Summary

Public-sector buyers must prepare for the Cloud and AI Development Act (CADA) by aligning procurement strategies with the proposed Union assurance levels and mandatory risk assessments. As proposed in COM(2026) 502 final, the Regulation applies one year after entry into force (Article 48), creating a critical transition window. During this period, buyers must conduct risk assessments under Article 29, review existing contracts for sovereignty compliance, and budget for new administrative fees related to the EuroCloud Federation and common procurement frameworks. Failure to prepare before the application date could result in the inability to procure services for public-order-relevant activities.

Detail

The Cloud and AI Development Act (CADA) represents a paradigm shift for public procurement in the EU. While the EU AI Act governs the software layer, CADA targets the infrastructure and market structure beneath it, establishing a "Union cloud computing sovereignty framework" to reduce dependencies on third-country providers. For contracting authorities, the most immediate operational impact lies in Title IV, specifically the procurement obligations tied to Union assurance levels.

The Transition Timeline: Article 48

The clock for compliance begins with the Regulation's entry into force, but the obligation to apply the rules starts later. Article 48 of the proposal explicitly states:

"This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from [same day and month as date of entry into force plus 1 year]."

This one-year gap is not merely a grace period; it is a mandatory preparation phase. During this window, public-sector bodies must:

  1. Conduct Risk Assessments: Under Article 29, Member States and Union entities must carry out risk assessments to identify which public sector activities "contribute to the preservation of public order." This assessment determines whether a buyer is restricted to Union assurance level 1 (baseline) or must procure only services at levels 2, 3, or 4.
  2. Align with National Strategies: Article 7 requires Member States to adopt national cloud and AI strategies within one year of entry into force. These strategies will provide the local context for how risk assessments are interpreted and how assurance levels are mapped to specific sectors.
  3. Prepare for Migration: Article 29(6) mandates that if a risk assessment requires migration to a different cloud service, the transition must occur within a "reasonable transition period that shall not exceed 12 months." Buyers who wait until the application date to start this process may face a breach of the 12-month migration deadline immediately upon entry into force.

Procurement Obligations: The Assurance Level Hierarchy

Under Article 30, procurement obligations are tiered based on the outcome of the Article 29 risk assessment. Buyers must distinguish between two distinct categories of activities:

1. Baseline Procurement (Union Assurance Level 1)

For Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order, Article 30(2) mandates the use of cloud computing services recognized as having at least Union assurance level 1.

  • Criteria: Level 1 requires the provider to be established in the Union, with infrastructure and data located in the Union (unless explicitly required otherwise by the public body). It also requires compliance with state-of-the-art cybersecurity standards and transparency regarding subcontractors.
  • Self-Assessment: Crucially, Level 1 recognition relies on a conformity self-assessment by the provider (Article 19), meaning no independent third-party audit is required for this baseline level.

2. Public Order Procurement (Union Assurance Levels 2, 3, or 4)

For contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., national security, defense, justice, law enforcement, or sectors under the NIS2 Directive), Article 30(3) imposes a stricter requirement: they "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

  • Criteria: These higher levels introduce mandatory independent third-party audits (Article 20), stricter personnel requirements (including Union citizenship for Level 3 and 4), and prohibitions on third-country control (with limited derogations under Article 18).
  • Audit Requirement: Providers seeking Level 2, 3, or 4 must undergo an independent audit and obtain a "positive" audit opinion. Buyers must verify this recognition in the central repository established under Article 22 before awarding contracts.

Anticipating Implementing Acts and Fees

While the core obligations are set in the Regulation, the operational details will be fleshed out through secondary legislation. Buyers must anticipate two key streams of implementing acts:

1. Methodology for Risk Assessments (Article 29)

The Commission is empowered to adopt implementing acts to specify the methodology, templates, and elements for the risk assessments required under Article 29(3). These acts will define how to calculate the "sensitivity, criticality, and magnitude" of data and how to map these factors to specific assurance levels. Buyers should monitor these acts to ensure their internal assessment methodologies align with the Commission's guidance.

2. Fee Structures for Shared Services (Articles 36 & 40)

CADA introduces new cost centers for public buyers through two distinct fee mechanisms, both subject to implementing acts:

  • EuroCloud Federation Fees: Under Article 36, the Commission may recover costs incurred in establishing and managing the EuroCloud Federation (the European public sector cloud federation) through fees levied on members. Article 36(4) empowers the Commission to adopt implementing acts laying down detailed rules for determining these fees. Buyers participating in the federation must budget for these membership costs, which are designed to be cost-recovery based.
  • Common Procurement Framework Fees: Under Article 40, the Commission may levy fees on participating contracting authorities to cover the costs of the common procurement framework (where the Commission acts as a central purchasing body). Article 40(5) mandates implementing acts to specify the estimated costs, individual fee amounts, and payment conditions. These fees are intended to cover direct and indirect costs of the procurement activities, including platform development and administrative support.

Strategic Preparation Steps for Buyers

To navigate the transition from the current landscape to the CADA-compliant future, public-sector buyers should execute the following steps immediately:

  1. Initiate the Article 29 Risk Assessment: Do not wait for the Commission's implementing acts. Begin mapping current cloud services against the criteria for public order relevance. Identify which services support national security, law enforcement, or critical infrastructure. This mapping is the prerequisite for determining your required assurance level.
  2. Audit the Current Portfolio: Review existing cloud contracts for compatibility with the proposed sovereignty framework. Identify any services that rely on third-country control or data locations outside the Union. If a current provider cannot meet the required assurance level (e.g., Level 2 or 3), a migration plan must be initiated immediately to meet the 12-month transition window.
  3. Monitor National Strategies: Engage with national authorities to track the development of the national cloud and AI strategy required under Article 7. These strategies will likely provide sector-specific guidance on how to interpret "public order" and which assurance levels are expected for specific use cases.
  4. Budget for New Cost Centers: Update multi-annual financial plans to include potential fees for the EuroCloud Federation and common procurement frameworks. While these are cost-recovery mechanisms, they represent a new line item that must be accounted for in procurement budgets.
  5. Engage with the EuroCloud Federation: Consider early engagement with the EuroCloud Federation (Article 34) to facilitate the sharing of secure public-sector cloud capabilities. This can provide access to pre-vetted, sovereign services and reduce the burden of individual compliance.

What this means for you

As a public-sector procurement officer, your role is evolving from a transactional buyer to a strategic guardian of EU sovereignty. The CADA framework places the onus on you to ensure that every cloud contract aligns with the Union's resilience and autonomy goals.

  • Proactive Mapping is Non-Negotiable: You cannot wait for the application date to determine your assurance level. The risk assessment under Article 29 is the foundation of your procurement strategy. If you fail to identify a service as "public order relevant" before the application date, you may inadvertently procure a Level 1 service for a critical function, violating Article 30(3).
  • Vendor Due Diligence Must Deepen: Your vendor engagement must go beyond price and performance. You must verify a provider's establishment, data location, and control structure. For Level 2, 3, and 4 services, you must confirm the provider has a valid "positive" audit opinion and is listed in the central repository.
  • Architect for Resilience: Article 29(9) explicitly encourages buyers to consider multi-vendor or multi-cloud strategies to limit dependency. Your architectural planning should now prioritize diversity of supply to enhance resilience against third-country interference.
  • Legal and Financial Alignment: Work with your legal and finance teams to update standard procurement clauses to reflect the new transparency and audit obligations. Ensure your budget models account for the new fee structures under Articles 36 and 40, which will be detailed in upcoming implementing acts.

Common misconceptions

"All public cloud procurement will require the highest assurance level." This is incorrect. The framework is strictly proportionate. Article 30(2) establishes Union assurance level 1 as the baseline for all public procurement. Only activities specifically identified as contributing to the preservation of public order under the Article 29 risk assessment are required to procure at levels 2, 3, or 4. Most standard administrative services will likely remain at Level 1.

"The assurance levels are static and fixed forever." The criteria are set out in Annex II, but Article 16(2) empowers the Commission to adopt delegated acts to amend these levels and the evidence requirements. The framework is designed to evolve with technological and market developments. Buyers must stay informed of these updates to ensure continued compliance.

"Non-EU providers are completely banned from the EU market." Non-EU providers are not automatically excluded. Article 18 provides a mechanism for the Commission to recognize third countries that meet specific criteria (e.g., adequacy decisions, no extraterritorial data access laws). Providers from these "associated third countries" can be audited for Union assurance level 3. However, the bar is high, and the default expectation for public-order activities remains EU-established providers.

"The fees will be a significant new tax on public budgets." The fees for the EuroCloud Federation (Article 36) and common procurement framework (Article 40) are designed as cost-recovery mechanisms, not revenue generators. They are intended to cover the administrative and operational costs of these shared services. While they represent a new cost, they are offset by the economies of scale and reduced total cost of ownership that federated approaches aim to deliver.

This is general information about a draft EU regulation, not legal advice.