How does CADA relate to the EU Open Source Strategy?

Summary As proposed, the Cloud and AI Development Act (CADA) would operationalise key elements of the EU Open Source Strategy by embedding open-source promotion into how Union entities and public sector bodies build their cloud and AI stacks. Articles 41 to 44 would create obligations to encourage open standards and open-source components, to share reusable software through a catalogue connected to the EU Open Source Solutions Catalogue, and to coordinate via a network of Open Source Programme Offices. The proposal frames open source not merely as cost-saving, but as a lever for technological sovereignty, reduced vendor lock-in, and security auditability.

Detail

The EU Open Source Strategy aims to foster open source for sovereignty, competitiveness, and security. CADA, as proposed, would translate these strategic goals into legislative measures sitting in Title IV, Chapter V (Open source). Recital 81 recognises that open source plays an important role in ensuring transparency, security, and efficiency, and that access to source code supports auditability and reduces dependency.

Open source as a sovereignty lever

CADA would position open source as a mechanism to support technological autonomy. Recital 15 states that the Cloud and AI Leadership Initiatives should also promote the development of technologies relying on open standards and open source. By encouraging open-source components, the proposal seeks to support a more autonomous European technology stack that is less exposed to unilateral decisions by third-country actors.

Proposed measures for the public sector (Articles 41-44)

The proposal would introduce specific obligations directed at Union entities and public sector bodies:

• Promoting open source and "open source first" (Article 41): The Union and Member States would take the necessary measures to encourage Union entities and public sector bodies to use, and facilitate the reuse of, open standards and components released under an open-source licence when building their cloud and AI ecosystem or stack. This decision would take into account functionalities, including security, total cost, and other relevant, duly justified objective criteria.
• Share and reuse of software (Article 42): When a Union entity or public sector body makes software to which it holds intellectual property rights available for reuse under an open-source licence, it would have to do so using a catalogue or repository connected to, and accessible through, the EU Open Source Solutions Catalogue.
• EU Open Source Solutions Catalogue (Article 43): The Commission would provide and maintain the EU OSS Catalogue as a centralised catalogue to access software made available for reuse by Union entities and public sector bodies. As proposed, it would be hosted on the Interoperable Europe portal and accessible electronically free of charge.
• Network of Open Source Programme Offices (Article 44): The Commission would establish an OSPO Network to facilitate cooperation on implementing this chapter's obligations - exchanging best practices, promoting sharing and reuse, and contributing on a voluntary, non-binding basis to guidance and templates on open-source licensing, security, maintenance, and procurement.

Integration with the Leadership Initiatives

Beyond procurement-facing rules, the Cloud and AI Leadership Initiatives (Title II) would also support open source. Under operational objective 2 (Article 4(2)), the Initiatives would, among other things, develop and pilot secure, resilient, and performant open cloud computing stacks, foster the creation of open-source software foundations supporting open-source components, and establish a catalogue of European open cloud computing solutions.

What this means for you

For CTOs, architects, and SMEs, CADA's open-source provisions would signal a shift in how the European public sector approaches technology procurement.

For public sector CTOs and architects: You would need to factor open-source assessment into procurement. Article 41 would require encouraging open-source solutions and evaluating them on functionality, security, total cost, and other objective criteria. This is not a mandate to use open source exclusively, but a push to actively consider it. Where your entity makes its own software available for reuse under an open-source licence, Article 42 would require publishing it through a catalogue connected to the EU OSS Catalogue. Establishing or joining an OSPO (Article 44) would likely become a practical priority.

For SMEs and cloud providers: There is a growing opportunity for European open-source providers. Open-source transparency can make some sovereignty-related criteria easier to evidence, though it does not by itself confer any Union assurance level. Ensuring your offerings work with open standards, and can be surfaced via the EU OSS Catalogue where relevant, would help in public tenders.

For software architects: Design for auditability and reuse. The emphasis on source-code access (Recital 81) means opaque, proprietary black boxes may face higher scrutiny in public-sector deployments. Prioritising modular, open-standard components would align with the EU's sovereignty objectives.

Common misconceptions

Misconception 1: CADA would mandate exclusive use of open-source software. It would not. Article 41 would require encouraging and facilitating open-source use while taking into account objective criteria like security and cost. Proprietary solutions would remain viable where they meet the requirements. The goal is balanced evaluation, not exclusion.

Misconception 2: Open source automatically equals "sovereign" under CADA. While open source aids sovereignty by enabling auditability, it would not automatically confer a Union assurance level. A service would still have to meet the cumulative criteria for Union assurance levels 1-4 (Annex II). An open-source service hosted on infrastructure subject to third-country control could still fail the higher-level criteria. Open source is a lever, not a guarantee.

Misconception 3: The EU OSS Catalogue is a new development tool. The EU OSS Catalogue (Article 43) would be a discovery and reuse platform, not a development environment. It would aggregate software made available for reuse by Union entities and public sector bodies, improving findability and reducing redundant development.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What does CADA say about open source?
• What is the relationship between CADA and the Preparedness Union Strategy?
• How does CADA relate to the Digital Decade Policy Programme?
• CADA and the Chips Act 2.0: how the two relate
• What is the national cloud and AI strategy required by CADA?

This is general information about a draft EU regulation, not legal advice.