Summary

Under the proposed Cloud and AI Development Act (CADA), liability for services shared within the EuroCloud Federation rests exclusively with the sharing entity (the provider), not the using entity. Article 35(2) imposes a strict obligation on the sharing entity to ensure the "effective, secure and resilient provision of services" by implementing appropriate technical, operational, and organisational measures. While the specific operational details will be defined in future implementing acts under Article 35(6), the sharing entity retains ultimate accountability for the service lifecycle. The relationship is one of public-sector cooperation, not a commercial contract, meaning fees are limited to cost recovery and do not constitute a "pecuniary interest," yet the operational liability remains absolute.

Detail

The proposed Cloud and AI Development Act (CADA) establishes the EuroCloud Federation (Article 34) to facilitate the voluntary sharing of data centre and cloud computing services between Union entities and public sector bodies. A critical legal question for in-house counsel and public administrators is how liability and operational responsibility are allocated when one public body (the sharing entity) provides infrastructure to another (the using entity).

1. The Sharing Entity Bears Primary Operational Liability

Article 35 of the CADA proposal explicitly places the burden of responsibility on the sharing entity. Paragraph 1 defines the sharing entity as a member that owns the hardware (directly or indirectly through an intermediate legal entity it controls) and provides the service. Crucially, Article 35(2) states:

"The sharing entity shall put in place appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."

This provision creates a non-delegable duty. The sharing entity is not merely a passive host; it is the active guarantor of service quality, security, and resilience. The sharing entity is responsible for the entire stack of measures required to maintain the service's integrity, availability, and confidentiality. This includes, but is not limited to:

  • Policies on risk analysis and information system security.
  • Access control policies.
  • Policies on incident handling and business continuity.
  • Policies supporting interoperability and connectivity.

Because the sharing entity retains control over the hardware and the service delivery, it remains the primary point of contact for any security incidents, service disruptions, or compliance failures. If a using entity suffers damage due to the sharing entity's failure to implement these measures, the sharing entity is the liable party under the framework of CADA and applicable national administrative or tort laws.

2. Implementing Acts Will Define Specific Operational Measures

While Article 35(2) sets the high-level obligation, the specific technical and operational details are not fully codified in the primary legislation. Article 35(6) empowers the European Commission to adopt implementing acts that specify the exact "technical, operational and organisational measures" referred to in paragraph 2.

For compliance officers, this creates a two-stage compliance landscape:

  1. Immediate Duty: The obligation to ensure security and resilience is immediate upon joining the federation. Sharing entities must rely on best practices and existing frameworks (such as NIS2 or EUCS, where applicable) to demonstrate "appropriate measures" in the interim.
  2. Future Specificity: The specific checklist of compliance measures will be defined in secondary legislation. Until these implementing acts are adopted, sharing entities must maintain a robust security posture that anticipates these future requirements. Non-compliance with the eventual implementing acts could result in the withdrawal of eligibility to share services.

3. No Pecuniary Interest, But Full Accountability

It is vital to distinguish between financial liability and operational liability. Article 35(5) clarifies that the sharing entity may charge a fee to the using entity, but these fees are strictly limited to the costs incurred in relation to the sharing of the service. They must not constitute a "pecuniary interest" within the meaning of Directive 2014/24/EU. Consequently, EuroCloud sharing does not trigger standard public procurement rules.

However, the absence of a commercial transaction does not absolve the sharing entity of liability. The sharing entity must demonstrate to the Commission that it fulfils the conditions in Article 35(1) and (2) before sharing begins. Article 35(4) states that the Commission will assess this information and allow the sharing only if the conditions are fulfilled. This pre-clearance step acts as a liability gatekeeper: the sharing entity must proactively prove its resilience and security posture before any data or workload is transferred.

What this means for you

For in-house counsel and compliance officers in public sector bodies considering joining the EuroCloud Federation, the liability landscape shifts significantly depending on whether your entity is a sharing entity or a using entity.

If you are a Sharing Entity:

  • Assume Full Risk: You assume full operational and security liability for the services you provide. You cannot contract this liability away to the using entity.
  • Proactive Compliance: You must prepare to demonstrate compliance with Article 35(2) to the Commission. Begin documenting your technical, operational, and organisational measures now.
  • Monitor Implementing Acts: Closely track the Commission's development of implementing acts under Article 35(6). These will define the specific technical controls you must implement.
  • Incident Response: Ensure your incident handling and business continuity plans are robust, as you will be the first line of defence and the primary accountable party in the event of a breach or outage.

If you are a Using Entity:

  • Verify Approval: While you are not directly liable for the sharing entity's security failures, you must ensure that the sharing entity has been properly assessed and approved by the Commission under Article 35(4).
  • Contractual Clarity: Although EuroCloud sharing is not a commercial contract, ensure that any internal agreements clearly define the scope of service, support levels, and incident reporting protocols to avoid operational friction.
  • Data Protection: Remember that while the sharing entity handles infrastructure security, you remain the data controller under the GDPR. Ensure that the sharing entity's security measures align with your data protection impact assessments.

Common misconceptions

"EuroCloud sharing is a commercial service provider relationship." Reality: No. Article 35(5) explicitly states that fees are limited to cost recovery and do not constitute a pecuniary interest. This is a public-sector cooperation model, not a market transaction. However, this does not reduce the sharing entity's operational liability; it simply changes the legal nature of the relationship from commercial to administrative/cooperative.

"Liability is shared equally between the sharing and using entities." Reality: No. Article 35(2) places the obligation to implement security and resilience measures solely on the sharing entity. The using entity relies on the sharing entity's compliance. While the using entity has its own obligations regarding data protection and appropriate use, the core infrastructure and service liability rests with the provider.

"The Commission manages day-to-day security." Reality: No. The Commission's role under Article 35(4) is to assess and approve the sharing entity's compliance before sharing begins. It does not act as an ongoing security operator. The sharing entity is responsible for maintaining the measures and reporting material changes.

"Existing cybersecurity certifications (like EUCS) automatically satisfy Article 35(2)." Reality: Not necessarily. While EUCS or NIS2 compliance will be highly relevant, Article 35(2) requires measures specific to the EuroCloud Federation context. The upcoming implementing acts under Article 35(6) may introduce additional or specific requirements for federation members that go beyond standard certification scopes.

This is general information about a draft EU regulation, not legal advice.