What must public-sector bodies in Sweden do to comply with CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Sweden must align their cloud and AI procurement with the Union's sovereignty framework. This requires procuring services recognized at least at Union assurance level 1, with higher levels (2–4) mandatory for activities preserving public order. Swedish authorities must conduct biennial risk assessments to determine the appropriate assurance level for specific use cases. Compliance is driven by Sweden's national cloud and AI strategy, which must integrate the 'AI first' principle and leverage Experience and Acceleration Centres for AI as entry points for adoption. Additionally, procurement processes must incorporate Union added value criteria to strengthen the European digital supply chain, with a specific target to award at least 25% of innovation procurement to SMEs.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen the EU's cloud and AI ecosystem. For Sweden, as a Member State, compliance involves a multi-layered approach spanning national strategy formulation, risk assessment, and specific procurement rules. The proposal aims to reduce dependence on non-European providers and ensure the resilience of critical public services.

The Role of the National Cloud and AI Strategy (Article 7)

The foundation of public-sector compliance lies in the national strategy. Under Article 7(1), Member States, including Sweden, must establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies are not merely aspirational; they serve as the binding roadmap for public-sector adoption.

Article 7(2) mandates that these national strategies include specific measures to:

• Accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
• Support the broad deployment and uptake of AI in strategic industrial and public sectors, including healthcare, energy, and mobility.
• Support the deployment of data centre capacity with a focus on high-value, energy-efficient facilities.
• Promote the 'AI first' principle, urging organizations to reflect on their business processes and consider the opportunities offered by AI while managing potential risks.

For Swedish public-sector bodies, this means that local and national procurement policies must be coherent with the objectives set out in Sweden's national strategy. The strategy must also contribute to the Digital Decade targets, such as the adoption of cloud computing services by at least 75% of enterprises. Article 7(6) further clarifies that the European Artificial Intelligence Board (AI Board) will advise and assist Member States in coordinating these national strategies, ensuring that Sweden's approach is consistent with broader EU objectives.

Procurement Obligations and the Sovereignty Framework (Articles 16–30)

The core of CADA's impact on public procurement is the Union cloud computing sovereignty framework, which defines four 'Union assurance levels' of trust and security. Article 16 sets out the criteria for these levels, ranging from Level 1 (basic establishment in the Union and data localization) to Level 4 (highest security, Union citizenship for personnel, and no third-country control).

Article 30 imposes direct procurement obligations on contracting authorities:

1. Baseline Requirement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized under Article 17 as having a Union assurance level 1.
2. Public Order Requirement: Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., national security, defense, justice, law enforcement) must only procure services recognized as having Union assurance levels 2, 3, or 4.

This creates a mandatory baseline for all Swedish public procurement of cloud services. Authorities cannot simply choose the cheapest provider; they must verify that the provider holds the appropriate recognition in the central repository maintained by the Commission (Article 22).

Risk Assessments (Article 29)

To determine which assurance level is required, Member States and Union entities must conduct risk assessments. Article 29(1) requires these assessments to be carried out by the date of entry into force plus one year, and thereafter every two years, or whenever necessary.

The risk assessment must:

• Identify public sector activities using cloud services that contribute to preserving public order in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, defense, justice, or law enforcement.
• Determine which Union assurance level (2, 3, or 4) is appropriate for these activities.

Article 29(2) specifies that these assessments must consider the sensitivity, criticality, and magnitude of data processed, the risk of unlawful access by third countries, and the risk of service disruption. If a risk assessment determines that a migration to a different cloud service is required, Article 29(6) mandates that the migration must occur within a reasonable transition period not exceeding 12 months, taking into account technical feasibility and data portability.

Union Added Value and Innovation (Articles 32–33)

Beyond sovereignty, CADA introduces criteria to strengthen the European digital supply chain. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, Article 32(3) allows authorities to evaluate:

• The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union.
• The extent to which critical computing, storage, and networking hardware components are designed and/or manufactured in the Union.

Article 33 further encourages the procurement of innovation. Member States must monitor and report on their use of procurement of innovation in cloud and AI. Article 33(4) sets an objective for Member States to ensure that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. This requires Swedish authorities to design procurement strategies that are SME-friendly, such as dividing contracts into lots, to facilitate access for smaller European providers.

Support Mechanisms: Experience and Acceleration Centres for AI (Article 5)

To support public-sector bodies and SMEs in meeting these new requirements, CADA establishes a network of Experience and Acceleration Centres for AI (Centres for AI). Article 5(1) requires each Member State to establish these Centres, building on existing European Digital Innovation Hubs.

For Swedish public-sector bodies, these Centres serve as critical entry points. Article 5(3) tasks them with:

• Helping organizations accelerate digital transformation by connecting them with European providers of cloud and AI technologies.
• Ensuring access to upskilling and reskilling schemes.
• Supporting the scaling-up of spin-offs and start-ups.

Public authorities are expected to leverage these Centres to navigate the technical complexities of sovereign cloud procurement and AI integration, ensuring that the 'AI first' principle is implemented effectively without compromising security or sovereignty.

What this means for you

For public-sector procurement officers and digital strategists in Sweden, CADA introduces a structured, mandatory compliance pathway for cloud and AI procurement. Here is how you should prepare:

1. Align with the National Strategy: Ensure your organization's digital procurement policies are updated to reflect the 'AI first' principle and the specific objectives of Sweden's national cloud and AI strategy as required by Article 7. This strategy will dictate the pace and scope of your AI adoption.
2. Conduct and Update Risk Assessments: Initiate the risk assessment process outlined in Article 29 immediately. Identify which of your activities relate to public order, national security, or critical infrastructure. This assessment will determine whether you need Union assurance level 1 (baseline) or levels 2–4 (enhanced sovereignty). Remember, these assessments must be repeated every two years.
3. Verify Provider Recognition: Before issuing tenders, verify that potential cloud providers are recognized in the Commission's central repository (Article 22) at the appropriate Union assurance level. You cannot procure from providers who have not undergone the conformity self-assessment (Level 1) or independent audit (Levels 2–4) procedures.
4. Integrate Union Added Value Criteria: Update your procurement templates to include the non-price award criteria specified in Article 32. Evaluate tenders based on their contribution to the European digital supply chain, such as the use of EU-designed hardware or software. This is not optional for innovative cloud and AI procurements.
5. Support SME Participation: Design procurement processes to meet the 25% target for innovative SMEs as per Article 33. Consider breaking large contracts into smaller lots and providing clear technical specifications to help smaller European providers compete against global hyperscalers.
6. Leverage Local Support: Engage with Sweden's Experience and Acceleration Centres for AI (Article 5) for technical guidance, skills training, and connections to European cloud providers. These Centres are designed to help public bodies navigate the transition to sovereign cloud services.

Common misconceptions

• Misconception: CADA bans all non-European cloud providers.
  • Reality: CADA does not ban non-European providers outright. Instead, it establishes a tiered sovereignty framework. Providers from third countries can qualify for Union assurance levels if they meet strict criteria, including data localization, personnel requirements, and, for higher levels, the absence of third-country control. Article 18 even provides a mechanism for the Commission to recognize third countries that offer sufficient safeguards, allowing their providers to qualify for Level 3.
• Misconception: Only high-security agencies need to worry about sovereignty levels.
  • Reality: All public-sector bodies must procure at least Union assurance level 1 services (Article 30(2)). This baseline requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union unless explicitly required otherwise by the public body.
• Misconception: Union added value criteria are decisive for contract awards.
  • Reality: Article 32(2) explicitly states that these criteria must be "ancillary and not decisive in the award of the contract." They are part of the quality evaluation but must remain subordinate to technical and financial criteria directly connected to performance.
• Misconception: The 'AI first' principle means AI must be used in every decision.
  • Reality: The 'AI first' principle, referenced in Article 7(2), urges organizations to consider the opportunities and needs offered by AI. It is a strategic mindset for innovation and efficiency, not a mandate to deploy AI where it is inappropriate or risky. The associated risk assessments ensure that AI deployment is proportionate and secure.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must public-sector bodies in Spain do to comply with CADA?
• What must public-sector bodies in Slovenia do to comply with CADA?
• What must public-sector bodies in Slovakia do to comply with CADA?
• What must public-sector bodies in Romania do to comply with CADA?
• What must public-sector bodies in Portugal do to comply with CADA?

This is general information about a draft EU regulation, not legal advice.