Can research bodies use the EuroCloud Federation under CADA?

Summary As proposed in the Cloud and AI Development Act (CADA), public research bodies can participate in the EuroCloud Federation, but only if they qualify as "public sector bodies" or "Union entities" under EU law. Article 34 establishes the Federation specifically to enable these public actors to share secure, sovereign cloud and data centre services. For research institutions, this creates a mechanism to pool computational resources and process sensitive data with high Union assurance, offering a trusted, sovereign alternative to commercial hyperscalers for critical projects.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, aims to strengthen Europe's cloud and AI ecosystem by reducing dependencies on non-European providers and enhancing technological sovereignty. A central pillar of this proposal is the establishment of the EuroCloud Federation, a voluntary framework designed to facilitate the sharing of public-sector cloud capacities across the Union.

Who can join the EuroCloud Federation?

Under Article 34(1) of the proposed Regulation, the EuroCloud Federation is established and is open for participation on a voluntary basis to two specific categories of actors:

1. Union entities: These are the Union institutions, bodies, offices, and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU), or the Treaty establishing the European Atomic Energy Community.
2. Public sector bodies: Defined in Article 2(6) of the proposal by reference to Article 2, point (1), of Directive (EU) 2019/1024.

For research bodies, the critical determination is whether they qualify as a "public sector body." Generally, this includes entities governed by public law and established for specific public-interest purposes, not having an industrial or commercial character. Public universities, state-funded research institutes, national laboratories, and government-funded research councils often fall into this category. However, private research entities, commercial spin-offs, or non-profit foundations not governed by public law would not be eligible to join the Federation directly under Article 34.

What does the Federation do for research?

The primary purpose of the EuroCloud Federation, as stated in Article 34(2), is to facilitate the sharing of public sector data centre services and cloud computing services between Union entities and public sector bodies. For the research sector, this offers several strategic advantages:

• Resource Pooling: Research projects, particularly those involving large-scale simulations, genomic data analysis, or climate modeling, require immense computational power. The Federation allows Member States and EU bodies to share idle or underutilized cloud capacity. This prevents the need for every individual research institute to build its own massive infrastructure, reducing costs and improving efficiency.
• Secure Data Handling: Many research activities involve sensitive data, such as personal health data for medical research, commercially sensitive industrial data, or data related to defense and security. The EuroCloud Federation is designed to operate within the CADA's broader sovereignty framework. By participating, research bodies can access cloud services that meet specific Union assurance levels (as detailed in Article 16 and Annex II of the proposal). This ensures that data remains under EU jurisdiction and is protected from extraterritorial access by third countries.
• Interoperability: The Commission will establish a platform for the Federation (Article 34(3)) that includes a catalogue of available services and a service platform for exchanging and orchestrating computing, storage, and network resources. This standardizes how public bodies interact with cloud infrastructure, simplifying procurement and technical integration for research consortia.

Sovereign Alternatives for Sensitive Research

One of the driving forces behind CADA is the concern that reliance on third-country hyperscalers exposes the EU to risks such as unauthorized data access, service disruption, or vendor lock-in. For research bodies handling critical data, the EuroCloud Federation provides a sovereign alternative.

Under the CADA proposal, public procurement of cloud services is tied to risk assessments (Article 29). If a research project involves data that contributes to the preservation of public order or involves sensitive personal data, the risk assessment may require a higher Union assurance level (Level 2, 3, or 4). Services within the EuroCloud Federation are expected to be designed to meet these stringent sovereignty criteria, ensuring that research data is processed and stored exclusively within the Union, with strict controls on personnel and subcontractors.

Participation Mechanism

Participation is voluntary. Union entities and public sector bodies may request the Commission to join the EuroCloud Federation (Article 34(1)). The Commission will adopt implementing acts to specify the procedure for participation and the content of the request for participation (Article 34(4)). Once a member, a "sharing entity" can provide services to a "using entity" within the Federation, provided they meet specific technical, operational, and organizational security measures (Article 35).

Crucially, Article 35(5) clarifies that the sharing entity may charge a fee to the using entity, but this fee must be limited strictly to the costs incurred in relation to the sharing of the service (e.g., allocating resources, managing access, ensuring compliance). It must not constitute a pecuniary interest or a public contract within the meaning of Directive 2014/24/EU. This ensures that the sharing of capacity within the Federation remains a public-sector cooperation anchored in the public interest, rather than a commercial transaction.

What this means for you

For public-sector procurement officers and IT leaders in research institutions, the EuroCloud Federation represents a significant shift in how cloud infrastructure is acquired and managed.

• Check Your Status: First, determine if your research body qualifies as a "public sector body" under Directive (EU) 2019/1024. If you are a state-funded university or national research council, you likely do. If you are a private research institute, you cannot join the Federation directly but may still benefit from procurement opportunities linked to it.
• Prepare for Voluntary Application: Since participation is voluntary, monitor the Commission's implementing acts for the application procedure. Early engagement may allow your institution to influence the technical standards of the shared platform.
• Re-evaluate Procurement Strategies: CADA introduces new procurement rules. For projects involving sensitive data, you may be required to conduct a risk assessment (Article 29) to determine the necessary Union assurance level. If your risk assessment mandates Level 2, 3, or 4, you may be restricted from using non-compliant third-country providers. The EuroCloud Federation offers a compliant pathway to access high-assurance cloud resources.
• Leverage Shared Capacity: Instead of negotiating individual contracts with commercial cloud providers for short-term compute spikes, explore whether the EuroCloud Federation's catalogue (Article 34(3)(a)) can provide the necessary resources. This could lead to cost savings and greater data sovereignty.
• Ensure Technical Compliance: If your institution intends to share its own cloud capacity with other members, you must implement appropriate technical, operational, and organizational measures (Article 35(2)). This includes robust cybersecurity, incident handling policies, and interoperability standards.

Common misconceptions

Misconception 1: Any research organization can join the EuroCloud Federation. Reality: Only "Union entities" and "public sector bodies" as defined in EU law can participate. Private research companies or non-profit research foundations that are not governed by public law are excluded from direct membership under Article 34.

Misconception 2: The EuroCloud Federation is a single, centralized cloud provider. Reality: The Federation is a network for sharing existing capacities among members. It is not a new cloud provider built by the EU. Members share their own data centre and cloud services with each other through a common platform managed by the Commission.

Misconception 3: Participation is mandatory for all public research bodies. Reality: Article 34(1) explicitly states that participation is on a voluntary basis. Institutions are not forced to join, but they may find it advantageous for securing sovereign cloud resources for sensitive projects.

Misconception 4: The Federation replaces commercial cloud providers entirely. Reality: The Federation is one option among many. Public bodies can still procure from commercial providers, but for certain high-risk or sensitive use cases, CADA's risk assessment and sovereignty requirements may make the Federation or other sovereign providers the only compliant choice.

Related

• EuroCloud Federation: How CADA enables public bodies to share sovereign cloud
• Can defence contractors use frontier-AI support under CADA?
• Can a bank use CADA impact assessments instead of public-sector risk assessments?
• Which CADA assurance level should defence workloads use?
• When do CADA research-support measures take effect?

This is general information about a draft EU regulation, not legal advice.