Summary Yes, under the proposed Cloud and AI Development Act (CADA), a sharing entity may refuse to share cloud or data centre services with a specific using entity within the EuroCloud Federation. As set out in Article 35(1), sharing is framed as a permissive right ("may share") rather than a mandatory obligation. While the framework aims to optimize resource utilization, it does not compel a public body to provide capacity if doing so would violate security protocols, exceed technical limits, or conflict with the sharing entity's operational constraints. Participation is voluntary, and the sharing entity retains full discretion to accept or reject requests.

Detail

The EuroCloud Federation, established under Title IV, Chapter III of the CADA proposal, is designed to facilitate the sharing of public-sector data centre and cloud computing services among Union entities and public sector bodies. However, the legal architecture of this federation is explicitly built on voluntary cooperation rather than forced resource pooling. The regulation ensures that no public body is forced to surrender control of its infrastructure to another.

Voluntary Participation and Discretionary Sharing The foundational rule for sharing is set out in Article 35(1) of the CADA proposal. The text states: "A member of the EuroCloud Federation (the 'sharing entity') may share data centre services and cloud computing services with another member of the EuroCloud Federation (the 'using entity')..."

The use of the permissive verb "may" is legally significant. It indicates that sharing is an option, not a duty. A sharing entity retains the discretion to accept or reject requests from using entities. There is no provision in the Regulation that creates an enforceable right for a using entity to demand access to another member's idle capacity. Consequently, a refusal to share is a lawful exercise of the entity's discretion under the proposed framework.

Control and Ownership Prerequisites For sharing to occur at all, strict conditions must be met regarding who controls the infrastructure. Article 35(1) requires that the sharing entity must directly, or indirectly through an intermediate legal entity it controls, own the hardware through which the service is made available. Furthermore, the sharing entity must exercise control over that intermediate entity if applicable.

This structural requirement ensures that the entity refusing or granting access has genuine authority over the infrastructure. If a public body does not meet these ownership or control criteria, it cannot share services, effectively resulting in a "refusal" by operation of law. Even if an entity meets these criteria, it is not obligated to open its hardware to others; the "may" in Article 35(1) remains the governing principle.

Security and Operational Limits Article 35(2) mandates that "The sharing entity shall put in place appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."

This obligation grants the sharing entity the authorityβ€”and indeed the dutyβ€”to refuse sharing if doing so would compromise security or resilience. The sharing entity is responsible for risk analysis, access control policies, incident handling, and business continuity. If a using entity's intended workload poses a cybersecurity risk, conflicts with existing data protection mandates, or would degrade the service quality for other users, the sharing entity can deny access to maintain compliance with its security obligations. The regulation does not allow a using entity to override the sharing entity's security assessment.

Capacity and Resource Constraints Cloud and data centre capacity is finite. The EuroCloud Federation aims to share idle or underutilized capacity. If a sharing entity's infrastructure is fully committed to its own operations or existing contracts, it physically cannot share additional resources. The Regulation does not require entities to over-provision capacity or to degrade their own primary services to accommodate a using entity. Therefore, a refusal based on lack of available resources is a standard operational outcome and a valid reason for non-participation in a specific sharing request.

The Role of the Commission and Fees Article 35(3) and (4) introduce a gatekeeping role for the European Commission. Before sharing begins, the sharing entity must demonstrate to the Commission that it fulfills the conditions of ownership, control, and security. The Commission then assesses this information and allows the sharing to proceed.

While this is a validation step, it reinforces that sharing is contingent on meeting specific criteria, not an automatic right. If a sharing entity is not recognized as compliant, or if the Commission determines that a specific sharing arrangement does not meet the required standards, the sharing cannot legally occur. Additionally, Article 35(5) allows the sharing entity to charge a fee limited strictly to the costs incurred. If a using entity is unwilling or unable to pay these cost-recovery fees, the sharing entity is under no obligation to provide the service for free, providing another valid ground for refusal.

What this means for you

For public-sector procurement officers, IT directors, and policy makers, understanding this discretionary framework is crucial for planning digital infrastructure strategies.

  • Do Not Assume Guaranteed Access: When designing your cloud strategy, do not treat the EuroCloud Federation as a guaranteed backup source of compute capacity. You cannot legally compel another Member State's authority or Union entity to provide you with server space.
  • Negotiation and Bilateral Agreements: Sharing within the Federation will likely operate through bilateral agreements or service-level agreements (SLAs) between the sharing and using entities. You will need to negotiate terms, security protocols, and capacity commitments directly with potential sharing entities.
  • Security as a Veto Point: If you are a using entity, be prepared to provide rigorous security documentation. Sharing entities will use their security obligations under Article 35(2) as the primary filter for accepting new users. If your use case is high-risk or poorly defined, expect refusal.
  • Strategic Planning for Sharing Entities: If you are a potential sharing entity, you have the leverage to define your own boundaries. You can refuse sharing that would interfere with your core mission-critical services. Ensure your technical and organizational measures are robust, as you are liable for the security of the shared environment.

Common misconceptions

"The EuroCloud Federation creates a single, pooled resource pool where any member can draw capacity." No. The Federation is a framework for interconnection and sharing, not a centralized utility. Capacity remains under the control of the individual sharing entities, who can refuse access at any time based on their own operational needs.

"If I am a member, I have a right to use idle capacity." No. Membership is voluntary, and sharing is discretionary ("may share"). There is no enforceable right to access another member's infrastructure. The regulation explicitly avoids creating a "right to share."

"The Commission forces entities to share if they have idle capacity." No. The Commission assesses compliance and enables the platform, but it does not mandate the volume or recipient of shared services. The sharing entity retains operational control and the right to refuse.

Related

This is general information about a draft EU regulation, not legal advice.