Summary Under the proposed Cloud and AI Development Act (CADA), software made available for reuse by Union entities and public sector bodies must be shared via the EU Open Source Solutions Catalogue (EU OSS Catalogue) under an open source licence. Reusers cannot unilaterally relicense or sublicense this software to alter its legal terms; their ability to do so is strictly governed by the specific obligations of the original open source licence chosen by the provider. If the original licence is permissive, relicensing into a different open source licence may be possible, but if it is copyleft, the original licence terms must be preserved and propagated. CADA itself does not create a new licence or override existing intellectual property terms.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A core pillar of this framework is the promotion of open source solutions to reduce vendor lock-in, enhance transparency, and foster technological sovereignty. To operationalise this, CADA introduces specific obligations for Union entities and public sector bodies regarding the sharing and reuse of software they develop or commission.
The Obligation to Share via the EU OSS Catalogue
Article 42 of the CADA proposal mandates that when a Union entity or public sector body decides to make software to which it holds intellectual property rights available for reuse under an open source licence, it must do so using a catalogue or repository connected to the EU Open Source Solutions Catalogue. This centralised catalogue, established and maintained by the Commission under Article 43, is hosted on the Interoperable Europe portal. Its primary function is to serve as a single point of discovery for reusable public sector software, ensuring that solutions developed with public funds are findable, accessible, and interoperable across the Union.
Crucially, Article 42 does not dictate which specific open source licence must be used. It merely requires that the software be made available "under an open source licence." This leaves the choice of licence to the intellectual property holder (the Union entity or public sector body), subject to the definition of "open source licence" provided in the Regulation.
Definition of Open Source Licence
To ensure legal certainty and consistency across the single market, CADA defines the term "open source licence" in Article 2(25). This definition explicitly cross-references Article 2, point (12) of Regulation (EU) 2024/903 (the Interoperable Europe Act). By anchoring the definition in existing EU interoperability law, CADA ensures that any licence used under its framework meets established criteria for openness, such as the freedom to run, study, share, and modify the software.
This definition is critical for understanding the scope of reuse. It confirms that CADA recognises a broad spectrum of licences, ranging from permissive licences (like MIT or Apache 2.0) to strong copyleft licences (like the GNU GPL or AGPL). The Regulation does not exclude any specific open source licence model, provided it aligns with the definition in the Interoperable Europe Act.
Relicensing and Sublicensing: The Role of the Original Licence
A common point of confusion is whether CADA grants reusers a blanket right to relicense or sublicense software found in the EU OSS Catalogue. The answer is no. CADA does not create a bespoke "CADA Licence" nor does it override the intellectual property terms attached to the software by the original provider.
The rules governing relicensing and sublicensing are entirely determined by the specific open source licence selected by the original provider. CADA acts as a distribution mechanism, not a licence grantor.
Sublicensing
In open source terminology, "sublicensing" refers to the right to grant further permissions to third parties that the original licensee does not possess. Most major open source licences (such as the MIT, Apache 2.0, or GPL variants) do not require explicit sublicensing because they grant rights directly to all downstream users. The licence terms apply automatically to anyone who receives the software.
However, if a specific licence explicitly prohibits sublicensing or restricts the scope of rights granted, a reuser cannot grant broader rights than those they hold. CADA does not override these contractual restrictions. If the original licence prohibits sublicensing, the reuser is bound by that prohibition.
Relicensing
Relicensing involves distributing the software under a different licence. Whether a reuser can do this depends entirely on the nature of the original licence:
- Permissive Licences (e.g., MIT, BSD, Apache 2.0): These licences generally allow relicensing. A reuser can combine permissively licensed code with their own code and distribute the combined work under a different licence, including a proprietary one, provided they comply with the attribution and notice requirements of the original licence. In this scenario, the reuser effectively "relicenses" the derivative work under new terms, while the original code retains its original licence status.
- Copyleft Licences (e.g., GNU GPL, AGPL): These licences impose strong viral conditions. If a reuser modifies or distributes software licensed under a copyleft licence, the resulting derivative work must be distributed under the same licence. Relicensing a copyleft-licensed work into a different open source licence (or a proprietary licence) is generally prohibited unless the original copyright holders grant explicit permission. The "open source" definition in Article 2(25) explicitly includes these copyleft licences, meaning CADA-compliant software may carry strict redistribution requirements that prevent relicensing.
Implications for Reusers
For in-house counsel and compliance officers, this means that the EU OSS Catalogue is a repository of software with diverse licensing terms. There is no "CADA Licence" that standardises the legal regime for all software in the catalogue. Before relicensing or integrating software from the catalogue into a new product, legal teams must perform a thorough audit of the original licence.
If the software is dual-licensed or available under multiple options, the reuser may select the most appropriate licence for their use case, but they must adhere strictly to the terms of the selected version. The act of downloading or accessing software via the CADA-mandated catalogue does not confer any additional rights beyond those granted by the underlying open source licence.
What this means for you
For in-house counsel, compliance officers in the public sector, and private entities engaging with public sector software, the following operational steps are critical:
- Audit the Original Licence: When sourcing software from the EU OSS Catalogue, do not assume a uniform licence. Identify the specific open source licence attached to each component. This determines your ability to relicense, modify, or distribute the software. The presence of software in the catalogue confirms it meets the Article 2(25) definition, but not its specific terms.
- Respect Copyleft Boundaries: If the software is under a strong copyleft licence (e.g., GPL v3), you cannot relicense it into a proprietary or more restrictive open source licence. You must preserve the original licence terms in any derivative works you distribute. Attempting to relicense such software would constitute a breach of the original licence and potentially infringe copyright.
- Document Provenance: CADA promotes transparency. Maintain clear records of the original source, the version, and the licence terms from the EU OSS Catalogue. This documentation is essential for demonstrating compliance with the original open source obligations and for managing intellectual property risks.
- No Automatic Sublicensing Rights: You do not gain automatic rights to sublicense software in a way that contradicts the original licence. If you distribute software to third parties, you are bound by the same obligations as the original provider. The catalogue facilitates access, but it does not alter the contractual chain of rights.
Common misconceptions
"CADA imposes a specific licence on all reused software." No. CADA does not mandate a single licence. It requires software to be released under an open source licence, as defined in Article 2(25) by referencing the Interoperable Europe Act. The choice of licence (MIT, Apache, GPL, etc.) remains with the provider, and the terms of that chosen licence govern all downstream reuse.
"Software from the EU OSS Catalogue can be freely relicensed into proprietary software." This is only true if the original licence is permissive. If the software is released under a copyleft licence, relicensing into a proprietary format is prohibited. The "open source" definition in Article 2(25) includes copyleft licences, which carry strict redistribution requirements that prevent the software from becoming proprietary.
"Sublicensing is a standard right under CADA." No. CADA does not grant sublicensing rights. Sublicensing is a contractual concept governed by the original open source licence. Most open source licences do not require sublicensing because they grant rights directly to all users, but they also do not grant the right to override the original licence terms. If the original licence restricts sublicensing, CADA does not remove that restriction.
Related
- Can a Member State run its own national open source catalogue under CADA?
- CADA Open Source Obligations: Beyond the EU OSS Catalogue Listing
- CADA Open Source: The Commission's Role in the EU OSS Catalogue and OSPO Network
- What is the EU Open Source Solutions Catalogue under CADA?
- CADA Article 42: What happens if a public body shares open source software outside the EU OSS Catalogue?
This is general information about a draft EU regulation, not legal advice.