Summary
Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Malta would be required to align their digital strategies with a national "AI first" mandate, conduct risk assessments to determine mandatory cloud sovereignty levels, and procure only services meeting specific Union assurance levels. Compliance hinges on three pillars: adopting a national strategy within one year of entry into force; applying a baseline of Union Assurance Level 1 (or higher for public-order activities) in all tenders; and utilizing Malta's Experience and Acceleration Centres for AI as entry points for technical guidance and SME engagement.
Detail
The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a harmonised framework to strengthen the EU's cloud and AI ecosystem. For public-sector bodies in Malta, the regulation introduces binding obligations that transform how cloud and AI services are strategised, procured, and adopted. The following sections detail the specific requirements under Articles 5, 7, 30, 32, and 33.
National Strategy and the "AI First" Principle (Article 7)
CADA imposes a strict timeline on Member States to formalise their digital roadmap. Article 7(1) requires Malta to establish a national cloud and AI strategy within one year of the regulation's entry into force. This is not a voluntary guideline but a statutory requirement that forms the bedrock of public-sector adoption.
The core of this strategy must be the "AI first" principle, as defined in the Apply AI Strategy and referenced in Recital 32. This principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For Maltese public bodies, this means that strategic planning cannot remain static; it must actively evaluate how AI can optimise administrative procedures, improve decision-making, and simplify burdens, particularly in critical domains such as healthcare and public administration (Article 4(7)).
The national strategy must explicitly include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, with a specific focus on public sector bodies (Article 7(2)(b)). It must also outline governance and monitoring frameworks to achieve these objectives. Maltese authorities would be required to notify the Commission of their national strategy within three months of its adoption and assess it at least every three years based on key performance indicators (Article 7(5)). This ensures that Malta's digital transformation remains dynamic and aligned with Union-wide objectives.
Procurement Obligations and Union Assurance Levels (Article 30)
The most direct operational impact on Maltese public-sector bodies lies in procurement. CADA introduces a Union cloud computing sovereignty framework with four assurance levels. Article 30 sets out the minimum procurement requirements based on risk assessments conducted under Article 29.
Baseline Requirement: Union Assurance Level 1
For public-sector bodies whose activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1), the use of cloud computing services recognised under Article 17 as having a Union assurance level 1 is mandatory (Article 30(2)). This creates a consistent baseline of safeguards across the EU, reducing vulnerabilities to third-country access and service disruption. Level 1 requires the provider to be established in the Union, with infrastructure and data remaining within the Union, unless explicitly required otherwise by the public body.
Higher Assurance for Public Order Relevance
If a risk assessment determines that a public-sector body's activities contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), or in areas such as national security, internal security, external border management, defence, justice, or law enforcement, the body must only procure cloud computing services recognised as offering Union assurance levels 2, 3, or 4 (Article 30(3)). These higher levels impose stricter criteria, including requirements for Union citizenship of personnel (conditional at Level 2, mandatory at Levels 3 and 4) and independent third-party audits.
Risk Assessments (Article 29)
To determine the required assurance level, Malta and its Union entities must carry out risk assessments no later than one year after the date of entry into force, and thereafter every two years (Article 29(1)). These assessments must identify public sector activities that use cloud services and determine which Union assurance level (2, 3, or 4) is appropriate. The assessment must consider the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries (Article 29(2)). If a risk assessment requires migration to another cloud service, the transition must occur within a reasonable period not exceeding 12 months (Article 29(6)).
Derogations
Article 30(4) provides limited derogations from these requirements. Contracting authorities may decide not to procure recognised services if:
- The subject matter cannot be supplied by recognised services in the central repository, and no adequate alternative exists.
- A similar procurement process was launched within the previous year but received no suitable tenders.
- Applying the requirements would result in disproportionate costs.
Union Added Value and Innovation (Articles 32–33)
Beyond assurance levels, CADA mandates the inclusion of "Union added value" criteria in public procurement for innovative cloud computing services and AI systems (Article 32). Maltese contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.
These criteria must be:
- Linked to the subject matter of the contract.
- Not conferring unrestricted freedom of choice.
- Expressly set out in procurement documents.
- Ancillary and not decisive in the award of the contract (Article 32(2)).
Specifically, authorities should evaluate the extent to which the tenderer:
- Contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
- Has integrated technologies developed in the Union, including research results from EU-funded programs.
- Delivers services through critical computing, storage, and networking hardware components designed and/or manufactured in the Union (Article 32(3)).
Furthermore, Article 33 requires Member States to monitor their use of procurement of innovation in cloud and AI. Malta would be expected to pursue the objective that at least 25% of its procurement for cloud computing services and AI systems be awarded to innovative SMEs (Article 33(4)). This includes promoting preliminary market consultations and matchmaking between public buyers and innovative European SMEs (Article 33(5)).
Leveraging Experience and Acceleration Centres for AI (Article 5)
To support compliance and adoption, CADA mandates the establishment of Experience and Acceleration Centres for AI (Centres for AI) in each Member State (Article 5(1)). These centres build on the existing network of European Digital Innovation Hubs (EDIHs).
For Maltese public bodies, these Centres for AI serve as critical entry points for digital transformation. Their objectives include:
- Supporting the integration and scaling-up of AI use cases in strategic public sectors.
- Accelerating the broad adoption of cloud and AI technologies at regional and local levels, notably for SMEs and public sector bodies (Article 5(2)).
- Helping organizations accelerate digital transformation through access to AI technologies, including connecting them with European providers (Article 5(3)(a)).
- Ensuring access to upskilling and reskilling schemes in collaboration with the AI Skills Academy (Article 5(3)(b)).
Public-sector bodies in Malta would be encouraged to engage with these centres to identify suitable sovereign cloud providers, navigate the assurance level requirements, and access training for staff. The Centres are tasked with providing expertise, testing, and innovation support, effectively acting as a bridge between policy requirements and practical implementation.
What this means for you
For procurement officers, IT leaders, and policy makers in Maltese public-sector bodies, CADA would introduce a structured, compliance-driven approach to cloud and AI adoption.
- Align with National Strategy: Ensure your department's digital transformation plans align with Malta's national cloud and AI strategy, specifically integrating the "AI first" principle to identify opportunities for AI-driven efficiency. Monitor the strategy's adoption and updates, as it will dictate the governance framework for your operations.
- Conduct Risk Assessments: Participate in or initiate the risk assessments required under Article 29 to determine if your body's activities are deemed to preserve public order. This determines whether you must procure at Union Assurance Level 1 (baseline) or Levels 2–4 (higher sovereignty). If migration is required, plan for the 12-month transition window.
- Update Procurement Criteria: Revise tender documents to include mandatory Union Assurance Level 1 (or higher) requirements. Incorporate "Union added value" criteria to evaluate suppliers based on their contribution to the European digital supply chain, such as the use of EU-designed hardware or software. Ensure these criteria are ancillary, not decisive.
- Engage Support Infrastructure: Utilize Malta's Experience and Acceleration Centres for AI for technical assistance, training, and guidance on selecting compliant providers. These centres can help navigate the complexities of the sovereignty framework and connect your body with trusted European vendors and SMEs.
- Support SME Innovation: Actively seek opportunities to award at least 25% of innovative cloud and AI procurement to SMEs, fostering a local and European ecosystem. Use the Centres for AI to facilitate matchmaking and preliminary market consultations.
Common misconceptions
- "CADA bans non-EU cloud providers entirely." This is incorrect. CADA does not ban non-EU providers. Instead, it establishes a tiered assurance framework. Non-EU providers can qualify for Union Assurance Level 3 if their home country meets specific safeguards criteria (Article 18). However, for public-order-critical activities, the requirements are stricter, and Level 1 is a mandatory minimum for all public procurement.
- "Union added value criteria are decisive in winning contracts." No. Article 32(2)(d) explicitly states that these criteria must be "ancillary and not decisive in the award of the contract." They are quality evaluation factors, not the primary basis for award, which remains technical and financial performance.
- "All public bodies must use Level 4 assurance." No. Level 4 is reserved for the most critical activities. Most public bodies will operate at Level 1 (self-assessed conformity) or Level 2–4 if their risk assessment identifies public order relevance. The framework is proportionate to risk.
- "The 'AI first' principle means AI must be used in every process." The "AI first" principle is a strategic mindset, not a mandate for universal AI deployment. It requires organizations to consider AI opportunities and risks when evaluating processes, not to force AI into every workflow regardless of suitability or risk.
- "The Experience and Acceleration Centres are optional." While the Centres are established by Member States, their role as entry points for public bodies and SMEs is a core part of the CADA framework. Public bodies are expected to leverage them for adoption, upskilling, and connecting with European providers, as outlined in Article 5.
This is general information about a draft EU regulation, not legal advice.