Summary
Joining the EuroCloud Federation is voluntary, but as proposed in the Cloud and AI Development Act (CADA), it creates binding legal obligations for participating public bodies. Members must pay administration fees, comply with strict security and technical standards if they share capacity, and adhere to governance rules set by the Commission. While the act of joining is a request-based choice, the operational duties—particularly for entities sharing infrastructure—are mandatory conditions of participation.
Detail
Under the proposed Cloud and AI Development Act (CADA), the EuroCloud Federation is established as a mechanism to facilitate the sharing of data centre and cloud computing services between Union entities and public sector bodies. While participation is not mandatory, joining triggers specific legal duties regarding governance, finance, and operational security.
Voluntary Participation and Governance
Article 34(1) of the proposal establishes that the EuroCloud Federation is "open for the participation of Union entities and public sector bodies on a voluntary basis." Public bodies do not join automatically; they must actively "request the Commission to join the EuroCloud Federation." Once admitted, members are subject to the governance framework established by the Commission, which includes a dedicated platform for exchanging and orchestrating resources.
The Commission is empowered to adopt implementing acts to specify the procedure to participate and the template concerning the content of the request. This ensures a standardized entry process, but the initial decision to apply remains at the discretion of the public body.
Financial Obligations: Fees and Reimbursement
Participation is not free. Article 36(1) stipulates that the costs arising from the Commission's activities under this chapter, such as assessing membership requests and maintaining the platform, "shall be jointly financed by the members of the EuroCloud Federation through fees levied by the Commission."
These fees are designed to be cost-recovery mechanisms rather than profit-generating instruments. The proposal specifies that revenues generated from these fees constitute "internal assigned revenues," meaning they are ring-fenced to cover the specific costs of the Federation. If initial establishment costs are first borne by the general budget of the Union, Article 36(2) requires that they "shall be reimbursed by the EuroCloud members over a period not exceeding three years from the date on which the costs were borne by the Union."
The Commission is required to adopt implementing acts laying down detailed rules for determining the estimated costs, the individual amount of the fees, and the manner and conditions under which the fees are to be paid. Failure to pay these levied fees would constitute a breach of the membership agreement and the Regulation's financial provisions.
Operational and Security Duties for Sharing Entities
The most significant legal obligations arise for members who wish to share their existing cloud or data centre capacity with other federation members. Article 35 imposes strict conditions on the "sharing entity" (the provider of the capacity) and the "using entity" (the beneficiary).
A sharing entity must demonstrate to the Commission that it fulfils specific conditions before it can share services. Crucially, Article 35(2) requires the sharing entity to "put in place appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."
While Article 35(2) sets the general obligation, the specific nature of these measures is elaborated in Recital 72 of the proposal, which states that these measures should include, in particular, "policies on risk analysis and information system security, including access control policies, policies on incident handling and business continuity and policies supporting interoperability and connectivity."
If a public body joins the Federation but fails to implement these measures when sharing capacity, it risks non-compliance with the sovereignty and security standards required for public sector cloud services. The Commission must assess the information provided by the sharing entity and only "allow the sharing entity to share data centre services and cloud computing services within the EuroCloud Federation where the conditions laid down in paragraphs 1 and 2 are fulfilled."
Furthermore, any fees charged by the sharing entity to the using entity must be strictly limited to the additional costs incurred (e.g., isolating resources, managing access, ensuring compliance) and cannot constitute a "pecuniary interest" within the meaning of public procurement directives. Article 35(5) explicitly states that such fees "shall not constitute a pecuniary interest within the meaning of Article 2 of Directive 2014/24/EU and Regulation (EU, Euratom) 2024/2509."
Liability and Compliance
While CADA does not detail specific criminal penalties for Federation membership breaches in the same way it does for high-risk AI systems, the framework relies on administrative enforcement. The Commission assesses whether a sharing entity fulfils the conditions of Article 35. If a member fails to maintain the required security standards or misuses the Federation for commercial purposes, the Commission can refuse or withdraw the authorization to share services. This could effectively suspend the member's ability to participate in the core benefits of the Federation.
Additionally, the sharing of services within the Federation is anchored in public-sector cooperation governed solely by considerations of public interest. It must not entail any form of consideration in exchange for another, except for the strictly cost-recovery fees described above.
What this means for you
For in-house counsel and compliance officers, joining the EuroCloud Federation is a strategic decision that requires careful legal and financial planning.
- Budgetary Planning: You must account for annual administration fees levied by the Commission. These are not optional; they are a condition of membership under Article 36. Ensure your department's budget includes line items for these recurring costs, as well as potential reimbursement of initial setup costs if the EU budget front-loads the investment.
- Security Audits: If your body intends to share idle capacity with other members, you must undergo a rigorous assessment. You will need to document and prove that your technical, operational, and organizational measures meet the high standards of Article 35. This likely requires a gap analysis of your current cybersecurity posture against EU best practices, specifically focusing on risk analysis, access control, and incident handling policies.
- Contractual Clarity: When sharing services, ensure that any charges to other members are strictly cost-based. Mispricing these services could inadvertently create a "pecuniary interest," potentially violating the exemption from public procurement rules and exposing your body to legal challenges. The fee must be limited to the costs incurred for sharing the capacity, not for the service itself.
- Governance Engagement: As a member, you will be part of a governance structure overseen by the Commission. Stay informed about implementing acts that may specify detailed technical requirements for the Federation's platform and security protocols, as the Commission has the power to adopt these acts to specify technical, operational, and organisational measures.
Common misconceptions
- "Membership is mandatory for all public cloud users." Incorrect. Article 34(1) explicitly states participation is voluntary. However, while not mandatory, it may be strategically encouraged to reduce dependencies on third-country providers and leverage collective buying power.
- "Sharing services within the Federation is free of charge." Partially incorrect. While the administration of the Federation is funded by member fees, the sharing of specific computing resources between members is not necessarily free. Article 35(5) allows a sharing entity to charge a fee, but it must be strictly limited to the actual costs incurred for sharing that specific capacity. It cannot be a profit-making activity.
- "Joining the Federation exempts me from all other cloud sovereignty rules." Incorrect. The EuroCloud Federation is one mechanism within the broader CADA sovereignty framework. Members must still adhere to the Union assurance levels and risk assessments applicable to their specific public order functions, as outlined in other parts of the Regulation. The Federation does not override the requirement for Union assurance levels for public procurement.
This is general information about a draft EU regulation, not legal advice.