How does a repository get connected to the EU OSS Catalogue under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), any Union entity or public sector body that owns or maintains a software catalogue or repository may request to have it connected to the central EU Open Source Solutions Catalogue (EU OSS Catalogue). This connection is not automatic; it requires a formal request and a decision by the European Commission based on "objective and relevant criteria." Once connected, the repository becomes accessible through the central portal, facilitating the discovery and reuse of open-source software across the EU public sector. This mechanism supports the broader CADA objective of reducing vendor lock-in and fostering a competitive, sovereign digital ecosystem.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A critical component of this framework is the promotion of open-source software to ensure transparency, security, and technological autonomy. To achieve this, the proposal mandates the creation of a centralised access point for public sector software, the EU Open Source Solutions Catalogue (EU OSS Catalogue), and defines a specific legal mechanism for integrating existing national or entity-level repositories into this central system.

The Legal Basis: Article 43 of CADA

The primary legal instrument governing the connection of repositories is Article 43 of the proposal. This article is divided into three paragraphs, each addressing a distinct aspect of the catalogue's operation:

1. Article 43(1) establishes the Commission's obligation to "provide and maintain an EU Open Source Solutions Catalogue ('EU OSS Catalogue') as a centralised catalogue to access software made available for reuse by Union entities and public sector bodies."
2. Article 43(2) mandates that this catalogue "shall be hosted on the Interoperable Europe portal referred to in Article 8 of Regulation (EU) 2024/903 and shall be accessible electronically free of charge."
3. Article 43(3) sets out the specific procedure for connecting external repositories.

The Connection Mechanism: Article 43(3)

Article 43(3) is the operational heart of the repository connection process. It states:

"The Commission shall, on the basis of objective and relevant criteria, decide on the request of any Union entity or public sector body owning or maintaining a catalogue or repository to have that catalogue or repository connected to and made accessible through the EU OSS Catalogue."

This provision establishes a request-based, federated model. It does not require public bodies to migrate their software to a central EU-hosted database. Instead, it allows them to retain ownership and maintenance of their local or national repositories while ensuring that the metadata and access points are aggregated at the EU level.

Who Can Request Connection?

The scope of eligible requesters is broad. The text explicitly includes:

• Union entities: This covers the Union institutions, bodies, offices, and agencies as defined in the proposal.
• Public sector bodies: This includes national, regional, and local authorities, as well as other bodies governed by public law, consistent with the definition in Directive (EU) 2019/1024.

Crucially, the entity must be the owner or maintainer of the catalogue or repository. This ensures that the entity submitting the request has the legal and technical authority to manage the connection and ensure the continued availability of the software listed.

The Commission's Decision-Making Role

The European Commission holds the authority to approve or reject connection requests. However, this power is constrained by the requirement to act "on the basis of objective and relevant criteria." This phrasing is significant for several reasons:

• Objectivity: The criteria cannot be arbitrary or discriminatory. They must be based on measurable technical and functional standards.
• Relevance: The criteria must be directly related to the purpose of the catalogue, which is to facilitate searchability, interoperability, and reuse.
• Transparency: While the specific technical details of these criteria are not enumerated in the enacting text of CADA itself, the requirement for objectivity implies that they will be defined in a transparent manner, likely through implementing acts or guidance documents.

The decision is binary: the Commission either approves the connection, making the repository accessible through the EU OSS Catalogue, or rejects it. If rejected, the entity would likely need to address the specific deficiencies identified against the objective criteria before reapplying.

Technical and Functional Criteria for Connection

Although Article 43(3) does not list the specific criteria, the context of the proposal and the hosting environment (the Interoperable Europe portal) provide strong indicators of what these "objective and relevant criteria" will entail. The goal is to ensure that the central catalogue functions as a reliable, unified search engine.

Likely criteria include:

1. Interoperability Standards: Since the catalogue is hosted on the Interoperable Europe portal, repositories must likely comply with the interoperability specifications set out in Regulation (EU) 2024/903. This includes supporting standardised metadata schemas (e.g., DCAT-AP) and APIs that allow the central catalogue to harvest data from the external repository in real-time or via scheduled updates.
2. Data Quality and Completeness: To be useful for reusers, software entries must contain sufficient information. Criteria may require the presence of specific metadata fields such as the software name, version, description, license type, documentation links, contact information for maintainers, and a clear statement of the open-source licence under which the software is released.
3. Legal Compliance: The repository must host software that is genuinely released under an open-source licence. The criteria may require verification that the licences used are recognised by the Open Source Initiative (OSI) or the Free Software Foundation (FSF) and that the legal terms are clearly displayed.
4. Security and Stability: The repository must demonstrate a baseline level of security to protect the integrity of the software and the data of users. This could involve requirements for secure hosting, regular security updates, and mechanisms for reporting vulnerabilities.
5. Accessibility: As per Article 43(2), the catalogue must be accessible electronically free of charge. Therefore, the connected repository must not impose paywalls or restrictive access controls that would prevent the free discovery and download of the software.

The Relationship with Article 42: The Obligation to Connect

The connection process under Article 43(3) is intrinsically linked to the obligations set out in Article 42. Article 42 states:

"When making software to which they hold intellectual property rights available for reuse under an open source licence, a Union entity or public sector body shall do so using a catalogue or repository that is connected to, and made accessible through, the EU OSS Catalogue."

This creates a mandatory workflow for public sector bodies that wish to release software under an open-source licence:

1. Selection of Repository: The entity must host the software in a catalogue or repository.
2. Connection Requirement: That repository must be connected to the EU OSS Catalogue.
3. Compliance: If the entity's repository is not yet connected, it must submit a request under Article 43(3) to have it connected. If the request is denied, the entity cannot legally release the software under an open-source licence in that repository until the connection is established.

This linkage ensures that the central catalogue is not merely a voluntary directory but a mandatory gateway for all public sector open-source software, thereby maximising its visibility and potential for reuse.

Governance and Implementation

The implementation of Article 43 is supported by the broader governance structure of CADA. The Commission is empowered to adopt implementing acts to specify the detailed procedures for connection requests, the technical standards for interoperability, and the precise definition of the "objective and relevant criteria." These acts would be adopted in accordance with the examination procedure referred to in Article 46(2), ensuring oversight by Member State representatives.

Furthermore, Article 44 establishes a network of Open Source Programme Offices (OSPOs). These offices, established by public sector bodies at local, regional, or national levels, are tasked with facilitating the exchange of information and best practices. In the context of Article 43, OSPOs will likely play a crucial role in assisting entities with the technical preparation of their repositories for connection, ensuring they meet the necessary criteria before submitting a request to the Commission.

What this means for you

For public sector bodies, Union entities, and the technical teams responsible for managing software repositories, the connection process under CADA has several immediate and strategic implications:

1. Audit Your Current Repositories: If your organisation maintains a catalogue or repository of open-source software, conduct a thorough audit. Check for compliance with potential interoperability standards, the completeness of metadata, and the clarity of licensing information.
2. Prepare for the Connection Request: Do not wait for the Commission to reach out. If you own a repository, proactively prepare a request for connection under Article 43(3). Ensure that your technical infrastructure is ready to support the required data exchange protocols.
3. Align with Interoperable Europe Standards: Given that the EU OSS Catalogue is hosted on the Interoperable Europe portal, align your repository's technical architecture with the standards of Regulation (EU) 2024/903. This includes adopting standard metadata formats and ensuring API compatibility.
4. Understand the Mandatory Nature of Article 42: If you plan to release software under an open-source licence, remember that Article 42 makes connection to the EU OSS Catalogue a legal requirement. Failure to connect your repository could result in non-compliance with the regulation.
5. Leverage the OSPO Network: Engage with your national or regional Open Source Programme Office. They will be a primary source of guidance on the specific criteria for connection and the best practices for repository management under CADA.
6. Plan for Ongoing Maintenance: Connection is not a one-time event. The criteria for connection likely include ongoing requirements for data quality and security. Ensure you have the resources to maintain your repository's compliance over time.

Common misconceptions

• Misconception 1: The EU OSS Catalogue will replace all national repositories.
  • Reality: CADA explicitly supports a federated model. Article 43(3) allows entities to keep their own repositories and simply "connect" them to the central catalogue. The central catalogue is a discovery layer, not a replacement for local hosting.
• Misconception 2: Connection is automatic for all public sector software.
  • Reality: Connection is a request-based process. Article 43(3) requires a formal request and a decision by the Commission. Repositories must meet specific "objective and relevant criteria" to be approved.
• Misconception 3: Only large EU institutions can connect repositories.
  • Reality: The scope is broad. Article 43(3) applies to "any Union entity or public sector body," which includes national, regional, and local authorities, as well as smaller public bodies.
• Misconception 4: The criteria for connection are vague and subjective.
  • Reality: The law mandates that the Commission's decision be based on "objective and relevant criteria." This legal requirement ensures that the process is transparent, non-discriminatory, and based on measurable technical standards, even if the specific details are defined in secondary legislation.
• Misconception 5: Private companies can connect their repositories.
  • Reality: Article 43(3) is limited to "Union entities or public sector bodies." Private companies cannot directly request connection under this article, though their software may be listed if hosted by a public sector body.

Related

• Why does CADA require sharing through a connected catalogue?
• Who maintains the EU OSS Catalogue under CADA?
• Where is the EU OSS Catalogue hosted? CADA Article 43 explained
• CADA Article 42: When does the obligation to use the EU OSS Catalogue apply?
• What records or metadata are needed to list software in the EU OSS Catalogue?

This is general information about a draft EU regulation, not legal advice.