Summary

Under the proposed Cloud and AI Development Act (CADA), Irish public-sector bodies must align their digital strategies with a national plan prioritising the 'AI first' principle, as mandated by Article 7. Procurement officers would be required to purchase cloud services meeting specific Union assurance levels, with critical public-order activities necessitating higher sovereignty tiers under Article 30. Additionally, public bodies would be expected to utilise Experience and Acceleration Centres for AI as primary entry points for adoption and support, while integrating Union added value criteria into tender evaluations under Articles 32 and 33.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. For public-sector bodies in Ireland, the regulation introduces binding obligations regarding national strategy alignment, procurement standards, and the utilisation of support infrastructure. As CADA is currently a proposal, these measures would apply only if adopted in its current form.

National Strategy and the 'AI First' Principle

The cornerstone of public-sector compliance under CADA is the requirement for Member States to adopt a national cloud and AI strategy. Article 7(1) stipulates that Member States must establish these strategies within one year of the Regulation's entry into force. For Ireland, this means the national strategy must explicitly include key objectives and priorities for cloud and AI adoption, strictly adhering to the 'AI first' principle.

The 'AI first' principle, referenced in the Apply AI Strategy and embedded in Article 7(2)(a), urges organisations to reflect on their business processes by considering the needs and opportunities offered by AI, while simultaneously taking into account potential risks. The national strategy must include a governance and monitoring framework to achieve these objectives.

Furthermore, Article 7(2)(b) mandates measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. This specifically includes supporting the Centres for AI (established under Article 5) as entry points to the European AI innovation ecosystem. Irish public bodies must therefore ensure their internal digital transformation plans are consistent with the national strategy's measures to support broad deployment in strategic sectors, including healthcare, energy, and mobility, as outlined in Article 7(2)(c).

Procurement Obligations and Union Assurance Levels

The most direct operational impact on Irish procurement officers stems from Title IV of CADA, which establishes a Union cloud computing sovereignty framework. Article 30 sets out strict procurement obligations for contracting authorities, including Irish public bodies.

Baseline Requirement: Union Assurance Level 1

Article 30(2) establishes a minimum baseline for all public procurement of cloud computing services. Union entities and public-sector bodies whose activities have not been identified as contributing to the preservation of public order under the risk assessment in Article 29 must use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1. This means that for standard administrative or non-critical functions, Irish public bodies cannot procure cloud services that fail to meet the basic sovereignty criteria, such as data remaining within the Union and the provider being established in the Union.

Higher Assurance for Critical Activities

For activities identified as contributing to the preservation of public order, the requirements are significantly stricter. Article 30(3) mandates that contracting authorities whose activities fall under sectors listed in Annex I or II of the NIS2 Directive, or areas such as national security, defence, justice, or law enforcement, must only procure cloud computing services recognised as having a Union assurance level 2, 3, or 4.

To determine which assurance level is appropriate, Irish authorities must conduct risk assessments as required by Article 29. These assessments must identify public sector activities that contribute to public order and determine the necessary Union assurance level (2, 3, or 4) based on the sensitivity of data and the criticality of the function. Article 29(1) requires these assessments to be carried out within one year of the Regulation's entry into force, and every two years thereafter.

Exceptions

Article 30(4) provides limited derogations. A contracting authority may decide not to procure a recognised service if:

  1. The subject matter cannot be supplied by recognised services in the central repository, and no adequate alternative exists.
  2. A similar procurement process was launched within the previous year but yielded no suitable tenders.
  3. Applying the requirements would result in disproportionate cost.

Union Added Value and Innovation Procurement

Beyond sovereignty levels, CADA introduces specific criteria for evaluating tenders. Article 32 requires contracting authorities to include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. This "Union added value" must be part of the quality evaluation of the tender.

Article 32(3) specifies that these criteria should assess:

  • The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including research results from Union-funded programmes.
  • The contribution of the innovation to strengthening security of supply.
  • The delivery of the service through critical computing hardware components designed and/or manufactured in the Union.

Crucially, Article 32(2)(d) states that these Union added value criteria must be ancillary and not decisive in the award of the contract. They must be linked to the subject matter and expressly set out in the procurement documents.

Additionally, Article 33 focuses on innovation procurement. Member States must monitor their use of procurement for innovation in cloud and AI. Article 33(4) sets an objective that at least 25% of procurement for cloud computing services and AI systems be awarded to innovative SMEs. Irish public bodies must include plans in their national strategies (per Article 7) on how they intend to achieve this objective.

Role of Experience and Acceleration Centres for AI

To support compliance and adoption, CADA establishes a network of Experience and Acceleration Centres for AI (Centres for AI). Article 5(1) requires each Member State to establish these centres, building on existing European Digital Innovation Hubs.

For Irish public bodies, these Centres for AI serve as critical support structures. Article 5(2) outlines their objectives, including supporting the integration and scaling-up of AI use cases in strategic industrial and public sectors, and accelerating the broad adoption of cloud and AI technologies at regional and local levels.

Article 5(3) tasks these centres with:

  • Helping organisations accelerate digital transformation by connecting them with European providers of cloud and AI technologies.
  • Ensuring access to upskilling and reskilling schemes.
  • Facilitating the transfer of expertise across regions.

Procurement officers and public sector leaders should view these centres as mandatory entry points for guidance, particularly for SMEs and smaller public bodies that may lack in-house expertise to navigate the new sovereignty requirements or to identify compliant vendors.

What this means for you

For public-sector procurement officers and digital leaders in Ireland, CADA transforms cloud and AI purchasing from a purely technical or cost-driven exercise into a strategic compliance obligation.

  1. Align with the National Strategy: You must ensure your department's digital plans are consistent with Ireland's national cloud and AI strategy. This strategy must explicitly adopt the 'AI first' principle, meaning you must proactively assess how AI can improve your processes, not just react to technological changes.
  2. Conduct Risk Assessments: Before procuring cloud services, you must determine if your activity contributes to public order (e.g., justice, health, critical infrastructure). If it does, you cannot use standard Level 1 services; you must procure Level 2, 3, or 4 services based on a formal risk assessment under Article 29.
  3. Verify Assurance Levels: You must only purchase from providers recognised in the central repository (Article 22) as meeting the required Union assurance level. For non-critical functions, Level 1 is the minimum. For critical functions, higher levels are mandatory.
  4. Update Tender Documents: Your procurement documents must include non-price award criteria for "Union added value" (Article 32). You must evaluate bids on their contribution to the European supply chain, though this cannot be the sole deciding factor.
  5. Leverage Support Networks: Engage with the Irish Centres for AI (Article 5) for technical assistance, training, and vendor identification. They are designated as key entry points for public sector digital transformation.
  6. Support SMEs: Aim to award at least 25% of your cloud and AI innovation procurement to innovative SMEs, as per Article 33.

Common misconceptions

  • "CADA replaces the AI Act." No. CADA focuses on cloud infrastructure, sovereignty, and procurement. The AI Act regulates the safety and fundamental rights aspects of AI systems themselves. They are complementary; a public body must comply with both.
  • "Union added value means we must buy only Irish/EU hardware." No. Article 32(2)(d) explicitly states that Union added value criteria must be ancillary and not decisive. You can still award contracts to non-EU providers if they offer the best overall technical and financial value, provided the EU supply chain criteria are considered as part of the quality evaluation.
  • "Level 1 assurance is enough for all public services." No. Article 30(3) mandates higher assurance levels (2, 3, or 4) for activities contributing to public order, such as those in NIS2 sectors, defence, or justice. A risk assessment is required to determine the appropriate level.
  • "We can ignore this until the law is passed." While CADA is a proposal, the shift toward sovereign cloud procurement is already evident in national strategies. Preparing your risk assessment methodologies and engaging with Centres for AI now will facilitate smoother compliance once the Regulation enters into force.

This is general information about a draft EU regulation, not legal advice.