Summary

As proposed, the Cloud and AI Development Act (CADA) would require Slovenian public-sector bodies to align their cloud and AI procurement with a mandatory national strategy driven by the "AI first" principle. Contracting authorities must conduct risk assessments to determine the required Union assurance level for cloud services, mandating at least Union assurance level 1 for general use and higher levels (2–4) for activities preserving public order. Additionally, Slovenia must establish Experience and Acceleration Centres for AI to serve as entry points for public bodies and SMEs to access expertise, testing facilities, and European providers.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen the EU's cloud and AI ecosystem. For public-sector bodies in Slovenia, compliance is not merely a matter of purchasing software but involves strategic planning, rigorous risk management, and active participation in the national innovation infrastructure. The obligations are interlinked, flowing from the national strategy down to specific procurement decisions and operational support mechanisms.

The National Cloud and AI Strategy and the "AI First" Principle

The foundation of public-sector compliance lies in the national strategy. Under Article 7, Member States, including Slovenia, must establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies are not optional guidelines; they are mandatory instruments that must include key objectives and priorities for cloud and AI adoption, explicitly aligned with the "AI first" principle.

The "AI first" principle, as referenced in the Apply AI Strategy and incorporated into CADA, urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration potential risks. For Slovenian public bodies, this means the national strategy would likely mandate a proactive approach to AI integration. Article 7(2) requires these strategies to include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs).

Crucially, Article 7(2)(b) specifies that these measures must support the Experience and Acceleration Centres for AI (Centres for AI) as entry points to the European AI innovation ecosystem. This creates a direct operational link for Slovenian public bodies: they are expected to engage with these Centres to facilitate their digital transformation. The national strategy must also include measures to support the broad deployment of AI in strategic industrial and public sectors, such as healthcare, energy, and mobility, as well as measures to ensure the accessibility of high-quality data for AI development.

Procurement Obligations and Union Assurance Levels

The core of CADA's impact on daily operations is found in the procurement rules. Article 30 sets out strict obligations for contracting authorities procuring cloud computing services. The obligations are tiered based on a risk assessment conducted under Article 29.

First, all Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1. This establishes a baseline of sovereignty and security for all public cloud usage in Slovenia.

Second, and more stringently, contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure services recognized as having Union assurance level 2, 3, or 4. The determination of which activities require these higher levels is made through the risk assessment process mandated by Article 29. This assessment must identify public sector activities that use cloud computing services and contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive, as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement.

The risk assessment must consider the sensitivity, criticality, and magnitude of the data processed, the risk of unlawful access by third countries, and the risk of service disruption. If a risk assessment determines that a higher assurance level is needed, the public body must migrate to a compliant service within a reasonable transition period, which must not exceed 12 months, taking into account technical feasibility and data portability.

Union Added Value and Innovation Procurement

Beyond security and sovereignty, CADA introduces mechanisms to boost the European cloud and AI ecosystem. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must allow authorities to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, Article 32(3) outlines that these criteria should evaluate:

  • The extent to which the tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including results from Union-funded research.
  • Whether the innovation contributes to strengthening security of supply.
  • The delivery of services using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

These criteria must be ancillary and not decisive in the award of the contract, ensuring that technical and financial criteria remain primary. However, they provide a formal mechanism for Slovenian public bodies to prioritize European providers and technologies, directly supporting the goal of reducing dependence on third-country providers.

Furthermore, Article 33 sets a target for Member States to ensure that at least 25% of their procurement for cloud computing services and AI systems is awarded to innovative SMEs. Slovenia must monitor and report on this uptake, including identifying barriers to SME participation and promoting simplified procurement strategies. This places a duty on Slovenian procurement officers to actively seek out and facilitate the participation of smaller, innovative European providers.

The Role of Experience and Acceleration Centres for AI

To support public bodies in meeting these complex obligations, Article 5 mandates the establishment of Experience and Acceleration Centres for AI in each Member State. In Slovenia, these Centres would build on the existing European Digital Innovation Hubs.

For public-sector bodies, these Centres serve as critical support structures. Their objectives include supporting the integration and scaling-up of AI use cases in strategic public sectors and accelerating the broad adoption of cloud and AI technologies at regional and local levels. Article 5(3) tasks these Centres with helping organisations accelerate their digital transformation through access to AI technologies and by connecting organisations with European providers of cloud and AI technologies. They are also responsible for ensuring access to upskilling and reskilling schemes.

Slovenian public bodies are expected to leverage these Centres for expertise, testing, and skills development. The Centres would facilitate the transfer of expertise across regions and support the scaling-up of spin-offs and start-ups, thereby creating a local ecosystem that public bodies can tap into for procurement and innovation.

What this means for you

For public-sector and procurement officers in Slovenia, CADA would introduce a structured, compliance-driven approach to cloud and AI adoption.

  1. Align with the National Strategy: Monitor the development of Slovenia's national cloud and AI strategy. Ensure your department's digital transformation plans align with the "AI first" principle and the specific measures outlined in the strategy, particularly those supporting the Experience and Acceleration Centres for AI.
  2. Conduct Rigorous Risk Assessments: Prepare for the mandatory risk assessments under Article 29. You must identify which of your activities contribute to the preservation of public order. This will determine whether you need Union assurance level 1 (baseline) or levels 2–4 (higher security/sovereignty). Document the sensitivity and criticality of your data thoroughly.
  3. Review Procurement Criteria: Update your procurement templates to include the non-price award criteria for "Union added value" as specified in Article 32. Evaluate tenders based on the strength of the European supply chain, the use of Union-designed hardware/software, and contributions to security of supply.
  4. Engage with AI Centres: Proactively engage with Slovenia's designated Experience and Acceleration Centres for AI. Use them for technical advice, skills training for your staff, and to connect with European AI and cloud providers. They are your designated entry point for navigating the new regulatory landscape.
  5. Support SME Participation: Actively look for ways to award at least 25% of your cloud and AI innovation procurement to SMEs, as targeted by Article 33. Simplify your procurement processes to make them more accessible to smaller, innovative providers.

Common misconceptions

  • "CADA only applies to high-risk AI systems." Incorrect. While the AI Act focuses on high-risk systems, CADA's cloud sovereignty framework applies to all public-sector procurement of cloud computing services, regardless of whether AI is involved. The assurance levels apply to the cloud service itself.
  • "Union added value criteria are optional." Incorrect. Article 32 mandates that contracting authorities shall include these non-price award criteria when procuring innovative cloud and AI services. They are a legal requirement, not a discretionary choice.
  • "SMEs are exempt from assurance levels." Incorrect. All cloud services procured by the public sector must meet the relevant Union assurance level. However, CADA includes provisions to support SMEs, such as the 25% procurement target and simplified procedures, to help them compete and comply.
  • "The national strategy is just a policy document." Incorrect. Article 7 makes the national strategy a binding element of the CADA framework. Public bodies are expected to align their measures with the strategy, which includes specific mandates for adopting the "AI first" principle and engaging with the Centres for AI.

This is general information about a draft EU regulation, not legal advice.