Can a private company reuse software from the EU OSS Catalogue under CADA?

Summary Yes, a private company can reuse software from the EU Open Source Solutions Catalogue, provided the specific software is released under an open source licence that permits such use. As proposed in the Cloud and AI Development Act (CADA), the catalogue is a centralised repository for software made available for reuse by Union entities and public sector bodies. While the legal obligation to publish software in the catalogue falls on public authorities, the open source licences governing that software generally allow private sector reuse, subject to the specific terms of each licence. The proposal explicitly tracks "downloads by third parties" as a key performance indicator, confirming that private usage is anticipated and monitored.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a comprehensive framework to promote open source software within the European public sector. The primary objectives are to reduce vendor lock-in, enhance security, foster innovation, and strengthen technological sovereignty. A central pillar of this framework is the establishment of the EU Open Source Solutions Catalogue (referred to in the proposal as the "EU OSS Catalogue").

The Legal Basis: Article 43 and the Catalogue's Purpose

Under Article 43(1) of the proposed Regulation, the European Commission is mandated to "provide and maintain an EU Open Source Solutions Catalogue ('EU OSS Catalogue') as a centralised catalogue to access software made available for reuse by Union entities and public sector bodies."

This provision establishes the catalogue not as a restrictive repository, but as a discovery and access mechanism. The text explicitly defines its function: to serve as a centralised point where software, once made available for reuse by public bodies, can be accessed. The regulation does not limit the access to the catalogue to public bodies alone; rather, it limits the obligation to publish to Union entities and public sector bodies.

The mechanism operates through a three-step process defined in the proposal:

1. Public Sector Obligation to Publish: Under Article 42, when a Union entity or public sector body decides to make software (to which they hold intellectual property rights) available for reuse under an open source licence, they must do so using a catalogue or repository that is "connected to, and made accessible through, the EU OSS Catalogue."
2. Universal Accessibility: Article 43(2) specifies that the EU OSS Catalogue shall be hosted on the Interoperable Europe portal and shall be "accessible electronically free of charge." The phrase "accessible electronically" implies a digital interface available to any entity with internet access, without explicit restriction to public sector login credentials.
3. Connection of Repositories: The Commission retains the authority to decide, based on "objective and relevant criteria," whether to connect other catalogues or repositories owned by Union entities or public sector bodies to the main EU OSS Catalogue (Article 43(3)). This ensures a unified front-end for discovering public sector software.

Who Can Use the Software? The Role of Recital 83

The text of CADA focuses primarily on the obligations of public bodies to share software. It does not contain a clause explicitly restricting who can access, download, or reuse that software once it is published.

Recital 83 of the explanatory memorandum provides critical context regarding the intended audience and the scope of reuse. It states that the EU OSS Catalogue "shall serve as a centralised catalogue for any public administration to search and access software made available for reuse by Union entities and public sector bodies."

While the phrasing highlights "any public administration" as the primary intended beneficiaries for cross-governmental interoperability and efficiency, this description does not constitute a legal exclusion of private entities. The recital explains the purpose of the catalogue (facilitating public sector reuse) but does not define the scope of rights granted by the software licences.

Crucially, the software listed in the catalogue is released under open source licences. The rights to use, modify, distribute, and incorporate that software into commercial products are governed by the terms of those specific licences, not by the CADA regulation itself. CADA mandates the publication of the software under an open source licence; it does not override the standard legal effects of those licences.

The Role of Open Source Licences in Private Reuse

CADA encourages the use of open standards and components released under open source licences (Article 41). When public sector bodies release software into the EU OSS Catalogue, they must attach an open source licence. The nature of these licences determines the rights of private companies.

• Permissive Licences: Many open source licences (such as MIT, Apache 2.0, or BSD) explicitly permit private companies to use, modify, and distribute the software for commercial purposes. These licences often impose minimal conditions, such as retaining copyright notices or including a disclaimer of warranty. A private company can legally integrate such software into a proprietary cloud service or sell it as part of a commercial product.
• Copyleft Licences: Other licences (such as the GNU General Public License or AGPL) also permit private reuse but may impose "copyleft" conditions. For instance, if a private company modifies the software and distributes it, they may be required to release the source code of their derivative work under the same licence.

Therefore, a private company's ability to reuse software from the catalogue depends entirely on the specific licence attached to that software entry. CADA does not impose a "public sector only" restriction on the use of the software; it only mandates the publication of publicly developed software under terms that facilitate reuse.

Tracking and Metrics: The KPI for Third-Party Downloads

Although private companies are free to use the software, the EU is interested in the impact and diffusion of these releases. The proposal includes specific mechanisms to track the usage of open source solutions as a measure of the framework's success.

Recital 83 notes that hosting the catalogue on the Interoperable Europe portal ensures that solutions can be easily linked to further relevant information and training. Furthermore, the proposal's financial statement and performance indicators explicitly track the effectiveness of these measures.

One of the key performance indicators (KPIs) for Objective 4 (contributing to the protection of public order by enhancing the resilience of supply) is defined in the Legislative Financial Statement. It includes tracking the "Number of public sector solutions released as open source in the repository, and their downloads by third parties."

The explicit mention of "downloads by third parties" as a metric confirms that:

1. Private entities (third parties) are expected to download the software.
2. The Commission intends to monitor this activity to assess the uptake of European open source solutions.
3. The framework anticipates and validates the commercial and non-commercial reuse of public sector software by the private sector.

What this means for you

For cloud service providers, data centre operators, software vendors, and other private sector entities subject to the broader CADA framework (such as sovereignty assurance levels), the EU OSS Catalogue represents a strategic resource.

1. Source Code Access and Innovation: You can search the EU OSS Catalogue for software components developed by EU public bodies. This may include middleware, security tools, data processing scripts, or infrastructure management software that aligns with the "European cloud stacks" promoted under the Cloud Leadership Initiative. Accessing these tools can accelerate development and reduce costs.
2. Licence Compliance is Paramount: Before integrating any software from the catalogue into your commercial offerings, you must review the specific open source licence attached to the code. Ensure that your intended use (e.g., embedding in a proprietary cloud service, modifying for internal use, or reselling) is compliant with that licence. If you are unsure, consult which-licences-open-source-cada for guidance on common open source licences and their commercial implications.
3. Sovereignty Alignment: Using software from the EU OSS Catalogue may support your compliance with CADA's sovereignty requirements. Software developed by Union entities is likely to meet high standards for data localisation, operational autonomy, and transparency. This can potentially ease your path to achieving Union assurance levels under the sovereignty framework, particularly regarding the software supply chain criteria in Annex II.
4. Contribution and Ecosystem Growth: While CADA mandates public sector sharing, private contributions can strengthen the European open source stack. If your company develops software in collaboration with public sector bodies, or if you voluntarily release your own tools, you may consider contributing to the ecosystem. A robust European open source community is a key objective of the Regulation.

Common misconceptions

Misconception 1: The EU OSS Catalogue is only for public sector use. Reality: While Recital 83 highlights public administrations as the primary users for cross-governmental interoperability, the software is released under open source licences. These licences generally allow anyone, including private companies, to use the software. There is no clause in CADA that prohibits private commercial use of catalogue software. The KPI tracking "downloads by third parties" further confirms this.

Misconception 2: CADA forces private companies to use open source. Reality: CADA encourages Union entities and public sector bodies to use and facilitate the reuse of open source solutions (Article 41). It does not mandate that private companies must use open source software. However, private companies operating in critical sectors (as defined in NIS2) may be encouraged to conduct impact assessments similar to those required for public bodies, where open source transparency could be a beneficial factor.

Misconception 3: Downloading from the catalogue grants unlimited rights. Reality: The catalogue is a discovery tool. The rights granted to you are defined by the open source licence attached to each piece of software. Some licences may require you to disclose your source code if you modify the software (copyleft), while others may be more permissive. Always read the licence terms before reuse.

Misconception 4: Private companies must publish their software in the catalogue. Reality: Article 42 only obliges Union entities and public sector bodies to make software available in a connected catalogue when they choose to release it for reuse. Private companies are not required to publish their proprietary or open source software in the EU OSS Catalogue.

Related

• How do you find and reuse software in the EU OSS Catalogue?
• How can SMEs benefit from the EU OSS Catalogue under CADA?
• Can the EU OSS Catalogue federate with private-sector catalogues?
• What records or metadata are needed to list software in the EU OSS Catalogue?
• CADA Article 42: What happens if a public body shares open source software outside the EU OSS Catalogue?

This is general information about a draft EU regulation, not legal advice.