Summary No, membership in the EuroCloud Federation is not mandatory under the proposed Cloud and AI Development Act (CADA). Article 34(1) of the proposal explicitly states that participation is on a voluntary basis. While Union entities and public sector bodies may request to join the federation to share cloud and data centre services, there is no legal obligation to become a member. This voluntary nature stands in sharp contrast to other CADA obligations, such as the mandatory requirement to procure cloud services meeting specific Union assurance levels for critical public sector activities.
Detail
The Cloud and AI Development Act (CADA), proposed by the European Commission in COM(2026) 502 final, introduces the European public sector cloud federation (the "EuroCloud Federation"). This initiative is designed to interconnect cloud computing infrastructures across the EU to increase resilience, efficiency, and sustainability for the public sector. However, the legislation carefully distinguishes between mandatory regulatory obligations regarding cloud sovereignty and voluntary participation in collaborative frameworks like the Federation.
Voluntary Participation under Article 34(1)
The definitive provision governing membership is Article 34(1) of the CADA proposal. This article establishes the EuroCloud Federation and explicitly defines its scope and the nature of participation. The text states:
"The EuroCloud Federation shall be open for the participation of Union entities and public sector bodies on a voluntary basis. Union entities and public sector bodies may request the Commission to join the EuroCloud Federation."
This language leaves no ambiguity: joining the federation is an option, not a requirement. Public sector bodiesβranging from national ministries and local governments to EU institutionsβretain full autonomy to decide whether the operational benefits of joining the federation outweigh the administrative and technical changes required to participate. There is no penalty, sanction, or compliance failure associated with choosing not to join. The initiative relies on the willingness of entities to share capacity rather than a top-down mandate.
How the Voluntary Mechanism Works
While joining is voluntary, the process for those who choose to participate is structured and governed by the Commission. Under Article 34(1), entities must actively request the Commission to join. The Commission is tasked with establishing a platform for the federation (as detailed in Article 34(3)), which will include a catalogue of available public sector data centre services and a service platform for the exchange and orchestration of computing resources.
Furthermore, Article 34(4) empowers the Commission to adopt implementing acts to specify the procedure to participate in the EuroCloud Federation and to establish templates concerning the content of the request for participation. This ensures a standardized onboarding process for those who opt in, but it does not create a duty for any entity to initiate that process.
Contrast with Mandatory CADA Obligations
It is crucial for procurement officers and IT directors to distinguish between the voluntary EuroCloud Federation and the mandatory regulatory framework established elsewhere in the proposal. While federation membership is optional, the broader cloud computing sovereignty framework is not.
- Mandatory Risk Assessments: Article 29 requires Member States and Union entities to conduct risk assessments to determine the appropriate level of cloud assurance for their activities. This is a compulsory step for all relevant public bodies.
- Mandatory Procurement Standards: Article 30 imposes strict procurement rules. For example, public sector bodies whose activities are identified as contributing to the preservation of public order (such as national security, justice, or law enforcement) must procure cloud computing services recognized as offering Union assurance levels 2, 3, or 4. Even for non-critical activities, a minimum of Union assurance level 1 is required.
Therefore, while a public authority is not forced to join the EuroCloud Federation, it is still legally bound to ensure that any cloud services it procuresβwhether from the Federation, private commercial providers, or other sourcesβmeet the specific sovereignty standards defined in Annex II. The Federation is merely one mechanism to help access these sovereign services, but it is not the exclusive or mandatory path to compliance.
What this means for you
For public-sector procurement officers, IT directors, and legal counsel, the voluntary nature of the EuroCloud Federation offers strategic flexibility but requires careful planning to ensure compliance with other mandatory CADA rules.
- Strategic Assessment: Evaluate whether your organization has idle cloud capacity that could be shared to generate efficiency, or if you need access to sovereign cloud resources that might be available through the federation. If your current suppliers already meet the mandatory Union assurance levels (as recognized under Article 17), you may not see an immediate operational need to join the Federation.
- Compliance is Separate: Do not confuse federation membership with regulatory compliance. You must still ensure that any cloud services you procureβwhether from the EuroCloud Federation or private commercial providersβmeet the relevant Union assurance levels defined in Annex II. Failure to procure compliant services is a violation of Article 30, regardless of whether you are a member of the Federation.
- Monitor Implementation Acts: The specific procedures for joining, including the templates for requests and the technical requirements for the platform, will be detailed in future implementing acts adopted by the Commission under Article 34(4). Stay informed about these procedural details to understand the administrative burden of participation should you choose to join.
- Leverage Collective Bargaining: One of the primary incentives for joining is the ability to pool demand and potentially access better terms or shared infrastructure. If your organization faces challenges in finding compliant sovereign cloud providers in the open market, the Federation may offer a viable pathway to market access and shared capacity.
Common misconceptions
"I must join the EuroCloud Federation to comply with CADA."
- Reality: No. You comply with CADA by procuring cloud services that meet the required Union assurance levels (Article 30). You can achieve this through private commercial providers who have obtained recognition under Article 17. The Federation is a tool for cooperation, not a compliance checkbox.
"The Commission can force my agency to join."
- Reality: Article 34(1) uses the phrase "may request," indicating that the initiative comes from the public sector body. The Commission facilitates the platform and approves requests, but it cannot compel participation.
"Joining the Federation means I must use only EU-based hardware."
- Reality: While the EuroCloud Federation facilitates sharing among public entities, the specific technical requirements for the services shared are governed by the Union assurance levels. Higher assurance levels (e.g., Level 3 and 4) do have strict requirements regarding infrastructure location and personnel (Annex II), but these apply to the service being used, not merely the act of joining the federation. A member could theoretically share a service that meets Level 1 criteria, though the Federation aims for high trust.
Related
- EuroCloud Federation: What is the membership request template?
- What counts as a public sector body for EuroCloud Federation membership under CADA?
- Why was the EuroCloud Federation created? CADA's public-sector cloud strategy
- Why does CADA separate the EuroCloud Federation from Commission procurement?
- Who runs the EuroCloud Federation under CADA?
This is general information about a draft EU regulation, not legal advice.