Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies wishing to share data centre or cloud computing services within the EuroCloud Federation must first demonstrate strict compliance with Article 35 to the European Commission. As proposed, you must prove that the "sharing entity" owns the underlying hardware (either directly or via a controlled intermediate legal entity) and that it exercises decisive influence over any such intermediate entity. Additionally, you must document appropriate technical, operational, and organisational measures to ensure secure and resilient service provision. Once you submit evidence satisfying these conditions, Article 35(4) obliges the Commission to assess the information and, if the conditions are met, allow the sharing to proceed. This is a mandatory compliance check, not a discretionary approval process.

Detail

The EuroCloud Federation, established under Article 34 of the proposed CADA, is designed to facilitate the voluntary sharing of public-sector data centre and cloud computing services between Union entities and public sector bodies. However, to prevent market distortion and ensure the security of shared infrastructure, Article 35 imposes rigorous pre-conditions on any member acting as a "sharing entity."

Before any service can be shared, the sharing entity must submit a formal demonstration to the Commission proving it meets the criteria set out in Article 35(1) through Article 35(4). This process ensures that the Federation remains a public-sector instrument and does not inadvertently become a vehicle for private commercial advantage.

1. Proving Hardware Ownership (Article 35(1))

The foundational requirement for sharing is ownership of the physical infrastructure. Article 35(1) states that a member may share services only where the sharing entity "directly, or indirectly through an intermediate legal entity, owns the hardware through which the service is made available and provides the service that is made available to the using entity."

This creates two distinct pathways for compliance, each requiring specific evidence:

  • Direct Ownership: The public-sector body itself holds the title to the servers, storage arrays, and networking equipment. To demonstrate this, you must provide asset registers, procurement contracts, and proof of title showing the entity's direct legal ownership of the infrastructure used to deliver the service.
  • Indirect Ownership via an Intermediate Legal Entity: Many public bodies operate through dedicated legal entities (e.g., national cloud companies or joint ventures). In this scenario, the sharing entity does not own the hardware directly but owns the entity that does. Article 35(1) explicitly permits this, provided the sharing entity "indirectly through an intermediate legal entity, owns the hardware."

2. Demonstrating Control of an Intermediate Entity

If you rely on an intermediate legal entity to own the hardware, you must prove that the sharing entity exercises control over that entity. While Article 35(1) mandates this control, the specific cumulative conditions defining "control" are detailed in Recital 71 of the proposal. To satisfy the Commission, you must demonstrate that all three of the following conditions are met simultaneously:

  1. Decisive Influence: The sharing entity must exercise a "decisive influence over both strategic objectives and significant decisions of the intermediate legal entity." Evidence for this typically includes board composition documents, voting rights agreements, or management charters that grant the public-sector body veto power or final decision-making authority over key strategic and operational matters.
  2. No Direct Private Capital: There must be "no direct private capital participation in that intermediate legal entity." This condition ensures the entity remains a public-sector instrument rather than a private commercial operator, thereby preventing the distortion of competition with private cloud providers. You must provide capital structure documents, shareholder registers, and audited financial statements proving the absence of private equity or private investment.
  3. Predominantly Public Tasks: "More than 80% of the activities of the intermediate legal entity must be carried out in the performance of tasks entrusted to it by the sharing entity." This ensures the entity's primary purpose is serving the public-sector body's needs, rather than engaging in broad commercial activities on the open market. You must provide activity reports and revenue breakdowns demonstrating that the vast majority of the entity's work is derived from the public mandate.

3. Ensuring Secure and Resilient Provision (Article 35(2))

Ownership and control are necessary but not sufficient. Article 35(2) requires the sharing entity to put in place "appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."

When demonstrating compliance, you must provide evidence of a comprehensive security framework, including:

  • Risk Analysis Policies: Documented policies on risk analysis and information system security.
  • Access Control: Robust policies on access control, including identity and access management (IAM) procedures.
  • Incident Handling and Business Continuity: Plans for incident response and business continuity to ensure service resilience.
  • Interoperability and Connectivity: Policies supporting the interoperability and connectivity of the shared services with the EuroCloud Federation platform.

These measures must be sufficient to guarantee that the shared services are secure, reliable, and compliant with Union law, including data protection and cybersecurity standards.

4. The Commission's Assessment and Authorization (Article 35(3) & (4))

The procedural mechanism for authorization is defined in Article 35(3) and Article 35(4).

Article 35(3) establishes the obligation: "Prior to sharing data centre services and cloud computing services within the EuroCloud Federation, the sharing entity shall demonstrate to the Commission that it fulfils the conditions set out in paragraphs 1 and 2." This requires a formal submission of evidence regarding hardware ownership, control structures, and security measures.

Article 35(4) defines the Commission's duty: "The Commission shall assess the information provided by the sharing entity and allow the sharing entity to share data centre services and cloud computing services within the EuroCloud Federation where the conditions laid down in paragraphs 1 and 2 are fulfilled."

This language is critical. It establishes that the Commission's role is a compliance verification, not a discretionary approval. If the sharing entity has met the statutory conditions, the Commission is legally obligated to allow the sharing. This provides legal certainty for public-sector bodies that have invested in sovereign infrastructure and wish to participate in the Federation.

What this means for you

For public-sector procurement officers, IT directors, and legal counsel, the practical implication is that participation in the EuroCloud Federation is not automatic upon joining. You must undergo a rigorous pre-sharing verification process.

  1. Conduct an Infrastructure Audit: Before applying to share services, conduct a thorough internal audit of your hardware assets. If you utilize an intermediate entity, immediately review its corporate governance to ensure it meets the "control" criteria: decisive influence, zero private capital, and >80% public task allocation.
  2. Document Security Measures: Prepare comprehensive documentation of your technical, operational, and organizational security policies. This documentation should align with EU cybersecurity standards (such as the European Cybersecurity Certification Scheme for Cloud Services, once finalized) and explicitly demonstrate resilience against disruptions.
  3. Prepare a Formal Submission Dossier: Compile a comprehensive dossier for the Commission. This must include:
    • Proof of hardware ownership (direct or indirect).
    • Corporate governance documents proving control over any intermediate entity (articles of association, shareholder agreements, activity reports).
    • Detailed security documentation (risk policies, access controls, incident plans).
  4. Plan for Compliance Costs: While the sharing mechanism itself is based on cost recovery (see Article 35(5)), the administrative burden of demonstrating compliance to the Commission will require significant legal and technical resources. Ensure your budget accounts for this upfront investment in preparation and documentation.

Common misconceptions

"Any public cloud provider can join EuroCloud." Incorrect. The EuroCloud Federation is strictly for public-sector bodies (Union entities and public sector bodies). Private entities cannot directly participate. Furthermore, even public bodies must prove they own the hardware they are sharing, either directly or through a strictly controlled intermediate entity.

"The Commission can arbitrarily deny sharing requests." Incorrect. Under Article 35(4), the Commission must allow sharing if the conditions are fulfilled. The assessment is a compliance verification, not a discretionary approval process. If you meet the criteria, the Commission is obligated to authorize the sharing.

"Intermediate entities can have private investors." Incorrect. Recital 71 explicitly states that there should be "no direct private capital participation in that intermediate legal entity." This is a hard constraint to prevent the public sector from using the Federation to outsource to private companies under the guise of public cooperation.

"Sharing services is free." While the sharing is not a commercial transaction intended for profit, Article 35(5) allows the sharing entity to charge a fee. However, this fee is strictly limited to the costs incurred in relation to the sharing of the service (e.g., resource allocation, integration, compliance management). It is not "free" in terms of operational cost, but it is not a profit-generating activity.

Related

This is general information about a draft EU regulation, not legal advice.