How to set up an Open Source Programme Office (OSPO) to join the CADA network

Summary Under the proposed Cloud and AI Development Act (CADA), public sector bodies at local, regional, or national levels are encouraged to establish Open Source Programme Offices (OSPOs) to foster software reuse and reduce vendor lock-in. Article 44(2) explicitly allows these offices to "request from the Commission to join" the newly established OSPO Network. To set up an OSPO, your body must define clear functions covering governance, licensing, security, maintenance, and procurement, aligning with the network's tasks outlined in Article 44(3). Once established, the OSPO can formally request membership to facilitate the exchange of best practices and contribute to EU-wide guidance on open-source software.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, identifies open source as a critical lever for technological sovereignty, security, and efficiency. Article 44 establishes a specific mechanism to coordinate these efforts: the Network of Open Source Programme Offices (the "OSPO Network"). This network is designed to bridge the gap between isolated national or local initiatives and a cohesive Union-wide strategy.

For public sector bodies, understanding the requirements to set up an OSPO and the process to join this network is essential for compliance with the Act's broader objectives on software reuse and interoperability.

1. The Legal Basis for OSPOs and the Network

Article 44(1) mandates the Commission to "establish a network of Open Source Programme Offices ('the OSPO Network') to facilitate cooperation on the implementation of the obligations under this Chapter." This Chapter (Title IV, Chapter V) includes obligations for public bodies to encourage the use of open standards and components released under an open-source licence (Article 41) and to share software via a connected catalogue (Article 42).

Crucially, Article 44(2) defines the scope of potential members:

"Open Source Programme Offices established by public sector bodies at local, regional or national level in a Member State, and those established by Union entities, may request from the Commission to join the OSPO Network."

This provision confirms that the network is not limited to central government bodies; it explicitly includes local and regional authorities. However, it is a voluntary mechanism: bodies "may request" to join, rather than being automatically enrolled.

2. Setting Up the OSPO: Core Functions and Governance

While Article 44 does not prescribe a rigid internal organizational chart for an individual OSPO, the tasks assigned to the network in Article 44(3) serve as a functional blueprint. To be an effective member and contribute meaningfully, a newly established OSPO should structure its governance and operations around these four key pillars:

A. Governance and Coordination

The primary task of the network, under Article 44(3)(a), is "facilitating the exchange of information, experience and best practices between Member States and the Commission."

• Implication for Setup: Your OSPO must have a governance structure capable of engaging in high-level dialogue. This typically requires a cross-functional team that can discuss "common technical, legal and organisational challenges."
• Action: Establish a steering committee or working group that includes representatives from IT, legal, and procurement departments to ensure the OSPO can address the multidimensional nature of open-source adoption.

B. Licensing and Legal Compliance

Article 44(3)(a) explicitly lists "licensing" as a key challenge to be discussed within the network.

• Implication for Setup: The OSPO must possess the legal expertise to manage open-source licenses. This involves defining acceptable license types (e.g., permissive vs. copyleft), ensuring compliance with license obligations, and managing the legal implications of contributing code back to upstream projects.
• Action: Develop internal policies on license selection and contribution. The OSPO should be prepared to share these policies with the network to help develop "guidance, templates or recommendations" as per Article 44(3)(c).

C. Security and Maintenance

Security and maintenance are critical for public sector software. Article 44(3)(a) identifies "security" and "maintenance" as specific areas of focus for the network.

• Implication for Setup: The OSPO must implement processes for monitoring vulnerabilities in open-source components and ensuring the long-term viability of adopted software.
• Action:
  • Vulnerability Management: Establish a protocol for tracking and responding to security advisories for open-source dependencies.
  • Maintenance Strategy: Define how the body will handle software that is no longer maintained by the upstream community (e.g., forking, internal maintenance, or finding alternatives).
  • Supply Chain Security: Evaluate the security posture of open-source dependencies, aligning with CADA's broader goals of reducing dependencies on critical technologies.

D. Procurement Functions

Article 44(3)(a) also highlights the "procurement of open-source software" as a topic for the network.

• Implication for Setup: The OSPO must work closely with procurement departments to ensure that public tenders do not inadvertently favor proprietary solutions.
• Action:
  • Draft procurement clauses that favor open-source solutions where appropriate.
  • Develop evaluation criteria that value a vendor's open-source contributions and compliance.
  • Ensure technical specifications are neutral and do not create barriers to entry for open-source providers.

3. The Process to Join the OSPO Network

Once an OSPO is established and operational, the next step is to seek membership in the EU-wide network. Article 44(2) provides the mechanism: the OSPO "may request from the Commission to join the OSPO Network."

Step 1: Preparation

Although the proposal does not detail a specific application form, the Commission is tasked with "supporting and coordinating" the network (Article 44(4)). To prepare a robust request:

• Document Scope: Clearly define the OSPO's mandate, the public sector body it serves (local, regional, or national), and its specific areas of expertise (e.g., healthcare, education, cybersecurity).
• Align with Tasks: Demonstrate how your OSPO's current or planned activities align with the network's tasks, such as promoting the sharing and reuse of software (Article 44(3)(b)) or contributing to guidance development (Article 44(3)(c)).

Step 2: Submission of Request

The request should be directed to the Commission. While the text does not specify a department, the explanatory memorandum and the nature of the tasks (involving DG CNECT and DG DIGIT) suggest that the request should be submitted to the Commission services responsible for digital policy and the internal market.

• Action: Submit a formal request indicating the desire to join the network, accompanied by the documentation prepared in Step 1.

Step 3: Integration and Participation

Upon acceptance, the OSPO becomes a member of the network. Article 44(5) states that the Commission "shall convene and chair a meeting of the members of the OSPO Network at least twice a year."

• Action: Participate in these meetings to exchange information, contribute to the development of templates, and collaborate on projects of common interest.

4. The Role of the Commission

The Commission plays a central role in the ecosystem. Under Article 44(4), the Commission "shall support and coordinate the OSPO Network." This includes:

• Organizing the biannual meetings.
• Facilitating the exchange of information and best practices.
• Providing a platform for collaboration on open-source projects.

The Commission's role is supportive rather than directive; the network is a collaborative platform where members voluntarily contribute to the development of guidance (Article 44(3)(c)).

What this means for you

For public sector bodies, setting up an OSPO and joining the CADA network is a strategic move to enhance digital sovereignty and efficiency.

For Public Administrations (Local/Regional/National):

• Strategic Alignment: Establishing an OSPO aligns your body with the EU's push for technological sovereignty. It demonstrates a commitment to reducing vendor lock-in and fostering innovation.
• Resource Efficiency: By joining the network, you gain access to a pool of shared knowledge and reusable software, potentially saving significant resources on development and procurement.
• Influence: Participation allows your body to influence EU-wide standards and guidance on open-source software, ensuring that future regulations reflect the realities of local and regional implementation.

For Procurement Officers:

• Better Value: Use the network to identify best practices in open-source procurement, leading to better value for money and reduced dependency on single vendors.
• Market Shaping: Collaborate with other public bodies through the network to create demand for open-source solutions, encouraging market growth and competition.

For IT and Security Teams:

• Enhanced Security: Leverage the network's focus on security to benchmark your practices and stay informed about emerging threats and mitigation strategies in the open-source ecosystem.
• Interoperability: Promote the reuse of software across borders, improving interoperability between different public sector systems and reducing data silos.

For Legal Teams:

• Risk Management: Collaborate with other OSPOs to develop robust licensing strategies and address common legal challenges, reducing the risk of non-compliance.
• Standardization: Contribute to the development of standardized templates for open-source contributions and licenses, simplifying legal processes across the Union.

Common misconceptions

Misconception 1: The OSPO Network is mandatory for all public sector bodies.

• Fact: Article 44(2) states that OSPOs "may request" to join the network. Participation is voluntary. While CADA encourages the use of open source (Article 41), it does not mandate the creation of an OSPO or membership in the network. However, establishing an OSPO is highly recommended to effectively implement the Act's objectives.

Misconception 2: You must have a fully mature OSPO to join the network.

• Fact: The network is designed to facilitate the "exchange of information, experience and best practices" (Article 44(3)(a)). This implies that even nascent OSPOs can benefit from joining to learn from more established offices and contribute to the network's growth. The network is a learning community, not just a club for experts.

Misconception 3: The OSPO Network only deals with technical issues.

• Fact: Article 44(3)(a) explicitly includes "technical, legal and organisational challenges." The network is a multidisciplinary forum that addresses licensing, procurement, security, and governance, not just code and architecture.

Misconception 4: Joining the network imposes binding obligations on your OSPO.

• Fact: Article 44(3)(c) states that contributions to the development of guidance, templates, or recommendations are "voluntary and non-binding." The network is a collaborative platform for sharing and learning, not a regulatory body that imposes mandatory rules on its members.

Misconception 5: Only national governments can join.

• Fact: Article 44(2) explicitly includes "public sector bodies at local, regional or national level." Local municipalities and regional authorities are fully eligible to establish OSPOs and join the network.

Related

• What is the CADA OSPO Network (Network of Open Source Programme Offices)?
• What is an Open Source Programme Office (OSPO) under CADA?
• CADA Open Source: The Commission's Role in the EU OSS Catalogue and OSPO Network
• CADA Open Source Assessment: Obligations, OSPO Network & Reuse Rules
• How does the OSPO Network share best practices on open source under CADA?

This is general information about a draft EU regulation, not legal advice.