Summary
Under the proposed Cloud and AI Development Act (CADA), Slovak public-sector bodies must align their digital procurement with national cloud and AI strategies that prioritize the "AI first" principle and technological sovereignty. Public authorities are required to conduct risk assessments to determine the appropriate level of Union assurance for cloud services, mandating that activities involving public order use only recognized sovereign services. Additionally, procurement processes must incorporate Union added value criteria and actively support innovation, particularly for SMEs, while leveraging local Experience and Acceleration Centres for AI to facilitate adoption.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework for strengthening the European cloud and AI ecosystem. For public-sector bodies in Slovakia, compliance is not merely about purchasing technology; it involves strategic alignment, rigorous risk assessment, and active participation in the broader EU digital sovereignty agenda. The obligations fall into three main categories: strategic alignment via national strategies, risk-based procurement mandates, and operational support through EU-wide networks.
National Strategy and the "AI First" Principle
The foundation of public-sector compliance lies in the national implementation of CADA's strategic objectives. Under Article 7, Member States, including Slovakia, are required to establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies must include key objectives for cloud and AI adoption, explicitly incorporating the "AI first" principle. As defined in the proposal, this principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks."
For Slovak public authorities, this means that cloud and AI adoption cannot be an afterthought. The national strategy must outline measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs). The strategy must also detail measures to support the broad deployment of AI in strategic industrial and public sectors, including healthcare, energy, and mobility. Public-sector bodies must ensure their internal digital transformation plans are consistent with these national priorities. If a Member State already has a strategy that adequately covers these objectives, it may update it rather than creating a new one, but the alignment with CADA's goals is mandatory.
Crucially, the national strategy serves as the roadmap for the "AI first" principle. It requires Slovak ministries and agencies to proactively identify where AI can improve decision-making, simplify administrative procedures, and reduce burdens, particularly in critical public domains. This strategic alignment ensures that procurement decisions made by individual bodies contribute to the broader national and Union objectives of competitiveness and resilience.
Procurement Obligations and Risk Assessments
The core operational requirement for public-sector bodies is found in Article 30, which dictates how cloud computing services must be procured. The approach is risk-based and hinges entirely on the outcome of risk assessments mandated by Article 29.
Risk Assessments (Article 29): Member States and Union entities must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine which Union assurance level (1, 2, 3, or 4) is appropriate for specific activities. The assessment must consider the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries or service disruption. These assessments must be conducted initially within one year of the Regulation's entry into force, and thereafter every two years, or whenever necessary.
For Slovakia, this means that public bodies must systematically categorize their operations. Activities falling under sectors listed in Annex I or II of the NIS2 Directive, or in areas of national security, internal security, external border management, defence, justice, or law enforcement, are prime candidates for higher assurance levels. The risk assessment is not a one-time exercise; it is a dynamic process that must be updated to reflect evolving threats and technological changes.
Procurement Mandates (Article 30): Based on these risk assessments, procurement obligations are strictly defined:
- General Public Sector: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1. This level requires the provider to be established in the Union, with infrastructure and data located within the Union, and compliance with state-of-the-art cybersecurity standards.
- Critical Public Order Activities: Contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4. These higher levels impose stricter requirements, including mandatory independent audits, Union citizenship for personnel (conditional at level 2, mandatory at levels 3 and 4), and guarantees against third-country control.
This creates a tiered compliance model. Slovak public bodies must first classify their activities via the risk assessment. If an activity is deemed critical to public order, standard commercial cloud services that do not meet the higher assurance levels cannot be used. The Regulation allows for derogations only in exceptional circumstances, such as when no recognized service exists in the central repository and no adequate alternative is available, or if compliance would result in disproportionate costs.
Union Added Value and Innovation Procurement
Beyond sovereignty, CADA aims to strengthen the European digital supply chain. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. Specifically, authorities must assess:
- The extent to which the tenderer strengthens the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
- The integration of technologies developed in the Union, including research results from Union-funded programs.
- The contribution of the innovation to strengthening the security of supply.
- The delivery of services using hardware components designed or manufactured in the Union, where feasible.
These criteria must be "ancillary and not decisive in the award of the contract," ensuring that technical and financial performance remains primary. However, they provide a mechanism to favor European providers and reduce dependency on non-EU technologies. The proposal suggests a maximum weighting of 15 out of 120 points for these criteria to ensure proportionality.
Furthermore, Article 33 introduces monitoring and targets for innovation procurement. Member States must monitor their use of procurement of innovation in cloud and AI. A key target is that at least 25% of procurement for cloud computing services and AI systems should be awarded to innovative SMEs. Slovak public bodies must report yearly on SME participation trends and take measures to improve SME access, such as dividing contracts into lots. This provision aims to create concrete opportunities for smaller EU-based providers, fostering a more diverse and resilient market.
Role of Experience and Acceleration Centres for AI
To support this transition, Article 5 establishes Experience and Acceleration Centres for AI (Centres for AI) in each Member State. In Slovakia, these Centres will build on existing European Digital Innovation Hubs (EDIHs). They serve as entry points for the European AI innovation ecosystem, tasked with:
- Helping organizations accelerate digital transformation through access to AI technologies.
- Connecting organizations with European providers of cloud and AI technologies.
- Ensuring access to upskilling and reskilling schemes.
- Supporting the scaling-up of spin-offs and start-ups.
For Slovak public-sector bodies, these Centres are not just support resources but strategic partners. They facilitate the integration of AI use cases in strategic sectors and help navigate the technical and regulatory complexities of adopting sovereign cloud solutions. Public bodies are encouraged to leverage these Centres for training, testing, and identifying suitable European providers. The Centres act as a bridge between the national strategy and practical implementation, ensuring that the "AI first" principle is operationalized effectively.
What this means for you
For procurement officers and digital leaders in Slovak public administration, CADA introduces a structured, compliance-heavy approach to cloud and AI adoption. Here is how to prepare:
- Align with National Strategy: Review your department's digital roadmap against the Slovak national cloud and AI strategy. Ensure that the "AI first" principle is embedded in your planning. If your current strategy does not address AI opportunities and risks, update it to comply with Article 7.
- Conduct Risk Assessments: Do not wait for the final legislation. Begin internal reviews of your cloud dependencies. Identify which services process sensitive data or support critical public order functions. These will require higher Union assurance levels (2, 3, or 4) under Article 30. Start mapping your current providers against the forthcoming CADA assurance criteria.
- Revise Procurement Templates: Update your standard procurement documents to include the non-price award criteria for Union added value as specified in Article 32. Ensure these criteria are linked to the subject matter of the contract and are expressly set out in procurement documents.
- Target SMEs: Set internal goals to award at least 25% of your AI and cloud innovation procurement to SMEs, as per Article 33. Use the Centres for AI to identify qualified local SMEs and structure your tenders to be SME-friendly (e.g., by splitting lots).
- Engage with Centres for AI: Establish contact with the Slovak Experience and Acceleration Centres for AI. Use them for staff training on AI literacy and to test new AI solutions before full-scale deployment. They can also help you understand which European providers meet the sovereignty requirements.
Common misconceptions
- Misconception 1: CADA replaces the AI Act.
- Reality: CADA and the AI Act are complementary. The AI Act regulates the safety and fundamental rights aspects of AI systems themselves. CADA focuses on the infrastructure (cloud), sovereignty, and public procurement mechanisms. You must comply with both.
- Misconception 2: Only defense and intelligence need high-assurance cloud.
- Reality: Under Article 29 and Article 30, any public sector activity identified as contributing to the preservation of public order requires higher assurance levels. This can include healthcare, emergency services, and critical infrastructure management, not just defense.
- Misconception 3: Union added value criteria can override price.
- Reality: Article 32 explicitly states that Union added value criteria must be "ancillary and not decisive." Technical and financial performance remain the primary drivers of contract awards. These criteria are a tie-breaker or a quality differentiator, not a subsidy.
- Misconception 4: SMEs are exempt from sovereignty requirements.
- Reality: While CADA encourages SME participation, all cloud providers, including SMEs, must meet the Union assurance levels if they wish to supply critical public sector activities. However, SMEs have simplified recognition procedures for Union assurance level 1 (self-assessment) under Article 17.
This is general information about a draft EU regulation, not legal advice.