Does the Interoperable Europe Act mandate interoperability for CADA cloud services?

Summary The proposed Cloud and AI Development Act (CADA) does not mandate that commercial cloud computing services themselves undergo interoperability assessments under the Interoperable Europe Act (IEA). Instead, CADA establishes a sovereignty framework (Article 16) focused on data control and operational autonomy, distinct from the IEA's technical interoperability goals.

However, CADA's own digital infrastructure—specifically the EU Open Source Solutions Catalogue and the central repository of recognised cloud services—is explicitly designed to align with the IEA. The EU OSS Catalogue, established under Article 43, is mandated to be hosted on the Interoperable Europe portal, thereby directly implementing the IEA's requirement for sharing interoperability solutions. For other CADA platforms, such as the central repository and the EuroCloud Federation platform, the need for a formal IEA interoperability assessment "will be evaluated once the operational details... become available," as noted in the proposal's digital dimensions analysis. Compliance officers must distinguish between the sovereignty obligations of cloud providers and the interoperability obligations of the public platforms CADA creates.

Detail

The Distinct Mandates: Sovereignty vs. Interoperability

To understand the interaction between CADA and the Interoperable Europe Act (Regulation (EU) 2024/903), one must first distinguish their primary objectives. The IEA establishes a framework to ensure that digital public services developed with public funding are interoperable, specifically mandating interoperability assessments for services that are trans-European in nature or have significant cross-border impacts. Article 4 of the IEA specifically mandates the sharing and reuse of interoperability solutions between Union entities and public sector bodies.

CADA, as proposed in COM(2026) 502 final, addresses a different gap: the lack of a harmonised Union framework for cloud sovereignty. Article 16(1) establishes a Union cloud computing sovereignty framework comprising four assurance levels. These levels focus on criteria such as Union establishment, location of infrastructure, absence of third-country control, and cybersecurity standards. They do not, in themselves, impose technical interoperability requirements on the commercial cloud services provided to the public sector.

The relationship is therefore one of structural alignment rather than direct mandate. CADA builds the sovereign infrastructure; the IEA ensures that the public platforms managing that infrastructure are interoperable.

CADA's Digital Solutions and IEA Alignment

CADA proposes three key digital components that interact with the IEA framework. The level of alignment varies from "already implemented" to "pending operational definition."

1. The EU Open Source Solutions Catalogue (Article 43)

This is the most direct intersection between the two acts. Article 43(1) mandates the Commission to provide and maintain an EU Open Source Solutions Catalogue (EU OSS Catalogue) as a centralised catalogue to access software made available for reuse by Union entities and public sector bodies.

Crucially, Article 43(2) explicitly states:

"The EU OSS Catalogue shall be hosted on the Interoperable Europe portal referred to in Article 8 of Regulation (EU) 2024/903 and shall be accessible electronically free of charge."

This provision does not merely align with the IEA; it operationalises it. By hosting the catalogue on the Interoperable Europe portal, CADA ensures that the EU OSS Catalogue is inherently subject to the IEA's ecosystem. The CADA digital dimensions assessment confirms this, noting that the EU OSS Catalogue "delivers upon" the requirement of Article 4 of the Interoperable Europe Act. Consequently, for the specific purpose of software reuse and sharing, CADA is not just compatible with the IEA; it is a direct implementation mechanism.

2. The Central Repository of Recognised Cloud Services (Article 22)

Article 22(1) requires the Commission to establish and maintain a dedicated repository of cloud computing services that have been recognised as offering Union assurance levels 1-4. This repository will be publicly available and regularly updated.

Unlike the EU OSS Catalogue, the CADA text does not explicitly mandate that this repository be hosted on the Interoperable Europe portal. However, the proposal's digital dimensions assessment indicates that the need for an interoperability assessment under the IEA for this repository "will be evaluated once the operational details for the repository of recognised cloud computing services become available."

This suggests a conditional status. The repository is a trans-European digital public service by design. If the Commission determines that the repository meets the definition of a trans-European digital public service under the IEA, it would likely trigger the requirement for an interoperability assessment. Until the operational details are finalised and the assessment is triggered, the repository operates under CADA's sovereignty rules, with IEA compliance pending a future evaluation.

3. The EuroCloud Federation Platform (Article 34)

Article 34(3) mandates the Commission to establish a platform for the EuroCloud Federation, providing a catalogue of available services and a service platform for the exchange and orchestration of computing resources.

Similar to the central repository, the CADA digital dimensions assessment notes that the interoperability assessment for the EuroCloud platform "will be specified by the Commission at a later stage." The platform is intended to facilitate cross-border sharing of public sector cloud capacity. Once the technical and operational specifications are defined, the Commission will evaluate whether the platform constitutes a trans-European digital public service requiring an IEA assessment.

Does CADA Mandate Interoperability for Cloud Services Themselves?

No. CADA Article 16(1) establishes a Union cloud computing sovereignty framework. The criteria in Annex II focus on:

• Union establishment and location: Ensuring the provider and infrastructure are in the Union (Annex II, Sections 1.1(a)-(c), 2.1(a)-(b)).
• Cybersecurity: Requiring certification at "substantial" (Levels 2 & 3) or "high" (Level 4) assurance levels (Annex II, Sections 2.1(e), 3.1(e), 4.1(e)).
• Absence of third-country control: Preventing extraterritorial access or disruption (Annex II, Sections 2.1(g), 3.1(g), 4.1(g)).

While Article 41 encourages Union entities and public sector bodies to use open standards and open source components, and Article 42 requires software reuse to be connected to the EU OSS Catalogue, CADA does not impose a direct interoperability assessment obligation on private cloud computing service providers under the IEA. The interoperability requirements apply to the public sector platforms built by the Commission (the Catalogue, the Repository, the Federation), not to the commercial cloud services themselves. A cloud provider can be recognised at Union assurance level 4 without having undergone an IEA interoperability assessment, provided it meets the sovereignty criteria in Annex II.

Deadlines and Implementation

• CADA Entry into Application: One year after entry into force (Article 48).
• EU OSS Catalogue: Must be established and hosted on the Interoperable Europe portal immediately upon the regulation's application, as per Article 43.
• Interoperability Assessments: For the central repository (Article 22) and EuroCloud platform (Article 34), assessments are contingent. They will be triggered once the Commission defines the operational details and determines if the services qualify as trans-European digital public services under the IEA.

What this means for you

For In-House Counsel and Compliance Officers

1. Monitor Platform Designations: Track whether the Commission designates the CADA central repository (Article 22) or the EuroCloud platform (Article 34) as trans-European digital public services. If so, they will be subject to IEA interoperability assessments. This affects how public sector bodies interact with these platforms and the data they exchange.
2. Leverage the EU OSS Catalogue: Ensure that any software developed by or for your Union entity or public sector body is made available for reuse via a catalogue connected to the EU OSS Catalogue (Article 42). This fulfills both CADA's reuse obligation and the IEA's Article 4 mandate for sharing interoperability solutions.
3. Distinguish Sovereignty from Interoperability: Do not conflate CADA's sovereignty assurance levels with IEA interoperability requirements. A cloud service can be Union assurance level 4 (highest sovereignty) without undergoing an IEA interoperability assessment, as the assessment applies to the public platforms, not the commercial services.
4. Prepare for Secondary Legislation: The Commission will adopt implementing acts to specify the technical, operational, and organisational measures for the EuroCloud Federation (Article 35(6)) and the central repository. These acts will clarify any IEA assessment requirements and the specific technical standards to be applied.

Key Actions

• Audit Software Reuse: Verify that your organisation's software reuse processes align with Article 42 of CADA and Article 4 of the IEA. Ensure your repositories are connected to the EU OSS Catalogue.
• Engage with the OSPO Network: Join the network of Open Source Programme Offices (Article 44) to stay updated on best practices for interoperable software sharing and to participate in the development of guidance on interoperability.
• Review Procurement Criteria: When procuring cloud services, use the Union assurance levels (Article 30) as the primary compliance metric. Do not request IEA interoperability certifications for the cloud service itself unless the service is part of a specific trans-European public platform.

Common misconceptions

Misconception 1: CADA requires all cloud services to pass an IEA interoperability assessment.

• Reality: CADA requires cloud services to meet sovereignty criteria (Article 16). The IEA interoperability assessments apply to the public digital platforms built by the Commission (e.g., the EU OSS Catalogue, the central repository), not to private cloud providers.

Misconception 2: The EU OSS Catalogue is a new, standalone system.

• Reality: CADA Article 43(2) explicitly mandates that the EU OSS Catalogue be hosted on the existing Interoperable Europe portal, directly implementing the IEA's Article 4 requirement for shared interoperability solutions.

Misconception 3: Interoperability is the same as sovereignty.

• Reality: Sovereignty (CADA) focuses on data control, operational autonomy, and protection from third-country access. Interoperability (IEA) focuses on technical compatibility and reuse of digital public services. A service can be sovereign without being interoperable under the IEA, and vice versa.

Related

• CADA and the Interoperable Europe Act: How the EU OSS Catalogue Connects
• CADA & Interoperable Europe Act: How the EuroCloud Federation works
• CADA Repositories & Interoperable Europe: Do they need an assessment?
• Where is the CADA EU Open Source Catalogue hosted? Interoperable Europe portal
• EuroCloud Federation & Interoperable Europe: How CADA Links Infrastructure and Software

This is general information about a draft EU regulation, not legal advice.