Summary The proposed Cloud and AI Development Act (CADA) operationalizes the strategic recommendations of Mario Draghi’s report, The future of European competitiveness, by explicitly designating open source as a primary lever for technological sovereignty. As proposed, CADA would require the Union and Member States to encourage public-sector bodies to prioritize open standards and open-source components when building cloud and AI ecosystems. This moves beyond voluntary best practices to a regulatory framework designed to reduce critical external dependencies on third-country providers, foster a competitive domestic industrial base, and ensure the EU retains control over its digital infrastructure. The proposal frames open source not merely as a licensing choice, but as a mechanism to enhance auditability, prevent vendor lock-in, and drive the "robust financial and talent flywheel" called for in the Draghi report.

Detail

The relationship between CADA’s open-source provisions and the Draghi report is foundational to the proposal’s design. The explanatory memorandum for CADA explicitly cites the Draghi report, stating that the EU must "maintain a foothold in areas where technological sovereignty is required, such as security and encryption ('sovereign cloud' solutions)." The report calls on the European Commission to take "targeted actions aimed at regaining and retaining control over data and cloud computing services, expanding domestic computational capacity and establishing a robust financial and talent flywheel to drive innovation." CADA translates these high-level strategic imperatives into binding regulatory measures, embedding open-source promotion directly into the architecture of the EU’s cloud and AI policy.

Open Source as a Strategic Lever for Sovereignty

The explanatory memorandum identifies a critical gap in the current EU landscape: while Europe possesses "world-class research and development capabilities, vibrant open-source communities and a strong industrial base in cloud and AI," these assets "remain largely untapped." In contrast, the EU market is characterized by a "pronounced dependence on a limited pool of third-country providers," with three non-EU hyperscalers controlling over 70% of the European cloud market.

To address this, CADA places a "specific focus on open source as a lever to boost technological sovereignty, in line with the EU Open Source Strategy." The proposal posits that access to source code is essential for "auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in." By mandating a shift toward open-source solutions, CADA aims to transform the EU from a consumer of foreign technology into a global hub for "trusted, sovereign and scalable digital infrastructure."

Article 41: The "Open Source First" Mandate The legal engine of this strategy is Article 41, titled "Promoting open source solutions and open source first." As proposed, this article states:

"The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."

This provision establishes a regulatory preference for open source, requiring public bodies to weigh open standards heavily in their procurement and development decisions. The explanatory memorandum clarifies that this choice has "significant implications not only for cost-efficiency, but also for security, interoperability, accountability and technological autonomy."

Competitiveness and the Industrial Base

The Draghi report emphasizes that reducing external dependencies is a prerequisite for competitiveness. CADA supports this by fostering the development of "innovative, competitive and resilient cloud and AI technologies" through the Cloud and AI Leadership Initiatives (Title II). These initiatives include specific operational objectives to:

  • Foster the creation of "open-source software foundations supporting the design, development and maintenance of open-source components."
  • Establish a "catalogue of European open cloud computing solutions."
  • Develop "cloud computing stacks alternatives for strategic sectors."

By encouraging the use of open-source components, CADA aims to lower barriers to entry for smaller EU-based providers, thereby creating a more diverse and competitive market. The explanatory memorandum notes that the proposal "provides a sector-specific approach to sovereignty" that complements horizontal rules like the Data Act. While the Data Act facilitates switching between providers, CADA actively shapes the market to ensure a "more sovereign and trusted EU cloud computing sector" exists to switch to.

Policy Context and Synergies

CADA’s open-source framework is designed to be consistent with and reinforce existing EU policies. It complements the Digital Decade Policy Programme and the Apply AI Strategy, both of which aim to boost AI adoption and digital transformation. The proposal also aligns with the EU Open Source Strategy, which proposes to "foster open source for sovereignty, competitiveness and security."

To ensure effective implementation, CADA establishes a network of Open Source Programme Offices (OSPOs) under Article 44. This network will facilitate the exchange of information and best practices between Member States and the Commission, addressing common technical, legal, and organizational challenges. Furthermore, Article 42 mandates that when Union entities or public sector bodies make software available for reuse under an open-source licence, they must do so via a repository connected to the EU Open Source Solutions Catalogue. This centralizes access to public-sector software, maximizing the value of public expenditure and fostering innovation across the Union.

What this means for you

For public-sector bodies, Union entities, and procurement officers, CADA introduces a significant shift in how cloud and AI ecosystems are built and procured.

1. Procurement and Development Strategy

You must integrate the "open source first" principle into your procurement processes. Under Article 41, you are required to encourage the use of open standards and open-source components. When evaluating tenders, you must consider functionalities, security, total cost, and other relevant criteria, but with a distinct preference for solutions that enhance auditability and reduce vendor lock-in. This does not mean proprietary software is banned, but it must be justified against these objective criteria.

2. National Strategy Alignment

Member States are required to establish national cloud and AI strategies under Article 7. These strategies must include measures to support the development of cloud computing stack technologies built upon "open hardware and software to strengthen technological sovereignty." You should assess how open-source adoption can be leveraged to meet these national objectives and reduce dependencies on non-EU providers.

3. Reuse and Collaboration

If your organization develops software, Article 42 requires that you make it available for reuse under an open-source licence via a catalogue connected to the EU OSS Catalogue. This facilitates discoverability and reuse across the Union. Additionally, you should engage with the OSPO network (Article 44) to share best practices, address licensing challenges, and collaborate on common technical standards.

4. Strategic Planning

As proposed, CADA would enter into force one year after publication. Public bodies should begin auditing their current software stacks and procurement pipelines to identify opportunities for transitioning to open-source alternatives. This proactive approach will ensure compliance with the new regulatory framework and align with the Draghi report’s vision of a self-sufficient European digital economy.

Common misconceptions

"CADA mandates the exclusive use of open-source software." No. Article 41 states that public bodies shall "encourage" the use of open source while taking into account "functionalities, including security, total cost, and other relevant, duly justified objective criteria." Proprietary solutions remain permissible if they are objectively justified and meet the required criteria. The goal is to shift the balance, not to impose a blanket ban.

"Open source automatically guarantees security and sovereignty." Not necessarily. While open source enhances auditability and reduces vendor lock-in, it does not guarantee security on its own. CADA requires that open-source components be evaluated based on security and other relevant criteria. Furthermore, sovereignty is achieved through a combination of measures, including the Union assurance levels (data localization, personnel requirements) and the open-source mandate.

"CADA replaces national open-source strategies." No. CADA complements and reinforces national efforts. Article 7 explicitly requires Member States to include measures supporting open hardware and software in their national strategies. CADA provides the EU-level framework, the OSPO network, and the central catalogue to facilitate and coordinate these national initiatives.

"CADA is only about software licensing." No. The proposal views open source as a strategic lever for industrial policy. It aims to build a competitive supply base, foster innovation, and ensure the EU retains control over its digital infrastructure. The focus is on the entire "cloud and AI ecosystem or stack," including hardware, middleware, and AI models.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.