Summary The proposed Cloud and AI Development Act (CADA) establishes the EuroCloud Federation but delegates the operational specifics to the European Commission via implementing acts. As proposed, these acts will define the procedure and template for joining (Article 34(4)), the technical, operational, and organisational measures required for sharing services (Article 35(6)), and the detailed rules for calculating administrative fees (Article 36(4)). Crucially, all three implementing acts must be adopted through the examination procedure under Article 46(2), ensuring Member State oversight. Until these acts are adopted, the high-level framework in the regulation remains the only binding rule.

Detail

The EuroCloud Federation, established under Article 34 of the CADA proposal (COM(2026) 502 final), is a voluntary mechanism designed to facilitate the sharing of public sector data centre services and cloud computing services between Union entities and public sector bodies. While the regulation sets the strategic objectives and legal boundaries, it explicitly recognises that the technical and administrative minutiae of such a complex federation require secondary legislation. Consequently, the proposal empowers the Commission to adopt implementing acts in three distinct but interconnected areas.

1. Participation Procedure and Request Templates (Article 34(4))

The regulation establishes that participation is voluntary and open to Union entities and public sector bodies. However, to ensure a harmonised and secure entry process across the Union, Article 34(4) grants the Commission the power to adopt implementing acts specifying:

  • The procedure to participate in the EuroCloud Federation; and
  • The template concerning the content and other details of the request for participation.

As proposed, these acts will standardise how entities apply to join. Without such standardisation, Member States and Union institutions might develop disparate application processes, leading to fragmentation and potential security gaps. The implementing act will likely mandate specific data points regarding the applicant's infrastructure, security posture, and legal capacity to share resources. This ensures that only entities capable of meeting the federation's "highly trusted and secure" standards are admitted, maintaining the integrity of the shared public sector cloud.

2. Technical, Operational, and Organisational Sharing Measures (Article 35(6))

The core function of the federation is the sharing of services. Article 35(2) imposes a general obligation on the "sharing entity" (the member providing the service) to put in place appropriate technical, operational and organisational measures to ensure effective, secure, and resilient provision.

To prevent these measures from being interpreted inconsistently across borders, Article 35(6) explicitly empowers the Commission to adopt implementing acts that specify these measures. These acts will define the minimum baseline for:

  • Technical measures: Including protocols for secure access, identity management, mutual authentication, and incident reporting tools.
  • Operational measures: Covering business continuity planning, disaster recovery, and interoperability standards to ensure seamless resource exchange.
  • Organisational measures: Including risk analysis policies, access control policies, and governance structures.

By codifying these requirements, the Commission ensures that a public body in one Member State can safely share capacity with a body in another, knowing that both adhere to the same rigorous security and operational standards. This harmonisation is essential for the federation to function as a single, trusted European public sector cloud.

3. Rules on Fees for Administration (Article 36(4))

The EuroCloud Federation is designed to be cost-recovery based, not a profit-making venture. Article 36(1) states that costs arising from the Commission's activities (such as assessing membership applications and maintaining the platform) are jointly financed by members through fees.

Article 36(4) empowers the Commission to adopt implementing acts laying down detailed rules for:

  • Determining the estimated costs: The methodology for calculating the total administrative burden of running the federation.
  • The individual amount of the fees: How these costs are apportioned among members (e.g., based on usage, size, or a fixed tier).
  • The manner and conditions under which the fees are to be paid: Including invoicing cycles, payment methods, and administrative procedures.

These revenues are designated as internal assigned revenues under the Financial Regulation, meaning they are ring-fenced specifically to cover the costs of the federation's administration. The implementing act ensures transparency and predictability, preventing arbitrary charges and ensuring that the financial burden is distributed fairly among participants.

The Examination Procedure (Article 46(2))

A critical procedural safeguard in the CADA proposal is the requirement that all three implementing acts mentioned above be adopted in accordance with the examination procedure referred to in Article 46(2).

This procedure involves a committee composed of representatives from the Member States. The Commission must submit draft implementing acts to this committee, which then votes on the proposal. This mechanism ensures that:

  1. Member State Oversight: National authorities have a direct say in the detailed rules governing the federation, balancing EU-level harmonisation with national interests.
  2. Democratic Accountability: The process prevents the Commission from unilaterally setting technical standards or fee structures without consultation.
  3. Legal Certainty: The adoption of these acts follows a strict, transparent legal pathway, reducing the risk of legal challenges to the secondary legislation.

What this means for you

For legal counsel, compliance officers, and IT directors in the public sector, the delegation of these powers has immediate strategic implications:

  1. The "Gap" Period: Until the implementing acts are adopted, the specific technical requirements and fee structures remain undefined. Public bodies should not assume they can join immediately or that they know the exact cost. The regulation provides the right to join, but the mechanism is pending.
  2. Preparation for Standardisation: Entities wishing to join should begin auditing their current infrastructure against the high-level requirements of Article 35. While the specific technical measures are not yet final, the expectation of "appropriate technical, operational and organisational measures" implies a need for robust security, incident handling, and interoperability capabilities.
  3. Budgeting for Fees: While the sharing of capacity itself is limited to cost recovery for the sharing entity (Article 35(5)), the administrative fees under Article 36 will be a new, recurring line item. Organisations should prepare for a fee structure that reflects the cost of the Commission's administrative burden, as detailed in the future implementing act.
  4. Engagement in the Committee Process: Since the acts are adopted via the examination procedure, there will be opportunities for Member States to influence the outcome. National competent authorities should actively engage with the Commission during the drafting phase to ensure the technical measures are realistic and aligned with existing national standards.

Common misconceptions

"The Commission sets the price for cloud capacity."

  • Correction: No. Article 35(5) explicitly states that any fee charged by a sharing entity to a using entity must be limited strictly to the additional costs incurred in sharing the service (e.g., isolation, integration). It cannot constitute a pecuniary interest or a profit. Article 36(4) only governs the administrative fees paid to the Commission for running the federation platform and assessing memberships.

"Joining the federation is automatic for all public bodies."

  • Correction: No. Article 34(1) states participation is voluntary. Furthermore, Article 34(4) mandates a specific procedure and template. Entities must actively apply and demonstrate they meet the technical and organisational criteria specified in the future implementing acts.

"Private cloud providers can join the EuroCloud Federation."

  • Correction: No. Article 34(1) and Recital 71 clarify that participation is limited to Union entities and public sector bodies. Private entities cannot be direct members. However, a public entity may use private infrastructure to fulfill its sharing obligations, provided the public entity retains control and meets the sovereignty criteria.

"The implementing acts are already in force."

  • Correction: No. The CADA proposal is currently a draft. The implementing acts under Articles 34(4), 35(6), and 36(4) have not yet been adopted. They will only become binding once the Commission follows the examination procedure and publishes them.

Related

This is general information about a draft EU regulation, not legal advice.