Summary

Under the proposed Cloud and AI Development Act (CADA), open source is a strategic lever to prevent vendor lock-in by ensuring public sector bodies retain control over their digital infrastructure. As proposed, Article 41 mandates that the Union and Member States encourage the use of open standards and components released under open-source licenses, while Article 42 requires that any software developed by or for public entities and made available for reuse must be published in a centralized catalogue. These measures aim to enhance auditability, foster collaboration, and reduce dependency on single proprietary vendors, thereby strengthening the EU's digital sovereignty.

Detail

The Cloud and AI Development Act (CADA) explicitly positions open source not merely as a technical preference, but as a critical mechanism for achieving technological sovereignty and mitigating the risks of vendor lock-in. The proposal addresses the EU's heavy reliance on non-European cloud providers by creating a regulatory framework that incentivizes transparency, interoperability, and reuse of digital assets.

The Legal Basis: Articles 41 and 42

The core provisions governing open source and vendor lock-in are found in Title IV, Chapter V of the proposed regulation.

Article 41: Promoting Open Source Solutions and "Open Source First"

Article 41 establishes a binding obligation for the Union and Member States to take necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open-source license. This applies when building their cloud and AI ecosystem or stack.

Crucially, this encouragement is not absolute; it must be balanced against other objective criteria. The article specifies that decisions should take into account functionalities, including security, total cost, and other relevant, duly justified objective criteria. This ensures that open source is adopted where it delivers value without compromising performance or security.

Article 42: Share and Reuse of Software

Article 42 operationalizes the principle of reuse. It mandates that when a Union entity or public sector body decides to make software available for reuse under an open-source license, it must do so using a catalogue or repository that is connected to, and made accessible through, the EU Open Source Solutions Catalogue (EU OSS Catalogue). This centralization prevents fragmentation and ensures that software developed with public funds is discoverable and reusable across the public sector, reducing the need to reinvent the wheel or purchase proprietary alternatives.

Recital 81: The Rationale for Avoiding Lock-In

The legislative intent behind these articles is clearly articulated in Recital 81. This recital provides the philosophical and practical justification for the open-source push, stating:

"Access to the source code enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in. Promoting the use of open source is therefore essential to support innovation, ensure better value for public expenditure and strengthen the Union's digital autonomy."

This recital highlights three key benefits of open source in the context of CADA:

  1. Auditability: Public bodies can verify the security and integrity of the software they use, which is critical for sovereign cloud services.
  2. Collaboration and Reuse: By sharing code, public sector bodies can leverage each other's investments, reducing duplication of effort.
  3. Reduced Dependency: Moving away from proprietary, closed-source solutions limits the power of any single vendor to dictate terms, pricing, or service continuity.

Link to Digital Sovereignty

The push for open source is inextricably linked to CADA's broader objective of digital sovereignty. The explanatory memorandum and recitals emphasize that Europe's dependence on a limited number of third-country cloud providers poses significant risks to operational autonomy and data security. By fostering an ecosystem where software is transparent and interoperable, CADA aims to create a resilient market where European providers can compete on merit rather than proprietary barriers. Open source allows for the development of "European open cloud stacks" (referenced in the Cloud and AI Leadership Initiatives under Article 4), ensuring that the underlying technology of the EU's digital infrastructure is not controlled by external actors.

Furthermore, the proposal establishes the EU Open Source Solutions Catalogue (Article 43) and a Network of Open Source Programme Offices (OSPO Network) (Article 44). These structures provide the governance and infrastructure needed to manage open-source assets effectively, ensuring that the shift away from vendor lock-in is supported by robust organizational capabilities. The OSPO Network, in particular, is tasked with facilitating the exchange of information and best practices regarding licensing, security, and maintenance, which are critical for managing the risks associated with open-source adoption in a sovereign context.

What this means for you

For public-sector procurement officers and IT strategists, CADA's open-source provisions represent a significant shift in how digital contracts and software development are approached. Here is how these rules would likely impact your operations if the proposal is adopted:

  1. Procurement Criteria Must Include Open Source Considerations: When drafting tender documents for cloud computing services or AI systems, you must consider open-source solutions as a viable, and often preferred, option. Article 41 requires you to encourage their use. This means evaluating bids not just on price and features, but on the degree to which they rely on open standards and licenses that prevent lock-in. You may need to adjust your evaluation matrices to reward solutions that offer greater transparency and portability.

  2. Mandatory Reuse of Publicly Funded Software: If your organization develops custom software or modifies existing software with public funds, and you choose to release it under an open-source license, Article 42 requires you to publish it in the EU OSS Catalogue. This is not optional once you decide to make the software available for reuse. You must ensure your internal processes can handle the submission of code to this central repository. This promotes cross-border collaboration and allows other public bodies to build upon your work.

  3. Shift from "Buy" to "Build and Share": CADA encourages a cultural shift towards developing and sharing solutions rather than purchasing proprietary black-box services. By participating in the OSPO Network (Article 44), your organization can access best practices, legal templates, and technical guidance on managing open-source risks. This network will help you navigate the complexities of licensing, security, and maintenance.

  4. Risk Mitigation in Vendor Contracts: When engaging with cloud providers, you should negotiate terms that align with the "open source first" principle. This might include requiring vendors to provide access to source code for critical components, or ensuring that data and applications are portable across different platforms. The goal is to ensure that if a vendor fails or changes terms, your organization can migrate to an alternative provider without significant disruption.

  5. Total Cost of Ownership (TCO) Analysis: While open source can reduce licensing fees, it may increase costs related to maintenance, support, and security audits. Article 41 explicitly mentions "total cost" as a relevant criterion. Procurement officers must conduct thorough TCO analyses that account for these hidden costs, ensuring that the choice of open source is economically sustainable in the long term.

Common misconceptions

Misconception 1: CADA mandates that all public sector software must be open source.

This is incorrect. Article 41 uses the term "encourage" rather than "mandate." It requires public bodies to take measures to encourage the use of open standards and components. The choice must still consider other factors like security, functionality, and total cost. Proprietary solutions remain permissible if they are justified by objective criteria.

Misconception 2: Open source automatically means lower costs.

While open source eliminates licensing fees, it does not eliminate costs. Public bodies must invest in expertise, maintenance, security auditing, and potentially support contracts. Article 41 explicitly lists "total cost" as a factor to consider, acknowledging that open source is not always the cheapest option when all factors are included.

Misconception 3: Any software can be uploaded to the EU OSS Catalogue.

Article 42 specifically applies to software that Union entities or public sector bodies voluntarily decide to make available for reuse under an open-source license. It does not force every piece of software to be open-sourced. However, if you choose to open-source it, you must use the connected catalogue.

Misconception 4: Open source solves all vendor lock-in issues.

Open source reduces dependency on a single vendor for the software code, but lock-in can also occur through data formats, APIs, and infrastructure dependencies. CADA addresses this through broader measures, such as the sovereignty framework (Article 16) and data portability requirements, but open source is only one part of the solution.

This is general information about a draft EU regulation, not legal advice.