Summary
Under the proposed Cloud and AI Development Act (CADA), the EuroCloud Federation enables Union entities and public sector bodies to share data centre and cloud computing services to boost resilience and optimize resource use. As proposed in Article 35, a "sharing entity" may offer its capacity to a "using entity" only if it directly or indirectly owns the underlying hardware and provides the service itself. This exchange is not a commercial transaction; it is a public-interest cooperation that must be approved by the European Commission before it begins. The arrangement allows public authorities to leverage idle resources without triggering standard public procurement rules, provided strict conditions on security, cost recovery, and public interest are met.
Detail
The EuroCloud Federation is a cornerstone of the proposed CADA's strategy to strengthen Europe's technological sovereignty and reduce fragmentation. It creates a legal framework for Union entities and public sector bodies to pool their cloud and data centre capacities across borders. The mechanics of this exchange are strictly defined in Article 35 of the proposal to ensure security, prevent market distortion, and maintain the public-service nature of the cooperation.
The Core Mechanism: Sharing and Using Entities
The mechanism relies on two distinct roles defined within the Federation: the sharing entity and the using entity. Both must be members of the EuroCloud Federation, which is open to Union entities and public sector bodies on a voluntary basis (Article 34).
- The Sharing Entity: This is the member providing the capacity. Crucially, under Article 35(1), the sharing entity must own the hardware through which the service is made available. This ownership can be direct, or indirect through an intermediate legal entity, provided the sharing entity exercises control over that intermediate entity. The sharing entity must also be the one providing the service to the using entity.
- Control Definition: The proposal specifies that a sharing entity exercises control over an intermediate legal entity if: (i) it exercises decisive influence over strategic objectives and significant decisions; (ii) there is no direct private capital participation in that entity; and (iii) more than 80% of the entity's activities are carried out in performance of tasks entrusted by the sharing entity (Recital 71).
- The Using Entity: This is another member of the Federation that requires additional computing or storage capacity to meet its public service obligations.
This structure is designed to prevent private cloud providers from selling their services through the Federation. The proposal explicitly excludes direct private participation where the sharing entity does not own the hardware or where a private party provides the service (Recital 71). The goal is to facilitate cooperation between public bodies, not to create a new marketplace for private vendors.
The Mandatory Commission Approval Process
Sharing services within the EuroCloud Federation is not automatic. Article 35(3) mandates that prior to sharing any data centre or cloud computing services, the sharing entity must demonstrate to the European Commission that it fulfils the conditions set out in Article 35(1) and Article 35(2).
The process involves two key steps:
- Demonstration of Conditions: The sharing entity must prove its ownership or control of the hardware and its role as the service provider.
- Security and Resilience Assessment: Under Article 35(2), the sharing entity must have put in place appropriate technical, operational, and organisational measures to ensure an effective, secure, and resilient provision of services. This includes policies on risk analysis, information system security, access control, incident handling, business continuity, and interoperability.
Once the sharing entity provides this information, the Commission assesses it. Under Article 35(4), the Commission allows the sharing entity to share services within the Federation only if it confirms that the conditions are fulfilled. This centralized approval ensures that all shared capacity meets a high, uniform standard of security and sovereignty across the Union before any data or services are exchanged.
Financial Terms and Procurement Exemptions
A critical feature of the EuroCloud Federation is how it handles costs, which distinguishes it from standard commercial cloud procurement.
Article 35(5) states that a sharing entity may charge a fee to the using entity. However, this fee is strictly limited to the costs incurred by the sharing entity in relation to the sharing of the service. These costs include:
- Allocating and isolating resources.
- Managing access.
- Enabling integration and interoperability.
- Ensuring compliance with applicable Union law requirements.
- Managing the sharing relationship.
Crucially, these fees do not constitute a pecuniary interest within the meaning of the Public Procurement Directive (Directive 2014/24/EU) or the Financial Regulation (Regulation (EU, Euratom) 2024/2509). Consequently, the sharing of services within the EuroCloud Federation does not fall under Union public procurement rules (Recital 73).
This exemption is vital for operational efficiency. It allows public authorities to access capacity quickly and flexibly without undergoing lengthy tender processes, provided the cost-recovery principle is strictly adhered to. The cooperation is governed solely by considerations of public interest and should not entail consideration in exchange for another service. The sharing entity cannot profit from the arrangement; the fee is purely a mechanism to recover the additional costs of sharing.
Operational Requirements and Security Standards
To ensure the stability and trustworthiness of the Federation, sharing entities must maintain high standards of operational readiness. Article 35(2) requires appropriate technical, operational, and organisational measures. These are not merely recommendations but mandatory conditions for Commission approval under Article 35(4).
Key requirements include:
- Risk Analysis: Regular assessment of threats to the shared infrastructure.
- Access Control: Strict policies on who can access the shared resources.
- Incident Handling: Clear procedures for responding to security breaches or outages.
- Business Continuity: Plans to ensure service availability during disruptions.
- Interoperability: Ensuring the shared services can seamlessly integrate with the using entity's existing systems.
The Commission is empowered to adopt implementing acts to specify the technical, operational, and organisational measures referred to in Article 35(2) (Article 35(6)), ensuring that these standards evolve with technological developments.
What this means for you
For public-sector procurement officers, IT directors, and legal counsel, the EuroCloud Federation offers a new tool to manage cloud capacity and reduce dependencies on external commercial providers. Here is how you should prepare:
- Audit Your Hardware Ownership: Before considering joining the Federation as a sharing entity, verify your legal ownership of the underlying hardware. If you lease hardware from a private provider without control over it, you may not qualify as a sharing entity under Article 35(1). You may instead be a using entity. If you use an intermediate entity, ensure you meet the strict "control" criteria (no private capital, >80% public tasks).
- Prepare for Commission Scrutiny: If you intend to share capacity, begin documenting your technical and operational security measures now. You will need to demonstrate compliance with high security standards to the Commission before any sharing can begin. This includes detailed policies on access control, incident response, and business continuity.
- Calculate True Costs: Develop a cost model for sharing capacity. Remember, you cannot profit from this exchange. Your fees must be strictly limited to the additional costs of isolating resources, managing access, and ensuring interoperability. Ensure your accounting systems can track these specific incremental costs separately from your general operational expenses.
- Review Interoperability: Assess whether your existing cloud infrastructure can be easily integrated with other public sector bodies. The Federation relies on seamless resource exchange. Invest in standardized interfaces and interoperability protocols to minimize the technical burden of sharing.
- Engage Early: The Commission will establish a platform for the Federation (Article 34). Engage with your national authorities and the Commission early to understand the specific technical templates and reporting requirements for demonstrating compliance with Article 35.
Common misconceptions
- Misconception 1: The EuroCloud Federation is a marketplace for buying and selling cloud services.
  - Reality: It is a cooperation mechanism for public entities. Private companies cannot sell their services through the Federation. The exchange is based on public interest, not commercial profit. Fees are strictly for cost recovery, not for generating revenue.
- Misconception 2: Any public body with cloud servers can immediately start sharing capacity.
  - Reality: No. Article 35(3)-(4) requires prior demonstration and approval by the European Commission. You must prove you own the hardware and meet strict security and operational standards before any sharing begins.
- Misconception 3: Sharing services through the Federation requires a public tender.
  - Reality: No. Because the fees are limited to cost recovery and do not constitute a pecuniary interest, the exchange is exempt from standard EU public procurement rules (Recital 73). This allows for faster, more flexible capacity sharing among public partners.
- Misconception 4: You can share capacity even if you lease the hardware from a third party.
  - Reality: Article 35(1) requires the sharing entity to own the hardware, either directly or indirectly through an intermediate entity it controls. If you are a simple lessee without control over the hardware provider, you do not qualify as a sharing entity.
- Misconception 5: The sharing entity can charge a market rate for the service.
  - Reality: No. Article 35(5) limits fees strictly to the costs incurred in relation to the sharing (e.g., isolation, access management). Any fee exceeding these costs would likely constitute a pecuniary interest, triggering public procurement rules.
This is general information about a draft EU regulation, not legal advice.