Summary

The proposed Cloud and AI Development Act (CADA) does not explicitly name the European Union Public Licence (EUPL) in its text, but it legally recognises it as a valid "open source licence" under the definition in Article 2(25). As proposed, CADA encourages Union entities and public sector bodies to prioritise open-source solutions, including those licensed under the EUPL, to reduce vendor lock-in and strengthen technological sovereignty. Public bodies sharing software developed under their own intellectual property rights must do so via catalogues connected to the EU Open Source Solutions Catalogue, making the EUPL a highly relevant instrument for compliant reuse.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A central pillar of this framework is the promotion of open-source technologies to enhance technological sovereignty, security, and interoperability. While the regulation does not single out the EUPL by name, it creates a legal environment where the EUPL is fully recognised and actively encouraged for public sector use.

The Legal Definition: Article 2(25) and the Interoperable Europe Act

The legal basis for recognising the EUPL lies in Article 2(25) of the proposal. This article defines an "open source licence" by referencing the definition in Article 2, point (12), of Regulation (EU) 2024/903 (the Interoperable Europe Act). The Interoperable Europe Act defines an open source licence as a licence that "grants the right to use, study, modify and redistribute the software, and to share the modified versions, without discrimination against persons or fields of endeavour."

The EUPL, published by the European Commission, is a well-established open-source licence that meets these criteria. It is specifically designed to be compatible with EU law and fundamental rights, making it the natural default for public sector software. Therefore, any software licensed under the EUPL falls squarely within the scope of "open source" as defined by CADA. The proposal's reliance on the Interoperable Europe Act ensures that the definition remains dynamic and aligned with the broader EU digital strategy, rather than being frozen to a static list of licences.

The "Open Source First" Mandate

CADA explicitly mandates the promotion of open-source solutions within the public sector. Article 41 requires the Union and Member States to take necessary measures to encourage Union entities and public sector bodies to "use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack."

This provision establishes an "open source first" preference, taking into account functionalities, security, total cost, and other objective criteria. The EUPL is particularly relevant here as it is designed specifically for public sector software, ensuring compatibility with EU legal frameworks and fundamental rights. By encouraging the use of the EUPL, CADA aims to foster a common European ecosystem where public sector code can be freely shared and improved across borders, reducing the fragmentation of national digital solutions.

Sharing and Reuse Obligations: The EU OSS Catalogue

For public bodies that develop or commission software, CADA introduces specific obligations regarding reuse. Article 42 states that when a Union entity or public sector body makes software to which it holds intellectual property rights available for reuse under an open-source licence, it must do so using a catalogue or repository connected to the EU Open Source Solutions Catalogue (referred to as the "EU OSS Catalogue").

Article 43 further details that this catalogue will be maintained by the Commission and hosted on the Interoperable Europe portal. This creates a direct operational link for compliance officers: if a public authority develops software and chooses to release it under the EUPL, it cannot simply host it on an internal server or a disconnected GitHub repository. It must be listed in a repository connected to the central EU OSS Catalogue to ensure discoverability and reuse across the Union. This mechanism aims to maximise the value of public expenditure and reduce duplication, ensuring that software developed with public funds contributes to the broader European digital infrastructure.

Governance and the OSPO Network

To support the implementation of these open-source obligations, Article 44 establishes a network of Open Source Programme Offices (OSPO Network). This network facilitates cooperation between Member States and the Commission, promoting the sharing and reuse of open-source software. The OSPO Network will discuss common technical, legal, and organisational challenges, including licensing issues. For in-house counsel, engaging with or establishing an OSPO may become a strategic priority to manage the legal complexities of open-source compliance, including the specific terms of the EUPL and its compatibility with other licences.

What this means for you

For in-house counsel and compliance officers in the public sector, the proposed CADA introduces several actionable obligations and strategic considerations regarding the use of the EUPL and open-source software generally.

  1. Licence Selection Strategy: When procuring or developing cloud and AI solutions, you should prioritise open-source licences that are compatible with the EUPL. The EUPL is advantageous because it is designed to be copyleft, ensuring that derivative works remain open, while also being compatible with other major licences like the GPL. Given CADA's encouragement of open-source reuse, selecting the EUPL for internally developed software aligns with regulatory expectations and facilitates cross-border sharing within the EuroCloud Federation or other public sector networks.
  2. Catalogue Compliance: If your organisation develops software and intends to make it available for reuse, you must ensure it is published in a catalogue connected to the EU OSS Catalogue (Article 42). This is not optional if you hold the IP rights and choose to release it under an open-source licence. Failure to connect to the central catalogue may hinder the software's visibility and contravene the spirit of the reuse obligation.
  3. Risk Assessment and Security: While CADA promotes open source, it also emphasises security and sovereignty. Article 41 notes that the choice of open-source components should consider security and total cost. Compliance officers must ensure that the specific version of the EUPL and the underlying code meet the cybersecurity standards required for the specific Union assurance level of the service. Open source does not automatically equate to sovereign assurance; additional audits may be required for higher assurance levels (Articles 20–21).
  4. OSPO Engagement: Consider establishing or joining an Open Source Programme Office (OSPO) as envisaged in Article 44. The OSPO Network will be a key resource for guidance on licensing compliance, legal challenges, and best practices. Proactive engagement can help your organisation navigate the technical and legal nuances of open-source integration in AI and cloud stacks.
  5. Documentation and Transparency: Ensure that all software released under the EUPL includes clear documentation of its licence status, provenance, and any dependencies. This transparency is crucial for downstream users and for demonstrating compliance with CADA's broader goals of interoperability and security.

Common misconceptions

Misconception 1: CADA mandates the exclusive use of the EUPL. CADA does not mandate the EUPL specifically. It encourages the use of any open-source licence that meets the definition in Article 2(25). However, the EUPL is often the default choice for EU public bodies due to its legal compatibility with EU law and its design for public sector reuse. Other licences, such as MIT, Apache 2.0, or GPL, are also valid under CADA, provided they meet the open-source definition.

Misconception 2: Using open-source software exempts providers from sovereignty audits. No. CADA's sovereignty framework (Articles 16–24) applies regardless of the software licence. Even if a cloud service is built entirely on open-source components licensed under the EUPL, the service provider must still undergo the appropriate conformity assessment or audit to achieve a Union assurance level. Open source contributes to transparency and auditability, but it does not automatically grant sovereignty recognition.

Misconception 3: The EUPL is only for software developed by the EU Commission. The EUPL is available for use by any public sector body, including Member State authorities, local governments, and private entities developing software for public sector use. CADA explicitly encourages public sector bodies to use open-source licences for their developed software, making the EUPL a practical tool for national and local authorities as well as EU institutions.

Misconception 4: Sharing software under the EUPL is optional if not commercially valuable. CADA focuses on the reuse of software developed by or for public sector bodies to maximise public value. While the regulation does not force every piece of internal software to be open-sourced, it creates a strong framework for reuse when IP rights are held by the public body. If a public body chooses to release software under an open-source licence, it must follow the catalogue connection rules. The trend is towards greater openness, and internal policies may increasingly require EUPL licensing for publicly funded developments.

This is general information about a draft EU regulation, not legal advice.