What must public-sector bodies in Romania do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Romanian public-sector bodies must align their digital transformation with a national strategy embedding the "AI first" principle, mandated within one year of the Regulation's entry into force. Procurement obligations would require a baseline of Union assurance level 1 for all cloud services, escalating to levels 2–4 for activities critical to public order, determined by mandatory risk assessments. Additionally, authorities must apply "Union added value" criteria to boost domestic capabilities and leverage Experience and Acceleration Centres for AI as entry points for adoption and upskilling.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. For Romania, as a Member State, compliance is not merely a matter of updating procurement templates; it requires a structural shift in how public bodies plan, procure, and deploy digital services. The obligations fall into three main pillars: strategic alignment via national strategies, sovereignty-based procurement driven by risk assessments, and innovation-driven purchasing supported by dedicated infrastructure.

1. Strategic Alignment: The National Cloud and AI Strategy

Compliance begins at the strategic level. Under Article 7 of CADA, Romania is required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This strategy is not optional guidance; it is a binding framework that must include key objectives for cloud and AI adoption, explicitly incorporating the "AI first" principle.

The "AI first" principle, as defined in the proposal, urges organizations to "reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For Romanian public-sector bodies, this national strategy serves as the roadmap for digital transformation. The strategy must outline measures to accelerate cloud and AI adoption at national, regional, and local levels, particularly for public sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs).

Crucially, the national strategy must include measures to support the deployment of data centre capacity and high-intensity computing infrastructure, such as AI factories and quantum computers. Public bodies in Romania must ensure their individual digital plans are consistent with these national objectives. This ensures that local procurement and deployment efforts contribute to the broader goals of technological sovereignty and competitiveness, rather than fragmenting the internal market. The strategy must also be consistent with the digital targets established under the Digital Decade Policy Programme 2030, including the adoption of cloud computing services by at least 75% of Union enterprises.

2. Sovereignty-Based Procurement Obligations

The core operational impact of CADA on Romanian public bodies lies in Article 30, which dictates how cloud computing services must be procured. The Regulation introduces a "Union cloud computing sovereignty framework" with four assurance levels (1–4), defined in Annex II of the proposal. These levels are not voluntary; they are mandatory minimums based on the risk profile of the activity.

• Baseline Requirement (Union Assurance Level 1): All contracting authorities in Romania, including those whose activities have not been identified as contributing to the preservation of public order, must procure cloud computing services that have been formally recognised as offering Union assurance level 1. Under Annex II, this level requires providers to be established in the Union, with infrastructure and assets located in the Union, and customer data remaining exclusively within the Union unless explicitly required otherwise by the public body. It also requires compliance with state-of-the-art cybersecurity standards and transparency regarding subcontractors.
• Elevated Requirements (Union Assurance Levels 2–4): For public-sector activities identified through a mandatory risk assessment (under Article 29) as contributing to the preservation of public order, the requirements are stricter. These activities typically fall under sectors listed in Annex I or II of the NIS2 Directive, or areas such as national security, internal security, external border management, defence, justice, or law enforcement. For these high-criticality use cases, Romanian authorities must only procure services recognised as offering Union assurance levels 2, 3, or 4.

These higher levels impose significantly stricter criteria. For instance, Union assurance level 3 and 4 require that personnel involved in the provision of the service are Union citizens (conditional at level 2 if the public body requires it, mandatory at levels 3 and 4). They also require a European cybersecurity certificate of at least "substantial" assurance (levels 2 and 3) or "high" assurance (level 4). Furthermore, levels 3 and 4 generally prohibit the provider from being subject to the control of a third country, unless a specific derogation is granted by the Commission under Article 18.

3. Risk Assessments and Migration

Before determining the required assurance level, Romanian Member State authorities and Union entities must conduct risk assessments as outlined in Article 29. These assessments must be carried out by the deadline (one year after entry into force) and updated every two years.

The risk assessment must identify public sector activities that use or will use cloud services and determine the appropriate assurance level (2, 3, or 4) based on the sensitivity, criticality, and magnitude of the data processed. The assessment must consider the risk of unlawful access by a third country and the risk of service disruption. If a risk assessment determines that a migration to a different cloud service is necessary to meet the required assurance level, the public body must migrate within a reasonable transition period, which shall not exceed 12 months. This ensures that critical public order functions are not left vulnerable during the transition to sovereign infrastructure.

4. Union Added Value and Innovation Procurement

Beyond sovereignty, CADA aims to boost the European cloud and AI ecosystem through procurement policy. Article 32 requires Romanian contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, authorities must assess:

• The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union, including results from Union-funded research.
• The extent to which the service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

These "Union added value" criteria are ancillary and not decisive in the award of the contract, but they must be expressly set out in procurement documents. Additionally, Article 33 sets an objective for Member States to award at least 25% of their procurement for cloud computing services and AI systems to innovative SMEs. Romania must monitor and report on this uptake, implementing measures to improve SME access to public procurement markets, such as dividing contracts into lots.

5. Leveraging Experience and Acceleration Centres for AI

To facilitate this transition, Article 5 mandates the establishment of Experience and Acceleration Centres for AI (Centres for AI) in each Member State. In Romania, these centres will build on existing European Digital Innovation Hubs. They serve as critical entry points for public bodies and SMEs, providing access to AI technologies, upskilling schemes, and expertise transfer.

Romanian public-sector bodies are encouraged to engage with these centres to accelerate their digital transformation. The Centres for AI are tasked with helping organizations access and use AI technologies, connecting them with European providers of cloud and AI technologies, and ensuring access to relevant upskilling and reskilling schemes. They also facilitate the transfer of expertise across regions and support the scaling-up of spin-offs and start-ups. For public bodies, these centres act as a bridge to the "AI first" principle, providing the technical and strategic support needed to identify use cases and navigate the new procurement landscape.

What this means for you

For public-sector procurement officers, IT directors, and policy makers in Romania, CADA introduces a rigorous new compliance regime. Your immediate actions should focus on:

1. Monitoring the National Strategy: Track the development of Romania's national cloud and AI strategy under Article 7. Ensure your department's digital plans are aligned with the "AI first" principle and the specific measures outlined for data centre deployment and AI adoption.
2. Auditing Current Contracts: Review existing cloud contracts against the proposed Union assurance level 1 criteria. If your current provider does not meet these standards (e.g., data resides outside the EU, the provider is not EU-established, or lacks the required cybersecurity certification), you must prepare for migration.
3. Conducting Risk Assessments: Collaborate with national authorities to identify which of your activities fall under "public order" relevance. This will determine if you need to procure services at assurance levels 2, 3, or 4. Remember that for levels 3 and 4, personnel must be Union citizens and the provider must not be subject to third-country control.
4. Updating Procurement Templates: Integrate the new non-price award criteria related to EU-added value (Article 32) into your tender documents. Ensure that your evaluation methodology clearly defines how "Union-designed" or "Union-manufactured" components will be assessed, keeping in mind these criteria are ancillary.
5. Engaging with Local Centres: Identify the designated Experience and Acceleration Centres for AI in your region. Use them as technical advisors to help navigate the new requirements, access European providers, and upskill your staff.
6. Supporting SMEs: Design procurement lots to be accessible to SMEs, aiming to meet the 25% innovation procurement target for SMEs as encouraged by Article 33.

Common misconceptions

• "CADA bans all non-European cloud providers." This is incorrect. CADA does not ban non-European providers outright. Instead, it creates a tiered system. For low-risk public sector activities, providers must meet Union assurance level 1, which can include non-European providers if they are established in the EU, have infrastructure in the EU, and meet strict data residency and control criteria. For higher-risk activities, stricter levels (2–4) apply, which may effectively exclude many non-European providers due to requirements like Union citizenship for personnel or the absence of third-country control.

• "The 'AI first' principle means we must use AI in every process." No. The "AI first" principle, as referenced in Article 7, requires organizations to consider the opportunities and needs offered by AI when reflecting on business processes. It is a strategic mindset shift, not a mandatory deployment mandate for every administrative task. It also requires taking into account potential risks.

• "Union added value criteria will make contracts too expensive." Article 32 explicitly states that these criteria must be "ancillary and not decisive" in the award of the contract. They are part of the quality evaluation but cannot override the core technical and financial criteria. The goal is to strengthen the European supply chain, not to impose disproportionate costs.

• "Only the public sector is affected." While the procurement obligations fall on contracting authorities, the sovereignty framework reaches any provider wanting to serve them. Furthermore, Article 31 allows private sector entities in high-criticality sectors (under NIS2) to conduct similar impact assessments, and the data centre acceleration measures affect the wider market.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Portugal do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.