Summary Under the proposed Cloud and AI Development Act (CADA), "contracting authorities" are defined by reference to Directive 2014/24/EU. As proposed, Article 2(22) captures the State and regional and local authorities, bodies governed by public law, and associations formed by such authorities or bodies. These entities are the primary addressees of CADA's procurement duties for cloud computing services — and, as proposed, they must procure recognised services at the appropriate Union assurance level.

Detail

CADA (COM(2026) 502 final) sets out rules for how the public sector procures cloud computing services and AI systems. Which bodies are bound turns on a single defined term.

The legal definition As proposed, Article 2(22) states that "contracting authorities" means "contracting authorities as defined in Article 2(1), point (1), of Directive 2014/24/EU."

By importing this definition, CADA aligns with the existing EU public-procurement framework. Under Directive 2014/24/EU, contracting authorities cover three categories:

  1. The State, regional or local authorities: central government, ministries, regional and municipal administrations and other territorial bodies.
  2. Bodies governed by public law: entities established for the specific purpose of meeting needs in the general interest, not having an industrial or commercial character, and financed or controlled mainly by the State or other public authorities. This typically includes many public hospitals, universities and research institutes.
  3. Associations formed by one or more such authorities or bodies.

How the definition triggers obligations The definition matters because Article 30 ("Public procurement") attaches duties to these entities. As proposed:

  • Where their public-sector activities have not been identified as contributing to the preservation of public order under the risk assessment in Article 29(1), Union entities and public sector bodies must use cloud services recognised at Union assurance level 1 (Article 30(2)).
  • Where contracting authorities' activities have been identified as contributing to public order — in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, external border management, defence, justice or law enforcement — they must procure only services recognised at Union assurance level 2, 3 or 4 (Article 30(3)).
  • By way of derogation, on an exceptional and duly justified basis, contracting authorities may decide not to procure a recognised service in limited circumstances, for example where no adequate recognised alternative exists in the central repository (Article 30(4)).

The utilities question (Directive 2014/25/EU) EU procurement law separates general public procurement (Directive 2014/24/EU) from the utilities sector (Directive 2014/25/EU). Because CADA's "contracting authorities" definition references only Directive 2014/24/EU, entities regulated solely under the utilities directive are not, strictly, "contracting authorities" for CADA's Article 2(22).

That does not necessarily place them outside CADA entirely. The proposal also uses the broader term "public sector body", defined in Article 2(6) by reference to Article 2, point (1), of Directive (EU) 2019/1024. Several CADA provisions — for example the obligation in Article 30(2) and the European public sector cloud federation (the "EuroCloud Federation") in Article 34 — apply to "Union entities and public sector bodies." A utility may fall within "public sector body" even where it is not a "contracting authority." Procurement officers in utility sectors should assess both terms.

Union entities CADA also applies to Union entities, defined in Article 2(7) as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community." Under Article 30(1), the procurement rules apply to Union entities procuring cloud services for their exclusive use, without prejudice to the EU's own financial regulation.

What this means for you

For public-sector procurement officers, confirming your entity's status is the first compliance step.

  1. Confirm your classification: A ministry, council, public hospital or public university will generally be a "contracting authority" under Article 2(22), and so within Article 30's procurement duties.
  2. Conduct risk assessments: Under Article 29, Member States and Union entities must carry out risk assessments to identify which activities contribute to the preservation of public order and which Union assurance level (2, 3 or 4) is appropriate. The outcome determines whether you procure at level 1 or at a higher level.
  3. Utilities and mixed-status entities: A public water or energy company regulated under Directive 2014/25/EU may not be a "contracting authority," yet may still be a "public sector body" or "Union entity" within other CADA provisions. Assess both.
  4. Documentation: Reference the required Union assurance level in your procurement documents and procure from services listed in the central repository (Article 22).

Common misconceptions

  • "Only government ministries are affected." As proposed, the definition extends to bodies governed by public law — including many public universities, hospitals and research institutes — where they meet the financing or control criteria of Directive 2014/24/EU.
  • "Utilities are completely exempt from CADA." Utilities regulated under Directive 2014/25/EU may not be "contracting authorities," but may still be "public sector bodies" or "Union entities" within other CADA provisions.
  • "Private companies are contracting authorities." Private companies are not contracting authorities. Separately, certain private entities in NIS2 sectors of high criticality may carry out impact assessments under Article 31, but that is not a procurement obligation for contracting authorities.

Related

This is general information about a draft EU regulation, not legal advice.