What must public-sector bodies in Spain do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Spain must align their digital transformation with a new national cloud and AI strategy that enshrines the 'AI first' principle. Contracting authorities would be required to conduct risk assessments to determine the necessary Union assurance level for their services, mandating the procurement of at least Union assurance level 1 for general activities and higher levels (2–4) for activities critical to public order. Additionally, Spain must establish Experience and Acceleration Centres for AI to serve as entry points for public bodies and SMEs to access expertise, testing facilities, and European cloud providers.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is a legislative instrument designed to strengthen the EU's cloud and AI ecosystem by increasing computing capacity, ensuring sustainable deployment, and enhancing technological sovereignty. For public-sector bodies in Spain, CADA introduces a structured framework of obligations regarding national strategy alignment, procurement practices, and the utilization of support structures. As the proposal is not yet in force, these requirements would apply once the regulation is adopted and enters into force.

National Strategy and the 'AI First' Principle

A foundational step for Spain under CADA is the adoption of a comprehensive national cloud and AI strategy. Under Article 7 of the proposal, Member States must establish this strategy within one year of the regulation's entry into force. This strategy serves as the primary roadmap for Spain's digital transformation and directly dictates how public-sector bodies approach cloud and AI adoption.

The national strategy must explicitly include key objectives and priorities for cloud and AI adoption, aligned with the 'AI first' principle. As defined in the proposal, this principle urges organizations to "reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks." For Spanish public bodies, this means that AI integration must become a proactive consideration in operational planning rather than a reactive afterthought.

Furthermore, Article 7 mandates that the national strategy include specific measures to:

• Accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
• Support the broad deployment of AI in strategic industrial and public sectors, including healthcare, energy, and mobility.
• Support the deployment of data centre capacity with a focus on high-value, environmentally sustainable facilities.
• Invest in high-intensity computing infrastructure, such as AI factories and quantum computers, as strategic national assets.
• Support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.

Spanish public-sector bodies must operate strictly within the framework defined by this strategy. The strategy must be consistent with the objectives of CADA and contribute to the digital targets established under the Digital Decade Policy Programme. Member States must notify the Commission of their national strategies within three months of adoption and assess them at least every three years based on key performance indicators.

Procurement Obligations and Risk Assessments

CADA introduces a rigorous framework for public procurement of cloud computing services and AI systems, centered on sovereignty and security. The core mechanism is the Union cloud computing sovereignty framework, which defines four Union assurance levels (UAL 1–4) in Annex II.

Risk Assessments (Article 29) Before procuring cloud services, Spanish contracting authorities and Union entities must conduct risk assessments. These assessments, required within one year of the regulation's entry into force and thereafter every two years, must:

1. Identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive, as well as in national security, internal security, external border management, defence, justice, or law enforcement.
2. Determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities.

The risk assessment must consider the sensitivity, criticality, and magnitude of personal and non-personal data processed, the risk of unlawful access by third countries, and the risk of service disruption. If a risk assessment determines that a migration to another cloud computing service is required, the migration must occur within a reasonable transition period not exceeding 12 months.

Procurement Requirements (Article 30) Based on the risk assessment, Article 30 sets clear procurement obligations:

• General Rule: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having Union assurance level 1.
• Critical Public Order Activities: Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in defence, law enforcement, or critical infrastructure) must only procure cloud computing services recognized as having Union assurance level 2, 3, or 4.

Derogations are allowed only on an exceptional basis where no adequate alternative exists, no suitable tenders were received in the previous year, or compliance would require disproportionate costs.

Union Added Value and Innovation (Articles 32–33) When procuring innovative cloud computing services and AI systems, Spanish contracting authorities must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem (Article 32). These criteria should assess:

• The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union.
• The use of critical computing, storage, and networking hardware components designed and/or manufactured in the Union, where feasible.

These criteria must be ancillary and not decisive in the award of the contract but should be expressly set out in procurement documents.

Additionally, Article 33 requires Member States to monitor their procurement of innovation in cloud and AI. Spain must pursue the objective that at least 25% of its procurement for cloud computing services and AI systems be awarded to innovative SMEs. Public bodies should promote preliminary market consultations and matchmaking between public buyers and innovative European SMEs and start-ups.

Support via Experience and Acceleration Centres for AI

To facilitate compliance and adoption, Article 5 requires each Member State, including Spain, to establish Experience and Acceleration Centres for AI (Centres for AI). These centres build on the existing network of European Digital Innovation Hubs (EDIHs).

For Spanish public-sector bodies, these Centres for AI serve as critical entry points. Their objectives include:

• Supporting the integration and scaling-up of AI use cases in strategic public sectors.
• Accelerating the broad adoption of cloud and AI technologies at regional and local levels, notably for SMEs and public sector bodies.
• Helping organizations accelerate digital transformation through access to and use of AI technologies, including by connecting them with European providers.
• Ensuring access to upskilling and reskilling schemes.

Public bodies can leverage these centres for expertise, testing, and skills support to meet their CADA obligations effectively. The Centres are tasked with facilitating the transfer of expertise across regions and supporting the scaling-up of spin-offs and start-ups emerging from universities and incubators.

What this means for you

For public-sector procurement officers and digital transformation leaders in Spain, CADA represents a shift towards more structured, sovereignty-conscious procurement.

1. Align with National Strategy: Ensure your organization's digital roadmap aligns with Spain's national cloud and AI strategy. Incorporate the 'AI first' principle into business process reviews to identify where AI can add value while managing risks.
2. Conduct Risk Assessments: Prepare to conduct mandatory risk assessments for all cloud-dependent activities. Determine which services are critical to public order. This classification will dictate your procurement options (UAL 1 vs. UAL 2–4).
3. Update Procurement Policies: Revise tender documents to include Union added value criteria as per Article 32. Ensure you are evaluating suppliers not just on price and technical merit, but on their contribution to the European digital supply chain.
4. Engage with Centres for AI: Utilize the local Experience and Acceleration Centres for AI for guidance, training, and access to European cloud providers. These centres are designed to help public bodies navigate the complexities of AI adoption and compliance.
5. Support SMEs: Actively seek opportunities to award at least 25% of innovative cloud and AI procurement contracts to SMEs, as encouraged by Article 33.

Common misconceptions

• Misconception: CADA bans the use of non-European cloud providers.
  • Reality: CADA does not ban non-European providers outright. However, it establishes a sovereignty framework where public bodies must procure services meeting specific Union assurance levels. Services controlled by third-country entities may face significant hurdles in achieving higher assurance levels (UAL 3–4) unless specific safeguards are in place.
• Misconception: All public sector activities require the highest level of sovereignty (UAL 4).
  • Reality: The framework is risk-based. Only activities identified as contributing to the preservation of public order in critical sectors require UAL 2, 3, or 4. General public sector activities must use at least UAL 1.
• Misconception: The 'AI first' principle means AI must be used in every process.
  • Reality: 'AI first' means considering AI opportunities and risks when reviewing business processes. It does not mandate AI usage where it is not appropriate or necessary.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must public-sector bodies in Sweden do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?
• What must public-sector bodies in Portugal do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.