Summary
Under the proposed Cloud and AI Development Act (CADA), the obligation to promote open source is unified in principle but differentiated in execution. Article 41 imposes a direct duty on Union entities to encourage and facilitate the use of open source solutions, while requiring Member States to "take the necessary measures" to ensure their public sector bodies comply. This creates a shared substantive goal (reducing vendor lock-in and strengthening sovereignty) but distinct administrative paths. Crucially, Article 44(2) establishes a shared coordination mechanism: Open Source Programme Offices (OSPOs) established by both Union entities and public sector bodies at local, regional, or national levels in Member States may request to join the EU-wide OSPO Network.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, treats open source not merely as a technical preference but as a strategic lever for technological sovereignty. The legislative framework distinguishes between the direct legal personality of Union entities and the sovereign legislative power of Member States, resulting in a "shared but differentiated" compliance architecture.
The Core Obligation: Article 41
Article 41 sets the substantive standard for the entire European public sector. It states:
"The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."
This provision creates a bifurcated legal obligation based on the addressee:
- Direct Binding of Union Entities: For Union entities (institutions, bodies, offices, and agencies), the Regulation applies directly. They are the immediate addressees of the duty to "encourage and facilitate" open source. As proposed, Union entities must integrate this principle into their internal procurement policies, software development lifecycles, and cloud stack architectures. The obligation is not an absolute mandate to prefer open source in every instance; rather, it requires a structured evaluation where open source is the default consideration unless "duly justified objective criteria" (such as security, functionality, or total cost of ownership) dictate otherwise.
- The "Necessary Measures" Duty for Member States: For Member States, the obligation is framed as a duty to act legislatively or administratively. The text requires Member States to "take the necessary measures" to ensure that public sector bodies under their jurisdiction comply. This implies that Member States must:
  - Enact national laws or regulations if existing frameworks do not cover the requirement.
  - Update public procurement guidelines to mandate the assessment of open source alternatives.
  - Issue binding administrative directives to regional and local authorities.
  - Ensure that the "encouragement" of open source is systemic across all levels of national public administration, from central ministries to local municipalities.
The criteria for compliance remain consistent across both groups: functionality, security, and total cost. This ensures that the push for sovereignty does not compromise operational efficiency or force the adoption of inferior technology.
Coordination and Support: Article 44 and the OSPO Network
To prevent fragmentation and ensure consistent implementation, CADA establishes a centralized coordination mechanism under Article 44. This network of Open Source Programme Offices (OSPOs) serves as the operational bridge between the Union and Member States.
Article 44(2) explicitly defines the scope of participation, ensuring that the network is inclusive of both levels of governance:
"Open Source Programme Offices established by public sector bodies at local, regional or national level in a Member State, and those established by Union entities, may request from the Commission to join the OSPO Network."
This provision creates a shared but differentiated role:
- Union Entities: They have the direct right to establish an OSPO and request membership in the network. This allows EU institutions to coordinate their open source strategies internally and share experiences directly with national counterparts.
- Member States: They have the authority to designate OSPOs at various levels of government (local, regional, or national). These national OSPOs can then join the EU-wide network. This structure encourages a bottom-up approach where local authorities can benefit from EU-level expertise, while also contributing to the broader European open source ecosystem.
The tasks of the OSPO Network, as outlined in Article 44(3), include facilitating the exchange of information, promoting the sharing and reuse of open-source software, and contributing to the development of guidance and templates. This collaborative framework ensures that Union entities and Member States do not operate in silos but rather benefit from a unified knowledge base.
Software Reuse and the EU OSS Catalogue
While Article 41 focuses on the adoption of open source, Article 42 and Article 43 address the reuse of software developed by public bodies. When Union entities or public sector bodies decide to make software available for reuse under an open source licence, they must do so through a catalogue or repository connected to the EU Open Source Solutions Catalogue (EU OSS Catalogue).
This obligation applies equally to Union entities and Member State public bodies. However, the administrative burden of connecting to the catalogue may fall on different entities depending on national structures. For Union entities, this is a direct compliance requirement. For Member States, the "necessary measures" under Article 41 may include establishing national portals that interoperate with the EU OSS Catalogue, ensuring that software developed by local authorities is discoverable and reusable across the Union.
What this means for you
For in-house counsel, compliance officers, and public procurement specialists, the distinction between Union entities and Member States is primarily administrative rather than substantive. The core duty to evaluate open source options is the same, but the path to compliance differs significantly.
For Union Entity Compliance Officers
- Direct Compliance: You are directly bound by Article 41. Ensure that your procurement policies for cloud and AI services explicitly include an assessment of open source alternatives.
- Documentation: Maintain records demonstrating that you have considered open source options and that any decision to use proprietary software was based on "duly justified objective criteria" such as security or functionality.
- OSPO Participation: Consider establishing or designating an OSPO to join the network under Article 44(2). This will provide access to best practices and may simplify compliance with software reuse obligations under Article 42.
For Member State Legal Teams
- National Implementation: You are responsible for ensuring that public sector bodies within your jurisdiction comply with Article 41. This may require drafting national guidelines or amending existing public procurement laws to mandate the consideration of open source.
- OSPO Coordination: Identify or establish OSPOs at the appropriate level of government (local, regional, or national) to join the EU network under Article 44(2). This will facilitate the exchange of best practices and help standardize open source policies across your country.
- Catalogue Integration: Ensure that any software developed by public bodies is made available for reuse through a repository connected to the EU OSS Catalogue, as required by Article 42.
Deadlines and Milestones
- National Strategies: Member States must adopt national cloud and AI strategies within one year of the Regulation's entry into force (Article 7). These strategies must include measures to support the development of cloud computing stack technologies built upon open hardware and software (Article 7(2)(g)).
- OSPO Network: The Commission will establish the OSPO network. While there is no specific deadline for joining, early participation is encouraged to influence the development of guidance and templates.
Common misconceptions
Misconception 1: CADA mandates the exclusive use of open source. CADA does not require public bodies to use open source in all cases. Article 41 requires them to encourage and facilitate its use, taking into account functionalities, security, and total cost. Proprietary solutions remain permissible if they are objectively superior in these criteria.
Misconception 2: Union entities and Member States have different substantive obligations. The substantive obligation to encourage open source is identical for both. The difference lies in implementation: Union entities are directly bound, while Member States must take national measures to ensure their public bodies comply.
Misconception 3: Only large central government bodies need to join the OSPO network. Article 44(2) explicitly allows OSPOs from local, regional, and national levels to join the network. This inclusive approach is designed to foster widespread adoption and knowledge sharing across all levels of public administration.
Misconception 4: The OSPO network is mandatory. While Member States must take measures to encourage open source, joining the OSPO network is voluntary ("may request"). However, participation is the primary mechanism for accessing the guidance and templates necessary for effective compliance.
This is general information about a draft EU regulation, not legal advice.