Summary The Network of Open Source Programme Offices (OSPO Network) established under the proposed Cloud and AI Development Act (CADA) does not produce binding rules. As explicitly stated in Article 44(3)(c) of the proposal, the Network contributes to the development of guidance, templates, or recommendations on a "voluntary and non-binding basis." It functions as a coordination and exchange mechanism for Open Source Programme Offices across the EU, not as a regulatory body with enforcement powers or the authority to issue legally mandatory standards. While the Network supports the implementation of CADA's open-source obligations, its outputs carry no direct legal force.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a comprehensive framework to strengthen the EU's cloud and AI ecosystem, with a specific focus on open-source software to reduce vendor lock-in and enhance technological sovereignty. A central pillar of this open-source strategy is the establishment of a network of Open Source Programme Offices (OSPOs). However, a precise legal distinction must be drawn between the binding obligations imposed on public sector bodies by the Regulation and the nature of the support provided by the OSPO Network itself.
The Legal Nature of the OSPO Network
Article 44 of the CADA proposal establishes the "Network of Open Source Programme Offices." The primary statutory purpose of this Network, as defined in Article 44(1), is to "facilitate cooperation on the implementation of the obligations under this Chapter." It brings together OSPOs established by public sector bodies at local, regional, or national levels in Member States, as well as those established by Union entities.
The specific tasks of the Network are exhaustively listed in Article 44(3). These include:
- Facilitating the exchange of information, experience, and best practices regarding technical, legal, and organisational challenges (Article 44(3)(a)).
- Promoting the sharing and reuse of open-source software by public sector bodies (Article 44(3)(b)).
- Collaborating on and exchanging open-source projects of common interest (Article 44(3)(d)).
Crucially, Article 44(3)(c) defines the Network's role in standardisation and guidance. It states that the Network shall be:
"contributing, on a voluntary and non-binding basis, to the development of guidance, templates or recommendations on the sharing and reuse of open-source software."
This phrasing is legally definitive. The Network's outputsβwhether they take the form of guidance documents, standard operational templates, or strategic recommendationsβare explicitly characterised as non-binding. They do not create mandatory compliance obligations for public sector bodies, Union entities, or private providers. They are designed to be supportive tools that assist entities in meeting their existing statutory obligations under CADA or national law, but they do not constitute the law itself.
Distinction Between Network Outputs and Binding Obligations
While the OSPO Network's outputs are voluntary, the broader CADA framework does impose binding obligations on Union entities and public sector bodies. It is vital to distinguish the source of the obligation from the source of the guidance.
- Binding Obligations: Article 41 obliges the Union and Member States to take necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open-source licence. Article 42 mandates that when Union entities or public sector bodies make software available for reuse under an open-source licence, they must do so using a catalogue or repository connected to the EU Open Source Solutions Catalogue (EU OSS Catalogue).
- Non-Binding Support: The OSPO Network exists to help entities comply with these binding articles by sharing best practices, reducing friction in adoption, and providing technical assistance. However, the Network itself cannot amend, override, or replace these statutory obligations. It cannot issue a "template" that, once adopted, automatically satisfies a legal requirement if the underlying legal criteria of Article 41 or 42 are not met.
Governance and the Commission's Role
The OSPO Network is supported and coordinated by the European Commission, as stipulated in Article 44(4). The Commission is tasked with convening and chairing meetings of the OSPO Network members at least twice a year (Article 44(5)).
While the Commission plays an active role in facilitating the Network, this coordination role does not transform the Network's voluntary outputs into delegated or implementing acts. The Commission retains separate powers to adopt delegated acts (under Article 45) or implementing acts (under Article 46), which are binding legislative instruments. The OSPO Network's recommendations remain distinct from these instruments. The Network serves as a forum for peer-to-peer exchange and collective intelligence, not as a legislative or quasi-judicial body.
What this means for you
For in-house counsel, compliance officers, and public procurement specialists, understanding the non-binding nature of the OSPO Network is essential for accurate risk management and strategic planning.
1. Voluntary Adoption of Best Practices
You are not legally required to follow the guidance, templates, or recommendations produced by the OSPO Network. However, because these materials will likely reflect the "state of the art" and the collective best practices of EU public authorities, ignoring them could carry operational and reputational risks. If a dispute arises regarding whether an entity has met its general obligation to encourage open-source use (under Article 41), adherence to OSPO Network recommendations could serve as strong evidence of good faith and due diligence. Conversely, a failure to consider such guidance might be viewed as a lack of reasonable effort in complying with the spirit of the Regulation.
2. Distinction Between Compliance and Coordination
Do not mistake participation in the OSPO Network for compliance with CADA's core mandates. Your entity must still independently ensure compliance with Article 42 (catalogue connection) and any national measures implementing Article 41. The OSPO Network provides a forum for how to achieve these goals efficiently, but it does not relieve you of the responsibility to achieve them. The Network's guidance is a "how-to" resource, not a "compliance shield."
3. No Enforcement Power
The OSPO Network has no enforcement powers. It cannot impose fines, issue cease-and-desist orders, or penalize non-compliance with its recommendations. Enforcement of CADA's binding provisions remains with national competent authorities and, where applicable, the Commission. If your organization chooses not to adopt a specific template from the OSPO Network, you will not face regulatory sanctions solely for that choice. Sanctions would only arise from a breach of the binding articles themselves (e.g., failing to connect to the EU OSS Catalogue), not from failing to follow the Network's advice.
4. Strategic Influence and Future Regulation
While the Network's outputs are non-binding, they may influence future regulatory developments. The Commission monitors the Network's activities (Article 44(4)). Consensus-driven recommendations from the Network could inform future delegated acts or guidelines issued by the Commission, which may carry more weight or become binding. Compliance officers should monitor OSPO Network outputs not as mandatory rules today, but as early indicators of emerging expectations and standardised approaches within the EU public sector tomorrow.
Common misconceptions
Misconception 1: The OSPO Network can issue mandatory standards. Correction: No. Article 44(3)(c) explicitly limits the Network's contributions to a "voluntary and non-binding basis." It cannot create legally binding standards. Mandatory standards in the EU context are typically developed through European standardisation organisations (CEN, CENELEC, ETSI) or via EU harmonised standards, which is a separate process from the OSPO Network.
Misconception 2: Participation in the OSPO Network is mandatory for all public sector bodies. Correction: Article 44(2) states that OSPOs "may request from the Commission to join the OSPO Network." Participation is voluntary. While Member States are encouraged to establish OSPOs to facilitate the implementation of CADA's open-source chapter, joining the EU-wide Network is not a statutory obligation for every individual public body.
Misconception 3: The OSPO Network replaces national regulatory oversight. Correction: The OSPO Network is a peer-to-peer exchange and coordination body. It does not replace the supervisory roles of national competent authorities, data protection authorities, or cybersecurity authorities. It focuses on technical, legal, and organisational challenges related to open-source software (Article 44(3)(a)), but it has no jurisdiction over enforcement or legal adjudication.
Misconception 4: Templates from the OSPO Network guarantee legal compliance. Correction: Because the Network's outputs are non-binding, using its templates does not provide a "safe harbour" or automatic presumption of compliance with CADA or other EU laws (such as the GDPR or the AI Act). Entities must still conduct their own legal assessments to ensure that the use of specific open-source licences or software components meets all applicable legal requirements. The Network's guidance is advisory, not determinative.
Official sources
Related
- What templates or guidance can public bodies expect from the OSPO Network under CADA?
- CADA Open Source Assessment: Obligations, OSPO Network & Reuse Rules
- Why does CADA create an OSPO Network? (Recital 84 explained)
- Who establishes the OSPO Network under CADA?
- Who coordinates the CADA OSPO Network? Commission's role explained
This is general information about a draft EU regulation, not legal advice.