What conditions must a EuroCloud sharing entity meet under CADA?

Summary As proposed in the Cloud and AI Development Act (CADA), a public-sector body wishing to share cloud or data centre services within the EuroCloud Federation would have to qualify as a "sharing entity" by directly or indirectly owning the underlying hardware and providing the service itself. Before any sharing could begin, the entity would have to demonstrate to the European Commission that it has put in place appropriate technical, operational, and organisational measures to ensure secure and resilient service provision. The Commission would then assess this information and formally allow the sharing only where these conditions are met. CADA remains a proposal (COM(2026) 502 final) and is not yet in force.

Detail

The proposed Cloud and AI Development Act (CADA) would introduce the European public sector cloud federation, known as the "EuroCloud Federation," to facilitate the secure sharing of computing resources among Union entities and public sector bodies. For a public authority to act as a sharing entity—providing capacity to other members—it would have to satisfy the eligibility and security conditions set out in Article 35 of the proposal. Because CADA is still a draft, the conditions below describe what the regulation would require if adopted in its current form.

Ownership and control requirements

The foundational condition for becoming a sharing entity would be rooted in public-sector ownership and control of the underlying assets. Under Article 35(1) as proposed, a sharing entity may share with a using entity "where the sharing entity directly, or indirectly through an intermediate legal entity, owns the hardware through which the service is made available and provides the service that is made available to the using entity. Where the sharing entity indirectly owns the hardware and provides the services through an intermediate legal entity, the sharing entity shall exercise control over that intermediate legal entity."

Two elements are therefore essential. First, the sharing entity must own the hardware—either directly, or indirectly through an intermediate legal entity. The term "hardware" here would carry the meaning given in Article 3(5) of Regulation (EU) 2024/2847 (the Cyber Resilience Act), to which CADA cross-refers. Second, the sharing entity must also be the provider of the service made available to the using entity. This combination would limit the sharing mechanism to public entities leveraging their own infrastructure, rather than acting as resellers or brokers of someone else's commercial services.

Where an intermediate legal entity is used, the sharing entity would have to "exercise control" over it. Recital 71 of the proposal explains what that control would mean in practice, setting out three cumulative conditions:

• The sharing entity exercises decisive influence over both the strategic objectives and the significant decisions of the intermediate entity;
• There is no direct private capital participation in the intermediate entity; and
• More than 80% of the intermediate entity's activities are carried out in performing tasks entrusted to it by the sharing entity.

Recital 71 also makes clear that direct private participation would be excluded. Taken together, these requirements are intended to ensure that the sharing model rests on infrastructure that is genuinely under public control, rather than private commercial provision dressed up as public-sector cooperation.

Security and resilience obligations

Beyond ownership, Article 35(2) as proposed would impose a standing obligation: the sharing entity "shall put in place appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."

The proposal does not spell out the technical detail of these measures in the article itself. Instead, Article 35(6) provides that the Commission may adopt implementing acts (under the procedure in Article 46(2)) to specify the measures. Until those implementing acts are adopted, Recital 72 gives the clearest indication of what would be expected. It states that the measures should include, in particular, policies on:

• Risk analysis and information system security, including access control;
• Incident handling;
• Business continuity; and
• Interoperability and connectivity.

These policy areas, drawn from Recital 72, are designed so that the shared infrastructure would meet the cybersecurity and resilience standards expected of public-sector operations, in line with the broader EU cybersecurity framework and the sovereignty objectives of CADA.

Commission demonstration and approval

A sharing entity would not be able to begin sharing services on its own initiative. Article 35(3) as proposed would require the entity, before any sharing takes place, to demonstrate to the Commission that it fulfils the conditions in paragraphs 1 (ownership and control) and 2 (security and resilience measures).

Article 35(4) sets out the next step: the Commission would assess the information provided and allow the sharing entity to share services within the EuroCloud Federation where the conditions in paragraphs 1 and 2 are fulfilled. This creates a gatekeeping mechanism in which the Commission acts as the arbiter of eligibility, so that only compliant, secure, and publicly controlled infrastructure would enter the federation's shared pool. It is an assessment process, not an automatic registration.

Financial and legal context

Sharing within the EuroCloud Federation would be anchored in public-sector cooperation rather than commercial supply. Recital 73 explains that this cooperation would be governed solely by considerations of public interest, that cost-recovery fees would not constitute a pecuniary interest or a public contract, and that the sharing "should not fall under Union public procurement rules."

Consistent with this, Article 35(5) as proposed would permit a sharing entity to charge a cost-recovery fee, while providing that the fee "shall not constitute a pecuniary interest within the meaning of Article 2 of Directive 2014/24/EU and Regulation (EU, Euratom) 2024/2509." The effect, as proposed, would be to distinguish EuroCloud sharing from commercial service provision and to keep it outside the standard public procurement regime.

What this means for you

For public-sector procurement officers and IT directors, the EuroCloud Federation would, if adopted, offer a route to access public cloud and data centre capacity without running complex cross-border procurement procedures. If your organisation wishes to provide capacity (to act as a sharing entity), you should anticipate a structured compliance process.

1. Audit your asset ownership. Check whether the hardware underpinning your cloud or data centre services is owned directly by your public body, or indirectly through an entity you control on the terms described in Recital 71. If you simply lease infrastructure from a private third party, you would likely not qualify as a sharing entity under the proposal as drafted.
2. Map your security policies. Begin documenting your technical, operational, and organisational measures across the areas flagged in Recital 72—risk analysis and information system security (including access control), incident handling, business continuity, and interoperability and connectivity. Watch for the Article 35(6) implementing acts, which would specify these measures in more detail.
3. Prepare for a Commission demonstration. Be ready to submit evidence that you meet the ownership/control and security conditions. Approval under Article 35(4) would follow the Commission's assessment of that evidence.
4. Plan for cost recovery only. If you intend to share capacity, structure your accounting to track the costs of sharing. Any fee would be limited to cost recovery and, as proposed, could not amount to a commercial pecuniary interest.

Common misconceptions

• "Any public cloud provider can join EuroCloud as a sharing entity." As proposed, the sharing role is tied to ownership and control of the hardware plus provision of the service. Recital 71 would exclude direct private participation, so a private commercial provider could not act as a sharing entity in its own right.

• "Sharing services in EuroCloud triggers standard public procurement rules." Recital 73 indicates the opposite: where the arrangement is governed solely by the public interest and any fee is cost-recovery only, it "should not fall under Union public procurement rules," and Article 35(5) provides that such a fee would not constitute a pecuniary interest.

• "I can share services immediately upon joining the Federation." Not under the proposal. Article 35(3) and 35(4) would require you first to demonstrate compliance to the Commission, which must then allow the sharing. There would be a mandatory pre-sharing assessment.

• "I can resell services provided by a third-party vendor." Article 35(1) as proposed would require the sharing entity itself to own the hardware (directly or indirectly) and to provide the service. Acting purely as a reseller or broker of a third party's commercial cloud services would not satisfy that condition.

Related

• Must a sharing entity own the hardware behind a shared service in the EuroCloud Federation?
• Why must EuroCloud sharing fees be cost-based under CADA?
• What technical measures must a sharing entity implement under CADA?
• What is an intermediate legal entity in EuroCloud sharing under CADA?
• What is a sharing entity in the EuroCloud Federation?

This is general information about a draft EU regulation, not legal advice.