Summary Under the proposed Cloud and AI Development Act (CADA), Italian public-sector bodies must align their cloud and AI procurement with a national strategy embedding the 'AI first' principle, mandating the use of recognized sovereign cloud services for activities critical to public order. Compliance requires conducting risk assessments to determine the appropriate Union assurance level, applying European added value criteria in tender evaluations, and leveraging Experience and Acceleration Centres for AI as entry points for digital transformation. As a proposal, CADA is not yet law; if adopted, it would require Italy to establish its national strategy within one year of entry into force.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a framework to strengthen Europe's cloud and AI ecosystem, directly impacting how public-sector bodies in Italy procure and deploy digital services. While currently a proposal, CADA would impose specific obligations on Member States and their public authorities. For Italian public-sector entities, compliance hinges on three interconnected pillars: national strategic alignment under Article 7, risk-based procurement of sovereign services under Articles 29 and 30, and the utilization of support structures like Experience and Acceleration Centres for AI under Article 5.

The National Strategy and the 'AI First' Principle

The foundation of public-sector compliance under CADA is the national cloud and AI strategy. Article 7(1) mandates that Member States, including Italy, establish these strategies within one year of the Regulation's entry into force. These strategies are not merely advisory; they set the operational roadmap for public-sector digital transformation.

Crucially, Article 7(2)(a) requires that national strategies include key objectives for cloud and AI adoption in line with the 'AI first' principle. This principle, referenced in Recital 32, urges organizations to reflect on their business processes by considering the needs and opportunities offered by AI, while taking into account potential risks. For Italian public bodies, this means integrating AI considerations into the design of administrative procedures from the outset, rather than treating AI as an afterthought.

The national strategy must also outline measures to accelerate AI adoption at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps (Article 7(2)(b)). It must include specific measures to support the broad deployment of AI in strategic sectors such as healthcare, energy, and mobility (Article 7(2)(c)). Consequently, Italian procurement officers cannot view cloud and AI purchases in isolation; they must execute them in a manner consistent with the broader goals set out in Italy's national strategy, which must be notified to the Commission and reviewed at least every three years (Article 7(5)).

Procurement Obligations: Risk Assessments and Union Assurance Levels

The core of CADA's demand-side measures lies in its cloud computing sovereignty framework, detailed in Title IV. Public-sector bodies in Italy must procure cloud computing services that meet specific Union assurance levels based on the sensitivity of the data and the criticality of the service.

Mandatory Risk Assessments

Article 29(1) obliges Member States and Union entities to carry out risk assessments within one year of the Regulation's entry into force, and thereafter every two years or whenever necessary. These assessments must identify public-sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive, as well as areas such as national security, internal security, external border management, defence, justice, and law enforcement.

The risk assessment determines which Union assurance level (2, 3, or 4) is appropriate for these activities. Article 29(2) specifies that these assessments must consider:

  • The sensitivity, criticality, and magnitude of the data processed.
  • The risk of unlawful access by a third country or legal entity.
  • The risk of service disruption.

Based on these assessments, the Commission may issue implementing acts to specify the methodology and templates for risk assessments (Article 29(3)), ensuring a harmonized approach across the EU, including in Italy.

Procurement Requirements by Assurance Level

Article 30 sets out strict procurement rules based on the outcomes of the risk assessments:

  1. Union Assurance Level 1 (Baseline): Article 30(2) states that Union entities and public-sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having Union assurance level 1. This is the minimum baseline for all public-sector cloud procurement in Italy. Level 1 requires providers to be established in the Union, with infrastructure and assets located in the Union, and customer data remaining exclusively within the Union unless explicitly required otherwise by the public sector body (Annex II, Section 1).

  2. Union Assurance Levels 2, 3, or 4 (Critical Services): Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., defense, justice, critical infrastructure) must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4. These higher levels impose stricter criteria, such as requiring Union citizenship for personnel (Levels 3 and 4), prohibiting third-country control over the provider (Level 4), and mandating European cybersecurity certification (Levels 2, 3, and 4).

Derogations

Article 30(4) provides limited derogations from these requirements on an exceptional basis. A contracting authority may decide not to procure a recognized service if:

  • The subject matter cannot be supplied by recognized services in the central repository, and no adequate alternative exists.
  • A similar procurement process launched within the previous year received no suitable tenders.
  • Applying the requirements would result in disproportionate costs.

European Added Value and Innovation Procurement

Beyond sovereignty levels, CADA introduces mechanisms to boost the European cloud and AI ecosystem through procurement criteria.

Union Added Value Criteria

Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. Specifically, Article 32(3) allows authorities to assess:

  • The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including research results from Union-funded programs.
  • The use of critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Recital 67 suggests that contracting authorities could consider a maximum weighting of 15 out of 120 points for European added value, ensuring it remains ancillary and not decisive compared to technical and financial criteria.

Innovation Procurement and SME Support

Article 33 focuses on monitoring and promoting innovation procurement. Member States must monitor their use of innovation procurement for cloud and AI and report annually to the Commission. A key objective is that at least 25% of procurement for cloud computing services and AI systems be awarded to innovative SMEs (Article 33(4)). Italian public bodies must include plans in their national strategies on how they intend to achieve this objective.

Leveraging Experience and Acceleration Centres for AI

To support compliance and adoption, CADA establishes a network of Experience and Acceleration Centres for AI ('Centres for AI') under Article 5. Each Member State, including Italy, must establish these centres, building on existing European Digital Innovation Hubs (EDIHs).

For public-sector bodies, these Centres for AI serve as critical entry points. Article 5(2) outlines their objectives, which include supporting the integration and scaling-up of AI use cases in public sectors and accelerating the broad adoption of cloud and AI technologies at regional and local levels. Article 5(3) tasks these centres with helping organizations accelerate digital transformation by connecting them with European providers of cloud and AI technologies and ensuring access to upskilling schemes.

Italian procurement officers and public administrators are expected to engage with these centres to gain expertise, access testing facilities, and receive guidance on implementing AI solutions that comply with both CADA and national strategies.

What this means for you

For Italian public-sector procurement officers, CADA introduces a structured, risk-based approach to cloud and AI buying. Here is a practical checklist for compliance:

  1. Align with National Strategy: Ensure your procurement plans align with Italy's national cloud and AI strategy, particularly the 'AI first' principle. Verify that your organization's digital transformation roadmap supports the objectives set out in this strategy.
  2. Conduct Risk Assessments: Participate in or conduct the risk assessments mandated by Article 29. Determine if your specific activities contribute to the preservation of public order. This classification will dictate your minimum assurance level requirement.
  3. Check the Central Repository: Before issuing a tender, check the central repository of recognized cloud computing services (Article 22). Only procure services that hold the appropriate Union assurance level (Level 1 for general services; Levels 2-4 for critical/public order services).
  4. Apply Added Value Criteria: Incorporate non-price award criteria into your tenders that evaluate the European added value of bids, such as the use of EU-designed hardware or software (Article 32).
  5. Support SMEs: Aim to award at least 25% of your innovation procurement contracts to SMEs (Article 33). Use the Centres for AI to identify innovative SME providers and facilitate their participation in procurement processes.
  6. Engage with Centres for AI: Utilize the local Experience and Acceleration Centres for AI for technical support, training, and guidance on compliant AI deployment.

Common misconceptions

"CADA bans all non-European cloud providers." No. CADA does not ban non-European providers outright. It establishes a sovereignty framework with four assurance levels. Providers from third countries may qualify for Union assurance level 3 if the Commission determines the third country provides sufficient safeguards (Article 18). However, for critical public-order activities, the requirements are so stringent that only providers with strong EU ties will likely qualify.

"The 'AI first' principle means AI must be used in every public service." No. The 'AI first' principle encourages organizations to consider the opportunities and needs offered by AI in their business processes, but it also requires taking into account potential risks. It is about strategic consideration and integration where appropriate, not mandatory AI deployment in all contexts.

"European added value is the most important criterion in procurement." No. Article 32(2)(d) explicitly states that non-price award criteria related to European added value must be ancillary and not decisive in the award of the contract. Technical and financial criteria remain primary.

"CADA replaces the AI Act." No. The AI Act regulates AI systems (safety, fundamental rights), while CADA regulates the cloud infrastructure and sovereignty beneath them. An Italian public body deploying a high-risk AI system would need to comply with both: the AI Act for the system itself, and CADA for the cloud infrastructure hosting it.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.