Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Luxembourg must align their digital strategies with a national plan embedding the 'AI first' principle and conduct mandatory risk assessments to determine cloud sovereignty requirements. Contracting authorities are required to procure cloud services recognised under the Union assurance framework: Union assurance level 1 for general activities, and levels 2, 3, or 4 for activities contributing to the preservation of public order. Additionally, Luxembourgish authorities must leverage Experience and Acceleration Centres for AI as entry points for digital transformation and apply Union added value criteria in tenders, aiming to award at least 25% of cloud and AI innovation procurement to innovative SMEs.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a framework to strengthen the EU's cloud and AI ecosystem. For public-sector bodies in Luxembourg, compliance is not a single administrative task but a multi-layered obligation involving strategic planning, risk-based procurement, and active engagement with EU support infrastructure.

1. National Strategy and the 'AI First' Principle

Compliance begins with the strategic alignment of national policy. Under Article 7 of CADA, Member States, including Luxembourg, are required to establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies are binding blueprints for public-sector adoption, not merely advisory documents.

The 'AI First' Principle

The national strategy must explicitly include the 'AI first' principle. As defined in Recital 32 and mandated by Article 7(2)(a), this principle urges organisations to "reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account the potential risks." For Luxembourgish public bodies, this means digital transformation roadmaps must proactively integrate AI capabilities rather than treating them as an afterthought. The strategy must outline measures to accelerate AI adoption at national, regional, and local levels, ensuring that public services are designed with AI capabilities in mind from the outset.

Role of Experience and Acceleration Centres for AI

A critical component of the national strategy is the support of Experience and Acceleration Centres for AI ('Centres for AI'), established under Article 5. These Centres, built on the existing network of European Digital Innovation Hubs, serve as the primary entry points for public bodies and SMEs to access the European AI innovation ecosystem.

  • Function: Under Article 5(3), these Centres are tasked with helping organisations accelerate their digital transformation by connecting them with European providers of cloud and AI technologies.
  • Support: They provide access to upskilling schemes, facilitate the transfer of expertise across regions, and support the scaling-up of AI use cases in strategic sectors.
  • Obligation: Luxembourgish public bodies are expected to utilise these Centres to identify compliant solutions, test AI models, and access the necessary skills to implement the 'AI first' principle effectively.

2. Procurement Obligations and Union Assurance Levels

The core compliance burden for public-sector bodies lies in procurement. Article 30 establishes strict rules for contracting authorities procuring cloud computing services for their exclusive use. These rules are directly driven by risk assessments conducted by Member States under Article 29.

Step 1: Risk Assessments (Article 29)

Before procuring cloud services, Luxembourg must carry out risk assessments to identify which public-sector activities contribute to the preservation of public order. These assessments must determine the appropriate Union assurance level for specific activities. The assessment must consider:

  • The sensitivity, criticality, and magnitude of the data processed.
  • The risk of unlawful access by a third country or a legal entity established in a third country.
  • The risk of service disruption.

Activities falling under sectors listed in Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement, are explicitly identified as contributing to public order.

Step 2: Minimum Procurement Requirements (Article 30)

Based on the outcome of these risk assessments, Article 30 imposes the following mandatory procurement obligations:

  • General Public Sector Activities: Contracting authorities whose activities have not been identified as contributing to the preservation of public order must use cloud computing services that have been recognised as having Union assurance level 1.
  • Public Order Activities: Contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognised as having Union assurance level 2, 3, or 4.

Understanding the Assurance Levels

  • Level 1: Requires the provider to be established in the Union, with infrastructure and data located in the Union (unless explicitly required otherwise by the public body). It requires a self-assessment of compliance with state-of-the-art cybersecurity standards.
  • Level 2: Requires independent third-party audits. It mandates that infrastructure, assets, and personnel are located in the Union. Crucially, it requires a European cybersecurity certificate of at least assurance level 'substantial' (or equivalent national standards until a Union scheme is established). Personnel requirements are conditional: if the public sector body determines that additional screening or Union citizenship requirements are necessary, the provider must ensure such personnel are available.
  • Level 3: Requires independent audits and a 'substantial' cybersecurity certificate. It mandates that personnel (including subcontractors) are Union citizens and, where appropriate, hold necessary national security clearance for classified information. It also requires that technical support is performed exclusively within the Union by Union residents.
    • Third-Country Control Derogation: Under Annex II, Section 3.1(g), a provider subject to the control of a third country may still qualify for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. The proposal text correctly references Article 18 for this derogation.
  • Level 4: The highest level, requiring a 'high' cybersecurity certificate, Union citizen personnel with security clearance, and strict controls ensuring no third-country control over the provider or its software supply chain.

Step 3: Derogations

Derogations from these assurance level requirements are permitted only on an exceptional basis and where duly justified. Article 30(4) allows authorities to decide not to procure recognised services if:

  • The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists.
  • A similar procurement process launched within the previous year received no suitable tenders.
  • Applying the requirements would result in disproportionate cost.

3. Union Added Value and Innovation Procurement

Beyond sovereignty levels, CADA introduces specific criteria to foster a European cloud and AI ecosystem. Article 32 requires contracting authorities to include Union added value as part of the quality evaluation of tenders for innovative cloud computing services and AI systems.

Union Added Value Criteria

When applying non-price award criteria, authorities must ensure they are:

  • Linked to the subject matter of the contract.
  • Ancillary and not decisive in the award of the contract.
  • Expressly set out in procurement documents.

Authorities should evaluate the extent to which:

  • The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The tenderer has integrated technologies developed in the Union.
  • The service is delivered through critical computing, storage, and networking hardware components designed and/or manufactured in the Union, where feasible.

SME Participation Target

Article 33 mandates that Member States monitor their use of procurement of innovation in cloud and AI. Luxembourg must pursue the objective that at least 25% of its procurement for cloud computing services and AI systems be awarded to innovative small and medium-sized enterprises (SMEs). Authorities are required to report annually on SME participation trends and measures taken to improve SME access to public procurement.

What this means for you

For procurement officers, IT directors, and public-sector leaders in Luxembourg, CADA introduces a structured, compliance-heavy approach to digital procurement. Here is how you should prepare:

1. Align with the National Strategy

Ensure your department's digital transformation roadmap is consistent with Luxembourg's national cloud and AI strategy. Adopt the 'AI first' mindset by proactively identifying processes where AI can improve efficiency or service delivery, while conducting thorough risk assessments. Engage with the national Experience and Acceleration Centres for AI to access expertise, testing environments, and connections to European providers. These Centres are designated as key support structures for public bodies and SMEs.

2. Conduct Rigorous Risk Assessments

Before launching any cloud procurement, collaborate with your national competent authority to determine if your activity contributes to public order. This classification is critical:

  • If no, you must procure services with Union assurance level 1.
  • If yes, you must procure services with Union assurance level 2, 3, or 4.

Failing to conduct this assessment, or procuring at the wrong assurance level, constitutes a breach of CADA. Keep detailed records of your risk assessments, as they must be reported to the Commission.

3. Update Procurement Documents

Revise your tender templates to include:

  • Mandatory requirements for the cloud service to be recognised in the central repository under the appropriate Union assurance level.
  • Non-price award criteria for Union added value, evaluating the tenderer's contribution to the European supply chain and use of Union-developed technologies.
  • Clauses promoting innovation and SME participation, aiming for the 25% target for innovative SMEs in cloud and AI procurement.

4. Leverage Support Infrastructure

Do not navigate this landscape alone. Use the Experience and Acceleration Centres for AI in Luxembourg to test solutions, upskill staff, and identify compliant European providers. These Centres are specifically tasked with supporting the scaling-up of AI use cases and connecting organisations with European providers.

Common misconceptions

Misconception 1: CADA replaces national cybersecurity or data protection laws.

CADA complements existing laws like the GDPR, NIS2, and the AI Act. It does not replace them. For example, while CADA mandates sovereignty assurance levels, it does not dictate the specific technical cybersecurity controls (which may fall under EUCS or national schemes) or data protection impact assessments (GDPR). You must comply with all applicable regulations simultaneously.

Misconception 2: Union added value is a decisive factor in awarding contracts.

Under Article 32, Union added value criteria must be ancillary and not decisive in the award of the contract. They are part of the quality evaluation but cannot override core technical and financial criteria directly connected to performance requirements.

Misconception 3: Only large public bodies need to worry about sovereignty levels.

CADA applies to all contracting authorities. Whether a small municipality or a national ministry, if you procure cloud computing services, you must adhere to the assurance levels determined by the risk assessment. The scale of the procurement does not exempt you from these sovereignty requirements.

Misconception 4: The 'AI first' principle means you must use AI in every process.

'AI first' is a strategic principle urging organisations to consider the opportunities and needs offered by AI. It does not mandate the use of AI in every scenario, especially where it is not appropriate, proportional, or where risks outweigh benefits. It is about informed decision-making, not forced adoption.

Misconception 5: Level 3 automatically requires all staff to be Union citizens.

While Annex II, Section 3.1(d) requires personnel to be Union citizens for Level 3, it includes the qualifier "where appropriate" regarding national security clearance for classified information. Furthermore, for Level 2, Union citizenship is only required if the public sector body explicitly determines such additional screening is necessary.

This is general information about a draft EU regulation, not legal advice.