On 3 June 2026, the European Commission published its proposal for the Cloud and AI Development Act (“CADA”). This proposal fits into a series of recent legislative initiatives aimed at increasing the EU’s strategic autonomy in specific strategic sectors, with public procurement as a crucial means to achieve this goal (e.g., the Net Zero Industry Act and the Industrial Accelerator Act). While the CADA puts EU sovereignty at the forefront when contracting authorities procure cloud services and AI systems, it also further adds to the complex patchwork that the EU public procurement rules are quickly becoming.
Scope and applicability of the CADA
The proposed regulation will apply to contracting authorities and EU entities when procuring cloud computing services and AI systems. Public undertakings active in the utilities sector are not subject to the CADA’s public procurement rules.
Contrary to well-established practice in EU public procurement law, the CADA applies irrespective of specific monetary thresholds. The CADA applies to all contracting authorities, but the level of obligation is determined by the outcome of mandatory, biennial risk assessments that classify public sector activities according to four assurance levels.
Mandatory assurance levels for cloud computing services
The CADA aims to reduce the EU’s critical dependence on a limited number of cloud computing service providers subject to the control of non-EU countries, given the risks associated with such dependence (e.g., access to sensitive information, economic coercion, technology lock-ins, and monopoly pricing). To achieve this aim, the regulation establishes a four-tier sovereignty framework (assurance levels 1 through 4) that cloud computing service providers must meet to supply services to public sector bodies. Member States must also aim to award at least 25% of the procurement for cloud computing services and AI systems to innovative small and medium-sized enterprises (“SMEs”).
When procuring cloud computing services for their exclusive use, all contracting authorities must, as a minimum, comply with assurance level 1 (data is processed and stored in infrastructure located in the EU). The Commission considers mandating assurance level 1 necessary to establish a consistent baseline of safeguards for the public sector. It also hopes for spillover effects on the private sector, with assurance level 1 becoming the market standard for cloud service providers active in the EU.
The assurance levels under the CADA complement the requirements of the General Data Protection Regulation (“GDPR”). While the GDPR already imposes strict conditions on international data transfers (Articles 44-49 GDPR), CADA's sovereignty framework adds a public-procurement-specific layer of requirements. Notably, assurance level 1’s requirement that data be processed and stored in EU-located infrastructure aligns with data localisation concerns that have gained prominence following the Schrems II judgment (C-311/18). Higher assurance levels, particularly level 4’s requirement of no third-country interference, provide additional safeguards against foreign government access.
Where a Member State’s biennial risk assessment shows that the activities of a contracting authority procuring cloud computing services are relevant to public order (e.g., in the law enforcement, transport or health sector), that authority must apply a higher assurance level. The Commission will adopt implementing acts that specify the elements to be considered when determining the applicable assurance level – with assurance level 4 (providers have full control over their software supply chain and there is no interference from a non-EU country) being the highest. When the risk assessment requires the migration to another cloud computing service, the migration must take place within 12 months, subject to technical feasibility and continuity of service requirements.
Assurance level-dependent conformity self-assessment or third-party audit
Cloud computing service providers seeking recognition as offering assurance level 1 carry out a conformity self-assessment with the relevant criteria and subsequently publicly issue an EU statement of conformity. This statement of conformity is submitted to the competent national authority for review, unless the provider is an SME – in which case the statement is directly and automatically recognised throughout the EU. Providers seeking recognition as offering assurance level 2, 3 or 4 must submit to a third-party audit. When they obtain such recognition, it is registered in a dedicated, publicly accessible repository. This allows contracting authorities to easily verify whether they have received tenders from providers that meet the assurance level with which they must comply. Annual reviews of the audit opinions are required.
On an exceptional basis and where duly justified, contracting authorities can decide to disregard the applicable assurance level when no recognised provider can supply the services, a previous award procedure did not result in suitable tenders or if the assurance level would result in disproportionate costs. Interestingly, the proposal does not indicate when costs are disproportionate, unlike the recently proposed Industrial Accelerator Act. In that proposal, estimated cost differences of more than 25 % are presumed to be disproportionate, significantly limiting the applicability of the “Buy European” criteria set out in that Act. If contracting authorities exercise this option under the proposed CADA, challenges by competitors of the chosen service provider are likely.
As a result, contracting authorities will need to be aware of the assurance level their specific purchase requires, and they will need to carefully review tenderers’ conformity with the corresponding requirements.
EU added value award criteria
The proposed CADA requires contracting authorities, when procuring innovative cloud computing services and AI systems (regardless of the contract value), to use award criteria evaluating tenderers’ contributions to the development of a European cloud and AI ecosystem as part of the quality evaluation of tenders. Specifically, contracting authorities must evaluate the extent to which a tenderer contributes to strengthening the EU digital supply chain, integrates EU-developed technologies, and delivers services using hardware designed or manufactured in the EU.
Remarkably, the CADA provides that these obligatory award criteria cannot be decisive in the award of the contract. A suggested weighting of up to 15 out of 120 points is referenced in the recitals. However, even such limited weighting can be decisive for the award decision. A contracting authority can never predict what the range of offered prices and quality will be.
Central purchasing activities by the European Commission
The proposed CADA further provides that the Commission may act as a central purchasing body for procuring data centre services, cloud computing services, software, and AI systems. The Commission may do so not only on behalf of EU entities, but also for national contracting authorities and partner organisations. An agreement between the Commission and at least two Member States is required, but a national contracting authority can use the Commission’s framework agreements and dynamic purchasing systems even if its Member State has not acceded to the agreement.
Objective and non-discriminatory conditions for the accession of national contracting authorities can be established, particularly relating to their size, the minimum amounts of the envisaged procurement, and the acceptance of support services provided by the Commission. Specific rules may also be imposed for national central purchasing bodies wishing to accede to the agreement. The proposed CADA further provides that the Commission can set up a common procurement platform to facilitate the uptake of the services it will centrally procure and provide to the interested parties.
The Commission taking up the role of central purchasing body itself, including for the benefit of national contracting authorities, is rather unique under EU procurement law. It seems that the Commission considers that the cloud computing, data centre, and AI systems sectors are especially in need of intervention to leverage the EU’s purchasing power to enhance its sovereignty in these fields. It remains to be seen whether the European Commission can design specifications for a framework agreement that allows contracting authorities to order services for a wide range of different projects.
Relation to the Public Procurement directives
The proposed CADA is published against the backdrop of the long-awaited reform of the (general) Public Procurement Directives, for which proposals are also expected this year. In the proposed CADA, the European Commission asserts that a targeted sectoral approach for cloud computing and AI systems services is required, which would be difficult to sufficiently account for through an overarching approach within the Public Procurement Directives. Be that as it may, the Commission’s renewed choice of a sectoral procurement approach further increases the complexity of EU public procurement law. It is hoped that the Commission’s proposals for the new (general) Public Procurement Directives (or Regulations) sufficiently account for the interplay with the various sectoral initiatives that have been launched over the past years.
In any case, our public procurement law and data teams are monitoring these developments intently and are ready to assist you in their implementation.
