Summary

Under the proposed Cloud and AI Development Act (CADA), a contracting authority acting as a central purchasing body (CPB) cannot simply resell cloud services without passing on the legal obligations it holds. Article 39(3) explicitly mandates that a CPB which acquires data centre services, cloud computing services, software, or AI systems from the Commission (or another source) "shall ensure, in its agreements with the contracting authorities it serves, compliance with any contractual requirements by which it is itself bound." This creates a mandatory "flow-down" mechanism. As proposed, this ensures that critical sovereignty standards, such as Union Assurance Levels, data localisation, and personnel requirements, are preserved throughout the supply chain and not diluted when services reach the end-user public body.

Detail

The proposed CADA framework (COM(2026) 502 final) introduces a novel procurement architecture designed to leverage collective buying power while safeguarding the Union's strategic autonomy. While Article 37 empowers the Commission to act as a central purchasing body for Member States and Union entities, the regulation also facilitates a multi-tiered system where national contracting authorities may act as CPBs for other public bodies. Article 39 defines the legal rules governing these transactions, specifically addressing the continuity of contractual obligations.

The Legal Mechanism: Article 39(3)

The core obligation is found in Article 39(3), which states:

"A contracting authority that has acquired data centre services, cloud computing services, software and AI systems from the Commission as a central purchasing body shall ensure, in its agreements with the contracting authorities it serves, compliance with any contractual requirements by which it is itself bound."

This provision establishes a strict chain of custody for contractual terms. It operates on two levels:

  1. Scope of Acquisition: It applies specifically to the acquisition of "data centre services, cloud computing services, software and AI systems."
  2. Mandatory Flow-Down: The phrase "shall ensure" creates a binding duty. The CPB must actively incorporate the upstream requirements into its downstream agreements. It is not sufficient to merely reference the upstream contract; the downstream agreement must legally bind the end-user to the same standards.

Context: Why This Matters for Sovereignty

The necessity of this flow-down mechanism is rooted in the sovereignty objectives of CADA. The regulation establishes Union Assurance Levels (1–4) in Annex II, which impose rigorous criteria on cloud providers, including:

  • Data Localisation: Customer data must remain exclusively within the Union (Annex II, 1.1(c), 2.1(c), etc.).
  • Personnel Requirements: Higher assurance levels (L3/L4) require personnel to be Union citizens (Annex II, 3.1(d), 4.1(d)).
  • Third-Country Control: Restrictions on control by non-EU entities (Annex II, 3.1(g), 4.1(g)).

If a national CPB procures a service at Union Assurance Level 3 from the Commission but fails to bind its downstream clients to these same terms, the end-user might inadvertently allow third-country access or use non-compliant personnel. This would breach the conditions of the original procurement and undermine the "Union assurance" status of the service. Article 39(3) prevents this dilution by legally requiring the CPB to enforce the upstream terms downstream.

Interaction with Other Articles

  • Article 39(1): This paragraph provides legal certainty for the initial acquisition, stating that a participating entity is "deemed to have fulfilled its obligations under applicable Union public procurement law" when acquiring services through the Commission. However, this exemption applies to the procurement procedure itself, not the operational compliance of the service. Article 39(3) ensures that once the service is acquired, the operational standards remain intact.
  • Article 39(2): This paragraph clarifies that procedural provisions applicable to Union institutions apply to the award of specific contracts under framework contracts or dynamic purchasing systems. This ensures that the process of awarding specific contracts remains aligned with EU institutional standards, while Article 39(3) ensures the substance of the contract (the requirements) flows down to the end-user.

The Role of the CPB

As proposed, the CPB acts as a gatekeeper. It is not merely a reseller but a compliance enforcer. If a CPB fails to ensure that its downstream agreements reflect the upstream requirements, it risks:

  1. Breach of its own contract with the Commission or the original provider.
  2. Undermining the sovereignty framework of CADA, potentially invalidating the Union Assurance Level of the service for the entire chain.
  3. Liability under national law for failing to enforce the terms it agreed to.

What this means for you

For legal counsel, procurement officers, and compliance teams within public sector bodies, Article 39(3) introduces specific due diligence requirements.

1. For Central Purchasing Bodies (CPBs)

  • Contractual Mapping: You must map every critical requirement in your master agreement with the Commission (or upstream provider) to your downstream agreements. This includes specific clauses on data residency, cybersecurity certification (e.g., EUCS), and personnel screening.
  • Active Enforcement: You cannot rely on passive compliance. Your agreements with the bodies you serve must explicitly state that they are bound by the upstream requirements. You must include audit rights or reporting mechanisms to verify that your clients are adhering to these terms.
  • Risk Management: If a downstream client violates a flow-down requirement (e.g., by attempting to transfer data outside the EU), you may be in breach of your upstream contract. You must have mechanisms to detect and remedy such breaches immediately.

2. For End-User Public Authorities

  • Review Your Agreements: When signing an agreement with a national CPB, do not assume the terms are standard. Scrutinize the contract to identify the "upstream" requirements you are being bound to.
  • Operational Alignment: Your internal IT policies and operational procedures must align with the contractual requirements passed down by the CPB. For example, if the CPB contract prohibits third-country data access, your staff must be trained to prevent such access.
  • Audit Readiness: Be prepared to demonstrate compliance not just with your own internal policies, but with the specific contractual terms of the CPB's upstream agreement.

Common misconceptions

"Article 39(1) means we have no obligations once we buy through a CPB." Incorrect. Article 39(1) only deems the procurement procedure compliant with EU public procurement law. It does not exempt the end-user from the contractual and sovereignty obligations contained in the service agreement. Article 39(3) explicitly re-imposes these obligations by requiring the CPB to ensure the end-user complies with them.

"The CPB is solely responsible for compliance; the end-user is not." While the CPB has the duty to ensure compliance, this is achieved by binding the end-user contractually. If the end-user violates the terms, they are in breach of their agreement with the CPB. The CPB may face liability for failing to enforce the terms, but the end-user remains directly liable for their own non-compliance.

"This only applies if the Commission is the CPB." While Article 39(3) specifically mentions acquiring services "from the Commission," the logic of the regulation suggests that any CPB acting under CADA's framework must preserve the integrity of the procurement. If a national CPB procures directly under CADA (e.g., for a specific strategic project), the same principle of preserving sovereignty requirements would apply to ensure the Union's strategic objectives are met.

This is general information about a draft EU regulation, not legal advice.