Summary Under the proposed Cloud and AI Development Act (CADA), open source is positioned as a core lever for digital sovereignty by reducing vendor lock-in and increasing technical control. As proposed, CADA would encourage Union entities and public-sector bodies to use open standards and open-source components ("open source first," Article 41), supported by an EU Open Source Solutions Catalogue (Articles 42–43) and a network of Open Source Programme Offices (Article 44). This approach aligns with the EU Open Source Strategy to keep critical infrastructure transparent, auditable and less dependent on third countries.

Detail

CADA positions open source not merely as a licensing choice but as a strategic instrument for technological sovereignty and resilience. The proposal and its explanatory memorandum highlight that dependence on proprietary technologies from a limited number of global providers creates risks to the EU's operational autonomy and security.

Open source as a sovereignty lever

The explanatory memorandum states that the proposal places a focus on open source "as a lever to boost technological sovereignty, in line with the EU Open Source Strategy which aims to promote open European alternatives across the European technology stack."

Recital 81 sets out the rationale. It states that "Access to the source code enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in." It adds that promoting open source is "essential to support innovation, ensure better value for public expenditure and strengthen the Union's digital autonomy." For CTOs and architects, open source is thus framed as a risk-mitigation strategy against supply-chain disruption and unilateral external control.

The "open source first" approach for the public sector

Article 41 ("Promoting open source solutions and open source first"), as proposed, provides:

"The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."

This would not ban proprietary software, but it creates a regulatory preference for open alternatives, requiring decision-makers to weigh objective criteria such as security and total cost rather than legacy inertia.

Infrastructure for reuse: the EU OSS Catalogue and OSPO network

To make this preference practical, CADA establishes concrete mechanisms. Article 42 requires that when a Union entity or public-sector body makes software it owns available for reuse under an open-source licence, it must do so using a catalogue or repository connected to, and accessible through, the EU Open Source Solutions Catalogue.

Article 43 requires the Commission to provide and maintain that centralised EU OSS Catalogue, hosted on the Interoperable Europe portal (referred to in Article 8 of Regulation (EU) 2024/903) and accessible free of charge. It serves as a single entry point for public administrations to find and reuse software developed by other public bodies, addressing the fragmentation of open-source efforts across the EU.

Article 44 requires the Commission to establish a network of Open Source Programme Offices (OSPOs) to facilitate cooperation on implementing the open-source obligations. Public-sector OSPOs at local, regional or national level, and those of Union entities, may request to join. Its tasks include exchanging best practices on licensing, security, maintenance and procurement, and promoting the sharing and reuse of open-source software. The Commission supports and coordinates the network and convenes it at least twice a year.

Connection to the EU Open Source Strategy

CADA is closely tied to the broader EU Open Source Strategy, which, per the explanatory memorandum, proposes to foster open source for sovereignty, competitiveness and security. CADA operationalises these high-level goals by embedding them into the framework for cloud and AI procurement and deployment, helping ensure the push for open source is consistent across policy domains.

What this means for you

For CTOs, architects and SMEs, the shift toward open source is both a compliance signal and a market opportunity.

For public-sector buyers and their suppliers: If you supply cloud or AI services to the public sector, align your offerings with the "open source first" principle. Proprietary-only solutions may face headwinds in procurement. Prioritise interoperability with open standards, transparency about how you avoid lock-in, and reuse of, or contribution to, the EU OSS Catalogue.

For SMEs and startups: The OSPO network and EU OSS Catalogue lower the barrier to entry. Instead of competing on price alone, smaller providers can compete on the quality, security and sovereignty of their open-source contributions, with OSPO guidance reducing legal and technical overhead.

For enterprise architects: Prioritise open standards in new cloud and AI stacks. Future-proofing against third-country dependencies is likely to feature in procurement evaluations, and open-source middleware and tools improve your ability to switch providers, a core tenet of digital sovereignty.

Common misconceptions

Misconception: CADA bans proprietary software. It does not. Article 41 encourages open standards and components "taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria." Proprietary solutions can still be used where justified.

Misconception: Open source automatically equals sovereign. Open source facilitates sovereignty by enabling auditability and reducing lock-in, but it is not sufficient on its own. A service can be open source yet rely on infrastructure or supply chains controlled by third countries. CADA's Union assurance levels assess data location, personnel, third-country control and more, in addition to licensing.

Misconception: Only the public sector is affected. Article 41 targets Union entities and public-sector bodies, but the effects ripple outward. As public procurement shifts toward open-source-friendly solutions, private enterprises, especially in regulated industries or those partnering with the public sector, will find it advantageous to align.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.