Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) explicitly identifies open source as a strategic lever to boost technological sovereignty. Article 41 obliges the Union and Member States to encourage public-sector bodies to use and facilitate the reuse of open standards and open-source components when building their cloud and AI ecosystems. This measure is not an isolated technical requirement but a core component of the EU's broader digital policy framework. The explanatory memorandum confirms that CADA reinforces the Apply AI Strategy by tackling cross-cutting challenges in AI development and deployment, while simultaneously complementing the Digital Decade Policy Programme by providing the concrete regulatory framework and support measures that the Digital Decade currently lacks for compute capacity and data-centre deployment. By reducing vendor lock-in and fostering a competitive single market for European providers, CADA would align public procurement with the EU's strategic autonomy objectives.

Detail

The proposed CADA moves beyond viewing open source merely as a cost-saving or technical preference; it elevates open source to a foundational element of the EU's digital sovereignty architecture. The explanatory memorandum states that the proposal "places a specific focus on open source as a lever to boost technological sovereignty, in line with the EU Open Source Strategy which aims to promote open European alternatives across the European technology stack." This strategic alignment addresses the current market reality where "three non-EU hyperscalers control over 70% of the European cloud market," creating dependencies that expose the Union to operational discontinuity and extraterritorial legal risks.

Alignment with the Apply AI Strategy

The relationship between CADA and the Apply AI Strategy is one of direct reinforcement and operationalisation. The explanatory memorandum notes that the Apply AI Strategy "sets out concrete actions to harness AI's transformative potential, with a focus on boosting adoption across key industry sectors and the public sector." Crucially, the Strategy also "introduces support measures to strengthen the EU's technological sovereignty by tackling cross-cutting challenges in AI development and deployment."

CADA is designed to underpin these objectives. The memorandum explains that the proposal "contributes to their implementation by introducing targeted measures aimed at supporting the development and deployment of cloud and AI, increasing access to compute capacity and building trust in cloud computing services."

Article 41 operationalises this alignment by mandating that "the Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack." This obligation is not absolute; it requires authorities to take into account "functionalities, including security, total cost, and other relevant, duly justified objective criteria." However, the intent is clear: by prioritising open standards and components, public procurement would drive demand for European alternatives, directly supporting the Apply AI Strategy's goal of ensuring that AI adoption strengthens, rather than undermines, the Union's technological autonomy.

Furthermore, Article 42 supports this ecosystem by requiring that when Union entities or public-sector bodies make software available for reuse under an open-source licence, they must do so via a catalogue connected to the EU Open Source Solutions Catalogue. This centralised repository, hosted on the Interoperable Europe portal, aims to "maximise the value of public expenditure, reduce duplication costs and foster innovation across the Union."

Connection to the Digital Decade Policy Programme

CADA also serves as a critical missing link for the Digital Decade Policy Programme. The explanatory memorandum highlights that while the Digital Decade focuses on four cardinal pointsβ€”a digitally skilled population, secure and sustainable digital infrastructures, digital transformation of businesses, and digitalisation of public servicesβ€”it "does not include either a target for measuring progress in the deployment of compute capacity or data centres in the EU or concrete support measures for their deployment."

CADA fills this gap. The memorandum states that the proposal "complements the Digital Decade Policy Programme by leveraging the existing yearly monitoring exercise, thus creating synergies with the existing framework." It helps advance all four cardinal points by "establishing concrete measures centred on developing innovative AI-enabling technologies, deploying expanded compute capacity, and creating a trust framework for enhanced use of cloud and AI."

The connection is further solidified in Recital 23, which links the broad adoption of AI to the network of Experience and Acceleration Centres for AI (established under Article 5). These centres are tasked with helping organisations accelerate their digital transformation and are explicitly linked to the Digital Decade's target of "digital transformation of businesses." By promoting open-source solutions through these centres and the broader CADA framework, the proposal ensures that the infrastructure underpinning the Digital Decade's goals is resilient, sovereign, and aligned with EU values.

Open Source as a Sovereignty Lever

The explanatory memorandum provides the strategic rationale for why open source is a sovereignty lever. It notes that "Europe has world-class research and development capabilities, vibrant open-source communities and a strong industrial base in cloud and AI, which however remain largely untapped." By leveraging these assets, CADA aims to reduce the EU's reliance on third-country providers.

The memorandum explains that "access to the source code enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in." This is particularly critical for the sovereignty framework established in Title IV. While the sovereignty framework (Article 16) focuses on assurance levels regarding establishment, infrastructure location, and third-country control, open source provides the technical transparency necessary to verify these claims. As noted in the memorandum, "promoting the use of open source is therefore essential to support innovation, ensure better value for public expenditure and strengthen the Union's digital autonomy."

What this means for you

For public-sector bodies, procurement officers, and IT strategists, the integration of CADA with the Apply AI Strategy and Digital Decade creates a new compliance and strategic landscape.

  • Procurement Strategy: Under Article 41, you must actively evaluate open-source options when procuring cloud or AI services. While proprietary solutions are not banned, you are required to consider functionalities, security, and total cost of ownership. Ignoring open-source alternatives could be seen as failing to take necessary measures to encourage their use.
  • Reuse Obligations: If your entity develops software, Article 42 encourages (and in some contexts mandates via national strategies) making that software available for reuse under an open-source licence. You must ensure this software is listed in a repository connected to the EU Open Source Solutions Catalogue to maximise its visibility and utility across the Union.
  • National Alignment: Your procurement practices must align with your Member State's national cloud and AI strategy (required under Article 7). These national strategies must include measures to support the development of cloud computing stack technologies built upon open hardware and software.
  • Strategic Planning: View open source not just as a technical choice but as a tool to meet the Digital Decade's targets for digital transformation and the Apply AI Strategy's goals for sovereignty. Using open-source components can help demonstrate compliance with the "European added value" criteria in public procurement (Article 32).

Common misconceptions

"CADA mandates that all public software must be open source." No. Article 41 states that authorities shall "encourage" the use and reuse of open standards and components. It explicitly requires taking into account "functionalities, including security, total cost, and other relevant, duly justified objective criteria." Proprietary solutions remain an option if they better meet these objective criteria.

"Open source is inherently less secure than proprietary software." The explanatory memorandum argues the opposite in the context of sovereignty: "Access to the source code enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor." For sovereign cloud services, the ability to audit code is a critical security feature that supports the rigorous auditing requirements of the sovereignty framework.

"The Digital Decade and CADA are separate, unrelated initiatives." They are deeply interconnected. The explanatory memorandum states that the Digital Decade "does not include... concrete support measures" for compute capacity, and CADA "complements" it by providing those measures. CADA provides the regulatory and operational framework to achieve the Digital Decade's high-level targets.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.