CADA & Interoperable Europe Act

Summary As proposed, the Cloud and AI Development Act (CADA) establishes the EuroCloud Federation (Article 34) to facilitate the voluntary cross-border sharing of public sector cloud and data centre services. While CADA governs the sovereignty, security, and ownership conditions for this sharing, the Interoperable Europe Act (IEA) provides the mandatory technical, semantic, and organisational interoperability framework that these services must follow. Recital 69 of CADA explicitly links the Federation to the "Berlin Declaration" and Council conclusions on digital policy, while the IEA (referenced in Article 43 and Recital 83) ensures the underlying services can communicate seamlessly. Together, they ensure that cross-border public cloud infrastructure is both sovereign (under CADA) and interoperable (under the IEA).

Detail

The Cloud and AI Development Act (CADA) and the Interoperable Europe Act (IEA) are designed to operate in tandem to strengthen Europe's digital sovereignty and public administration efficiency. CADA addresses the strategic need for sovereign, secure cloud infrastructure, while the IEA ensures that the digital services running on that infrastructure can communicate seamlessly across borders.

The EuroCloud Federation as the Operational Vehicle

At the heart of CADA's cross-border public cloud strategy is the EuroCloud Federation, established under Article 34. This federation is a voluntary mechanism open to Union entities and public sector bodies. Its primary purpose, as outlined in Article 34(2), is to "facilitate the sharing of public sector data centre services and cloud computing services between Union entities and public sector bodies."

Recital 69 of the CADA proposal provides the strategic context, noting that Member States have expressed interest in "federating cloud capacities by interconnecting cloud computing infrastructures across the Union." The EuroCloud Federation is the legislative instrument that operationalises this interconnection. It is not merely a procurement club; it is a structural framework for sharing idle or underutilised public cloud capacity, thereby reducing reliance on third-country hyperscalers and fostering a domestic European cloud ecosystem.

Interoperable Europe Act: The Interoperability Mandate

While CADA provides the infrastructure and sovereignty framework, it does not dictate the technical standards for how different public administrations' systems should talk to each other. That role belongs to the Interoperable Europe Act (IEA).

The IEA mandates that public sector bodies ensure their digital services are interoperable across borders. When a public authority joins the EuroCloud Federation to share or consume cloud services, those services must comply with the interoperability requirements set out in the IEA. Specifically:

1. Technical Interoperability: The cloud services shared within the EuroCloud Federation must use open standards and specifications that allow for seamless data exchange and service integration, as required by the IEA's interoperability assessment process.
2. Semantic Interoperability: Data exchanged across the federation must adhere to common semantic standards (e.g., controlled vocabularies, data models) to ensure that information remains meaningful when it crosses national borders.
3. Organisational Interoperability: The IEA requires clear governance and legal frameworks for cross-border service delivery. The EuroCloud Federation's governance structure, as defined in Articles 34–36 of CADA, must align with these organisational interoperability principles.

How They Interact: Sovereignty Meets Interoperability

The interaction between CADA and the IEA is complementary and mutually reinforcing:

• CADA ensures trust and sovereignty: Before any cloud service can be shared within the EuroCloud Federation, it must meet the strict sovereignty and security criteria. Article 35(2) requires the sharing entity to put in place "appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services." This ensures that the infrastructure is trusted and compliant with EU data protection and cybersecurity laws.
• IEA ensures functionality and exchange: Once the sovereignty baseline is met, the IEA ensures that the services are technically capable of interacting. For example, if a German public administration shares cloud capacity with a French one via the EuroCloud Federation, the IEA ensures that the API endpoints, data formats, and authentication protocols are compatible.

Recital 69 of CADA explicitly references the "Berlin Declaration on Digital Society and Value-Based Digital Government," which calls for "interoperable public digital services." The IEA is the legal instrument that gives effect to this declaration, while CADA provides the secure, sovereign cloud substrate upon which these services run.

Legal and Compliance Implications for Public Authorities

For in-house counsel and compliance officers, the interaction between these two acts creates a dual compliance obligation:

1. CADA Compliance (Sovereignty & Security):

   • Article 34(1): Voluntary participation in the EuroCloud Federation.
   • Article 35(1): The sharing entity must own the hardware (directly or indirectly) and exercise control over any intermediate legal entity.
   • Article 35(5): Fees for shared services must be limited to cost recovery and cannot constitute a pecuniary interest under public procurement rules.
   • Risk Assessment: Under Article 29, Member States and Union entities must conduct risk assessments to determine the appropriate Union Assurance Level (UAL) for their public sector activities. While Article 35 does not explicitly cross-reference Article 29 for the act of sharing, the general sovereignty framework (Title IV) and the requirement for "secure and resilient provision" imply that shared services must align with the UALs determined for the relevant activities.
   • Technical Measures: The Commission is empowered to adopt implementing acts to specify the technical, operational and organisational measures for sharing under Article 35(6), not Article 34(4).

2. IEA Compliance (Interoperability):

   • Public authorities must ensure that any cloud service shared or consumed via the EuroCloud Federation undergoes the necessary interoperability assessments under the IEA.
   • They must reuse existing interoperability solutions from the European Interoperability Repository, as mandated by the IEA, to avoid reinventing the wheel and ensure consistency.
   • Article 43(2) of CADA mandates that the EU Open Source Solutions Catalogue be hosted on the Interoperable Europe portal, creating a direct technical link between the two legislative frameworks.

Penalties and Enforcement

Non-compliance with CADA's sovereignty and security requirements (e.g., failing to meet Union Assurance Levels or violating EuroCloud Federation rules) can lead to penalties under Article 24. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." While CADA does not specify exact fine amounts for EuroCloud Federation violations, it empowers national competent authorities to impose fines and order cessation of infringements.

Non-compliance with the IEA's interoperability obligations is enforced at the national level, with potential penalties varying by Member State. However, the IEA establishes a clear framework for monitoring and enforcement, ensuring that public authorities cannot opt out of interoperability requirements even when participating in sovereign cloud initiatives like the EuroCloud Federation.

What this means for you

For in-house counsel and compliance officers in public sector bodies or large private entities providing services to the public sector, the interaction between CADA and the IEA requires a holistic compliance strategy:

1. Dual Compliance Checklists: Develop compliance checklists that address both CADA's sovereignty criteria (Union Assurance Levels, data localisation, personnel screening) and the IEA's interoperability requirements (technical, semantic, organisational).
2. EuroCloud Federation Readiness: If your organisation intends to join the EuroCloud Federation, ensure that your cloud infrastructure meets the strict ownership and control requirements of Article 35. Verify that your services are compatible with the interoperability standards mandated by the IEA.
3. Procurement Strategy: When procuring cloud services for cross-border public projects, use the EuroCloud Federation as a potential source of sovereign capacity, but ensure that the contracts include clauses mandating compliance with both CADA's security standards and the IEA's interoperability rules.
4. Risk Assessment Integration: Integrate the risk assessments required by Article 29 of CADA with the interoperability impact assessments required by the IEA. This ensures that security and interoperability risks are managed in a coordinated manner.
5. Monitoring and Reporting: Be prepared to report on your participation in the EuroCloud Federation and your compliance with interoperability standards to national competent authorities. The Commission will monitor the implementation of both acts, and non-compliance could result in financial penalties or exclusion from cross-border public procurement opportunities.

Common misconceptions

• Misconception 1: CADA replaces the Interoperable Europe Act.
  • Reality: CADA and the IEA are distinct but complementary. CADA focuses on the sovereignty, security, and supply of cloud infrastructure. The IEA focuses on the technical and semantic interoperability of digital services. You need both to achieve a sovereign and interoperable public cloud.
• Misconception 2: The EuroCloud Federation is mandatory for all public cloud procurement.
  • Reality: Participation in the EuroCloud Federation is voluntary under Article 34(1). However, public authorities are encouraged to use it to share capacity and reduce dependencies. They are not forced to join, but they must comply with CADA's broader sovereignty requirements when procuring cloud services for critical public functions.
• Misconception 3: Interoperability is only a technical issue.
  • Reality: Under the IEA, interoperability includes organisational and legal aspects. The EuroCloud Federation's governance structure, fee mechanisms, and data sharing agreements must all be designed to ensure organisational interoperability, not just technical compatibility.
• Misconception 4: Private providers can directly join the EuroCloud Federation.
  • Reality: Article 34(1) states that the EuroCloud Federation is open to "Union entities and public sector bodies" on a voluntary basis. Private providers cannot directly participate as members. However, they can provide services to public sector bodies that are members, provided those services meet the strict sovereignty and interoperability criteria.
• Misconception 5: Article 34(4) defines the technical measures for the Federation.
  • Reality: Article 34(4) empowers the Commission to specify the procedure to participate and the template for requests. The power to specify the technical, operational and organisational measures for sharing services lies with Article 35(6).

Related

• EuroCloud Federation & Interoperable Europe: How CADA Links Infrastructure and Software
• CADA and the Interoperable Europe Act: How the EU OSS Catalogue Connects
• Does the Interoperable Europe Act mandate interoperability for CADA cloud services?
• CADA Repositories & Interoperable Europe: Do they need an assessment?
• Where is the CADA EU Open Source Catalogue hosted? Interoperable Europe portal

This is general information about a draft EU regulation, not legal advice.