Summary As proposed, the Cloud and AI Development Act (CADA) fundamentally shifts the EU's approach to open source from a voluntary, fragmented policy to a mandatory, harmonized legal framework. While the previous EU Open Source Strategy relied on encouragement and best practices, CADA would legally require Union entities and public sector bodies to channel software reuse through a centralized EU Open Source Solutions Catalogue and to participate in a coordinated Network of Open Source Programme Offices (OSPOs). This transition, grounded in Recital 83 and Articles 41–44, moves open source from a discretionary preference to a standardized operational requirement designed to enhance transparency, security, and technological autonomy.

Detail

The European Commission's proposal for the Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a decisive evolution in how the European Union manages open-source software within the public sector. To understand the magnitude of this shift, it is necessary to contrast the new statutory obligations with the prior landscape, which was characterized by voluntary guidelines, disparate national initiatives, and a significant lack of centralized discoverability.

From Voluntary Strategy to Statutory Framework

Prior to CADA, the EU's engagement with open source was primarily guided by the EU Open Source Strategy. As explicitly noted in the explanatory memorandum, this strategy aimed to "foster open source for sovereignty, competitiveness and security through a series of focused measures." However, these measures were largely persuasive rather than prescriptive. Public administrations were encouraged to use open standards and components, but there was no harmonized legal mechanism to ensure that software developed with public funds was consistently shared, discoverable, or managed across borders. The result was a patchwork of national approaches where valuable code often remained siloed.

CADA formalizes these ambitions into binding legal provisions. The proposal explicitly states that it places a "specific focus on open source as a lever to boost technological sovereignty, in line with the EU Open Source Strategy." By embedding these goals into a Regulation, CADA moves beyond encouragement to create a uniform legal baseline for all Member States and Union entities. This ensures that the strategic objectives of the previous policy are no longer subject to varying levels of national implementation but are instead enforced as a single Union legal framework.

Formalizing the Catalogue and Discoverability

A critical pain point in the previous approach was the fragmentation of software repositories. As Recital 83 of the CADA proposal highlights, "an increasing number of Union entities and public-sector bodies are sharing software developed by or for them and making it available for reuse under an open-source licence." While this trend was positive, Recital 83 identifies a major inefficiency that the previous strategy failed to resolve: "software is often made available and accessible in different repositories or catalogues, hampering searchability, discoverability, and, ultimately, reuse."

CADA addresses this fragmentation through Article 42 and Article 43, creating a unified digital infrastructure for public software.

  • Article 42 establishes a clear, mandatory obligation: when a Union entity or public sector body voluntarily decides to make software available for reuse under an open-source licence, it "shall do so using a catalogue or repository that is connected to, and made accessible through, the EU OSS Catalogue." This removes the option of hosting code in isolated or incompatible systems.
  • Article 43 mandates the Commission to provide and maintain this EU Open Source Solutions Catalogue as a centralized hub. The regulation specifies that it "shall be hosted on the Interoperable Europe portal referred to in Article 8 of Regulation (EU) 2024/903 and shall be accessible electronically free of charge."

This creates a "one-stop-shop" for public-sector software, ensuring that valuable code developed in one Member State can be easily discovered and reused by another. As the explanatory memorandum notes, this approach is designed to "maximise the value of public expenditure, reduce duplication costs and foster innovation across the Union."

Establishing the OSPO Network

Beyond technical cataloguing, CADA introduces a structural governance mechanism to support open-source management. Previously, open-source coordination varied wildly between Member States, with some having robust internal programme offices and others having none. This lack of coordination hindered the exchange of best practices on complex issues like licensing, security, and procurement.

Article 44 of the CADA proposal requires the Commission to establish a Network of Open Source Programme Offices (OSPO Network). This network is designed to:

  1. Bring together OSPOs established by public sector bodies at local, regional, or national levels, as well as those by Union entities.
  2. Facilitate the exchange of information, experience, and best practices regarding technical, legal, and organizational challenges, including licensing, security, and procurement.
  3. Promote the sharing and reuse of open-source software.
  4. Contribute, on a voluntary and non-binding basis, to the development of guidance, templates, or recommendations.

This provision institutionalizes collaboration. Instead of isolated efforts, public-sector bodies would operate within a coordinated EU-wide network, ensuring consistent standards and shared learning. The Commission is tasked to "support and coordinate the OSPO Network" and convene meetings at least twice a year, ensuring that the network remains active and responsive to emerging challenges.

Promoting "Open Source First" and Security

While previous approaches encouraged open source, CADA integrates it into broader security and autonomy goals. Article 41 requires the Union and Member States to take measures to "encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence." The proposal justifies this by noting in Recital 81 that access to source code "enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in."

This links open source directly to the CADA's core objectives of reducing critical external dependencies and enhancing cybersecurity. It is no longer just about cost-saving or community ethos; it is a strategic imperative for security and sovereignty. The regulation emphasizes that the choice of software has "significant implications not only for cost-efficiency, but also for security, interoperability, accountability and technological autonomy."

What this means for you

For public-sector procurement officers, IT directors, and legal counsel, CADA introduces concrete operational changes that will affect how you manage software assets and engage with vendors.

1. Mandatory Catalogue Integration If your organization develops software or holds intellectual property rights to software that you intend to release under an open-source licence, you can no longer simply host it on an internal server or a generic public repository like GitHub without further steps. You must ensure that your repository is connected to and accessible through the EU Open Source Solutions Catalogue. This requires technical integration with the Interoperable Europe portal and adherence to the Commission's criteria for connection. Failure to connect could mean your software is not recognized as part of the Union's shared ecosystem.

2. Participation in the OSPO Network If your entity has an Open Source Programme Office (or plans to establish one), you should prepare to integrate into the EU-wide OSPO Network mandated by Article 44. This means aligning your internal policies on licensing, security, and procurement with the best practices exchanged through this network. It also implies a duty to collaborate with peers in other Member States on common challenges. For entities without an OSPO, the network provides a pathway to establish one and gain access to shared expertise.

3. Procurement and Vendor Selection While CADA does not mandate that all public software must be open source, it strongly encourages it through Article 41. Procurement officers should be prepared to prioritize open standards and components in their tenders. The proposal suggests that the choice of software has significant implications for "security, interoperability, accountability and technological autonomy." You may need to adjust your evaluation criteria to explicitly value open-source compliance, auditability, and the absence of vendor lock-in. The regulation encourages the use of open source "taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."

4. Increased Scrutiny on Reuse The formalization of the catalogue means that your organization's open-source contributions will be more visible. This brings reputational benefits but also requires higher standards for documentation, licensing clarity, and security hygiene, as your code will be part of a central EU infrastructure. The "one-stop-shop" nature of the catalogue means that poor quality or insecure code could be more easily identified and flagged by the wider community.

Common misconceptions

Misconception 1: CADA forces all public software to be open source. This is incorrect. Article 42 applies when entities "voluntarily decide to make software available for reuse." CADA does not mandate that every piece of software developed by the public sector must be released as open source. However, it does create a strong incentive structure and a streamlined path for those who choose to do so, making it the preferred route for maximizing public value. The regulation respects the discretion of public bodies while ensuring that if they choose to share, they do so in a standardized way.

Misconception 2: This replaces national open-source strategies. No. CADA complements national efforts. Article 44 allows Member States to join the OSPO network, fostering coordination rather than replacement. National strategies remain relevant, but they will now operate within a harmonized EU framework that ensures cross-border compatibility and discoverability. The network is designed to "facilitate the exchange of information, experience and best practices between Member States and the Commission."

Misconception 3: Open source is only about cost reduction. Under CADA, the narrative shifts from cost to sovereignty and security. The explanatory memorandum and Recital 81 explicitly link open source to "technological sovereignty," "security," and reducing "dependency on a single vendor." Procurement officers should frame open source decisions around risk mitigation and strategic autonomy, not just budgetary savings. The regulation views open source as a critical lever for "boosting technological sovereignty" and ensuring "security" in the digital ecosystem.

Misconception 4: The catalogue is just a list of links. The EU Open Source Solutions Catalogue is more than a directory; it is a functional platform hosted on the Interoperable Europe portal. It is designed to be "accessible electronically free of charge" and serves as the central point for searching and accessing software. The Commission is empowered to decide on requests to connect repositories, ensuring that only compliant and accessible solutions are included.

Related

This is general information about a draft EU regulation, not legal advice.