Summary Under the proposed Cloud and AI Development Act (CADA), a public sector body cannot simply begin sharing cloud or data centre services within the EuroCloud Federation. As proposed, the "sharing entity" must first demonstrate to the European Commission that it fulfills specific ownership, control, and security conditions. The Commission then formally assesses this demonstration and allows the sharing only if those conditions are met. This approval is a mandatory precondition to participating in the capacity-sharing mechanism.
Detail
The EuroCloud Federation, established under Article 34 of the CADA proposal, is designed to facilitate the sharing of secure and resilient public-sector data centre and cloud computing services between Union entities and public sector bodies. However, the proposal establishes a strict gatekeeping mechanism to ensure that only eligible, trustworthy infrastructure participates in this federation. The approval process for service sharing is governed primarily by Article 35.
The Demonstration Requirement
Before any data centre or cloud computing services can be shared within the EuroCloud Federation, the "sharing entity" (the public body offering the capacity) must take the initiative to prove its eligibility. Article 35(3) of the CADA proposal explicitly states that the sharing entity shall demonstrate to the Commission that it fulfills the conditions set out in paragraphs 1 and 2 of that same article.
These underlying conditions are rigorous. Paragraph 1 requires that the sharing entity directly or indirectly owns the hardware through which the service is made available. If an intermediate legal entity is involved, the sharing entity must exercise control over that intermediate entity. Paragraph 2 mandates that the sharing entity puts in place appropriate technical, operational, and organisational measures to ensure an effective, secure, and resilient provision of services. This includes policies on risk analysis, information system security, access control, incident handling, business continuity, and interoperability.
Therefore, the first step in the approval process is not an application form in the traditional sense, but a substantive demonstration of compliance with these structural and security requirements. The sharing entity must provide evidence that it meets the ownership criteria and that its security postures are robust enough to support cross-border public sector sharing.
The Commission's Assessment and Decision
Once the sharing entity has provided this demonstration, the process moves to the European Commission. Article 35(4) stipulates that the Commission shall assess the information provided by the sharing entity. This assessment is the core of the approval mechanism. The Commission reviews the evidence to verify whether the conditions laid down in paragraphs 1 and 2 are genuinely fulfilled.
If the Commission's assessment is positive, it will "allow the sharing entity to share data centre services and cloud computing services within the EuroCloud Federation." Conversely, if the conditions are not met, the sharing cannot proceed. This creates a centralized, Union-level quality and security check. It ensures that the EuroCloud Federation does not become a repository for infrastructure that fails to meet the high sovereignty and security standards required for public sector data.
Approval as a Precondition
It is critical to understand that this Commission approval is a strict precondition. The proposal does not allow for automatic entry into the federation based on membership in a Member State's national cloud initiative. Even if a public body is a member of the EuroCloud Federation, it cannot share its specific data centre or cloud services until the Commission has explicitly allowed it to do so under Article 35(4).
This centralized approval serves several policy goals. First, it protects the integrity of the federation by ensuring that all shared capacity meets a uniform standard of security and ownership. Second, it mitigates the risk of private sector distortion of competition. As noted in Recital 70, the federation must avoid placing private providers in a position of advantage over their competitors. By strictly controlling who can share servicesβand ensuring those entities are public bodies with direct control over the hardwareβthe Commission maintains the public-interest nature of the cooperation.
Secondary Legislation and Detailed Rules
While Article 35 sets out the high-level approval process, the CADA proposal empowers the Commission to adopt implementing acts to specify the technical, operational, and organisational measures referred to in Article 35(2). As stated in Article 35(6), these implementing acts will be adopted in accordance with the examination procedure referred to Article 46(2).
This means that the exact technical benchmarks for "appropriate technical, operational and organisational measures" may be defined in secondary legislation after the regulation is adopted. Public sector bodies should anticipate that the Commission will issue detailed guidelines or technical standards that will inform what constitutes a successful "demonstration" under Article 35(3). Until those implementing acts are finalized, the general principles of security, resilience, and interoperability outlined in the proposal will guide the initial assessments.
What this means for you
For public-sector procurement officers and IT directors, the Commission's approval process under Article 35 introduces a new layer of due diligence before your organization can contribute to or utilize the EuroCloud Federation.
Preparation for Demonstration: You must begin documenting your ownership structures and security frameworks now. If your organization uses an intermediate legal entity to manage its cloud infrastructure, you must be able to prove that you exercise decisive influence over that entity's strategic objectives and significant decisions. You must also ensure that there is no direct private capital participation in that intermediate entity and that more than 80% of its activities are carried out in the performance of tasks entrusted to it by you (as defined in Recital 71).
Security Posture: Your security policies must go beyond basic compliance. The Commission will assess your policies on risk analysis, access control, incident handling, and business continuity. Ensure these policies are written, up-to-date, and demonstrably effective. You should align your internal security audits with the expectations of a Union-level assessment.
Timing and Planning: Because the Commission's assessment is a mandatory step, you should factor this timeline into your cloud strategy. Do not assume that joining the EuroCloud Federation automatically grants you the right to share capacity. The approval process may take time, especially if the Commission requests additional information or clarification during its assessment under Article 35(4).
Coordination with National Authorities: While the Commission makes the final decision on sharing eligibility, you will likely need to coordinate with your national competent authorities. They may assist in the initial review of your documentation before it is submitted to the Commission. Ensure your national IT strategy is aligned with the requirements of the EuroCloud Federation.
Common misconceptions
Misconception 1: Membership in the EuroCloud Federation equals permission to share. Joining the EuroCloud Federation is a voluntary step for Union entities and public sector bodies (Article 34). However, membership alone does not authorize a specific entity to share its data centre or cloud services. Each sharing entity must undergo the separate demonstration and assessment process under Article 35 before it can actively share capacity.
Misconception 2: Private cloud providers can share services directly. The EuroCloud Federation is strictly for public entities. Recital 71 and Article 35(1) clarify that direct private participation is excluded. If a public body shares services through an intermediate legal entity, that entity must be under the strict control of the public body, with no direct private capital participation. Private cloud providers cannot be "sharing entities" in the federation.
Misconception 3: The assessment is purely technical. While technical security measures are crucial, the Commission's assessment also covers ownership and control structures. Demonstrating that you own the hardware (or control the intermediate entity that does) is just as important as demonstrating that your cybersecurity policies are robust. Both paragraphs 1 and 2 of Article 35 must be satisfied.
Misconception 4: Approval is permanent. The proposal does not explicitly state that approval is permanent. The Commission's assessment is based on the current state of the sharing entity's compliance. If circumstances changeβfor example, if control over the intermediate entity is lost, or if security measures are degradedβthe entity may no longer meet the conditions. The transparency obligations in Article 23 of the broader sovereignty framework suggest that material changes must be reported, which could impact a entity's status in the federation.
Related
- Must a sharing entity own the hardware behind a shared service in the EuroCloud Federation?
- How does service sharing work in the EuroCloud Federation under CADA?
- Why does CADA separate the EuroCloud Federation from Commission procurement?
- CADA EuroCloud Federation: Article 35 Sharing Fees vs. Article 36 Administration Fees
- What is a sharing entity in the EuroCloud Federation?
This is general information about a draft EU regulation, not legal advice.