Summary
As proposed, the Cloud and AI Development Act (CADA) applies its open-source obligations to both EU institutions and national public bodies. Article 41 explicitly requires the Union and Member States to encourage "Union entities and public sector bodies" to use open-source solutions. Furthermore, Article 42 mandates that when these entities share software, they must do so via a catalogue connected to the EU OSS Catalogue, and Article 44 allows Open Source Programme Offices (OSPOs) from both Union entities and Member States to join the OSPO Network. The framework is unified, not bifurcated.
Detail
Under the proposed Cloud and AI Development Act (CADA), the promotion and reuse of open-source software are not limited to national governments. The regulation establishes a single, harmonised framework that binds both European Union institutions and national public authorities. This approach ensures that the EU's digital sovereignty and innovation goals are pursued consistently across the entire public sector stack, from the European Commission down to local municipalities.
The Unified Scope: Article 41
Article 41 of the proposal sets out the core obligation to promote open-source solutions. It states that "The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack."
The scope is explicitly dual:
- Union entities: Defined in Article 2(7) as the Union institutions, bodies, offices, and agencies (e.g., the European Commission, the European Parliament, the European Central Bank, and EU agencies).
- Public sector bodies: Defined in Article 2(6) by reference to Directive (EU) 2019/1024, covering national, regional, and local government bodies across the Member States.
Therefore, the "open-source first" consideration is not a recommendation for national bodies alone. In-house counsel and compliance officers at EU institutions face the same strategic direction as their national counterparts: they must prioritize open-source solutions when building their cloud and AI ecosystems. This prioritization must be balanced against "functionalities, including security, total cost, and other relevant, duly justified objective criteria," as stated in Article 41.
Centralised Visibility: Article 42
Article 42 imposes a specific procedural obligation on both Union entities and public sector bodies regarding software reuse. The text mandates: "When making software to which they hold intellectual property rights available for reuse under an open source licence, a Union entity or public sector body shall do so using a catalogue or repository that is connected to, and made accessible through, the EU OSS Catalogue referred to in Article 43."
This creates a centralized visibility requirement that applies uniformly:
- No Silos: A Union entity cannot simply host open-source code on an internal, disconnected server if it wishes to comply with the regulation's interoperability goals.
- The EU OSS Catalogue: The software must be discoverable via the EU Open Source Solutions Catalogue, which is hosted on the Interoperable Europe portal (Article 43).
- Connection Requirement: The obligation is not necessarily to host the code on the EU portal, but to ensure that the entity's own catalogue or repository is connected to it. This ensures a single point of discovery for all public-sector open-source software across the Union.
Governance and Coordination: Article 44
To support the implementation of these obligations, Article 44 establishes a Network of Open Source Programme Offices (OSPO Network). The scope of participation is explicitly inclusive of the Union level.
Article 44(2) states: "Open Source Programme Offices established by public sector bodies at local, regional or national level in a Member State, and those established by Union entities, may request from the Commission to join the OSPO Network."
This confirms that the governance and coordination mechanisms for open source are designed to operate across the entire EU public sector. The network's tasks (Article 44(3)) include facilitating the exchange of information, promoting sharing and reuse, and contributing to guidance on licensing and security. By allowing Union entities to join, the proposal ensures that the Commission and EU agencies can both contribute to and benefit from the collective expertise of the network, fostering a truly European approach to open-source governance.
What this means for you
For in-house counsel, compliance officers, and IT strategists at EU institutions, CADA introduces specific compliance checkpoints and strategic shifts that mirror those for national bodies:
- Procurement and Development Strategy: You must ensure that your institution's digital transformation projects evaluate open-source options against proprietary ones. Article 41 requires considering security, total cost of ownership, and functionality. Compliance officers should update procurement guidelines to reflect this "open-source first" consideration, ensuring that decisions to use proprietary software are objectively justified by the criteria listed in the article.
- Software Asset Management: If your institution develops software or holds intellectual property rights to existing code, you must assess whether it can be released under an open-source licence. If it is released, Article 42 requires listing it in a repository connected to the EU OSS Catalogue. This requires coordination with your IT security and legal teams to ensure that releasing code does not expose sensitive data or trade secrets, while still meeting the visibility requirement.
- Participation in the OSPO Network: Article 44(2) allows Union entities to join the OSPO Network. Compliance officers should consider establishing or designating an OSPO within their institution to facilitate this membership. Participation provides access to best practices, templates, and guidance on licensing and security, which can reduce the administrative burden of open-source compliance.
- Alignment with National Bodies: Because the rules apply to both Union and national levels, EU institutions should coordinate with Member State OSPOs. The OSPO Network (Article 44) is designed for this cross-border and cross-level exchange of information, helping to harmonize approaches to licensing, maintenance, and security.
Common misconceptions
"Open source is optional for EU institutions." While CADA does not mandate that all software must be open source, Article 41 creates a strong presumption in favor of it. Institutions must take "necessary measures to encourage" its use. Ignoring open-source options without objective justification (e.g., superior security or cost-efficiency of a proprietary solution) may be viewed as non-compliant with the regulation's objectives.
"The EU OSS Catalogue is only for national governments." Article 42 explicitly includes "Union entity" alongside "public sector body." EU institutions are equally bound by the requirement to connect their open-source repositories to the central EU OSS Catalogue. The goal is a unified European ecosystem, not a fragmented one.
"OSPOs are only for Member States." Article 44(2) clearly states that OSPOs established by Union entities may join the network. The governance structure is designed to be inclusive of all public sector actors within the EU framework, ensuring that the Commission and EU agencies are active participants in the open-source community.
"CADA only applies to cloud infrastructure, not software reuse." While CADA's primary focus is on cloud sovereignty and data-centre capacity, Title IV, Chapter V (Articles 41–44) specifically addresses the software layer. It mandates that the public sector (both Union and national) actively promotes open-source solutions to reduce vendor lock-in and strengthen technological autonomy.
This is general information about a draft EU regulation, not legal advice.