What must public-sector bodies in Poland do to comply with CADA?

Summary As proposed, the Cloud and AI Development Act (CADA) would require Poland, as an EU Member State, to adopt a national cloud and AI strategy within one year of entry into force, embedding the 'AI first' principle to drive public-sector digital transformation. Polish public-sector bodies would be obligated to procure cloud computing services meeting at least Union assurance level 1, with higher levels (2, 3, or 4) mandatory for activities deemed critical to public order. Procurement processes must integrate Union added value criteria to strengthen the European digital supply chain, while the newly established Experience and Acceleration Centres for AI would serve as key entry points for support, skills, and provider connections.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a comprehensive framework to strengthen the EU's cloud and AI ecosystem, with specific obligations for Member States and their public-sector bodies. For Poland, compliance involves a three-pillar approach: strategic alignment via a national strategy, rigorous procurement standards based on risk, and active engagement with national support networks. The obligations are primarily driven by the national strategy mandated under Article 7 and the procurement rules set out in Articles 29 through 33.

The National Cloud and AI Strategy and the 'AI First' Principle

Under Article 7, Member States, including Poland, must establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies serve as the foundational documents driving public-sector cloud and AI adoption. Article 7(2) explicitly requires that these national strategies include key objectives and priorities for cloud and AI adoption in line with the 'AI first' principle.

The 'AI first' principle, referenced in the Apply AI Strategy and enshrined in CADA, urges organizations to reflect on their business processes and consider the needs and opportunities offered by AI while taking into account potential risks. For Polish public-sector bodies, this means the national strategy must outline measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels.

Crucially, Article 7(2)(c) mandates measures to support the broad deployment and uptake of AI in strategic industrial and public sectors, explicitly including healthcare, energy, and mobility. This corrects a common misattribution; while Article 7(2)(b) focuses on accelerating adoption among public bodies, SMEs, and small mid-caps generally, the specific sectoral list (healthcare, energy, mobility) is found in paragraph (c).

Furthermore, the national strategy must include measures to support the deployment of data centre capacity and invest in high-intensity computing infrastructure, such as AI factories, AI gigafactories, and quantum computers, as strategic national assets (Article 7(2)(e)). The strategy must also detail how public procurement measures will be used to support the development of cloud and AI capabilities, referencing the innovation measures set out in Article 33 (Article 7(2)(f)). Polish public-sector bodies must align their operational plans with these national strategic goals, ensuring their digital transformation efforts contribute to the broader EU objectives of technological sovereignty and competitiveness. The European Artificial Intelligence Board, established by the AI Act, would advise and assist Poland regarding the coordination of these national strategies (Article 7(6)).

Procurement Obligations and Union Assurance Levels

The core of CADA's impact on public-sector procurement is found in Articles 29 and 30. Polish public-sector bodies cannot simply choose any cloud provider; they must adhere to a tiered system of "Union assurance levels" based on the criticality of their activities.

Risk Assessments (Article 29) Before procuring cloud services, Polish public-sector bodies must participate in risk assessments conducted by the Member State or Union entities. Article 29(1) requires these assessments to identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as in the areas of national security, internal security, external border management, defence, justice, or law enforcement.

These risk assessments determine which Union assurance level (2, 3, or 4) is appropriate for specific activities. The assessment must consider the sensitivity, criticality, and magnitude of the data processed, including personal and non-personal data, and the risk of unlawful access by third countries or service disruption (Article 29(2)). The Commission would specify the methodology for these assessments via implementing acts (Article 29(3)).

Procurement Rules (Article 30) Based on the risk assessment, procurement obligations are strictly defined:

• Union Assurance Level 1: Contracting authorities whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having Union assurance level 1 (Article 30(2)). This serves as the baseline requirement for most standard public-sector cloud usage.
• Union Assurance Levels 2, 3, or 4: Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., critical infrastructure, defence, justice) must only procure cloud computing services recognized as having Union assurance level 2, 3, or 4 (Article 30(3)).

Derogations from these rules are possible only under exceptional circumstances, such as when the subject matter cannot be supplied by recognized services in the central repository (and no adequate alternative exists), when no suitable tenders were received in a similar procurement within the previous year, or when applying the requirements would result in disproportionate cost (Article 30(4)).

Union Added Value and Innovation Procurement

Beyond assurance levels, CADA introduces specific criteria to boost the European cloud and AI ecosystem. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, Article 32(3) allows authorities to evaluate:

• The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union, including results from Union-funded research.
• The use of critical computing, storage, and networking hardware components designed and/or manufactured in the Union, where feasible.

These Union added value criteria must be ancillary and not decisive in the award of the contract, preserving the primacy of technical and financial criteria (Article 32(2)). However, they provide a mechanism for Polish public-sector bodies to favor providers that contribute to European technological sovereignty.

Additionally, Article 33 encourages innovation procurement. Member States, including Poland, must monitor their use of procurement of innovation in cloud and AI and strive for an objective that at least 25% of such procurement be awarded to innovative SMEs (Article 33(4)). This requires Polish authorities to actively report on SME participation and take measures to remove barriers to SME access, such as dividing contracts into lots (Article 33(2)).

Experience and Acceleration Centres for AI

To support compliance and adoption, CADA establishes Experience and Acceleration Centres for AI (Centres for AI) under Article 5. Poland must establish these centres, building on the existing European Digital Innovation Hubs. These centres act as entry points to the European AI innovation ecosystem for public-sector bodies, SMEs, and small mid-caps.

The objectives of these centres include supporting the integration and scaling-up of AI use cases in strategic industrial and public sectors and accelerating the broad adoption of cloud and AI technologies at regional and local levels (Article 5(2)). For Polish public-sector bodies, these centres provide access to expertise, testing facilities, and upskilling schemes. They help organizations connect with European providers of cloud and AI technologies and facilitate the transfer of expertise across regions (Article 5(3)). Utilizing these centres is a key mechanism for Polish authorities to meet the national strategy's goals of accelerating AI adoption and reducing dependency on non-EU providers.

What this means for you

For public-sector procurement officers and IT directors in Poland, CADA introduces a structured, compliance-heavy approach to cloud and AI purchasing.

1. Align with the National Strategy: Review Poland's national cloud and AI strategy once adopted. Ensure your department's digital transformation plans reflect the 'AI first' principle and contribute to the strategic priorities outlined in Article 7, particularly in sectors like healthcare, energy, and mobility.
2. Conduct and Respect Risk Assessments: Participate actively in the risk assessments mandated by Article 29. Determine whether your specific activities fall under public order preservation. This classification will dictate your minimum assurance level requirement (Level 1 vs. Levels 2-4).
3. Verify Assurance Levels: When procuring cloud services, verify that providers hold the appropriate Union assurance level recognition. For standard services, ensure Level 1 recognition. For critical services, ensure Level 2, 3, or 4 recognition as determined by your risk assessment. Do not procure from providers without the necessary recognition unless an exceptional derogation applies.
4. Integrate Union Added Value Criteria: Update your procurement templates to include the non-price award criteria specified in Article 32. Evaluate tenders based on their contribution to the European digital supply chain and the use of EU-designed hardware and software.
5. Engage with Centres for AI: Utilize the Experience and Acceleration Centres for AI established under Article 5. These centres can provide technical assistance, help identify suitable European providers, and offer training to your staff, facilitating compliance and effective AI adoption.
6. Support SMEs: Aim to award at least 25% of your innovation procurement in cloud and AI to SMEs, as encouraged by Article 33. Structure your procurement processes to be accessible to smaller, innovative European companies, including by dividing contracts into lots.

Common misconceptions

• "CADA bans non-EU cloud providers." This is incorrect. CADA does not ban non-EU providers outright. Instead, it establishes a sovereignty framework with Union assurance levels. Non-EU providers can qualify for Level 3 recognition if their home country is designated as an "associated third country" under Article 18, provided they meet strict criteria regarding data protection, lack of extraterritorial data access laws, and service continuity guarantees. However, for most public-sector use cases, especially those involving public order, EU-based providers or those meeting the highest assurance standards will be required.
• "Union added value criteria are the most important factor in procurement." No. Article 32(2) explicitly states that Union added value criteria must be "ancillary and not decisive in the award of the contract." Technical and financial criteria directly connected to performance requirements remain primary. The added value criteria are a secondary consideration to favor European ecosystem development.
• "The 'AI first' principle means AI must be used in every process." The 'AI first' principle is a strategic mindset, not a mandate to force AI into every workflow. It requires organizations to consider the opportunities and needs offered by AI while assessing risks. It is about proactive evaluation and integration where appropriate, not indiscriminate adoption.
• "Experience and Acceleration Centres are only for private companies." Article 5 explicitly includes public-sector bodies in the target audience for Centres for AI. These centres are designed to support the integration of AI in strategic public sectors and accelerate adoption at regional and local levels, making them vital resources for public procurement and IT officers.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.