Summary
Under the proposed Cloud and AI Development Act (CADA), joining the OSPO Network is a voluntary process open to Open Source Programme Offices (OSPOs) established by Union entities or public sector bodies at local, regional, or national levels. As proposed in Article 44(2), interested OSPOs must submit a formal request to join directly to the European Commission. The Commission is mandated to establish and coordinate this network to facilitate cooperation on open-source implementation, but membership itself is not automatic; it requires an active request from the eligible entity.
Detail
The Cloud and AI Development Act (CADA) introduces a comprehensive framework to strengthen the European public sector's use of open-source software. A critical component of this strategy is the creation of a coordinated, EU-wide network for Open Source Programme Offices (OSPOs). This network is designed to dismantle silos, harmonize practices, and ensure consistent implementation of open-source policies across the diverse governance structures of the Union.
The Legal Basis for Membership
The specific mechanism for joining the network is explicitly defined in Article 44 of the CADA proposal. The regulation establishes the "Network of Open Source Programme Offices" (OSPO Network) with the primary objective of facilitating cooperation on the implementation of obligations related to open-source software sharing and reuse.
While Article 44(1) mandates that the Commission shall establish this network, membership is not automatic for every entity that maintains an OSPO. Instead, Article 44(2) outlines the specific eligibility criteria and the application process:
"Open Source Programme Offices established by public sector bodies at local, regional or national level in a Member State, and those established by Union entities, may request from the Commission to join the OSPO Network."
This provision establishes a clear, voluntary pathway for participation. It explicitly defines the eligible entities as:
- Union entities: Institutions, bodies, offices, and agencies of the European Union.
- Public sector bodies: Entities operating at the local, regional, or national level within any EU Member State.
The core action required is a request made to the Commission. The text of Article 44 does not stipulate a complex accreditation exam, a mandatory certification process, or a specific fee structure for entry. The primary barrier to entry is administrative: an entity must have an established OSPO and must formally ask to join. The use of the phrase "may request" underscores the voluntary nature of the network, distinguishing it from mandatory compliance regimes found elsewhere in the regulation.
The Role of the Commission
The European Commission acts as the central hub for the OSPO Network. As per Article 44(4), the Commission is responsible for supporting and coordinating the network's activities. This includes a specific obligation to convene and chair meetings of the network members at least twice a year. These meetings may be organized online, ensuring accessibility for members across different time zones and locations.
By centralizing the invitation and coordination process through the Commission, CADA ensures that the network remains a unified EU-wide structure rather than a fragmented collection of national or regional groups. The Commission's role is to facilitate the exchange of information and best practices, ensuring that the network serves as a cohesive platform for digital sovereignty.
Why Join? The Tasks of the Network
Understanding the value proposition is crucial for public sector leaders deciding whether to submit a request. Article 44(3) details the specific tasks the OSPO Network will perform, which directly benefit its members and the broader public sector ecosystem:
- Exchange of Information and Best Practices: The network facilitates the discussion of common technical, legal, and organizational challenges. This includes critical topics such as licensing models, security protocols, maintenance strategies, and the procurement of open-source software.
- Promoting Sharing and Reuse: A core goal is to encourage public sector bodies to share and reuse open-source software, thereby reducing duplication of effort, lowering costs, and accelerating innovation.
- Guidance Development: Members contribute on a voluntary and non-binding basis to the development of guidance, templates, and recommendations for sharing and reusing open-source software. This allows members to shape the standards that will be used across the EU.
- Collaboration on Projects: The network serves as a platform for exchanging open-source projects of common interest to Union entities and public sector bodies, fostering cross-border collaboration on specific software solutions.
The Broader Context: Open Source in CADA
The OSPO Network does not operate in a vacuum; it is the human and organizational infrastructure supporting a larger ecosystem of open-source measures in CADA. For instance:
- Article 41 encourages Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open-source licence.
- Article 42 requires that software made available for reuse be offered through a catalogue connected to the EU Open Source Solutions Catalogue (maintained by the Commission under Article 43).
The OSPO Network acts as the connective tissue for these mandates. By joining, an OSPO gains direct insight into how other jurisdictions are interpreting and implementing these requirements, which is invaluable for procurement officers navigating complex licensing and security landscapes.
What this means for you
For public-sector procurement officers, IT directors, and legal counsel, the establishment of the OSPO Network under CADA represents a significant shift towards collaborative governance of software assets. Here is how you should prepare and proceed:
1. Audit Your Current OSPO Structure
Before submitting a request to the Commission, ensure your organization has a defined OSPO or a dedicated team fulfilling the functions of an OSPO. The regulation refers to "Open Source Programme Offices established by public sector bodies." If your organization currently manages open-source compliance ad hoc through legal or IT departments without a coordinated strategy, you may need to formalize this structure first. The Commission will likely expect a clear point of contact and a defined mandate to ensure effective participation.
2. Prepare Your Request
While Article 44 does not specify a detailed application form, you should prepare a formal request to the European Commission. This request should likely include:
- Identification of your public sector body (local, regional, national, or Union entity).
- Confirmation of the establishment of your OSPO.
- Designation of a primary liaison officer who will participate in network activities and the bi-annual meetings.
3. Leverage the Network for Procurement Strategy
Once joined, use the network to inform your procurement decisions. Article 32 of CADA requires contracting authorities to include "Union added value" criteria in public procurement for cloud and AI services. The OSPO Network is the ideal venue to learn how other authorities are defining "European cloud and AI ecosystem" contributions in their tenders. You can share templates and learn from peers on how to evaluate open-source contributions as part of quality evaluations.
4. Engage in Guidance Development
Article 44(3)(c) allows members to contribute to the development of guidance and templates. This is an opportunity for your organization to shape the standards that will be used across the EU. If your organization has developed robust security policies for open-source software, you can propose these as best practices for the wider network. This proactive engagement can elevate your organization's profile as a leader in digital sovereignty.
5. Monitor for Implementing Acts
While Article 44 sets the framework, the Commission may adopt implementing acts or detailed guidelines to operationalize the network. Keep an eye on official communications from the Commission regarding the OSPO Network. These may include specific registration portals, codes of conduct, or technical standards for participation.
Common misconceptions
Misconception 1: Membership is mandatory for all public sector bodies. Reality: Article 44(2) uses the phrase "may request," indicating that participation is voluntary. However, while joining the network is optional, the underlying obligations to share software (Article 42) and use open standards (Article 41) are mandatory for Union entities and public sector bodies. The network is a support mechanism, not a compliance penalty.
Misconception 2: Any IT department can join. Reality: The regulation specifically refers to "Open Source Programme Offices." This implies a level of formalization. An ad-hoc IT team without a defined open-source governance strategy may not qualify as an OSPO under the spirit of the regulation. The entity must have an established office or structure dedicated to open-source management.
Misconception 3: The OSPO Network has regulatory enforcement powers. Reality: The tasks listed in Article 44(3) are focused on facilitation, exchange, and voluntary guidance. The network does not have the power to impose fines or enforce compliance. Enforcement remains with the national competent authorities and the Commission under other parts of CADA. The network is a cooperative body, not a regulatory one.
Misconception 4: Joining requires a financial contribution. Reality: The text of Article 44 does not mention membership fees. The costs of the network (such as convening meetings) are likely covered by the Commission's budget or specific administrative appropriations, as is typical for EU-coordinated networks. However, your organization will bear the internal costs of staffing the OSPO and attending meetings.
This is general information about a draft EU regulation, not legal advice.