Summary
EU public sector spending on artificial intelligence, cloud computing, cybersecurity, and digital transformation is projected to exceed €100 billion across member states by 2027, driven by the EU's Digital Decade policy targets and national recovery plans funded through the Recovery and Resilience Facility (RRF). For technology suppliers, the public sector is now one of the most valuable growth channels — but winning requires understanding the specific CPV codes, compliance requirements, and evaluation logic that govern public digital procurement. The EU AI Act, which began applying in August 2024, is reshaping how public authorities procure AI systems and what suppliers must demonstrate.
Scale and Drivers of EU Digital Public Procurement
Digital technology contracts represent one of the fastest-growing segments of EU public procurement. The European Commission's Digital Decade policy framework targets 100% online public service delivery, 80% of citizens using digital ID, and 75% of EU enterprises using cloud, AI, or big data by 2030. Achieving these targets requires massive public procurement of technology — from national identity platforms and e-health systems to AI-assisted border control and smart city infrastructure.
The Recovery and Resilience Facility (RRF) has been a major accelerant. With over €300 billion in grants and loans allocated across EU member states, RRF national plans have directed 20% of spending to digital transformation by requirement — creating thousands of public digital transformation tenders in 2022–2026. Countries including Italy (PNRR), Spain (Plan de Recuperación), and Poland (KPO) have all published major digital procurement programmes using RRF funds, many still active or entering renewal phases in 2026.
At EU institutional level, the European Commission's DG DIGIT and DIGIT's DIGIT TM (Technology Management) unit manage framework contracts for IT services used across Commission DGs and EU agencies. These multi-year frameworks — covering application development, infrastructure services, cybersecurity, and data analytics — are accessible to both large systems integrators and specialised boutiques through cascade or further competition mechanisms.
Key CPV Codes for AI and Digital Tenders
Monitoring the right CPV codes is essential for building a digital tender pipeline. The most important codes for AI and digital transformation contracts are:
- 72000000 — IT services: consulting, software development, internet and support
- 72200000 — Software programming and consultancy services
- 72210000 — Programming services of packaged software products
- 72212000 — Programming services of application software
- 72220000 — Systems and technical consultancy services
- 72230000 — Custom software development services
- 72300000 — Data services
- 72310000 — Data processing services
- 72315000 — Data management services
- 72400000 — Internet services
- 72500000 — Computer-related services
- 72600000 — Computer support and consultancy services
- 72700000 — Computer network services
- 72800000 — Computer audit and testing services
- 48000000 — Software package and information systems
- 79410000 — Business and management consultancy services (commonly used for digital strategy work)
AI-specific contracts often use 72000000 as the primary code alongside 73000000 (research services) for AI development work. There is currently no dedicated EU CPV code for artificial intelligence — a gap that makes keyword search on TED equally important alongside CPV monitoring.
The EU AI Act: Implications for Public Procurement
The EU AI Act (Regulation 2024/1689), which entered into force in August 2024 and is being phased in through 2026, has direct implications for suppliers of AI systems to public bodies. The Act classifies AI systems into four risk tiers: unacceptable risk (banned), high-risk, limited risk, and minimal risk. Many AI applications procured by public authorities — including AI used in welfare benefit decisions, law enforcement analytics, border management, employment screening, and critical infrastructure management — fall into the high-risk category.
High-risk AI systems supplied to public authorities must comply with extensive requirements including: registration in the EU AI database; conformity assessments; transparency and explainability documentation; human oversight mechanisms; accuracy, robustness and cybersecurity standards; and data governance requirements. From August 2026, public authorities procuring high-risk AI must verify supplier compliance before deployment. This is already appearing in tender specifications for 2026 contracts — with authorities requesting CE marking declarations, AI conformity assessment documentation, and model cards as part of technical selection criteria.
For technology suppliers, early investment in AI Act compliance documentation is now a competitive differentiator. Firms that can provide clear, pre-prepared AI conformity documentation — including technical dossiers, risk management system descriptions, and post-market monitoring plans — will score significantly better on technical quality criteria in AI-related tenders from mid-2026 onward.
The EU AI Act is also generating entirely new procurement categories. Article 9 conformity assessments for high-risk AI systems require specialist auditing services — a market segment that did not meaningfully exist before 2024. Demand for AI testing tools, AI governance frameworks, and AI risk management consultancy is growing rapidly as both public authorities and private AI suppliers scramble to meet compliance deadlines. DIGIT framework contracts specifically targeting AI tools and AI management platforms are expected to be tendered in 2025–2026, creating early-mover opportunities for vendors positioned in this space.
Cloud Procurement and Data Sovereignty
Cloud computing procurement by EU public bodies is increasingly shaped by data sovereignty and GDPR compliance requirements. Following the invalidation of the EU-US Privacy Shield (Schrems II, 2020), EU public authorities have faced sustained pressure to procure cloud services hosted on EU-based infrastructure with strong data residency guarantees. This has benefited European cloud providers (Scaleway, OVHcloud, IONOS, T-Systems) and has prompted US hyperscalers (AWS, Azure, Google Cloud) to establish dedicated EU sovereign cloud products.
The EUCS (EU Cybersecurity Certification Scheme for Cloud Services), developed by ENISA under the EU Cybersecurity Act, is being finalised and is expected to become a requirement in public cloud procurement specifications during 2026. The scheme defines three assurance levels (Basic, Substantial, High) — with High level potentially restricting eligible providers to those under EU jurisdiction. Technology suppliers bidding on cloud contracts should monitor EUCS developments and be prepared to address certification status in tender responses.
Bid Strategy for Digital Transformation Tenders
Digital transformation contracts are predominantly evaluated on MEAT (Most Economically Advantageous Tender) criteria, with technical quality typically weighted at 50–70%. The most common technical sub-criteria are: proposed methodology and approach (how the supplier will deliver the digital change); understanding of the contracting authority's context and needs; team qualifications and specific digital domain expertise; quality assurance and testing approach; and transition and knowledge transfer planning.
Price competition on digital contracts is intense — especially on framework agreements where multiple suppliers cascade down. Winning on price alone is rarely sustainable. The most successful technology suppliers win on the quality of their methodology narratives, demonstrating a genuine understanding of the authority's legacy systems, change management challenges, and political constraints. Investing in pre-bid research — reviewing the authority's existing IT strategy documents, digital transformation plans, and previous procurement notices — generates the contextual intelligence that differentiates a generic methodology response from a tailored, high-scoring one.
Key Takeaways
- EU public digital procurement is worth over €100 billion across member states by 2027; RRF-funded digital programmes continue driving volumes through 2026 across Italy, Spain, Poland, and other beneficiary states.
- The primary CPV codes to monitor are 72000000 (IT services) and 48000000 (software packages); AI-specific work often carries 73000000 alongside — keyword search for "artificial intelligence" on TED is essential given the absence of a dedicated AI CPV code.
- The EU AI Act creates new compliance obligations for suppliers of high-risk AI to public bodies; CE marking documentation and conformity assessment readiness are becoming selection criteria in 2026 specifications.
- EUCS cloud certification at High assurance level may restrict public cloud procurement to EU-jurisdiction providers during 2026 — a development that changes the competitive landscape significantly for hyperscalers vs. European alternatives.
- Technical quality methodology scores (weighted 50–70%) are the decisive differentiator in digital tenders; pre-bid research into the authority's IT strategy and legacy context is the highest-ROI investment for competitive bids.
Frequently Asked Questions
What CPV codes cover AI and digital tenders in the EU?
The main divisions are 72xxxxxx (IT services: consulting, software development, support) and 48xxxxxx (software packages). There are no dedicated AI-specific CPV codes — AI contracts appear under 72212000 (software programming) and 72300000 (data services). Cloud contracts use 72300000 and 72400000 (internet services).
Does the EU AI Act affect public procurement?
Yes. The EU AI Act (applying from August 2024, phasing through 2026–2027) requires public bodies procuring high-risk AI systems to include conformity assessments, CE marking, and technical documentation in contract specifications. Suppliers of high-risk AI must provide full technical documentation and post-market monitoring plans.
How large is EU public IT procurement?
EU public sector IT spending exceeds €80 billion annually across all 27 member states. Germany, France, and the Netherlands are the largest buyers. The European Commission's DIGIT framework alone exceeds €3 billion. Digital transformation spending is growing at 8–12% per year driven by EU Digital Decade targets.
What is EUCS and why does it matter for cloud tenders?
EUCS (EU Cybersecurity Certification Scheme for Cloud Services) is ENISA's certification framework defining basic, substantial, and high assurance levels for cloud providers. Public authorities increasingly specify EUCS certification in cloud tender requirements. High assurance EUCS effectively requires EU-based data processing.
How do SMEs win EU digital transformation tenders?
Focus on below-threshold IT contracts via national platforms (not just TED), target framework calldowns rather than prime contracts, and position around niche capabilities — cybersecurity, specific ERP modules, AI implementation — rather than competing on scale with large integrators. DIGIT and national framework competitions regularly include SME-accessible lots.