Summary As proposed, the Cloud and AI Development Act (CADA) sets out an "open source first" principle for the EU public sector in Article 41 — but it is an encouragement-and-enabling duty on the Union and the Member States, weighed against functionalities (including security), total cost and other duly justified objective criteria, not an absolute mandate to use open source. Where a public body chooses to make software it owns available for reuse under an open source licence, Article 42 requires it to publish through a catalogue connected to the EU Open Source Solutions Catalogue (Article 43). An OSPO Network (Article 44) supports implementation. The aim is to reduce vendor lock-in and strengthen the EU's technological autonomy. CADA is still a proposal, so none of this is yet in force.
Detail
CADA (COM(2026) 502 final), proposed by the Commission on 3 June 2026, seeks to reduce the EU's dependence on a few non-European cloud and AI providers and to build a more autonomous European technology stack. Promoting open source is one strand. Chapter V ("Open source") of Title IV (Autonomy), Articles 41–44, sets out the relevant provisions for Union entities and public sector bodies.
The "open source first" principle (Article 41)
Article 41 provides that "the Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack." The binding duty here runs to the Union and the Member States — to encourage and facilitate — rather than imposing a hard procurement rule on each buyer.
It is not a ban on proprietary software but a structured preference. The provision requires the choice to take account of "functionalities, including security, total cost, and other relevant, duly justified objective criteria." That shifts the mindset from upfront licence fees toward longer-term value, autonomy and risk — aiming to limit vendor lock-in, support auditability and foster reuse across the public sector.
Sharing and reuse, and the EU OSS Catalogue (Articles 42 and 43)
Article 42 addresses how reusable software is published. As proposed, when a Union entity or public sector body holds intellectual property rights in software and chooses to make it available for reuse under an open source licence, it "shall do so using a catalogue or repository that is connected to, and made accessible through, the EU OSS Catalogue." This is a conditional rule: it does not require any body to open-source its software; it governs the channel when a body decides to share.
Article 43 establishes the EU Open Source Solutions Catalogue (EU OSS Catalogue) as a centralised catalogue to access software made available for reuse by Union entities and public sector bodies. The Commission would provide and maintain it; it would be hosted on the Interoperable Europe portal (Article 8 of Regulation (EU) 2024/903) and accessible electronically free of charge. Under Article 43(3), the Commission would decide, on objective and relevant criteria, on requests by bodies owning or maintaining a catalogue or repository to connect it to the EU OSS Catalogue.
The OSPO Network (Article 44)
Article 44 would have the Commission establish a Network of Open Source Programme Offices (OSPOs) to facilitate cooperation on implementing the chapter — exchanging best practices and contributing voluntary, non-binding guidance and templates on sharing and reuse. This supports buyers who lack in-house expertise.
What this means for you
For public-sector procurement officers and digital leaders, CADA's open source chapter — if adopted — would reshape how cloud and AI contracts are structured and evaluated. Because CADA is a proposal, preparing now is about readiness rather than present legal compliance.
1. Build "open source first" into your evaluation
Under Article 41, open standards and open-source components would be the first option to assess. This does not mean rejecting proprietary bids automatically; it means showing open source was genuinely evaluated against objective criteria.
- Total cost of ownership (TCO): weigh implementation, integration, maintenance, training and support, not just licence fees.
- Security and auditability: factor in the value of independent verification, especially for critical systems.
- Interoperability: favour open standards so solutions integrate across the EU ecosystem.
2. Check the EU OSS Catalogue before buying
Before commissioning custom software or AI tools, check the EU OSS Catalogue (Article 43) for an existing reusable solution. A "catalogue check" step, with the result documented, supports the chapter's reuse and value-for-money goals.
3. Plan for software reuse
If you develop custom software or AI models and choose to release them under an open source licence, Article 42 would require publication via a repository connected to the EU OSS Catalogue. Set up internal processes to spot software with reuse potential and ensure your IT and legal teams understand open-source licensing and the connection process.
4. Engage with the OSPO Network
Article 44 would create the OSPO Network. If you have no OSPO, you can collaborate with existing ones or draw on the network's shared best practices, templates and guidance.
Practical buyer checklist
| Step | Action | CADA reference |
|---|---|---|
| 1 | Search for existing solutions in the EU OSS Catalogue. | Art. 43 |
| 2 | Assess open source first if no suitable existing solution is found. | Art. 41 |
| 3 | Evaluate on total cost, security and interoperability, not just upfront price. | Art. 41 |
| 4 | Document the justification if you choose proprietary software. | Art. 41 |
| 5 | Plan for reuse — decide early whether custom software will be open-sourced via the EU OSS Catalogue. | Arts. 42–43 |
| 6 | Collaborate with the OSPO Network for guidance and templates. | Art. 44 |
Common misconceptions
Misconception 1: CADA bans proprietary software. No. Article 41 frames a preference and requires a balanced assessment against functionalities, security, total cost and other duly justified objective criteria. Proprietary software can be chosen where objectively better suited.
Misconception 2: All public software must be open-sourced. No. Article 42 applies only where a body voluntarily decides to make software it owns available for reuse — and then governs how it is published. There is no duty to open-source all custom-developed software.
Misconception 3: Open source means no cost. There may be no licence fee, but total cost of ownership includes support, maintenance, training and integration. Article 41 expressly names "total cost" as a criterion.
Misconception 4: "Open source first" forces every buyer to pick open source. The duty runs to the Union and Member States to encourage open source; the buyer's choice still turns on objective criteria. "First" is about the order of consideration, not a guaranteed outcome.
Related
- What is a public sector body for CADA open source purposes?
- How does open source under CADA reduce duplication across the public sector?
- How does open source improve transparency in the public sector under CADA?
- How does 'open source first' affect cloud migration decisions in the public sector under CADA?
- How does CADA open source support resilience of public-sector IT?
This is general information about a draft EU regulation, not legal advice.