How does CADA open source affect open source software providers' business models?

Summary As proposed, the Cloud and AI Development Act (CADA) does not mandate a ban on proprietary software, but it structurally alters the public procurement landscape to favor open source. Under Article 41, public bodies must consider "total cost" alongside security and functionality, a metric that often disadvantages high-licensing proprietary models in favor of transparent open source alternatives. Simultaneously, Article 43 establishes the EU Open Source Solutions Catalogue, a centralized repository for reusable public code that increases competition for commercial providers while creating significant market opportunities for those offering managed services, integration, and security support around open source solutions.

Detail

The CADA proposal introduces a dedicated Chapter V to promote open source within the European public sector. These provisions are designed to reduce vendor lock-in, enhance technological sovereignty, and improve the efficiency of public spending. For cloud service providers, data centre operators, and software vendors, these changes reshape the competitive landscape by altering the criteria for public procurement decisions and by increasing the availability of free, high-quality software alternatives.

The Shift to "Total Cost" Evaluation (Article 41)

Article 41 of the CADA proposal requires the Union and Member States to take necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence. Crucially, this encouragement is not a blind mandate; it requires decision-makers to take into account "functionalities, including security, total cost, and other relevant, duly justified objective criteria."

This explicit inclusion of "total cost" is a pivotal shift for business models. Historically, proprietary software often secured public contracts due to bundled support, perceived lower risk, and the simplicity of a single vendor relationship, despite often carrying high upfront licensing fees. Conversely, open source software (OSS) frequently presented a lower upfront acquisition cost but carried higher integration, customization, and maintenance costs that were sometimes opaque to buyers.

By mandating that public buyers evaluate the "total cost," CADA levels the playing field. It forces a rigorous assessment of long-term operational expenses. This can disadvantage proprietary vendors whose high licensing fees are not justified by superior security or functionality, while benefiting open source providers who can demonstrate lower total costs through community-driven maintenance, transparent development lifecycles, and the absence of restrictive licensing fees. The "total cost" metric effectively penalizes business models reliant on recurring licensing revenue without commensurate value addition, while rewarding models that monetize expertise, support, and integration.

The EU Open Source Solutions Catalogue and Reusable Code (Article 43)

Article 43 establishes the EU Open Source Solutions Catalogue (EU OSS Catalogue). This centralized catalogue is intended to make software available for reuse by Union entities and public sector bodies easily accessible. The proposal mandates that when Union entities or public sector bodies make software they hold intellectual property rights over available for reuse under an open source licence, they must do so through a catalogue or repository connected to the EU OSS Catalogue.

This provision directly impacts the market for "free reusable solutions." By aggregating publicly funded software into a single, searchable, and interoperable repository, the EU increases the discoverability and perceived quality of free alternatives. For commercial cloud providers and software vendors, this creates a dual effect:

1. Increased Competition: Public buyers can more easily find vetted, secure, and compliant open source alternatives to proprietary software. The catalogue reduces the "search cost" and perceived risk associated with adopting OSS, as it aggregates solutions that have already been tested and funded by public entities.
2. Standardization: The catalogue promotes the use of common, interoperable solutions. This can reduce the demand for highly customized, proprietary vertical solutions that rely on closed ecosystems, pushing the market toward standardized, open components.

New Market Opportunities: Support, Security, and Integration

While the availability of free code increases competition for license sales, it simultaneously creates robust new revenue streams for providers who adapt their business models. The CADA framework implicitly supports a shift from selling software licenses to selling services around that software. As public sector bodies are encouraged to use open source, they still require critical services that the code itself does not provide:

• Integration and Customization: Tailoring generic open source solutions to specific public sector workflows and legacy systems.
• Security and Compliance: Ensuring that open source components meet the strict cybersecurity and sovereignty requirements of the CADA's Union Assurance Levels (outlined in Annex II). Providers can monetize the expertise required to audit, harden, and certify open source stacks.
• Managed Services: Hosting, maintaining, updating, and providing 24/7 support for open source infrastructure.
• Training and Skills: Developing the workforce capable of managing these new open source ecosystems.

Providers who can offer robust support, security auditing, and seamless integration for open source solutions will find a growing market in the public sector. The "open source first" principle in Article 41 does not mean "open source only," but it does mean that proprietary solutions must justify their value against these free alternatives through demonstrable superior security, lower total cost of ownership, or unique functionality.

Pressures on Proprietary Business Models

For providers relying on traditional proprietary licensing models, CADA poses significant structural pressures. The requirement to consider "total cost" and the availability of high-quality reusable code in the EU OSS Catalogue mean that proprietary software must offer clear, quantifiable advantages. If a proprietary solution cannot demonstrate superior security or lower long-term costs compared to a well-supported open source alternative, it risks losing public sector contracts.

This pressure encourages providers to evolve their strategies:

• Adopt Hybrid Models: Offering open source core products with paid enterprise features, advanced management tools, or premium support tiers.
• Reduce Licensing Fees: Adjusting pricing structures to remain competitive on the "total cost" metric.
• Focus on Niche Innovation: Concentrating on high-value, specialized applications where open source alternatives are less mature, less secure, or lack the necessary sovereignty guarantees.

What this means for you

As a cloud service provider, data centre operator, or software vendor, you must adapt your go-to-market strategy for the public sector. The CADA proposal signals that public buyers will increasingly favor solutions that are transparent, interoperable, and cost-effective over their entire lifecycle.

1. Audit Your Value Proposition: Ensure your sales materials clearly articulate the "total cost" benefits of your solutions, including security, maintenance, and integration costs. If you offer proprietary software, you must demonstrate why it is more secure or efficient than open source alternatives listed in the EU OSS Catalogue.
2. Invest in Open Source Support: If you offer open source solutions, invest heavily in high-quality support, security auditing, and integration services. These services will likely become your primary revenue stream as the software itself becomes commoditized.
3. Engage with the EU OSS Catalogue: Consider contributing your own open source components to the EU OSS Catalogue (Article 43) if you hold the intellectual property rights. This increases your visibility in the public sector market and positions you as a partner in Europe's digital sovereignty.
4. Prepare for Hybrid Models: Evaluate whether a hybrid model, combining open source core technologies with proprietary management tools or support services, offers the best balance of competitiveness and profitability for public sector clients.

Common misconceptions

"CADA bans proprietary software." No. Article 41 encourages the use of open source but explicitly allows for the use of proprietary solutions if they are justified by security, total cost, or other objective criteria. The law requires a balanced assessment, not a blanket prohibition.

"All public sector software must be open source." The proposal encourages open source but recognizes that proprietary solutions may be necessary for specific security or functional requirements. The decision must be based on a balanced assessment of total cost, security, and functionality, as mandated by Article 41.

"Open source providers will go out of business due to free competition." While competition from free reusable code increases, the demand for support, integration, security auditing, and compliance services around open source software is growing. Providers who shift their business model to focus on services rather than licenses can thrive in this environment. The "free" code creates the demand for the "paid" expertise.

Related

• What CADA's open source rules mean for cloud and software providers
• CADA Article 42: What happens if a public body shares open source software outside the EU OSS Catalogue?
• How does the OSPO Network promote sharing and reuse of open-source software?
• How does 'open source first' affect cloud migration decisions in the public sector under CADA?
• CADA Open Source First: How it compares to choosing proprietary software

This is general information about a draft EU regulation, not legal advice.