Summary As proposed, the Cloud and AI Development Act (CADA) would require the Union and Member States to encourage public sector bodies to use and facilitate the reuse of open standards and components released under an open-source licence. Under Article 41, this approach is designed to enhance transparency, security, and efficiency by granting access to source code, which enables auditability and reduces vendor lock-in. Recital 81 explicitly states that open source ensures "transparency, security and efficiency" and that "access to the source code enables auditability." By promoting open-source solutions, CADA aims to strengthen the Union's digital autonomy and ensure better accountability for public digital systems.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, places significant emphasis on open source as a strategic lever to boost technological sovereignty and improve the functioning of the public sector. The proposal recognizes that the choice of cloud computing services and software has profound implications for cost-efficiency, security, interoperability, and technological autonomy.

The Role of Open Source in Transparency and Accountability

Recital 81 of the CADA proposal explicitly states that "open source plays an important role in ensuring transparency, security and efficiency in the use of digital technologies by the public sector." The text highlights that "access to the source code enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in."

This provision addresses a critical gap in public procurement: the opacity of proprietary systems. When public administrations rely on closed-source software, the underlying logic of the system remains hidden. This lack of visibility makes it difficult for independent experts, auditors, or citizens to verify whether the software functions as intended, respects fundamental rights, or contains hidden vulnerabilities.

By mandating the promotion of open-source solutions, CADA seeks to ensure that public administrations are not trapped in proprietary ecosystems where the code is opaque. Transparency in this context means that the code powering public services can be inspected, verified, and understood. This auditability is essential for ensuring that public digital systems function correctly and that the public can trust the digital infrastructure underpinning essential services.

Article 41: Promoting Open Source Solutions and Open Source First

The core legal obligation regarding this topic is found in Article 41, titled "Promoting open source solutions and open source first." The article states:

"The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."

This provision does not mandate that all public software must be open source. Instead, it requires the Union and Member States to create an environment that encourages the use of open-source components. The decision to use open source must be based on objective criteria, including:

  • Functionalities: Does the open-source solution meet the technical requirements?
  • Security: Is the open-source solution secure and maintainable?
  • Total Cost: This includes not just the initial acquisition cost (which is often zero for open source) but also the costs of maintenance, support, and integration.
  • Other relevant, duly justified objective criteria: This allows for flexibility based on specific project needs.

The phrase "duly justified objective criteria" ensures that the shift to open source is pragmatic. If a proprietary solution offers superior functionality or security for a specific use case, it may still be selected, provided the justification is clear and documented.

Supporting Mechanisms: The EU OSS Catalogue and OSPO Network

To operationalize the transparency and reuse goals of Article 41, CADA introduces several supporting mechanisms designed to create a structured ecosystem for open-source software:

  1. EU Open Source Solutions Catalogue (Article 43): The Commission would provide and maintain a centralized catalogue to access software made available for reuse by Union entities and public sector bodies. This catalogue would be hosted on the Interoperable Europe portal. By centralizing these resources, the proposal aims to improve the searchability, discoverability, and ultimate reuse of public software, thereby maximizing the value of public expenditure.
  2. Network of Open Source Programme Offices (OSPO Network) (Article 44): The Commission would establish a network of OSPOs to facilitate cooperation on the implementation of open-source obligations. This network would promote the exchange of information, experience, and best practices between Member States and the Commission. It would address common technical, legal, and organizational challenges, including licensing, security, maintenance, and procurement of open-source software.
  3. Sharing and Reuse of Software (Article 42): When Union entities or public sector bodies voluntarily decide to make software available for reuse under an open-source licence, they must do so using a catalogue or repository connected to the EU OSS Catalogue. This ensures that publicly developed software is not siloed but is accessible for reuse across the Union, fostering innovation and reducing duplication costs.

Strategic Context: Digital Sovereignty and Efficiency

The push for open source under CADA is not merely about cost savings; it is fundamentally about strategic autonomy. Recital 81 notes that promoting the use of open source is "essential to support innovation, ensure better value for public expenditure and strengthen the Union's digital autonomy."

By relying on open standards and open-source components, the EU can reduce its dependence on proprietary technologies controlled by a limited number of global providers, many of which are based in third countries. This aligns with the broader goals of CADA to reduce critical external dependencies and build a resilient, sovereign European cloud and AI ecosystem. The ability to audit source code ensures that the Union retains control over its digital infrastructure, preventing vendor lock-in and ensuring that public systems remain secure and interoperable.

What this means for you

For public-sector procurement officers, IT decision-makers, and software developers, CADA introduces a new framework for evaluating software and cloud services. Here is how you should prepare:

  • Integrate Open Source into Procurement Criteria: When drafting tender documents for cloud computing services or AI systems, ensure that your evaluation criteria include an assessment of open-source compliance. You should evaluate whether the proposed solutions use open standards and open-source components, and how this impacts security, total cost of ownership, and long-term maintainability.
  • Conduct Total Cost of Ownership (TCO) Analyses: Move beyond simple licensing fees. Assess the total cost of proprietary versus open-source solutions, including support, customization, and migration risks. Open-source solutions often offer lower long-term costs by avoiding vendor lock-in, but they require investment in maintenance and skills.
  • Leverage the EU OSS Catalogue: As the EU OSS Catalogue becomes operational, use it as a primary resource for discovering reusable software solutions. This can accelerate procurement processes and reduce development costs by leveraging existing public-sector innovations.
  • Engage with OSPO Networks: Participate in or establish local, regional, or national Open Source Programme Offices (OSPOs). These bodies will be crucial for managing open-source strategies, ensuring licensing compliance, and addressing security concerns related to open-source components.
  • Justify Proprietary Choices: If you choose a proprietary solution over an open-source alternative, ensure you have duly justified objective criteria for this decision. Be prepared to demonstrate why the proprietary option offers superior functionality, security, or cost-efficiency in your specific context.

Common misconceptions

"CADA mandates that all public software must be open source." No. Article 41 requires the Union and Member States to encourage the use of open-source solutions. It does not ban proprietary software. Procurement officers must still make decisions based on objective criteria, including functionality and security. Proprietary solutions remain viable if they are duly justified.

"Open source is always free of cost." No. While open-source software often has no licensing fee, it incurs other costs, such as maintenance, support, customization, and integration. CADA explicitly requires considering the "total cost" when making decisions, not just the initial acquisition price.

"Open source is inherently less secure than proprietary software." No. Recital 81 highlights that open source can enhance security through auditability and transparency. The ability to inspect source code allows for independent verification of security measures. However, security depends on proper management and maintenance, which is why CADA supports OSPOs to help manage these risks.

"Reusing public software is optional and unstructured." No. Article 42 requires that when public bodies make software available for reuse, it must be done through a catalogue connected to the EU OSS Catalogue. This creates a structured, discoverable ecosystem for software reuse, moving away from ad-hoc sharing.

Related

This is general information about a draft EU regulation, not legal advice.