Summary

To win public cloud tenders under the proposed Cloud and AI Development Act (CADA), providers must first obtain formal recognition as offering a specific Union assurance level (1, 2, 3, or 4) under Article 17. This recognition is the mandatory gatekeeper for public procurement: ordinary public buyers must procure services recognized at Level 1 or higher, while buyers in public-order-critical sectors (such as defence, law enforcement, or national security) must procure Level 2, 3, or 4 services under Article 30, with the exact level set by the national risk assessments carried out under Article 29. Once recognized, your service must also be listed in the central repository established under Article 22 before contracting authorities can consider it. Without this triad of recognition, audit (for Levels 2 to 4), and registration, a provider is effectively ineligible for CADA-regulated public contracts.

Detail

The proposed CADA establishes a rigorous sovereignty framework that directly dictates eligibility for public sector contracts. Unlike previous frameworks that relied on voluntary certifications or general cybersecurity standards, CADA creates a binding "Union cloud computing sovereignty framework" (Article 16). This framework categorizes cloud services into four assurance levels based on their ability to protect Union public order, data confidentiality, and operational autonomy.

For a cloud service provider (CSP), winning a tender is no longer solely a matter of technical capability or price; it is a compliance-driven process where recognition is the primary prerequisite.

The Gatekeeper: Recognition under Article 17

You cannot simply claim your service is "sovereign" or "trusted." You must undergo a formal recognition process administered by the national competent authority of establishment (the Member State where your main establishment is located).

  • Application Process: Providers must submit an application for recognition to the competent authority, including all relevant evidence required for the specific assurance level sought (Article 17(1)).
  • Level 1 (Self-Assessment): For the baseline assurance level, providers carry out a conformity self-assessment against the criteria in Annex II and issue an EU statement of conformity. Notably, for SMEs, this statement is directly and automatically recognized in all Member States without the need for prior intervention by the competent authority (Article 17(3)).
  • Levels 2–4 (Independent Audit): For higher assurance levels, the bar is significantly higher. Providers must undergo independent third-party audits by an accredited auditing organization. You must submit a "positive" audit opinion and the full audit report to the competent authority (Article 17(4)). Failure to meet any requirement of a lower level precludes conformity with higher levels (Article 20(1)).
  • EU-Wide Validity: The process includes a cross-border review. Once the evaluating national competent authority accepts the evidence, it notifies the other Member States, which have a 60-day window in which to raise a reasoned objection (Article 17(5)-(6)). If no objection is raised, the service is recognized throughout the entire Union at that specific assurance level (Article 17(7)).

The Procurement Mandate: Article 30

Recognition would be of little use if buyers were not legally required to rely on it. Article 30 makes recognition a mandatory precondition for the public procurement of cloud computing services, creating a two-tiered market.

  1. Minimum Baseline (Level 1): Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognized as having Union assurance level 1. Because each higher level presupposes conformity with the lower ones (Article 20(1)), a service recognized at Level 2, 3, or 4 also satisfies this requirement. This is the floor for all public procurement.
  2. Public Order Requirement (Levels 2–4): Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., sectors falling under Annex I or II of the NIS2 Directive, national security, internal security, external border management, defence, justice, or law enforcement) must only procure services recognized as having Union assurance levels 2, 3, or 4.
  3. The Risk Assessment Link: The specific level (2, 3, or 4) required is not arbitrary; it is determined by the Member State's risk assessment under Article 29. If a risk assessment determines that a specific activity (e.g., processing classified data) requires Level 4 assurance, a provider offering only Level 2 or 3 is legally ineligible for that tender.

The Visibility Requirement: Article 22

Even if you are recognized, you must be visible. Article 22 requires the Commission to establish and maintain a central repository of cloud computing services that have been recognized under Article 17.

  • Registration: The national competent authority that recognizes your service is responsible for registering it in this central repository (Article 22(2)).
  • Public Access: The repository is publicly available. Contracting authorities will use this list to identify eligible bidders. If your service is not in the repository, it effectively does not exist for the purposes of CADA-compliant public procurement.
  • Revocation Visibility: If your recognition is revoked (e.g., because the application contained incorrect information or because circumstances have changed), the revocation is published in the repository and remains visible for five years (Article 22(3)). This ensures transparency and stops providers whose recognition has lapsed from continuing to trade on it in tenders.

What this means for you

For cloud service providers, data centre operators, and their legal/compliance teams, the path to winning CADA tenders requires a strategic shift from "selling features" to "proving sovereignty."

1. Audit Early and Strategically

If you target the public sector, particularly in critical sectors, you must engage an accredited auditing organization early. The audit criteria for Levels 2–4 are rigorous and cover:

  • Data Localization: Customer data must remain exclusively within the Union (Annex II).
  • Personnel: For Levels 3 and 4, personnel must be Union citizens (Annex II 3.1(d), 4.1(d)).
  • Third-Country Control: You must demonstrate you are not subject to control by a third country that could compromise service continuity or data access (Annex II 3.1(g), 4.1(g)).
  • Supply Chain: You must provide a complete Software Bill of Materials (SBOM) and demonstrate controls against remote tampering (Annex II 2.1(i), 3.1(i)).

2. Target Your Assurance Level Correctly

  • Level 1 Strategy: If you only seek Level 1, ensure your self-assessment documentation against Annex II is robust and publicly available. This is sufficient for general administrative IT but excludes you from contracts with buyers whose activities have been identified as contributing to the preservation of public order (Article 30(3)).
  • Level 2–4 Strategy: If you seek higher levels, prepare for independent audits that verify your infrastructure, assets, and personnel are located in the Union. Be aware that for Level 3, a derogation exists for providers controlled by a third country only if the Commission has adopted an implementing act identifying that third country as providing sufficient assurances (Article 18).

3. Monitor the Repository and Risk Assessments

Ensure your national competent authority registers you in the central repository promptly after recognition. Check the repository regularly to ensure your status is accurate. Furthermore, monitor which public sector activities are classified as "public order" relevant by Member States under Article 29. This determines whether your Level 1, 2, 3, or 4 status is sufficient for specific tenders.

4. Understand the "Gatekeeper" Nature

Article 30(4) allows for derogations only in exceptional circumstances (e.g., no suitable service exists in the repository, or disproportionate cost). Do not rely on these exceptions; they are narrow and require strict justification. The default rule is: No recognition in the repository = No bid.

Common misconceptions

"Cybersecurity certification is enough." No. While Levels 2–4 services must obtain a European cybersecurity certificate of at least "substantial" assurance (Level 2/3) or "high" assurance (Level 4) under the Cybersecurity Act (Annex II 2.1(e), 3.1(e), 4.1(e)), this is only one criterion. CADA's sovereignty framework includes strict requirements on data localization, personnel nationality, and absence of third-country control that go far beyond technical cybersecurity.

"I can bid if I'm a global provider with EU data centers." Not necessarily. For Levels 2–4, the criteria require that the provider and its subcontractors are established in the Union, and that infrastructure, assets, and personnel are located in the Union (Annex II 2.1(a)-(b)). Furthermore, for Level 3 and 4, the provider must not be subject to the control of a third country, with very limited exceptions for associated third countries with specific safeguards (Annex II 3.1(g), 4.1(g)). Merely having a data center in the EU is insufficient if the parent company is controlled by a third country without a specific Commission decision.

"Recognition is automatic once I pass the audit." No. The national competent authority must formally issue a recognition decision, and the other Member States then have a 60-day review period in which to raise reasoned objections (Article 17(5)-(6)). Only once that period has passed without objection is the service recognized EU-wide (Article 17(7)).

"Private sector tenders are unaffected." While Article 30 focuses on public procurement, the proposal encourages private entities in critical sectors (under NIS2) to conduct similar impact assessments (Article 31). Market pressure will likely drive private buyers to prefer recognized services, creating a de facto requirement for many large commercial contracts.

This is general information about a draft EU regulation, not legal advice.