Summary

As proposed, the Cloud and AI Development Act (CADA) would require the Union and Member States to take necessary measures to encourage public-sector bodies to use and facilitate the reuse of open standards and components released under an open-source licence when building their cloud and AI ecosystems. Anchored in Article 41, this mandate aims to reduce dependency on single proprietary vendors, mitigate vendor lock-in, and enhance the technological sovereignty and resilience of public-sector IT. By prioritizing open-source solutions, the proposal seeks to ensure that public administrations maintain control over their digital assets, improve security through auditability, and lower long-term costs, thereby supporting the broader objective of preserving public order through resilient, autonomous digital services.

Detail

The proposed Cloud and AI Development Act (CADA) explicitly identifies open source as a critical lever for strengthening the European cloud and AI ecosystem. The legislation moves beyond voluntary encouragement, establishing a binding framework that integrates open-source principles into the core of public-sector digital strategy. This approach is designed to address the EU's current heavy reliance on a limited number of third-country cloud providers and to foster a more competitive, resilient, and sovereign digital market.

The Legal Mandate: Article 41

The cornerstone of this policy is Article 41 of the CADA proposal, titled "Promoting open source solutions and open source first." The article states that "The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack."

Crucially, the provision requires that this encouragement take into account functionalities, security, total cost, and other duly justified objective criteria. This ensures that the shift toward open source is not merely ideological but is grounded in practical performance, security standards, and economic efficiency. By mandating that Member States take "necessary measures," the proposal implies that national strategies and procurement guidelines must be adapted to favor open-source solutions where they meet these rigorous standards.

Strategic Rationale: Recital 81 and Resilience

The strategic intent behind Article 41 is elaborated in Recital 81 of the explanatory memorandum. The recital highlights that open source plays an "important role in ensuring transparency, security and efficiency in the use of digital technologies by the public sector." It argues that access to source code enables auditability, fosters collaboration and reuse, and significantly reduces dependency on a single vendor.

Recital 81 explicitly links open source to resilience by stating that promoting its use is "essential to support innovation, ensure better value for public expenditure and strengthen the Union's digital autonomy." The recital further notes that the choice of cloud computing services or software has "significant implications not only for cost-efficiency, but also for security, interoperability, accountability and technological autonomy." By reducing the risk of vendor lock-in, open source allows public sector bodies to switch providers more easily, adapt systems to evolving needs, and maintain operational continuity even if a specific vendor fails or withdraws from the market. This directly supports CADA's broader objective of safeguarding public order by ensuring that critical digital infrastructure remains under European control and is resilient to external shocks or geopolitical pressures.

Operational Mechanisms: Reuse and Catalogues

To operationalize this mandate, CADA introduces several supporting mechanisms. Article 42 requires that when Union entities or public sector bodies make software available for reuse under an open-source license, they must do so using a catalogue or repository connected to the EU Open Source Solutions Catalogue (EU OSS Catalogue). Article 43 establishes this centralised catalogue, hosted on the Interoperable Europe portal, to improve the searchability, discoverability, and ultimately the reuse of public-sector software. This creates a "public good" of software assets that can be shared across borders and administrations, reducing duplication of effort and cost.

Furthermore, Article 44 establishes a network of Open Source Programme Offices (OSPO Network) to facilitate cooperation, exchange best practices, and address common technical, legal, and organizational challenges related to open-source licensing, security, and procurement. This network ensures that public sector bodies have the expertise and support needed to implement open-source strategies effectively.

Alignment with Sovereignty and Procurement

The push for open source is deeply intertwined with CADA's sovereignty framework. Article 32 allows contracting authorities to include "Union added value" criteria in public procurement, which can favor solutions that strengthen the European digital supply chain. Open-source software, particularly when developed or maintained within the EU, aligns with these criteria by ensuring that the underlying technology is transparent, auditable, and not subject to the extraterritorial laws of third countries. This reduces the risk of backdoors, unauthorized data access, or service disruptions imposed by foreign entities, thereby enhancing the resilience of public-sector IT.

What this means for you

For public-sector procurement officers and IT decision-makers, the proposed CADA introduces a significant shift in how cloud and AI infrastructure should be evaluated and acquired. Here are the key implications:

  1. Review Procurement Criteria: You must review your tender documents and evaluation criteria to ensure they align with the "open source first" principle. While CADA does not mandate open source in every case, it requires that you take necessary measures to encourage its use. This means giving weight to open-source solutions in your evaluations, particularly when they offer comparable or superior security, functionality, and total cost of ownership.
  2. Prioritize Auditability and Security: When assessing cloud and AI services, prioritize those that provide access to source code or are based on open standards. This allows for independent security audits, which is crucial for maintaining the integrity of public-sector data and systems. Proprietary black-box solutions may pose higher risks if they cannot be thoroughly vetted for vulnerabilities or compliance with EU data protection standards.
  3. Leverage the EU OSS Catalogue: Utilize the EU Open Source Solutions Catalogue to identify reusable software components and solutions developed by other public sector bodies. This can accelerate deployment, reduce development costs, and ensure interoperability with other EU systems. When your organization develops new software, consider releasing it under an open-source license and contributing it to the catalogue to foster a collaborative ecosystem.
  4. Mitigate Vendor Lock-in: Design your IT architecture to avoid dependency on a single proprietary vendor. By adopting open standards and open-source components, you retain the flexibility to switch providers or adapt systems without being held hostage by proprietary licensing terms or technical incompatibilities. This is essential for maintaining operational resilience and ensuring that critical public services can continue uninterrupted.
  5. Engage with OSPO Networks: Participate in the network of Open Source Programme Offices to share best practices, access expert guidance on licensing and security, and collaborate on common challenges. This network will be a valuable resource for navigating the complexities of open-source adoption and ensuring compliance with CADA's requirements.

Common misconceptions

  • "CADA mandates open source for all public-sector IT."
    • Correction: CADA does not impose a blanket ban on proprietary software. Article 41 requires Member States to "encourage" the use of open source, taking into account functionalities, security, and total cost. Proprietary solutions may still be used if they are demonstrably superior or if no viable open-source alternative exists, but the default preference should shift toward open source where it meets the required standards.
  • "Open source is always less secure than proprietary software."
    • Correction: Recital 81 explicitly states that open source enhances security through transparency and auditability. While security depends on implementation and maintenance, the ability to inspect source code allows for faster identification and patching of vulnerabilities. CADA emphasizes that open source supports "security, interoperability, accountability and technological autonomy."
  • "Open source means no vendor support or accountability."
    • Correction: CADA encourages the use of open-source components, but this does not preclude contracting with vendors for support, maintenance, or customization. Many European providers offer robust support services for open-source solutions. The goal is to reduce dependency on a single vendor's proprietary ecosystem, not to eliminate professional support entirely.
  • "This only applies to new projects."
    • Correction: While new developments are the primary focus, the principle of reusing open-source software (Article 42) applies to existing software holdings as well. Public sector bodies are encouraged to review their existing software portfolios and consider migrating to open-source alternatives where feasible to reduce long-term costs and risks.

This is general information about a draft EU regulation, not legal advice.