When can a public buyer use a derogation from CADA's assurance-level procurement rules?

Summary Under the proposed Cloud and AI Development Act (CADA), public buyers are generally bound to procure cloud services meeting a specific Union assurance level determined by their risk assessment. However, Article 30(4) provides a narrow safety valve, allowing a derogation from these requirements on an exceptional basis and where duly justified. This derogation is strictly limited to three scenarios: (1) no suitable recognised service exists in the central repository; (2) a similar procurement within the previous year failed to attract suitable tenders; or (3) compliance would impose disproportionate cost. Crucially, any absence of a suitable service must not result from an "artificial narrowing down of the parameters of the public procurement procedure."

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for the sovereignty of cloud computing services in the public sector. The core obligation is set out in Article 30(2) and Article 30(3). For public sector activities not identified as contributing to the preservation of public order, contracting authorities must procure services recognised at Union assurance level 1. For activities identified as contributing to public order—such as those in national security, internal security, defence, justice, or law enforcement—authorities must procure services recognised at Union assurance levels 2, 3, or 4.

These obligations are designed to ensure that critical public functions are supported by infrastructure that guarantees data confidentiality, operational autonomy, and resilience against third-country interference. However, the Commission recognises that the market for sovereign cloud services is still evolving. To prevent the sovereignty framework from paralyzing essential public services due to temporary market gaps, Article 30(4) introduces a derogation mechanism.

This mechanism is not a general exemption. It is a strictly defined exception that applies only "on an exceptional basis and where duly justified." The text of Article 30(4) explicitly enumerates three cumulative conditions under which a contracting authority may decide not to procure a recognised service.

The Three Exceptional Grounds for Derogation

1. Absence of a Suitable Recognised Service

The first ground applies when "the subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository referred to in Article 22."

This ground is not triggered merely because a provider is not yet recognised. It requires a specific finding that no adequate or reasonable alternative or comparable cloud computing service exists. This implies a two-step test:

1. Market Scarcity: The authority must demonstrate that no service in the central repository (established under Article 22) can meet the functional requirements of the tender.
2. No Artificial Narrowing: The text explicitly states that this absence must "not be the result of an artificial narrowing down of the parameters of the public procurement procedure."

This second element is a critical safeguard against abuse. A contracting authority cannot draft technical specifications that are so specific, unique, or tailored to a single non-compliant vendor that no sovereign provider can meet them, and then claim that no suitable service exists. The parameters must be functional and open. If a recognised provider can meet the core needs but lacks a minor, non-essential feature that the authority has insisted upon, the authority cannot invoke this derogation. The burden is on the buyer to prove that the tender was designed to be inclusive of the sovereign market.

2. Failure of Previous Procurement Attempts

The second ground applies if "the contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants."

This provision acknowledges the "chicken and egg" problem of market development: providers may not seek recognition if there is no demand, and public bodies may not demand recognition if they believe no providers exist. By looking at the immediate past, CADA allows authorities to rely on recent market feedback.

• Time Limit: The "previous year" constraint is strict. If a procurement was launched 13 months ago, this ground no longer applies. The authority must reassess the market.
• Nature of Failure: The failure must be genuine. The authority must have received no suitable tenders or no suitable participants. If a tender was launched but received bids that were technically non-compliant or financially unviable, this ground may apply. However, if the authority received bids from recognised providers that were simply not selected for other reasons, this ground does not apply.

3. Disproportionate Cost

The third ground allows a derogation if "applying the requirements of this Regulation would require the contracting authority to procure services at disproportionate cost."

The proposal does not define a specific numerical threshold for "disproportionate." This leaves the assessment to the discretion of the contracting authority, subject to the principles of proportionality and the duty to justify.

• High Bar: A higher price for sovereign services is expected and does not automatically constitute "disproportionate cost." The cost must be so high relative to the budget or the value of the service that it fundamentally undermines the viability of the procurement or the public task.
• Contextual Analysis: The assessment must consider the specific financial context of the authority. What is disproportionate for a small municipality might not be for a large national agency. However, the justification must be robust, demonstrating that the cost premium is not just a budgetary inconvenience but a barrier to execution.

The Duty to Justify and Avoid Artificial Narrowing

The phrase "duly justified" in Article 30(4) imposes a significant documentary burden on the contracting authority. The derogation is not a self-executing right; it is a decision that must be substantiated.

Documentation Requirements:

• For Ground 1: The authority must maintain evidence of the search in the central repository, a detailed analysis of why no service was adequate, and a review of the tender parameters proving they were not artificially narrowed.
• For Ground 2: The authority must retain records of the previous procurement process, including the call for tenders, the evaluation of bids, and the specific reasons why no suitable tenders were received.
• For Ground 3: The authority must produce a detailed cost-benefit analysis or total cost of ownership (TCO) comparison, demonstrating the specific financial impact and why it is disproportionate.

The Prohibition on Artificial Narrowing: The explicit mention of "artificial narrowing down of the parameters" in Article 30(4) serves as a direct warning against "tailoring" tenders to exclude sovereign providers. If an authority specifies a proprietary technology, a unique interface, or a specific feature that is not essential to the service's core function, solely to match a non-compliant incumbent, this constitutes artificial narrowing. In such a case, the absence of a recognised service is self-inflicted, and the derogation is invalid. The authority must ensure that its technical specifications are functional, performance-based, and open to any provider capable of meeting them, including those in the central repository.

What this means for you

For public-sector procurement officers, legal counsel, and compliance teams, Article 30(4) represents a high-risk area of the proposed CADA. It is a tool of last resort, not a standard procurement option. Here is how to navigate it in practice:

1. Conduct a Rigorous Central Repository Search

Before even considering a derogation, you must search the central repository of recognised services (established under Article 22). If a service with the required assurance level is listed, you generally cannot claim "no suitable service" unless you can prove it is technically inadequate for your specific use case.

• Action: Document the search query, the date of the search, and the specific services reviewed.
• Action: If a service exists but lacks a feature, ask: Is this feature essential? If not, remove it from the tender. If it is essential, can a sovereign provider develop it? If yes, the derogation is invalid.

2. Audit Your Technical Specifications

To avoid the "artificial narrowing" trap, review your tender parameters with a sovereignty lens.

• Action: Ensure specifications are functional (what the service must do) rather than prescriptive (how it must be done).
• Action: Avoid referencing specific proprietary standards or interfaces that only non-compliant vendors support.
• Action: If you must include a specific feature, justify its necessity in the procurement file. If it is a "nice-to-have," exclude it to keep the market open.

3. Quantify "Disproportionate Cost"

If you are relying on cost, do not simply state that sovereign services are more expensive.

• Action: Prepare a side-by-side cost comparison between the recognised service and the non-compliant alternative.
• Action: Demonstrate the impact on the overall budget. Is the cost premium 10%? 50%? 200%? Show that the premium threatens the project's viability or forces the cancellation of other essential services.
• Action: Consider the long-term Total Cost of Ownership (TCO), including security risks and potential data breaches, which might make the "cheaper" non-compliant option more expensive in the long run.

4. Track the "One-Year" Clock

If you are using the "previous failed tender" ground, the timeline is critical.

• Action: Record the exact launch date of the previous procurement.
• Action: If more than one year has passed, this ground expires. You must re-evaluate the market. New providers may have gained recognition, or the market may have matured.
• Action: Ensure the previous tender was "similar" in scope and subject matter. A failed tender for a generic email service does not justify a derogation for a high-security defence application.

5. Prepare for Scrutiny and Audit

Assume your derogation decision will be reviewed by national competent authorities, the Commission, or auditors.

• Action: Create a dedicated "Derogation File" containing all evidence: market analysis, cost comparisons, minutes of decision-making meetings, and the justification statement.
• Action: Ensure the decision is signed by a senior official with the authority to make such a determination.
• Action: Be prepared to explain why the market is not ready and why the parameters were not narrowed.

Common misconceptions

"I can use a derogation if a sovereign provider is too expensive." Incorrect. The cost must be disproportionate, not just higher. A modest price premium for increased security and sovereignty is expected and does not justify a derogation. You must prove the cost is so high it disrupts the procurement's viability or forces the cancellation of the public task.

"If no European provider has the exact feature I need, I can derogate." Incorrect. You must ensure your tender parameters were not "artificially narrowed." If you specify a feature that is not essential to the core service, you may be accused of tailoring the tender to exclude compliant providers. The absence of a service must be genuine, not engineered by the buyer.

"I can derogate indefinitely if the market isn't ready." Incorrect. The derogation is for exceptional cases. The "previous failed tender" ground is limited to one year. The "no suitable service" ground requires ongoing justification. As the market develops, the burden of proof for derogation will increase. You should revisit your procurement strategy regularly, not assume a permanent exemption.

"I don't need to document the justification if it's an emergency." Incorrect. The requirement to be "duly justified" applies regardless of urgency. While emergency procurement rules may apply under other laws, CADA's sovereignty framework requires clear documentation to prevent abuse. Lack of documentation is a significant compliance risk and could lead to the invalidation of the contract.

"The derogation applies to all cloud services." Incorrect. The derogation applies only to the assurance level requirement. It does not exempt the authority from other CADA obligations, such as the duty to conduct a risk assessment under Article 29 or to use open-source solutions where possible under Article 41.

Related

• How does a public buyer verify a provider's CADA assurance level before awarding?
• How does a public buyer justify procuring above the minimum CADA assurance level?
• How can a Member State buyer use the Commission's central procurement under CADA?
• CADA Public Procurement Checklist: Risk Assessments, Assurance Levels & Added Value
• How to determine the required CADA Union assurance level for public workloads

This is general information about a draft EU regulation, not legal advice.