Summary

Under the proposed Cloud and AI Development Act (CADA), the contracting authority (the specific public body) bears the primary legal responsibility for procurement compliance. This includes verifying that cloud services meet the required Union assurance levels (Article 30) and applying Union added-value criteria (Article 32). While the Member State is responsible for monitoring innovation procurement and reporting on SME participation (Article 33), and the European Commission manages central purchasing activities under Chapter IV, the individual public buyer remains accountable for ensuring the specific service procured aligns with their national risk assessment and sovereignty requirements.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a multi-layered governance framework for public procurement of cloud and AI. It does not centralise all compliance duties at the EU level; rather, it distributes specific obligations across the contracting authority, the Member State, and the Commission. Understanding this division is critical for public bodies to avoid non-compliance.

1. The Contracting Authority: Direct Compliance Obligations

The contracting authority, defined as the public body issuing the tender, holds the direct burden of compliance. As proposed, the regulation does not allow these entities to outsource their legal obligations to verify sovereignty or apply innovation criteria.

Ensuring Sovereignty Levels (Article 30)

Article 30 imposes a mandatory obligation on contracting authorities to procure cloud computing services that have been formally recognised as offering specific Union assurance levels. The required level is not arbitrary; it is dictated by the risk assessment conducted by the Member State or Union entity under Article 29.

  • Baseline Requirement: For public sector activities not identified as contributing to the preservation of public order, the contracting authority must procure services recognised as having at least Union assurance level 1 (Article 30(2)).
  • Public Order Requirement: For activities identified as contributing to the preservation of public order (e.g., national security, internal security, defence, justice, law enforcement, and sectors under the NIS2 Directive), the contracting authority must only procure services recognised as having Union assurance levels 2, 3, or 4 (Article 30(3)).

The contracting authority is responsible for verifying that the cloud provider holds the necessary recognition in the central repository established by the Commission. They cannot rely on generic cybersecurity certificates or self-declarations alone; they must ensure the specific CADA assurance level is met and documented.

Applying Union Added-Value Criteria (Article 32)

Beyond sovereignty, Article 32 requires contracting authorities to include non-price award criteria in procurement procedures for innovative cloud and AI services. These criteria must evaluate the tenderer's contribution to the European cloud and AI ecosystem. Specifically, authorities must assess:

  • Strengthening the digital technology supply chain in the Union (e.g., using hardware or software designed or manufactured in the EU).
  • Integration of technologies developed in the Union.
  • Innovation that strengthens supply security.
  • Delivery of services using critical computing hardware designed or manufactured in the Union.

Crucially, Article 32(2) states that these criteria must be ancillary and not decisive in the award of the contract. They must be linked to the subject matter, expressly set out in the procurement documents, and cannot confer unrestricted freedom of choice to the authority. The contracting officer is responsible for drafting these criteria correctly to ensure they are proportionate and non-discriminatory.

2. The Member State: Monitoring and Strategic Oversight

While the contracting authority executes the individual procurement, the Member State holds the macro-level responsibility for monitoring, reporting, and strategic planning, particularly regarding innovation and SME participation.

Monitoring Innovation Procurement (Article 33)

Article 33 places the obligation on Member States to monitor and report on their use of "procurement of innovation" in cloud and AI. This is a national-level task, not an individual buyer's duty. Member States must:

  • Identify barriers to SME participation in procurement procedures.
  • Report annually to the Commission on SME participation trends, including the number of contracts awarded to SMEs and their share of total contract value (Article 33(3)).
  • Pursue the objective that at least 25% of procurement for cloud computing services and AI systems be awarded to innovative SMEs (Article 33(4)).

Member States must include plans in their national cloud and AI strategies (under Article 7) detailing how they intend to achieve this 25% SME target. Therefore, while a public buyer writes the tender, the Member State is responsible for tracking whether the broader strategy is working and reporting the aggregate results to the Commission.

3. The European Commission: Central Purchasing Activities

For public bodies that lack the resources or expertise to conduct complex cloud procurements, CADA introduces a mechanism for central purchasing managed by the European Commission under Chapter IV (Articles 37–40).

In this scenario:

  • The Commission may act as a central purchasing body for Union entities and contracting authorities of Member States, procuring data centre services, cloud computing services, software, and AI systems on their behalf.
  • Participating entities are considered to have fulfilled their public procurement obligations if they acquire services through these Commission-led contracts (Article 39(1)).
  • The Commission is responsible for the operation and management of these procurement activities, including setting fees to cover costs (Article 40).

However, this mechanism does not absolve the public body of all responsibility. The public body must still ensure that the services procured via the Commission's framework meet the sovereignty requirements (Article 30) applicable to their specific use case. The Commission facilitates the process and the contract, but the compliance with the correct assurance level remains tied to the end-user's risk assessment.

What this means for you

As a procurement officer in a public body, your role under the proposed CADA shifts from purely administrative to strategically compliant. Here is your checklist:

  1. Map Your Assurance Level: Before issuing a tender, consult your national risk assessment (mandated by Article 29). Determine if your use case requires Level 1 (baseline) or Levels 2–4 (critical/public order). You cannot tender for a Level 1 service if your risk assessment mandates Level 3.
  2. Verify Provider Status: Only invite tenders from providers listed in the Commission's central repository as having the required Union assurance level. Do not accept generic ISO certifications as a substitute for CADA recognition.
  3. Draft Smart Award Criteria: When procuring innovative cloud/AI solutions, include the Union added-value criteria from Article 32. Ensure they are clearly defined, non-discriminatory, and secondary to technical/financial quality. Avoid making "European origin" the sole deciding factor, as this would violate the "ancillary and not decisive" rule in Article 32(2).
  4. Coordinate with National Authorities: If you are an SME-focused innovator or a smaller authority, work with your national competent authority to ensure your procurements feed into the national reporting requirements under Article 33. Your data helps your Member State meet the 25% SME target.
  5. Consider Commission Frameworks: If your body lacks procurement capacity, investigate joining the Commission's central purchasing activities under Chapter IV. This can reduce administrative burden, but you must still validate that the selected services meet your sovereignty needs.

Common misconceptions

  • "Cybersecurity certification equals CADA compliance." Incorrect. While CADA references cybersecurity standards (e.g., EUCS), a provider can be cyber-secure but not sovereign. CADA assurance levels include strict requirements on data location, personnel citizenship, and third-country control that go beyond technical security. You must look for the specific CADA Union assurance level recognition.
  • "The Commission handles everything if I use central purchasing." Incorrect. The Commission manages the procurement process and contracts, but the obligation to use the correct assurance level remains with the contracting authority. If you are a law enforcement agency, you still cannot use a Level 1 service, even if it is available through a Commission framework. You must filter the available options against your risk assessment.
  • "EU added-value criteria can override price." Incorrect. Article 32 explicitly states that Union added-value criteria must be ancillary and not decisive. They cannot be used to disqualify a technically superior or more cost-effective tender solely based on origin if the criteria are not properly linked to the subject matter and proportionate.
  • "Member States handle individual tender compliance." Incorrect. Member States are responsible for monitoring trends and reporting on SME participation (Article 33). They do not review or approve individual tender documents for compliance with Article 30 or 32. That responsibility lies with the contracting authority issuing the tender.

This is general information about a draft EU regulation, not legal advice.