Summary

No, the proposed Cloud and AI Development Act (CADA) does not grant the European Commission delegated or implementing powers to amend the substance of the open source chapter (Title IV, Chapter V). While the Commission holds broad delegated powers to update technical criteria for cloud sovereignty (Annex II) and audit evidence (Annex III) under Article 45, the open source obligations in Articles 41, 42, 43, and 44 are static legislative mandates. The Commission's role is strictly limited to maintaining the EU Open Source Solutions Catalogue and coordinating the network of Open Source Programme Offices (OSPOs), rather than issuing binding technical standards or modifying the legal text via secondary legislation.

Detail

Under the proposed CADA, the distinction between the Commission's regulatory powers in the cloud sovereignty framework and those in the open source framework is deliberate and significant. To understand the scope of Commission authority, it is necessary to examine the specific provisions of Title IV, Chapter V (Articles 41–44) and contrast them with the enabling clauses found elsewhere in the regulation, particularly Article 45.

The Open Source Chapter: Static Obligations, No Delegated Powers

The open source provisions in CADA are designed as direct, self-executing obligations for Union entities and Member States, without a mechanism for the Commission to tweak their substance through delegated acts. The text of the proposal contains no reference to Article 290 TFEU (delegated acts) or Article 291 TFEU (implementing acts) within the open source chapter itself.

  • Article 41 (Promoting open source solutions and open source first): This article mandates that the Union and Member States take measures to encourage the use of open standards and components released under an open source licence. It explicitly lists criteria such as functionalities, security, and total cost of ownership. The text contains no clause empowering the Commission to amend these criteria, redefine "open source," or issue further technical specifications via delegated act. The obligation is fixed by the primary legislation.
  • Article 42 (Share and reuse of software): This article requires that when Union entities or public sector bodies make software available for reuse under an open source licence, they must do so using a catalogue or repository connected to the EU OSS Catalogue. There is no provision allowing the Commission to alter the definition of "reuse," the connectivity requirements, or the scope of this obligation through secondary legislation.
  • Article 43 (EU Open Source Solutions Catalogue): The Commission is tasked with providing and maintaining the EU OSS Catalogue. Crucially, Article 43(3) states the Commission shall decide on requests to connect external catalogues based on "objective and relevant criteria." However, the regulation does not delegate power to the Commission to define or amend these criteria through delegated acts. The decision-making process remains an administrative function of the Commission under the primary law, not a legislative one. The criteria themselves are not subject to future amendment by the Commission.
  • Article 44 (Network of Open Source Programme Offices): This article establishes the OSPO Network to facilitate cooperation on implementation. The Commission supports and coordinates this network, convening meetings at least twice a year. Again, there is no delegated power to alter the network's structure, its specific tasks, or its membership criteria. The network's role is to facilitate exchange and provide non-binding guidance, not to create binding rules.

Contrast with Other Titles: Where Delegated Powers Exist

To appreciate the limitation in the open source chapter, one must look at Article 45 (Exercise of the delegation). This article explicitly confers delegated powers on the Commission to adopt acts in accordance with Article 290 TFEU. These powers are exhaustive regarding the articles they reference and include:

  1. Amending Annex I: To reflect market and technological developments regarding the Cloud and AI Leadership Initiatives.
  2. Amending Annex II: To update the criteria for Union assurance levels (the sovereignty framework).
  3. Supplementing the Regulation: To lay down detailed rules for the performance of audits (referencing Article 20).
  4. Amending Annex III: To update audit evidence requirements (referencing Article 21).
  5. Specifying Assurance Levels: For contracting authorities (referencing Article 16).
  6. Requiring Impact Assessments: For private companies in high-criticality sectors (referencing Article 31).

Notably, the list of delegated powers in Article 45 does not cite Articles 41, 42, 43, or 44. This omission is deliberate; the legislator chose to keep the open source framework rigid and politically determined, rather than technocratically adjustable. Unlike the sovereignty framework, where the Commission can adapt assurance levels to new threats, the open source obligations remain fixed as proposed.

The Commission's Actual Role in Open Source

Without delegated powers, how does the Commission act? Its role is operational and coordinative, not legislative:

  • Catalogue Maintenance: Under Article 43, the Commission hosts the catalogue on the Interoperable Europe portal. It decides on access based on existing criteria but cannot change the criteria via delegated act.
  • Network Coordination: Under Article 44, the Commission convenes and chairs meetings of the OSPO Network. It facilitates the exchange of information, experience, and best practices, but it does not issue binding technical specifications for open source adoption. Any guidance produced by the network (e.g., templates or recommendations) is explicitly "voluntary and non-binding" under Article 44(3)(c).

What this means for you

For in-house counsel, compliance officers, and public sector bodies, the absence of delegated powers in the open source chapter offers regulatory stability but requires strict adherence to the primary text.

  1. No Moving Targets: You do not need to monitor the Official Journal for delegated acts that might redefine what constitutes an "open source licence" or alter the criteria for the EU OSS Catalogue. The legal requirements are fixed in the regulation as proposed.
  2. Strict Connectivity Requirement: Article 42 mandates that any software made available for reuse must be in a catalogue connected to the EU OSS Catalogue. There is no room for the Commission to issue implementing acts that might allow for alternative reporting mechanisms or decouple the requirement. Your technical architecture for software distribution must ensure direct interoperability with the central catalogue.
  3. Audit Readiness for Sovereignty, Not Open Source: While you will need to prepare for dynamic changes in the cloud sovereignty framework (where the Commission can update assurance criteria via delegated acts under Article 16 and Annex II), your open source compliance strategy can be built on a static foundation. Focus resources on ensuring your software reuse processes align exactly with Articles 41–44, as these will not be subject to future technical tweaks by the Commission.
  4. OSPO Engagement: Since the Commission coordinates the OSPO Network (Article 44), active participation in this network is the primary channel for guidance. Expect non-binding best practices and templates to flow from this network, rather than binding technical standards issued via delegated acts.

Common misconceptions

"The Commission can update the definition of open source via delegated acts." No. CADA does not define "open source licence" in its own Article 2, but rather refers to the definition in Article 2(12) of Regulation (EU) 2024/903 (Interoperable Europe Act). Even if it did, Article 45 does not grant the Commission power to amend definitions in the open source chapter. The definition remains anchored in existing EU law.

"The Commission will issue detailed technical standards for open source adoption similar to cybersecurity standards." No. While the Commission can adopt implementing acts for audit procedures (Article 20) and assurance levels (Article 16), it lacks this power for open source. Any technical guidance will come from the OSPO Network (Article 44) as non-binding best practices, not as legally binding implementing acts.

"Article 43 allows the Commission to create new criteria for catalogue access via delegated act." No. Article 43(3) states the Commission decides based on "objective and relevant criteria." It does not state that the Commission is empowered to adopt or amend these criteria through delegated acts. The criteria must be derived from the primary law or existing administrative practice, not created via secondary legislation.

This is general information about a draft EU regulation, not legal advice.