Summary
Under the proposed Cloud and AI Development Act (CADA), the European Commission retains exclusive discretion to decide whether to connect a national or entity-specific software catalogue to the central EU Open Source Solutions Catalogue (EU OSS Catalogue). As proposed in Article 43(3), this decision must be based on "objective and relevant criteria," though the specific technical or administrative standards for these criteria are not yet defined in the primary legislation. Consequently, Union entities and public sector bodies must prepare to justify their catalogue's alignment with EU interoperability and open-source standards to secure connectivity, ensuring compliance with the broader obligation to reuse software through the centralised hub.
Detail
The Cloud and AI Development Act (CADA) introduces a structured framework to promote the reuse of open-source software within the public sector, aiming to reduce vendor lock-in, enhance security, and strengthen technological sovereignty. Central to this mechanism is the EU Open Source Solutions Catalogue (EU OSS Catalogue), established under Article 43. While Article 42 mandates that Union entities and public sector bodies making software available for reuse must do so via a catalogue connected to the EU OSS Catalogue, Article 43 governs the mechanics of that connection.
The Commission's Discretionary Power
The core provision regarding connectivity is Article 43(3) of the CADA proposal. It states:
"The Commission shall, on the basis of objective and relevant criteria, decide on the request of any Union entity or public sector body owning or maintaining a catalogue or repository to have that catalogue or repository connected to and made accessible through the EU OSS Catalogue."
This clause establishes several critical legal principles for in-house counsel and compliance officers:
- Discretionary Authority: The connection is not automatic. The Commission holds the power to accept or reject requests for connectivity. This implies a gatekeeping function to ensure the integrity, security, and interoperability of the central catalogue. The legislation does not provide an automatic right to connection; rather, it creates a conditional right subject to the Commission's assessment.
- "Objective and Relevant Criteria": The legislation does not explicitly list these criteria in the enacting articles. Instead, it delegates the definition of these standards to the Commission's exercise of discretion, likely to be detailed in implementing acts or technical guidelines. This creates a degree of regulatory uncertainty until secondary legislation or Commission guidance clarifies what constitutes "objective" (e.g., non-discriminatory, transparent) and "relevant" (e.g., technically compatible, legally compliant) factors. The phrase "objective and relevant" serves as a legal constraint on the Commission's power, preventing arbitrary decisions, but leaves the substantive content of the criteria to be developed in practice.
- Request-Based Process: Connectivity is initiated by a request from the entity owning or maintaining the catalogue. This places the onus on the public sector body or Union entity to proactively apply for connection, rather than being automatically onboarded. The entity must demonstrate that its catalogue meets the Commission's standards before access is granted.
Contextual Obligations: The "Connect or Comply" Dynamic
To understand the stakes of Article 43(3), it must be read in conjunction with Article 42, which imposes the primary obligation. Article 42 states that when a Union entity or public sector body makes software available for reuse under an open-source licence, it "shall do so using a catalogue or repository that is connected to, and made accessible through, the EU OSS Catalogue."
This creates a de facto requirement for connectivity. If an entity maintains its own national or organisational repository (which is common for large public administrations), it cannot simply host software there and consider its Article 42 obligation fulfilled. It must either:
- Directly host the software in the central EU OSS Catalogue (if technically feasible and permitted by the Commission's operational rules); or
- Successfully request under Article 43(3) that its local catalogue be connected to the central hub.
If the Commission rejects the connection request based on its "objective and relevant criteria," the entity may face a compliance gap. It would need to migrate its reusable software to a compliant catalogue or adjust its technical architecture to meet the Commission's unstated criteria. The obligation to make software available for reuse is thus contingent upon the successful establishment of a technical and legal link to the central hub.
The Role of the Interoperable Europe Portal
Article 43(2) mandates that the EU OSS Catalogue shall be hosted on the Interoperable Europe portal (referenced in Article 8 of Regulation (EU) 2024/903, the Interoperable Europe Act). This technical dependency means that "objective criteria" for connection will likely include adherence to the technical standards, data formats, and interoperability requirements set by the Interoperable Europe framework. Entities seeking connection must therefore ensure their local catalogues are compatible with the technical infrastructure of the Interoperable Europe portal. The Commission's discretion will likely be exercised to ensure that connected catalogues do not fragment the single market or create technical silos that hinder the cross-border exchange of open-source solutions.
Secondary Legislation and Future Clarity
As CADA is a proposal, the precise "objective and relevant criteria" remain to be defined. The Commission is expected to develop these through implementing acts or technical specifications. Given the reference to the Interoperable Europe Act, criteria may include:
- Technical Interoperability: Support for standardised metadata, APIs, and search functionalities that align with the Interoperable Europe portal's architecture.
- Legal Compliance: Verification that software listings include valid open-source licences and comply with EU copyright and data protection laws.
- Security Standards: Alignment with cybersecurity requirements, potentially referencing the European Cybersecurity Certification Scheme for Cloud Services (EUCS) or other relevant frameworks.
- Data Quality: Ensuring that the metadata provided for each software solution is accurate, complete, and machine-readable.
Until these criteria are formalised, public sector bodies should adopt a precautionary approach, ensuring their local repositories are technically robust and legally transparent. The Commission's discretion under Article 43(3) will be the primary mechanism for enforcing these standards in the absence of detailed primary legislation.
What this means for you
For in-house counsel and compliance officers in public sector bodies or Union entities, the upcoming CADA framework necessitates immediate preparatory actions:
- Audit Local Repositories: Identify all software developed by or for your entity that is intended for reuse. Verify that these are hosted in a catalogue or repository that can technically support connectivity to the EU OSS Catalogue. Assess whether your current infrastructure meets the likely interoperability standards of the Interoperable Europe portal.
- Prepare for Connection Requests: Begin drafting internal procedures for submitting connection requests to the Commission under Article 43(3). Document the technical and legal merits of your catalogue to demonstrate compliance with "objective and relevant criteria." Prepare evidence of your catalogue's adherence to open-source licensing, security protocols, and data standards.
- Monitor Secondary Legislation: Closely watch for Commission implementing acts or guidelines that define the specific criteria for connectivity. Early alignment with these standards will prevent last-minute compliance failures. The Commission's discretion will be exercised based on these future rules, so staying informed is critical.
- Ensure Licence Clarity: Since the EU OSS Catalogue relies on open-source licences, ensure all reusable software has clear, valid, and EU-compliant licences. Ambiguity here could be a basis for the Commission to reject a connection request, as it would fail the "objective and relevant" test regarding legal compliance.
- Interoperability Alignment: Ensure your IT systems align with the Interoperable Europe portal's technical standards. Non-compliance with these underlying standards may render your catalogue ineligible for connection, as the Commission's discretion will likely prioritise technical harmonisation.
Failure to secure connectivity could result in non-compliance with Article 42, potentially exposing the entity to administrative penalties or reputational damage, although specific penalties for CADA infringements are detailed in Article 24 (for cloud services) and may be extended or mirrored for open-source obligations via national implementation. The risk is not just technical but legal, as the obligation to reuse software is tied to the ability to connect to the central hub.
Common misconceptions
- "Connection is automatic." Many assume that hosting software in a public repository automatically makes it part of the EU OSS Catalogue. Article 43(3) clearly establishes a discretionary, request-based process where the Commission must actively decide on the connection.
- "Any open-source repository qualifies." The Commission's power to use "objective and relevant criteria" means that not all repositories will be deemed suitable. Technical, legal, or security deficiencies could lead to rejection, even if the software itself is open source.
- "The criteria are already defined." The primary text of CADA does not list the specific criteria. They will be developed in practice through secondary legislation or Commission guidelines, creating a period of regulatory flux where entities must anticipate the Commission's standards.
- "Only the Commission maintains the catalogue." While the Commission maintains the central EU OSS Catalogue (Article 43(1)), public sector bodies maintain their own local catalogues, which must be connected. The misconception that all software must be directly uploaded to the Commission's server is incorrect; federation via connection is the intended model, subject to the Commission's approval.
- "The Commission can reject requests arbitrarily." While the Commission has discretion, it is legally bound to act "on the basis of objective and relevant criteria." This prevents arbitrary decisions, though the specific application of these criteria will be determined by the Commission in practice.
This is general information about a draft EU regulation, not legal advice.