How does a public body share cloud or data centre services in the EuroCloud Federation?

Summary Under the proposed Cloud and AI Development Act (CADA), a public body may share cloud or data centre services within the EuroCloud Federation only if it directly or indirectly owns the underlying hardware and exercises strict control over any intermediate legal entity providing the service. As proposed in Article 35, the sharing entity must demonstrate compliance with these ownership, security, and operational conditions to the European Commission before any sharing begins. Any fees charged to the receiving ("using") entity are strictly limited to recovering the specific additional costs incurred by the sharing (e.g., isolation, access management), ensuring the arrangement remains a public-sector cooperation rather than a commercial contract.

Detail

The EuroCloud Federation, established under Title IV, Chapter III of the CADA proposal, creates a unique mechanism for Union entities and public sector bodies to share data centre services and cloud computing services. This framework is designed to optimize resource utilization, reduce dependencies on third-country providers, and enhance the resilience of the EU's public sector digital infrastructure. However, the ability to act as a "sharing entity"—the body offering its capacity to others—is governed by rigorous eligibility and procedural requirements outlined primarily in Article 35.

Eligibility: The Ownership and Control Test

The cornerstone of the sharing mechanism is the requirement for genuine public ownership and control. According to Article 35(1), a member of the EuroCloud Federation may share data centre services and cloud computing services with another member only if the sharing entity directly, or indirectly through an intermediate legal entity, owns the hardware through which the service is made available and provides the service to the using entity.

This provision is critical because it prevents private cloud providers from using the Federation as a backdoor to access public procurement benefits or share resources without meeting the same sovereignty standards as direct public actors. The proposal explicitly excludes direct private participation where the sharing entity does not own the hardware.

When the sharing entity does not own the hardware directly but instead operates through an intermediate legal entity, Article 35(1) imposes a stringent control test. The sharing entity must exercise control over that intermediate legal entity. As detailed in the proposal's recitals and the structural logic of the article, this control is defined by three cumulative conditions:

1. Decisive Influence: The sharing entity must exercise a decisive influence over both the strategic objectives and significant decisions of the intermediate legal entity.
2. No Private Capital: There must be no direct private capital participation in that intermediate legal entity.
3. Public Task Focus: More than 80% of the activities of the intermediate legal entity must be carried out in the performance of tasks entrusted to it by the sharing entity.

This ensures that the intermediate entity is effectively an arm of the public sector, rather than a commercial vehicle or a joint venture with private interests. If these conditions are not met, the entity cannot act as a sharing entity within the Federation.

Demonstrating Compliance to the Commission

Ownership and control alone are not sufficient. Before any services can be shared, the sharing entity must prove it meets the necessary security and operational standards. Article 35(2) requires the sharing entity to put in place appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services. These measures include policies on risk analysis, information system security (including access control), incident handling, business continuity, and interoperability.

Crucially, Article 35(3) mandates that prior to sharing, the sharing entity must demonstrate to the European Commission that it fulfils the conditions set out in paragraphs 1 and 2. The Commission then assesses this information. As stated in Article 35(4), the Commission allows the sharing entity to share services within the EuroCloud Federation only where these conditions are fulfilled. This centralised oversight by the Commission ensures that the Federation maintains a high baseline of security and sovereignty across all participating members. The Commission is empowered to adopt implementing acts to specify the technical, operational, and organisational measures required, ensuring a harmonised approach across the Union.

Financial Framework: Strict Cost Recovery Only

A defining feature of the EuroCloud Federation is that it operates as a public-sector cooperation, not a commercial marketplace. Article 35(5) permits the sharing entity to charge a fee to the using entity, but this fee is strictly capped. The amount must be limited to the costs that the sharing entity incurs in relation to the sharing of the service.

These costs are narrowly defined in the proposal. They cover the additional costs incurred in the sharing of capacity, including:

• Allocating and isolating resources.
• Managing access.
• Enabling the integration and interoperability of resources.
• Ensuring compliance with applicable Union law requirements.
• Managing the sharing relationship.

Importantly, these fees do not constitute a pecuniary interest within the meaning of Directive 2014/24/EU on public procurement or the EU Financial Regulation. Consequently, the sharing of services within the EuroCloud Federation does not fall under standard Union public procurement rules. This exemption is vital for enabling seamless cross-border sharing without the administrative burden of tendering for every capacity transfer. However, it also means that the sharing entity cannot make a profit from the arrangement; the model is purely one of cost recovery and resource optimization. Charging a fee that exceeds these specific costs would likely reclassify the transaction as a public contract, triggering full procurement obligations.

Governance and Administrative Fees

While the service sharing itself is cost-neutral for the Federation's administration, the administration of the Federation incurs costs. Article 36 establishes that these costs are jointly financed by members through fees levied by the Commission. These fees are separate from the service-sharing fees described in Article 35. The revenues generated from these administrative fees constitute internal assigned revenues, ensuring the Federation is financially self-sustaining in its governance operations. The Commission is empowered to adopt implementing acts to determine the estimated costs, individual fee amounts, and payment conditions.

What this means for you

For public-sector IT directors, procurement officers, and legal counsel, the EuroCloud Federation offers a powerful tool to leverage idle capacity and reduce reliance on commercial hyperscalers. However, participating as a sharing entity requires rigorous preparation and a clear understanding of the "ownership" and "cost" boundaries.

1. Audit Your Ownership Structure Immediately

Before considering sharing, verify that your organization or its subsidiary truly owns the hardware. If you operate through a public limited company, a joint venture, or a special purpose vehicle, you must conduct a deep-dive audit.

• Check Capital: Is there any direct private capital participation? If yes, you likely fail the test.
• Check Control: Do you have decisive influence over strategic objectives?
• Check Activity Ratio: Is more than 80% of the entity's activity dedicated to your public tasks? If the entity engages in significant commercial activities for third parties, it may not qualify.
• Hardware vs. Building: Remember, the requirement is ownership of the hardware (servers, storage, network equipment) through which the service is made available. Owning the data centre building but leasing the hardware from a third party may disqualify you unless the leasing arrangement meets the strict control criteria for intermediate entities.

2. Prepare for the Commission Assessment

You cannot simply start sharing. You must compile a comprehensive evidence package to demonstrate compliance to the Commission.

• Security Policies: Document your technical, operational, and organisational measures. This includes access control policies, incident response plans, and business continuity strategies.
• Legal Evidence: Prepare corporate documents proving ownership, control, and the absence of private capital.
• Engage Early: Engage with your national competent authority and the Commission early to understand the specific format of the demonstration required. The Commission will assess your submission before granting permission to share.

3. Calculate True Marginal Costs

Your financial team must be able to isolate the additional costs of sharing. You cannot pass on general overheads, depreciation of the hardware itself (unless directly attributable to the sharing activity), or profit margins.

• Cost Isolation: Identify costs specifically related to allocating resources, managing access, and ensuring interoperability for the specific using entity.
• Transparency: The fee structure must be transparent and strictly cost-based. Any deviation risks violating the cost-recovery principle and could jeopardize the procurement exemption, potentially turning a simple sharing agreement into a complex public tender.

4. Ensure Technical Interoperability

Since the Federation relies on a common platform managed by the Commission (established under Article 34), your technical infrastructure must be capable of integrating with the Federation's orchestration services. Ensure your cloud or data centre management systems support the necessary APIs, security protocols, and data flow standards for cross-border resource allocation. The Commission will specify these technical measures via implementing acts.

Common misconceptions

Misconception 1: Any public cloud provider can join and share services. Correction: No. Only entities that are members of the EuroCloud Federation (Union entities and public sector bodies) can share. Furthermore, private providers, even if they have public contracts, cannot act as sharing entities unless they are fully owned and controlled by a public body as defined in Article 35. The framework is designed for public-to-public sharing, not public-to-private outsourcing.

Misconception 2: Sharing services requires a new procurement tender. Correction: No. Because the fees are limited to strict cost recovery and do not constitute a pecuniary interest, the arrangement is exempt from standard public procurement directives (Directive 2014/24/EU). This allows for faster, more flexible capacity sharing among public bodies without the administrative burden of a full tender process.

Misconception 3: The sharing entity can charge market rates for its idle capacity. Correction: Absolutely not. Article 35(5) limits fees to the additional costs incurred in sharing. The model is not designed to generate revenue for the sharing entity but to optimize public resource use. Charging market rates would violate the cost-recovery principle and could jeopardize the procurement exemption, potentially exposing the entity to legal challenges.

Misconception 4: Ownership of the data centre building is sufficient. Correction: The requirement is ownership of the hardware through which the service is made available. Leasing hardware from a third party, even if you own the building, may disqualify you unless the leasing arrangement meets the strict control and ownership criteria outlined for intermediate entities. The focus is on the control of the computing assets, not just the real estate.

Misconception 5: The Commission only checks eligibility once. Correction: While the initial demonstration is a prerequisite, the Commission maintains oversight. If a sharing entity no longer meets the conditions (e.g., due to a change in ownership structure or loss of control), the recognition could be withdrawn, and sharing would have to cease.

Related

• How does a public body join the EuroCloud Federation under CADA?
• What should a public-sector body do before CADA's application date?
• What is the data centre permit timeline under CADA?
• How does a public buyer procure cloud services correctly under CADA?
• How does a public body apply CADA's open source first principle?

This is general information about a draft EU regulation, not legal advice.