Summary Under the proposed Cloud and AI Development Act (CADA), public sector bodies at local, regional, or national levels, as well as Union entities, are encouraged to establish an Open Source Programme Office (OSPO) to join a new EU-wide network. Article 44(2) of the proposal explicitly states that established OSPOs "may request from the Commission to join the OSPO Network." Once joined, the network serves as a coordination hub to facilitate the exchange of best practices on licensing, security, maintenance, and procurement of open-source software. Membership is voluntary, but the network plays a critical role in helping public bodies comply with CADA's broader open-source obligations, such as the requirement to share software via the EU Open Source Solutions Catalogue.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a comprehensive framework to strengthen the EU's digital sovereignty by promoting open standards and open-source software (OSS). A key mechanism for achieving this is the establishment of a Network of Open Source Programme Offices (OSPO Network). This section details the legal requirements for establishing an OSPO, the process for joining the network, and the specific operational tasks the network is mandated to perform.

The Legal Basis: Article 44 of CADA

The governance and operation of the OSPO Network are defined in Article 44 of the CADA proposal. This article is situated within Title IV (Autonomy), Chapter V (Open Source), which also includes provisions on promoting open-source solutions (Article 41), sharing and reusing software (Article 42), and the establishment of the EU Open Source Solutions Catalogue (Article 43).

1. Establishing an OSPO and Requesting Membership

The first step for any public sector body wishing to participate is the internal establishment of an OSPO. Article 44(2) sets out the eligibility criteria for joining the network:

"Open Source Programme Offices established by public sector bodies at local, regional or national level in a Member State, and those established by Union entities, may request from the Commission to join the OSPO Network."

This provision clarifies two critical points:

  • Scope of Eligibility: The network is open to OSPOs from all levels of public administration within Member States (local, regional, national) as well as Union entities (EU institutions, bodies, offices, and agencies).
  • Voluntary Request: Membership is not automatic upon establishment. The text uses the phrase "may request," indicating that the public body must actively submit a formal request to the European Commission to join. The Commission is then responsible for managing these requests and maintaining the network.

2. The Mandated Tasks of the OSPO Network

Once established and joined, the OSPO Network is not merely a discussion forum; it has specific, legally defined tasks under Article 44(3). These tasks are designed to address the practical challenges public bodies face when adopting open-source software. The article lists the following core functions:

  • Facilitating Exchange (Article 44(3)(a)): The network must facilitate the exchange of information, experience, and best practices between Member States and the Commission. Crucially, this exchange must cover "common technical, legal and organisational challenges, including those related to licensing, security, maintenance and procurement of open-source software."

    • Licensing: Addressing complexities in license compatibility, compliance, and legal risk.
    • Security: Sharing methodologies for vulnerability management and secure integration of OSS.
    • Maintenance: Discussing strategies for long-term project sustainability and avoiding vendor lock-in.
    • Procurement: Aligning public procurement practices to favor open-source solutions.

  • Promoting Reuse (Article 44(3)(b)): The network is tasked with actively promoting the sharing and reuse of open-source software by public sector bodies. This aligns with the broader CADA objective of reducing duplication and fostering a collaborative digital ecosystem.

  • Developing Guidance (Article 44(3)(c)): The network will contribute to the development of guidance, templates, or recommendations on the sharing and reuse of open-source software. The proposal explicitly notes that this contribution is made "on a voluntary and non-binding basis." This ensures that while the network provides valuable harmonization, it does not impose new binding legal obligations beyond the regulation itself.

  • Collaborating on Projects (Article 44(3)(d)): The network will collaborate on and exchange open-source projects of common interest to Union entities and public sector bodies, fostering joint development efforts.

3. Governance and Meeting Frequency

To ensure the network remains active and effective, Article 44(5) mandates a specific governance rhythm. It states:

"The Commission shall convene and chair a meeting of the members of the OSPO Network at least twice a year. The meetings of the OSPO Network may be organised online."

This provision ensures that the Commission maintains oversight and that members have regular opportunities to engage. The allowance for online meetings ensures accessibility for OSPOs across all Member States, regardless of geographic location.

Context: The Broader Open-Source Ecosystem

The OSPO Network operates as the human and organizational backbone for CADA's technical and legal requirements.

  • Article 41 encourages public bodies to use open standards and components released under an open-source license when building their cloud and AI ecosystems.
  • Article 42 requires that when Union entities or public bodies make software available for reuse under an open-source license, they must do so via a catalogue connected to the EU Open Source Solutions Catalogue (EU OSS Catalogue).
  • Article 43 establishes this central catalogue, hosted on the Interoperable Europe portal.

The OSPO Network supports these articles by providing the expertise needed to navigate the "licensing, security, maintenance and procurement" challenges mentioned in Article 44(3). Without the network's coordination, public bodies might struggle to comply with the reuse and cataloguing requirements of Articles 42 and 43.

What this means for you

For public sector IT directors, legal counsel, and procurement officers, the proposed CADA framework introduces a structured pathway for open-source adoption. Here is how to prepare your organization for the OSPO Network:

1. Formalize Your Internal OSPO

Before you can request membership, your organization must have a designated Open Source Programme Office.

  • Action: If you do not have a dedicated OSPO, establish one. This does not necessarily require a new department; it can be a designated team or role within existing IT governance, legal, or digital transformation units.
  • Requirement: Ensure this office has a clear mandate to handle open-source strategy, policy, and compliance. Article 44(2) implies that only "established" offices can request to join.

2. Submit a Formal Request to the Commission

Once your OSPO is operational, you must initiate the membership process.

  • Action: Prepare a formal request to the European Commission. While the proposal does not specify the exact format, you should document your OSPO's structure, its mandate, and its readiness to engage in the network's tasks.
  • Focus: Highlight your organization's commitment to the network's core areas: licensing, security, maintenance, and procurement.

3. Prepare for Active Participation

Joining the network is an active commitment, not a passive status. Under Article 44(3), your OSPO will be expected to:

  • Share Expertise: Contribute to discussions on licensing risks, security audits, and maintenance strategies.
  • Collaborate: Engage in joint projects of common interest with other public bodies.
  • Develop Guidance: Participate in the voluntary development of templates and recommendations for software reuse.
  • Attend Meetings: Be prepared to attend the biannual meetings convened and chaired by the Commission (Article 44(5)).

4. Align with the EU OSS Catalogue

Your OSPO should also be the point of contact for ensuring your organization's software is listed in the EU Open Source Solutions Catalogue (Article 43). The network will likely provide guidance on how to effectively use this catalogue to discover reusable software and publish your own contributions.

Common misconceptions

"Joining the OSPO Network is mandatory for all public sector bodies." No. While CADA encourages the use of open-source solutions (Article 41) and mandates the sharing of software via the EU OSS Catalogue (Article 42), joining the OSPO Network itself is voluntary. Article 44(2) states that OSPOs "may request" to join. However, the network is the primary mechanism for receiving the guidance and support needed to comply with the broader open-source obligations effectively.

"Any IT department can join the network." Not automatically. Article 44(2) specifies that "Open Source Programme Offices established by public sector bodies... may request" to join. This implies a formal establishment of an OSPO function is a prerequisite. A general IT department without a specific open-source mandate or structure may not meet the criteria for membership until an OSPO is formally designated.

"The OSPO Network will create binding laws on open-source licensing." Incorrect. The guidance developed by the network is explicitly non-binding. Article 44(3)(c) states that the network contributes "on a voluntary and non-binding basis, to the development of guidance, templates or recommendations." These outputs will be influential best practices but do not carry the force of law.

"The OSPO Network replaces national open-source strategies." No. The network is designed to complement national efforts. Article 44(3)(a) focuses on "facilitating the exchange of information, experience and best practices between Member States and the Commission." It is a collaborative layer intended to harmonize and share knowledge, not to supersede national governance structures.

Related

This is general information about a draft EU regulation, not legal advice.