How can a public body share spare capacity via EuroCloud?

Summary Under the proposed Cloud and AI Development Act (CADA), public bodies can share spare data centre and cloud computing capacity through the EuroCloud Federation, a voluntary network established to optimise public-sector resources. To participate, a public body (the "sharing entity") must own the hardware providing the service, either directly or through a controlled public intermediate entity. Before sharing begins, the entity must demonstrate to the European Commission that it has implemented robust technical, operational, and organisational security measures. While the sharing is based on public interest rather than commercial exchange, the sharing entity may charge the receiving entity ("using entity") a fee, but this fee is strictly limited to recovering the additional costs incurred (e.g., for resource isolation or access management). Crucially, because these fees are cost-recovery only, the arrangement does not constitute a public contract and is exempt from standard EU public procurement rules.

Detail

The Cloud and AI Development Act (CADA), proposed in COM(2026) 502 final, introduces the EuroCloud Federation as a mechanism to facilitate the sharing of secure and resilient public-sector data centre services and cloud computing services. This initiative aims to reduce waste, improve resource utilisation, and strengthen the Union's strategic autonomy by leveraging existing public infrastructure. The framework is governed by Title IV, Chapter III of the proposal, specifically Articles 34 and 35.

1. Voluntary Participation and Access

Participation in the EuroCloud Federation is not mandatory. Article 34(1) states that the Federation is open for the participation of Union entities and public sector bodies on a voluntary basis. To join, these entities may request the Commission to join the Federation.

Once admitted, members gain access to a platform established by the Commission. This platform provides:

• A catalogue containing information on available public sector data centre services and cloud computing services.
• A service platform for the exchange and orchestration of computing, storage, and network resources.

2. The Ownership Requirement: A Core Condition

The most critical constraint for sharing capacity is ownership. Article 35(1) establishes that a member of the Federation (the "sharing entity") may share services with another member (the "using entity") only where the sharing entity directly, or indirectly through an intermediate legal entity, owns the hardware through which the service is made available.

If the hardware is owned indirectly through an intermediate legal entity, the sharing entity must exercise control over that entity. The proposal defines this control through three cumulative conditions:

1. The sharing entity must exercise decisive influence over both the strategic objectives and significant decisions of the intermediate entity.
2. There must be no direct private capital participation in that intermediate entity.
3. More than 80% of the activities of the intermediate entity must be carried out in the performance of tasks entrusted to it by the sharing entity.

This strict definition ensures that the sharing mechanism remains within the public sector sphere and prevents the distortion of competition with private economic operators. A public body cannot share capacity if it merely leases it from a private provider; it must own the underlying hardware.

3. Security and Organisational Obligations

Before any sharing can take place, the sharing entity must ensure the provision of services is effective, secure, and resilient. Article 35(2) mandates that the sharing entity put in place appropriate technical, operational, and organisational measures. These measures must specifically include:

• Policies on risk analysis and information system security, including access control policies.
• Policies on incident handling and business continuity.
• Policies supporting interoperability and connectivity.

4. Commission Assessment and Approval

The process is not automatic upon joining the Federation. Article 35(3) requires that prior to sharing data centre services and cloud computing services, the sharing entity must demonstrate to the Commission that it fulfils the conditions set out in Article 35(1) (ownership/control) and Article 35(2) (security measures).

The Commission then assesses the information provided. Article 35(4) states that the Commission shall allow the sharing entity to share services within the Federation where the conditions laid down in paragraphs 1 and 2 are fulfilled. Only after this assessment and allowance can the exchange of capacity proceed.

5. Cost-Recovery Fees and Procurement Exemption

The sharing of services within the EuroCloud Federation is anchored in public-sector cooperation and should not entail any form of consideration in exchange for another. However, Article 35(5) explicitly allows the sharing entity to charge a fee to the using entity.

This fee is strictly limited to the costs that the sharing entity incurs in relation to the sharing of the service. The proposal clarifies that these costs are limited to the additional costs incurred in the sharing of capacity, including:

• Allocating and isolating resources.
• Managing access.
• Enabling the integration and interoperability of resources.
• Ensuring compliance with applicable Union law requirements.
• Managing the sharing relationship.

Crucially, the proposal states that these fees shall not be deemed as a consideration for the provision of a service and shall not constitute a pecuniary interest or public contract within the meaning of Directive 2014/24/EU. Consequently, the sharing of services within the EuroCloud Federation does not fall under Union public procurement rules, provided the conditions of Article 35 are met. This exemption allows public bodies to share capacity without triggering the full complexity of tender procedures for each transaction.

What this means for you

For public-sector IT directors, procurement officers, and asset managers, the EuroCloud Federation offers a strategic tool to optimise infrastructure investment, but it requires strict adherence to ownership and cost rules.

• Verify Hardware Ownership First: Before attempting to share, conduct a legal audit of your assets. If your data centre or cloud infrastructure is leased from a commercial provider (e.g., a hyperscaler), you cannot share it via the EuroCloud Federation. You must own the hardware, either directly or via a public subsidiary that meets the strict control criteria (no private capital, >80% public tasks).
• Prepare for Commission Scrutiny: Do not assume that joining the Federation grants immediate sharing rights. You must prepare a comprehensive dossier demonstrating your compliance with ownership rules and your security policies (risk analysis, incident handling, access control) to satisfy the Commission's assessment under Article 35(3).
• Implement Strict Cost Accounting: If you share capacity, you can charge a fee, but it must be cost-recovery only. You cannot generate profit. You must be able to isolate and document the additional costs incurred specifically for the sharing activity (e.g., the cost of creating a new isolated network segment for the partner). General overheads or existing infrastructure costs cannot be passed on as a fee.
• Leverage the Procurement Exemption: Once approved, you can share capacity with other Federation members without running a new public tender for each partner. This significantly reduces administrative burden and accelerates the deployment of shared resources across the EU.
• Ensure Security Readiness: Your security posture must be robust. The Commission will not approve sharing if your policies on incident handling or access control are insufficient. Ensure your technical measures align with the requirements of Article 35(2) before applying.

Common misconceptions

"We can share any cloud service we use, even if we lease it from a private provider." No. Article 35(1) is explicit: the sharing entity must own the hardware. If you are a tenant of a private cloud provider, you do not own the underlying infrastructure and therefore cannot share it via the EuroCloud Federation. The hardware must be owned directly or by a controlled public intermediate entity.

"We can charge market rates for our spare capacity to generate revenue." No. Article 35(5) limits fees strictly to the additional costs incurred for sharing (e.g., isolation, access management). The arrangement is for cost recovery, not profit generation. Charging market rates would constitute a commercial transaction, which would trigger public procurement rules and violate the cost-recovery principle.

"We can start sharing immediately after joining the Federation." No. Article 35(3) and Article 35(4) require a specific demonstration of compliance to the Commission and a subsequent assessment and allowance before any sharing can commence. Joining the Federation is a prerequisite, but not a sufficient condition for sharing.

"This is a procurement process, so we need to follow standard public tender rules for each new partner." No. Because the fees are limited to cost recovery and do not constitute a pecuniary interest, the sharing of services within the EuroCloud Federation does not fall under Union public procurement rules, provided the conditions of Article 35 are met. This is a key benefit of the mechanism.

Related

• CADA: Should a public body share capacity or procure via the Commission?
• Can a public body both share and use services in the EuroCloud Federation?
• Can a non-Member State public body join the EuroCloud Federation?
• What counts as a public sector body for EuroCloud Federation membership under CADA?
• EuroCloud Federation benefits: cost recovery, spare capacity & sovereign pooling

This is general information about a draft EU regulation, not legal advice.