What must public-sector bodies in Portugal do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Portugal must align their digital strategies with a mandatory national framework centred on the "AI first" principle. As proposed, Portugal must establish Experience and Acceleration Centres for AI to support adoption, while public procurement must strictly adhere to Union assurance levels (Level 1 as a baseline, Levels 2–4 for public-order-critical activities) determined by mandatory risk assessments. Furthermore, procurement procedures must include Union added value criteria to strengthen the European supply chain and aim to award at least 25% of innovative cloud and AI contracts to SMEs.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a unified framework to strengthen Europe's cloud and AI ecosystem. For public-sector bodies in Portugal, compliance is not merely a technical adjustment but a strategic realignment of national policy, procurement practices, and digital transformation efforts. The regulation imposes specific, binding obligations regarding national strategy formulation, risk-based sovereignty procurement, and the utilization of support infrastructures.

The National Strategy and the "AI First" Principle

Compliance begins at the strategic level. Under Article 7 of the proposed regulation, Member States, including Portugal, are required to establish national cloud and AI strategies within one year of the regulation's entry into force. These strategies are not optional guidelines; they are binding frameworks that must include specific measures to accelerate the adoption of cloud and AI technologies at national, regional, and local levels.

Crucially, these national strategies must incorporate the "AI first" principle, as defined in the Apply AI Strategy and referenced in the CADA proposal. This principle urges public organizations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account potential risks. For Portuguese public bodies, this means that when designing new administrative procedures or updating existing ones, AI integration must be a primary consideration rather than an afterthought. The national strategy must also outline measures to support the broad deployment of AI in strategic sectors, including healthcare, energy, and mobility, and must include plans for the deployment of data centre capacity and high-intensity computing infrastructure.

Portuguese public-sector bodies are required to ensure their operational plans are consistent with these national strategies. The European Artificial Intelligence Board (AI Board) will advise and assist Member States in coordinating these strategies, ensuring that Portugal's approach is aligned with broader EU objectives. Failure to align public-sector procurement and deployment activities with the national strategy could result in a lack of coherence in the EU's digital single market and undermine the collective goal of technological sovereignty.

Procurement Obligations and Sovereignty Assurance Levels

The core of CADA's impact on Portuguese public procurement lies in Article 30, which mandates the use of cloud computing services that meet specific "Union assurance levels." These levels represent a harmonized framework for sovereignty, ensuring that public data and critical infrastructure are protected from third-country dependencies and potential disruptions.

1. The Baseline Requirement: Union Assurance Level 1 For all public-sector bodies and Union entities whose activities have not been identified as contributing to the preservation of public order, Article 30(2) mandates the use of cloud computing services recognized as offering Union Assurance Level 1. This is the minimum standard for all public cloud procurement in Portugal. Level 1 requires that the cloud computing service provider is established in the Union, that infrastructure and assets are located in the Union, and that customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise. It also requires compliance with state-of-the-art cybersecurity standards and full transparency regarding subcontractors.

2. Enhanced Requirements for Public Order Activities: Levels 2, 3, and 4 For contracting authorities whose activities are identified as contributing to the preservation of public order, the requirements are significantly stricter. Article 30(3) states that these authorities must only procure cloud computing services recognized as offering Union Assurance Level 2, 3, or 4.

To determine which level applies, Member States and Union entities must conduct risk assessments under Article 29. These assessments, which must be carried out within one year of the regulation's entry into force and repeated every two years, identify public sector activities that use cloud services and contribute to public order in sectors such as national security, internal security, external border management, defence, justice, and law enforcement. The risk assessment must evaluate the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by third countries. Based on this assessment, the appropriate assurance level (2, 3, or 4) is determined.

• Level 2 introduces independent third-party audits, stricter personnel screening options (conditional on public body requirements), and requirements for European cybersecurity certification of at least "substantial" assurance.
• Level 3 adds mandatory Union citizenship for personnel handling the service, strict controls on third-country control, and requirements for software supply chain transparency, including Software Bills of Materials (SBOMs).
• Level 4 is the highest level, requiring that sensitive data identified in risk assessments remains exclusively in the Union, and that providers and subcontractors are not subject to third-country control. It also mandates high-level European cybersecurity certification.

Portuguese public bodies involved in critical infrastructure, law enforcement, or national security must therefore map their cloud usage against these risk assessments to ensure they are procuring services at the correct assurance level. Procuring a Level 1 service for a public order-critical activity would be a direct violation of Article 30(3).

Union Added Value and Innovation Procurement

Beyond sovereignty, CADA aims to boost the European cloud and AI ecosystem. Article 32 introduces Union added value criteria for public procurement of innovative cloud computing services and AI systems. Portuguese contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

These criteria must assess:

• The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union, including results from EU-funded research.
• The extent to which the service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

These criteria must be ancillary and not decisive in the award of the contract, but they must be expressly set out in procurement documents. This encourages Portuguese public bodies to favor providers that contribute to the EU's technological sovereignty, indirectly supporting the growth of European cloud providers.

Furthermore, Article 33 requires Member States to monitor and report on their use of procurement of innovation in cloud and AI. Portugal must aim to award at least 25% of its procurement for cloud computing services and AI systems to innovative small and medium-sized enterprises (SMEs). This objective must be included in the national cloud and AI strategy, and Portugal must report yearly to the Commission on SME participation trends and measures taken to improve their access to procurement markets.

The Role of Experience and Acceleration Centres for AI

To support public bodies and SMEs in meeting these obligations, Article 5 requires Member States to establish Experience and Acceleration Centres for AI (Centres for AI). In Portugal, these centres will build on the existing network of European Digital Innovation Hubs (EDIHs).

These centres serve as entry points to the European AI innovation ecosystem. Their objectives include supporting the integration and scaling-up of AI use cases in strategic industrial and public sectors, and accelerating the broad adoption of cloud and AI technologies at regional and local levels. For Portuguese public-sector bodies, these centres offer:

• Access to expertise and testing facilities.
• Support for digital transformation through access to AI technologies.
• Upskilling and reskilling schemes for public servants.
• Assistance in connecting with European providers of cloud and AI technologies.

Public bodies are encouraged to leverage these centres to navigate the complexities of AI adoption, ensure compliance with the "AI first" principle, and identify suitable sovereign cloud providers. The centres also facilitate the transfer of expertise across regions and support the scaling-up of spin-offs and start-ups, fostering a local AI ecosystem.

What this means for you

For public-sector procurement officers and digital transformation leaders in Portugal, CADA introduces a structured, compliance-heavy environment for cloud and AI adoption.

1. Review National Strategy Alignment: Ensure your organization's digital roadmap aligns with Portugal's national cloud and AI strategy. Adopt the "AI first" mindset in all new project designs, considering AI opportunities and risks from the outset.
2. Conduct and Document Risk Assessments: If your body handles activities related to public order, national security, or critical infrastructure, you must conduct detailed risk assessments under Article 29. Document the sensitivity of data and the potential impact of third-country access. This assessment will dictate whether you must procure Level 2, 3, or 4 services.
3. Update Procurement Specifications: Amend all future cloud and AI tender documents to require Union Assurance Level 1 as a minimum. For public order-critical services, specify the required higher assurance level based on your risk assessment. Include Union added value criteria under Article 32 to evaluate bids on their contribution to the EU supply chain.
4. Engage with Centres for AI: Utilize the local Experience and Acceleration Centres for AI for technical support, training, and vendor identification. These centres can help you navigate the technical requirements of the assurance levels and find compliant providers.
5. Prioritize SME Innovation: Set targets to award at least 25% of innovative cloud and AI contracts to SMEs, as required by Article 33. Structure procurement lots to be accessible to smaller, innovative European providers.

Common misconceptions

• "All public cloud procurement requires the highest sovereignty level."
  • Correction: No. Only activities identified as contributing to the preservation of public order require Level 2, 3, or 4 services. All other public bodies must use at least Level 1 services, which are less restrictive but still ensure data remains in the EU and providers are EU-established.
• "CADA replaces the GDPR."
  • Correction: CADA complements the GDPR. While GDPR focuses on data protection and privacy rights, CADA focuses on sovereignty, operational autonomy, and supply chain security. Providers must comply with both.
• "Union added value criteria are the main factor in winning a contract."
  • Correction: These criteria must be ancillary and not decisive. Technical and financial criteria related to performance remain primary. Union added value is a tie-breaker or a secondary quality factor to boost European supply chains.
• "SMEs are excluded from large public cloud contracts."
  • Correction: CADA actively encourages SME participation. Member States must aim for 25% of innovative procurement to go to SMEs, and Centres for AI are designed to support their integration into public projects.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.