is how to prepare:

1. Align with the National Strategy: Monitor the development of Hungary's national cloud and AI strategy under Article 7. Ensure your department's digital transformation plans are consistent with the 'AI first' principle and the strategic priorities outlined in the national document. The strategy will likely set specific targets for AI adoption that your agency must meet.
2. Conduct Risk Assessments: Begin mapping your organization's cloud-dependent activities immediately. Identify which services contribute to public order, national security, or critical infrastructure. Prepare to conduct the mandatory risk assessments under Article 29 to determine if you need Union assurance levels 2, 3, or 4, rather than just level 1. This assessment is the gateway to your procurement obligations.
3. Update Procurement Templates: Revise your tender documents to include the Union added value criteria specified in Article 32. Ensure these non-price criteria are ancillary and clearly defined, focusing on supply chain resilience and European technology integration. Also, integrate requirements for open-source solutions as encouraged by Article 41, and design tenders to meet the 25% SME innovation target under Article 33.
4. Engage with Centres for AI: Utilize the Experience and Acceleration Centres for AI established under Article 5. These centres will provide the technical expertise, testing facilities, and vendor connections needed to navigate the new sovereign cloud landscape. They are your primary resource for overcoming skills gaps, validating AI tools, and finding European providers that meet the new assurance levels.
5. Plan for Migration: If your current cloud providers do not meet the proposed Union assurance levels, start planning migration strategies early. The proposal allows up to 12 months for migration following a risk assessment, but technical preparation, data portability checks, and vendor selection should begin immediately to avoid service disruption.

Common misconceptions

• Misconception: CADA bans all non-EU cloud providers.
  • Reality: CADA does not ban non-EU providers outright. Instead, it establishes a sovereignty framework with four assurance levels. Non-EU providers can potentially qualify for Union assurance level 3 if the Commission adopts an implementing act under Article 18 identifying their country as providing sufficient assurances (e.g., adequacy decisions, no extraterritorial data access laws). However, for most public sector use cases, especially those involving public order, the stringent criteria for levels 2, 3, and 4 will effectively favor EU-based or sovereign-aligned providers.
• Misconception: The 'AI first' principle means AI must be used in every public service.
  • Reality: The 'AI first' principle, referenced in Article 7, urges organizations to consider the opportunities offered by AI in their business processes. It is a strategic mindset for innovation and efficiency, not a mandate to force AI into inappropriate or low-value use cases. Risk assessments and proportionality remain key; the principle is about reflection and opportunity, not blind adoption.
• Misconception: Union added value criteria are the deciding factor in procurement.
  • Reality: Article 32 explicitly states that Union added value criteria must be "ancillary and not decisive" in the award of the contract. They are part of the quality evaluation but do not override core technical and financial criteria directly connected to performance requirements. They are designed to nudge the market toward European solutions, not to disqualify the best technical offer solely on origin.
• Misconception: The risk assessment is a one-time event.
  • Reality: Article 29 requires risk assessments to be carried out within one year of entry into force, and "thereafter every two years, or whenever necessary." This is a recurring obligation, ensuring that the assurance levels required for public order activities remain appropriate as threats and technologies evolve.

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.