Does CADA's open source chapter apply to AI models and tools?

Summary As proposed, the Cloud and AI Development Act (CADA) does not impose direct, binding compliance obligations on private providers of AI models or tools to release their code as open source. Instead, Article 41 of the proposal obliges the Union and Member States to encourage Union entities and public sector bodies to prioritize open standards and components released under an open source licence when building their "cloud and AI ecosystem or stack." The regulation targets public procurement and internal public sector development practices rather than regulating the private AI software supply chain. For AI developers, this creates a significant demand-side incentive for open-source models but does not introduce new regulatory burdens for the creation or distribution of those models.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), introduces a dedicated chapter on open source (Title IV, Chapter V, Articles 41–44). While the legislative text is dense, the practical impact on AI developers and model providers is often misunderstood. It is critical to distinguish between obligations placed on users of technology (public authorities) and obligations placed on providers of technology (AI model developers).

Article 41: The "Open Source First" Principle for Public Bodies

Article 41 of the CADA proposal establishes a policy directive rather than a direct prohibition or mandatory standard for private developers. The article states:

"The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."

This provision applies specifically to Union entities (EU institutions, bodies, offices, and agencies) and public sector bodies. It does not apply to private enterprises, SMEs, or independent AI researchers. The language used—"shall take the necessary measures to encourage"—indicates that the legal obligation falls on the governments and EU institutions to create an environment that favors open source, not on the developers to conform to specific open-source mandates.

The phrase "cloud and AI ecosystem or stack" is the operational scope of this article. In the context of CADA, this refers to the entire technology infrastructure used by public bodies, ranging from the underlying cloud infrastructure and data centers to the middleware, software applications, and the AI models deployed within them.

Scope: AI Models as Components of the Stack

For AI models specifically, Article 41 means that when a public authority selects an AI solution, they are encouraged to evaluate open-source models (such as those released under permissive licenses like Apache 2.0, MIT, or copyleft licenses like GPL) against proprietary alternatives. The evaluation must consider:

• Functionalities: Technical capability, performance, and suitability for the specific public sector use case.
• Security: The ability to audit the code, manage vulnerabilities, and ensure transparency.
• Total Cost: Including licensing fees, support costs, and the long-term risks of vendor lock-in.
• Other duly justified objective criteria: Such as interoperability, sustainability, and alignment with EU strategic autonomy.

Crucially, Article 41 does not mandate that public bodies must choose open source in every instance. If a proprietary model demonstrably offers superior security, cost-efficiency, or functionality, it can still be selected. However, the default preference is shifted toward open-source components to foster a competitive, diverse market and reduce dependency on non-European hyperscalers.

Relation to AI Reuse Goals in Recitals

The recitals of the CADA proposal provide essential context for Article 41, clarifying the strategic intent behind these provisions and linking them to the broader Cloud and AI Leadership Initiatives (Title II).

Recital 15 states that the Cloud and AI Leadership Initiatives should "promote the development of technologies relying on open standards, open specifications and open source and foster the development of innovative, competitive and resilient cloud and AI technologies." It further notes that the initiative should "foster the work on open standards and specifications and the creation of open-source software foundations supporting the design, development and maintenance of open-source components."

Furthermore, Recital 81 emphasizes the role of open source in ensuring "transparency, security and efficiency in the use of digital technologies by the public sector." It highlights that access to source code "enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in."

These recitals confirm that the EU views open-source AI models and tools as a strategic asset for reducing dependency on third-country providers. The goal is to create a "flywheel" of innovation where public investment supports open-source AI, which in turn strengthens the European AI ecosystem. Article 42 complements this by requiring Union entities and public sector bodies that voluntarily make software available for reuse to do so via a catalogue connected to the EU Open Source Solutions Catalogue (Article 43), further institutionalizing the reuse of public-sector-developed AI tools.

Distinction from the AI Act

It is crucial to distinguish CADA's open-source provisions from the EU AI Act (Regulation (EU) 2024/1689). The AI Act regulates AI systems based on risk levels (prohibited, high-risk, limited risk, minimal risk). Under the AI Act, providers of general-purpose AI models have specific transparency obligations (Article 53), including drawing up technical documentation and making a summary of training content publicly available. However, the AI Act provides exemptions for models released under free and open-source licenses, provided their parameters, architecture, and usage information are publicly available (Article 53(2)).

CADA complements this by creating a market mechanism. While the AI Act sets the safety and transparency baseline, Article 41 creates a procurement preference that incentivizes the adoption of those open-source models by the public sector. CADA does not alter the AI Act's risk-based obligations; it simply influences who buys and uses these models and under what conditions.

Impact on AI Model Providers and Developers

For CTOs and architects evaluating the practical impact of CADA, the key takeaway is that CADA does not regulate the creation of AI models. There are no new requirements for AI developers to:

• Release their models as open source.
• Adopt specific open-source licenses.
• Participate in open-source software foundations.

Instead, CADA shapes the market demand. By encouraging public sector bodies to prioritize open-source components, CADA aims to increase the commercial viability and adoption of open-source AI models. This benefits developers who already operate in the open-source space by expanding their potential customer base in the public sector. Conversely, proprietary AI vendors may face increased competition in public procurement tenders, as evaluators will be guided to consider open-source alternatives more seriously.

What this means for you

For CTOs, architects, and SMEs operating in the EU cloud and AI market, the implications of Article 41 are strategic rather than compliance-heavy.

1. For Open-Source AI Providers: This is a positive signal. The EU is structurally incentivizing public bodies to consider your solutions. Ensure your models are well-documented, secure, and compliant with the AI Act's transparency requirements for open-source models. Highlighting your model's alignment with EU sovereignty goals (e.g., data residency, auditability) will be a competitive advantage in public tenders.
2. For Proprietary AI Vendors: You are not banned from the public sector, but the playing field is shifting. You must be prepared to demonstrate clear, objective value over open-source alternatives in terms of security, total cost of ownership, and functionality. Vendor lock-in risks will be scrutinized more heavily.
3. For Public Sector IT Leaders: You are not legally forced to buy open source, but you are expected to justify decisions that favor proprietary solutions. Procurement processes will need to include rigorous evaluations of open-source options, considering long-term sustainability and security auditability.
4. For SMEs and Startups: CADA aims to support smaller EU-based providers. By reducing dependency on large hyperscalers and promoting open-source stacks, the regulation seeks to create opportunities for niche, innovative AI solutions. Engaging with the proposed "Experience and Acceleration Centres for AI" (Article 5) can help connect your solutions with public sector buyers.

Common misconceptions

• Misconception: "CADA requires all AI models to be open source."
  • Fact: CADA does not mandate open source for any private company or developer. It only encourages public bodies to prefer open source when building their own ecosystems. Proprietary models remain fully legal and viable.
• Misconception: "Article 41 applies to all businesses using AI."
  • Fact: Article 41 explicitly targets "Union entities and public sector bodies." Private companies are not subject to this specific encouragement mandate, though they may be influenced by the broader market trends it creates.
• Misconception: "Open-source AI models are exempt from the AI Act under CADA."
  • Fact: CADA does not change AI Act obligations. The AI Act already provides specific exemptions for certain open-source general-purpose AI models. CADA simply adds a procurement preference on top of the existing regulatory framework.
• Misconception: "Public bodies must reject all proprietary AI."
  • Fact: Article 41 allows for "duly justified objective criteria." If a proprietary solution is demonstrably superior in security or cost, it can still be selected. The goal is balanced evaluation, not ideological purity.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• CADA Open Source Chapter: Articles 41–44 Explained
• What does CADA's open source chapter mean for public-sector buyers?
• CADA Open Source Chapter: Linking Article 41 to the EU Open Source Strategy
• CADA Open Source: How it aligns with the Apply AI Strategy and Digital Decade
• How does CADA open source affect open source software providers' business models?

This is general information about a draft EU regulation, not legal advice.