What must public-sector bodies in Lithuania do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Lithuanian public-sector bodies would be required to align their cloud and AI procurement with a national strategy that prioritizes the 'AI first' principle and mandates risk assessments for public order relevance. Public authorities would generally need to procure cloud services recognized as meeting at least Union assurance level 1, while those handling critical public order functions would be restricted to higher assurance levels (2, 3, or 4). Additionally, public bodies would be encouraged to leverage Experience and Acceleration Centres for AI to facilitate digital transformation and consider European added value criteria in procurement decisions.

Detail

The Cloud and AI Development Act (CADA) is a proposal for an EU regulation designed to strengthen Europe's cloud and AI ecosystem by reducing dependencies on non-European providers and ensuring technological sovereignty. For public-sector bodies in Lithuania, compliance would not be a standalone task but rather an integration into a broader national and EU-wide framework. The obligations fall into three main categories: strategic alignment, procurement safeguards, and operational support mechanisms.

1. Strategic Alignment: The National Cloud and AI Strategy

The foundation of CADA compliance for Lithuanian public bodies lies in the national strategy. Under Article 7(1), Member States, including Lithuania, would be required to establish a national cloud and AI strategy within one year of the regulation's entry into force. This strategy is not merely a document; it is the operational blueprint for public-sector adoption.

According to Article 7(2)(a), these national strategies must include key objectives and priorities for cloud and AI adoption, explicitly in line with the 'AI first' principle. As defined in the Apply AI Strategy and referenced in Recital 32, this principle urges organizations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration potential risks. For Lithuanian public bodies, this means that digital transformation projects would need to demonstrate how AI and cloud technologies are integrated into core administrative functions, rather than being treated as peripheral IT upgrades.

The national strategy would also need to include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps (Article 7(2)(b)). It would mandate measures to support the broad deployment of AI in strategic industrial and public sectors, including healthcare, energy, and mobility (Article 7(2)(c)). Furthermore, the strategy would outline plans for supporting the deployment of data centre capacity and investing in high-intensity computing infrastructure (Article 7(2)(d) and (e)).

Lithuanian public bodies would be expected to align their internal digital roadmaps with this national strategy. Article 7(5) requires Member States to assess their national strategies at least every three years and update them if necessary. Public bodies would need to monitor these updates to ensure their procurement and deployment activities remain consistent with the evolving national priorities.

2. Procurement Obligations and Sovereignty Assurance Levels

The core of CADA's impact on public procurement is found in Articles 29 and 30, which establish a risk-based approach to buying cloud computing services. The regulation introduces a Union cloud computing sovereignty framework with four assurance levels (Union assurance levels 1 to 4), the criteria for which are set out in Annex II and established under Article 16.

Risk Assessments Before procuring cloud services, Lithuanian public bodies would need to participate in or rely on risk assessments carried out by the State. Article 29(1) requires Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine which Union assurance level (2, 3, or 4) is appropriate for specific activities. The risk assessment would consider the sensitivity, criticality, and magnitude of data processed, including personal data, and the risk of unlawful access by third countries (Article 29(2)).

Procurement Rules Based on these risk assessments, Article 30 sets out strict procurement rules:

• General Public Sector: Public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services that have been recognized as having at least Union assurance level 1 (Article 30(2)). This establishes a baseline of trust and sovereignty for all public cloud usage in Lithuania.
• Critical Public Order: Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., national security, defense, justice, law enforcement) must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4 (Article 30(3)). These higher levels impose stricter requirements, such as data remaining exclusively within the Union, personnel being Union citizens, and no control by third-country entities.

Exceptions There are limited exceptions under Article 30(4). A contracting authority may decide not to procure recognized services if no adequate alternative exists in the central repository, if a similar recent procurement yielded no suitable tenders, or if applying the requirements would result in disproportionate costs. However, these exceptions must be duly justified.

3. European Added Value and Innovation

CADA also aims to stimulate the European cloud and AI ecosystem through procurement preferences. Article 32 introduces Union added value criteria for public procurement of innovative cloud computing services and AI systems.

Lithuanian contracting authorities would be required to include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. This includes evaluating:

• The contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union (Article 32(3)(a)).
• The integration of technologies developed in the Union, including results from Union-funded research (Article 32(3)(b)).
• The extent to which the service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union (Article 32(3)(d)).

These criteria must be ancillary and not decisive in the award of the contract, preserving the primacy of technical and financial criteria (Article 32(2)(d)). However, they provide a formal mechanism to favor European providers and reduce dependency on non-EU hyperscalers.

Furthermore, Article 33 encourages the monitoring of procurement of innovation. Member States would need to monitor their use of procurement for innovation in cloud and AI, with an objective that at least 25% of such procurement be awarded to innovative SMEs (Article 33(4)). Lithuanian public bodies would need to report on SME participation trends and measures taken to improve SME access to procurement markets.

4. Operational Support: Experience and Acceleration Centres for AI

To support public bodies in meeting these obligations, CADA establishes a network of Experience and Acceleration Centres for AI ('Centres for AI'). Article 5 requires each Member State, including Lithuania, to establish these Centres, building on existing European Digital Innovation Hubs.

For Lithuanian public-sector bodies, these Centres would serve as critical entry points for digital transformation. Article 5(3)(a) tasks the Centres with helping organizations accelerate their digital transformation through access to and use of AI technologies, including by connecting organizations with European providers of cloud and AI technologies. They would also provide access to upskilling and reskilling schemes (Article 5(3)(b)) and facilitate the transfer of expertise across regions.

Public bodies would be encouraged to engage with these Centres to navigate the technical and regulatory complexities of adopting sovereign cloud services and AI systems. The Centres would help ensure that public bodies can effectively implement the 'AI first' principle and comply with the assurance level requirements without facing significant skill or knowledge gaps.

What this means for you

For procurement officers and IT directors in Lithuanian public bodies, CADA would introduce a structured, risk-based approach to cloud and AI procurement. Here is how you should prepare:

1. Align with the National Strategy: Monitor the development of Lithuania's national cloud and AI strategy. Ensure your department's digital transformation plans explicitly reference the 'AI first' principle and align with the strategy's objectives. Be prepared to demonstrate how your cloud and AI projects contribute to these national goals.
2. Conduct and Document Risk Assessments: Engage with your national competent authority to understand the risk assessment process. Determine whether your specific public sector activities are classified as contributing to the preservation of public order. This classification will dictate the minimum Union assurance level you must procure. Keep detailed records of these assessments and their outcomes.
3. Update Procurement Specifications: Revise your procurement templates to include requirements for Union assurance levels. For general services, specify that providers must hold recognition for at least Union assurance level 1. For critical functions, specify levels 2, 3, or 4 as appropriate. Ensure your technical specifications allow for the evaluation of European added value criteria, such as the use of EU-designed hardware or software.
4. Engage with Centres for AI: Identify the Lithuanian Experience and Acceleration Centre for AI relevant to your sector. Use their services for technical advice, training, and connecting with European cloud providers. This can help mitigate the skills gap and ensure you are procuring compliant, sovereign solutions.
5. Prioritize SMEs and Innovation: When procuring innovative cloud and AI solutions, actively consider SMEs and start-ups. Aim to meet the target of awarding at least 25% of innovation procurement to SMEs. Use the monitoring and reporting frameworks to track your progress and identify barriers to SME participation.
6. Monitor the Central Repository: Familiarize yourself with the central repository of recognized cloud computing services, which the Commission would establish under Article 22. This repository would be your primary source for identifying compliant providers. Check it regularly to see which Lithuanian and European providers have achieved the necessary assurance levels.

Common misconceptions

• Misconception: CADA bans all non-EU cloud providers.
  • Reality: CADA does not ban non-EU providers outright. Instead, it establishes a tiered sovereignty framework. Non-EU providers can still compete, but they must meet strict assurance level criteria. For example, a non-EU provider might achieve Union assurance level 1 if it meets specific data localization and transparency requirements. However, for critical public order functions (levels 2-4), the requirements are much stricter, effectively limiting participation to providers with strong EU ties and no third-country control.
• Misconception: Public bodies can choose any cloud provider as long as it is GDPR-compliant.
  • Reality: GDPR compliance is necessary but not sufficient under CADA. CADA introduces additional sovereignty requirements, such as data remaining exclusively within the Union, personnel being Union citizens, and no third-country control. A provider can be GDPR-compliant but fail to meet Union assurance level 1 criteria if, for example, it allows data transfer outside the EU or is controlled by a third-country entity.
• Misconception: The 'AI first' principle means AI must be used in every project.
  • Reality: The 'AI first' principle is about considering AI as a tool to improve business processes, not mandating its use in every case. It encourages public bodies to reflect on how AI can add value, while also considering risks. It is a strategic approach to digital transformation, not a blanket requirement for AI adoption.
• Misconception: European added value criteria will dominate procurement decisions.
  • Reality: Under Article 32(2)(d), European added value criteria must be ancillary and not decisive. They are part of the quality evaluation but cannot override technical and financial criteria. Their purpose is to provide a tie-breaker or a slight preference for European solutions, not to exclude non-European providers outright if they offer better value.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.