Summary

Under the proposed Cloud and AI Development Act (CADA), Union entities and public sector bodies are not automatically required to release all software they develop to the general public. However, the proposal establishes a strict "if-then" mechanism: if an entity voluntarily decides to make software available for reuse under an open source licence, Article 42 mandates that this software must be hosted in a catalogue connected to the EU Open Source Solutions Catalogue. Because the EU OSS Catalogue is required to be accessible electronically free of charge (Article 43(2)) and open source licences inherently grant rights to anyone (not just public bodies), the practical result is that such software becomes publicly available. The legal trigger is the decision to open-source, not a blanket obligation to disclose all code.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a targeted framework to foster technological sovereignty and reduce vendor lock-in by promoting the reuse of software within the European public sector. The specific rules governing who can access this software are located in Title IV, Chapter V (Open source), specifically Articles 42 and 43.

The Conditional Obligation: Voluntary Release Triggers Article 42

The core of the sharing mechanism is found in Article 42. This article does not impose a mandatory "open-source everything" rule on Union entities or public sector bodies. Instead, it creates a procedural obligation that activates only upon a specific decision.

The text of Article 42 states:

"When making software to which they hold intellectual property rights available for reuse under an open source licence, a Union entity or public sector body shall do so using a catalogue or repository that is connected to, and made accessible through, the EU OSS Catalogue referred to in Article 43."

This phrasing confirms that the obligation is conditional. An entity retains the discretion to keep software proprietary if it chooses not to release it under an open source licence. However, once the entity makes the policy decision to release software under an open source licence, it loses the ability to host that software in an isolated, internal, or private repository. It must instead integrate it into the federated ecosystem managed by the Commission.

This approach is reinforced by Recital 83 of the explanatory memorandum, which notes that "an increasing number of Union entities and public-sector bodies are sharing software developed by or for them and making it available for reuse under an open-source licence." The proposal aims to ensure that when this happens, the software is not siloed but is instead "connected to, and made accessible through" a central hub to "maximise the value of public expenditure, reduce duplication costs and foster innovation across the Union."

Public Accessibility: The Role of the EU OSS Catalogue

The critical question of who can access the software is answered by Article 43, which establishes the EU Open Source Solutions Catalogue (EU OSS Catalogue). This catalogue serves as the centralised gateway for all software shared under CADA.

Article 43(2) explicitly defines the accessibility of this hub:

"The EU OSS Catalogue shall be hosted on the Interoperable Europe portal referred to in Article 8 of Regulation (EU) 2024/903 and shall be accessible electronically free of charge."

Because the catalogue is publicly accessible without cost, any software uploaded to it is effectively available to the general public, not restricted to other government bodies. This aligns with the fundamental nature of open source licences. As defined in Article 2(25) (referencing Regulation (EU) 2024/903), an open source licence grants permissions to use, study, change, and distribute the software. These rights are not limited to public sector entities; they extend to anyone who accepts the licence terms.

Therefore, while the obligation to share is triggered only by the public body's voluntary decision, the consequence of that decision is public availability. The combination of the open source licence (granting rights to anyone) and the public nature of the catalogue (accessible free of charge) ensures that the software reaches the widest possible audience, including private companies, researchers, and individual developers.

Federated Connectivity and Interoperability

Article 43(3) further clarifies the technical implementation. It empowers the Commission to decide on requests from Union entities or public sector bodies that already maintain their own catalogues or repositories to have them "connected to and made accessible through the EU OSS Catalogue."

This creates a federated model rather than a single, monolithic database. Public bodies can maintain their own infrastructure and workflows, provided they ensure interoperability with the central EU OSS Catalogue. This ensures that software is discoverable by the broader community, fulfilling the proposal's goal of fostering innovation and reducing duplication across the Union.

Distinction from Private Sector Obligations

It is essential to distinguish the obligations of public sector bodies from those of private companies. The sharing and reuse mandates in Articles 42 and 43 apply strictly to:

  • Union entities (institutions, bodies, offices, and agencies); and
  • Public sector bodies (as defined in Directive (EU) 2019/1024).

Private companies are not subject to these specific sharing mandates under CADA. They are not required to release their software under an open source licence, nor are they required to connect their repositories to the EU OSS Catalogue. However, private companies are free to reuse software listed in the catalogue, as the open source licences grant them the right to do so.

What this means for you

For in-house counsel, compliance officers, and IT directors within EU institutions or Member State public sector bodies, the proposed CADA framework requires a shift in software governance strategy:

  1. Audit Your IP Portfolio: Identify software developed internally or commissioned for which your entity holds intellectual property rights. Determine which assets are candidates for reuse.
  2. Define Your Open-Source Policy: Since the obligation is triggered by the decision to release, your entity must have a clear policy defining when software should be released under an open source licence. Consider factors such as security clearance, commercial sensitivity, and strategic value.
  3. Ensure Catalogue Connectivity: If you decide to release software, you cannot simply host it on a private GitHub account or an internal server without linkage. You must either upload directly to the EU OSS Catalogue or connect your existing repository to it as per Article 43(3). This ensures the software is discoverable and accessible free of charge to the public.
  4. Prepare for Metadata Standards: While Articles 42 and 43 are brief, the effective operation of the catalogue will likely require standardized metadata (e.g., licence type, version, documentation) to ensure interoperability. Monitor for forthcoming implementing acts that may detail these technical requirements.
  5. Clarify Internal Governance: Establish clear internal procedures for the decision-making process. Since the legal trigger is the voluntary choice to open-source, your governance framework must define the criteria for this choice to ensure compliance with the "public interest" goals outlined in the Recitals.

Common misconceptions

  • Misconception: "CADA forces us to open-source all our software."
    • Correction: No. Article 42 applies only when an entity decides to make software available for reuse under an open source licence. There is no mandatory requirement to release all internally developed software. Entities retain the right to keep software proprietary if they choose not to release it under an open source licence.
  • Misconception: "Shared software is only for other government bodies."
    • Correction: No. Because the software is released under an open source licence (which grants rights to anyone) and hosted on a catalogue that is accessible electronically free of charge (Article 43(2)), it is available to the general public, including private companies and researchers.
  • Misconception: "Private companies must share their software under CADA."
    • Correction: No. The obligations in Articles 42 and 43 apply exclusively to Union entities and public sector bodies. Private companies are not required to share their software, though they are free to reuse software from the catalogue.
  • Misconception: "We can host open-source code on our own private server."
    • Correction: No. If you choose to release software under an open source licence, Article 42 mandates that you must do so using a catalogue connected to the EU OSS Catalogue. Isolated hosting would violate the proposal's requirement for connectivity and public accessibility.

This is general information about a draft EU regulation, not legal advice.