Summary

Under the proposed Cloud and AI Development Act (CADA), Dutch public-sector bodies would be required to align their digital procurement with a national cloud and AI strategy that prioritizes the 'AI first' principle. Contracting authorities would generally need to procure cloud computing services recognized as meeting at least Union assurance level 1, while activities deemed critical to public order would require higher assurance levels determined through mandatory risk assessments. Additionally, the Netherlands would need to establish Experience and Acceleration Centres for AI to support public bodies and SMEs in adopting these technologies.

Detail

The proposed Cloud and AI Development Act (CADA), currently a legislative proposal (COM(2026) 502 final), introduces a comprehensive framework designed to strengthen Europe's cloud and AI ecosystem. For public-sector bodies in the Netherlands, compliance would involve navigating three interconnected pillars: national strategic alignment, rigorous procurement obligations based on sovereignty assurance levels, and the utilization of support infrastructure. As a proposal, these measures are not yet in force; if adopted, they would fundamentally reshape how Dutch public administrations procure and deploy cloud and AI technologies.

The Role of the National Cloud and AI Strategy (Article 7)

A foundational step for Dutch public-sector compliance would be adherence to the national cloud and AI strategy. Under Article 7, Member States, including the Netherlands, would be obligated to establish national strategies within one year of the Regulation's entry into force. These strategies must include key objectives for cloud and AI adoption, specifically incorporating the 'AI first' principle. As defined in the proposal, this principle "urges organisations to reflect on their business processes, considering the needs of and opportunities offered by AI, while taking into consideration the potential risks."

For Dutch public bodies, this means their digital transformation plans cannot exist in a vacuum. They must align with the national strategy's governance and monitoring framework. The strategy would need to outline measures to accelerate cloud and AI adoption at national, regional, and local levels, particularly among public sector bodies. It would also mandate measures to support the deployment of data centre capacity and invest in high-intensity computing infrastructure. By integrating the 'AI first' principle, Dutch authorities would be encouraged to proactively identify use cases for AI in healthcare, energy, mobility, and public administration, ensuring that AI is considered as a default option for improving service delivery and decision-making, rather than an afterthought.

The national strategy would also need to include measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty. This aligns with the broader CADA objective of reducing dependencies on critical technologies and fostering the adoption of cloud computing services across the public sector.

Procurement Obligations and Union Assurance Levels (Article 30)

The core of CADA's impact on Dutch procurement lies in the Union cloud computing sovereignty framework. Article 30 establishes strict rules for contracting authorities procuring cloud computing services for their exclusive use. The compliance burden is divided based on the nature of the public sector activity, determined by a prior risk assessment under Article 29:

  1. General Public Sector Activities: For public sector activities that have not been identified as contributing to the preservation of public order, contracting authorities would be required to use cloud computing services recognized as having Union assurance level 1. This baseline level ensures that the provider is established in the Union, infrastructure is located in the Union, and customer data remains exclusively within the Union, unless the public sector body explicitly requires otherwise.
  2. Public Order-Relevant Activities: For activities identified as contributing to the preservation of public order—such as those in national security, internal security, external border management, defence, justice, or law enforcement—contracting authorities would only be permitted to procure services recognized as offering Union assurance levels 2, 3, or 4. These higher levels impose stricter criteria, including requirements for personnel citizenship, European cybersecurity certification, and stricter controls on third-country influence.

To determine which level applies, Dutch authorities must conduct risk assessments under Article 29. These assessments must identify which activities contribute to public order and determine the appropriate assurance level. The risk assessment must consider the sensitivity and criticality of the data processed, the risk of unlawful access by third countries, and the risk of service disruption. If a risk assessment mandates a migration to a different cloud service, the transition must occur within a reasonable period, not exceeding 12 months.

Union Added Value and Innovation Procurement (Articles 32-33)

Beyond security and sovereignty, CADA aims to boost the European industrial base. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must allow authorities to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, Dutch procurement officers would need to evaluate:

  • The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including research results from Union-funded programs.
  • The use of critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

These criteria must be ancillary and not decisive in the award of the contract, preserving the primacy of technical and financial criteria. However, they provide a mechanism to favor European providers and reduce dependency on non-European incumbents.

Furthermore, Article 33 focuses on innovation procurement. Member States must monitor and report on their use of procurement of innovation in cloud and AI. The Netherlands would be expected to pursue an objective where at least 25% of procurement for cloud computing services and AI systems is awarded to innovative SMEs. This requires active measures to improve SME access, such as dividing contracts into lots and promoting preliminary market consultations. Member States must include plans on how they intend to achieve this objective in their national strategies.

Support Infrastructure: Experience and Acceleration Centres (Article 5)

To facilitate compliance and adoption, Article 5 requires the Netherlands to establish Experience and Acceleration Centres for AI (Centres for AI). These centres, built on the existing European Digital Innovation Hubs, would serve as critical entry points for Dutch public bodies and SMEs. Their objectives include supporting the integration and scaling-up of AI use cases in strategic sectors, accelerating the broad adoption of cloud and AI technologies, and providing access to upskilling and reskilling schemes.

For Dutch public-sector officers, these centres would be resources for connecting with European providers of cloud and AI technologies, facilitating the transfer of expertise, and supporting the scaling-up of spin-offs and start-ups. They would play a vital role in helping public bodies navigate the complexities of the new sovereignty framework and identify suitable AI solutions that meet the required assurance levels. The centres would also be tasked with ensuring or providing access to relevant upskilling and reskilling schemes, in close collaboration with the AI Skills Academy.

What this means for you

For procurement officers and digital strategy leaders in the Netherlands, the proposed CADA implies a shift from purely cost-driven procurement to a model heavily weighted toward sovereignty, security, and European value.

  • Audit Your Current Contracts: Review existing cloud contracts to determine if they meet the baseline requirements of Union assurance level 1. Identify any services handling data critical to public order, as these will need to migrate to level 2, 3, or 4 providers.
  • Conduct Risk Assessments: Begin mapping public sector activities to the criteria in Article 29. Determine which activities involve national security, law enforcement, or critical infrastructure. These assessments will dictate your procurement choices under Article 30.
  • Engage with National Strategy: Align your departmental digital transformation plans with the upcoming Dutch national cloud and AI strategy. Ensure that the 'AI first' principle is embedded in your process redesigns.
  • Utilize Support Centres: Leverage the Experience and Acceleration Centres for AI for technical advice, training, and connections to European providers. These centres will be essential for navigating the new assurance levels and finding innovative SME solutions.
  • Update Procurement Templates: Incorporate the non-price award criteria from Article 32 into your tender documents. Ensure that your evaluation matrices allow for the assessment of European added value, such as the use of EU-designed hardware and software.

Common misconceptions

  • "CADA bans non-European cloud providers." This is incorrect. CADA does not ban third-country providers. Instead, it establishes a sovereignty framework where providers can qualify for different assurance levels. A non-European provider could theoretically qualify for level 1 if it meets the criteria, but levels 2, 3, and 4 have stricter requirements regarding establishment, personnel, and third-country control that may be difficult for non-EU entities to meet.
  • "All public sector bodies must use the highest assurance level." No. Article 30 mandates Union assurance level 1 as the minimum for general public sector activities. Higher levels (2, 3, or 4) are only required for activities specifically identified through risk assessments as contributing to the preservation of public order.
  • "Union added value criteria will override price." Article 32 explicitly states that these criteria must be ancillary and not decisive in the award of the contract. They are part of the quality evaluation but do not replace the primacy of technical and financial criteria.
  • "The AI first principle means every process must use AI." The 'AI first' principle, as referenced in Article 7, urges organizations to reflect on their processes and consider the opportunities offered by AI. It is a strategic approach to innovation, not a mandate to force AI into every workflow regardless of suitability or risk.

This is general information about a draft EU regulation, not legal advice.