Summary Under the proposed Cloud and AI Development Act (CADA), a "Union entity" is strictly defined in Article 2(7) as any Union institution, body, office, or agency established by or pursuant to the EU Treaties. For open source purposes, these entities are distinct from national "public sector bodies" and are directly subject to the "open source first" principle (Article 41) and mandatory obligations to share and reuse software via the EU Open Source Solutions Catalogue (Articles 42–44). As proposed, Union entities must prioritize open standards in their cloud and AI stacks and ensure any software they make available for reuse is integrated into a central EU repository, enhancing transparency and technological sovereignty.

Detail

To navigate the regulatory landscape of the proposed CADA, it is essential to distinguish between the two primary categories of public actors: "public sector bodies" (national and local authorities) and "Union entities" (EU-level institutions). While both are encouraged to adopt open source, the legal mechanisms and specific obligations differ significantly due to their distinct definitions and the direct applicability of the Regulation to Union entities.

Definition of a Union Entity

The scope of the open source obligations hinges on the precise definition found in Article 2(7) of the CADA proposal. A "Union entity" means:

"the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community."

This definition encompasses the core EU institutions (e.g., the European Commission, the European Parliament, the Council), as well as decentralized agencies (e.g., ENISA, Europol, EMA) and other bodies established under the Treaties. Crucially, this definition excludes national ministries, local councils, and national regulatory authorities. Those national actors fall under the definition of "public sector body" in Article 2(6). This distinction is vital because while Member States must take measures to encourage open source use among their national bodies, Union entities are directly bound by the specific procedural requirements of the Regulation itself.

The "Open Source First" Principle

Article 41 establishes the foundational principle for the public sector's approach to software procurement and development. It mandates that the Union and Member States shall take necessary measures to encourage Union entities and public sector bodies to "use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack."

For Union entities, this is not merely a suggestion but a binding requirement to prioritize open source. However, the proposal includes necessary flexibility. The obligation requires entities to take into account "functionalities, including security, total cost, and other relevant, duly justified objective criteria." This means that while the default position must be open source, an entity may opt for proprietary solutions if they can objectively demonstrate that open source alternatives do not meet specific security, functional, or cost requirements.

Mandatory Share-and-Reuse Obligations

The most significant operational change for Union entities under the proposal concerns the management of intellectual property. Article 42 imposes a strict condition on how Union entities handle software they develop or own.

When a Union entity holds intellectual property rights to software and decides to make it available for reuse under an open source licence, it must do so using a catalogue or repository that is "connected to, and made accessible through, the EU Open Source Solutions Catalogue" (the "EU OSS Catalogue").

This requirement prevents the fragmentation of EU software assets. An entity cannot simply host reusable software on an isolated internal server or a disconnected external platform. The software must be integrated into the central EU infrastructure to ensure it is discoverable and reusable by other public administrations across the Union.

The EU Open Source Solutions Catalogue and Governance

Article 43 details the infrastructure supporting these obligations. The Commission is required to provide and maintain the EU OSS Catalogue as a centralised access point. This catalogue will be hosted on the Interoperable Europe portal, ensuring it is accessible electronically and free of charge. The Commission retains the authority to decide on requests from Union entities to connect their existing catalogues or repositories to this central hub, ensuring a unified ecosystem.

To support the practical implementation of these rules, Article 44 establishes a network of Open Source Programme Offices (OSPO Network). Union entities may establish their own OSPOs and request to join this network. The network serves as a coordination mechanism, facilitating the exchange of information, best practices, and guidance on technical, legal, and organisational challenges, including licensing, security, and procurement. The Commission is mandated to convene and chair meetings of this network at least twice a year, ensuring ongoing alignment between EU institutions and Member States.

What this means for you

For legal counsel, compliance officers, and IT directors within EU institutions, bodies, and agencies, the proposed CADA introduces a structured, binding framework for open source adoption that goes beyond voluntary best practices.

  1. Strategic Procurement and Development: Your organization must formally adopt an "open source first" approach. This requires updating procurement guidelines and development policies to prioritize open standards. You must be prepared to document the evaluation process, demonstrating how open source options were weighed against proprietary ones based on security, functionality, and total cost of ownership.
  2. IP Management and Centralised Cataloguing: If your entity develops software internally and holds the IP rights, you must establish a workflow to make this software available for reuse under an open source licence. Crucially, this software must be published in a repository connected to the EU OSS Catalogue. Failure to integrate with this central catalogue would constitute non-compliance with Article 42.
  3. OSPO Establishment and Network Participation: You should prepare to establish or designate an Open Source Programme Office (OSPO) within your entity. Joining the OSPO Network (Article 44) will be essential for accessing evolving guidance, sharing best practices, and ensuring your entity remains aligned with Union-wide standards on licensing and security.
  4. Interoperability and Reuse: The focus on the Interoperable Europe portal and the central catalogue means that software developed by one Union entity is intended for immediate reuse by others. Your teams must ensure that software documentation and licensing are clear and compatible to facilitate this cross-institutional reuse.

Common misconceptions

  • "Union entities and public sector bodies are treated identically under CADA." They are not. Article 2 provides separate definitions. While both are encouraged to use open source, Union entities are directly subject to the Commission's maintenance of the central catalogue and the specific procedural requirements of Articles 42–44. National public sector bodies are subject to measures taken by their respective Member States to encourage similar behavior, but the direct EU-level infrastructure obligations apply specifically to Union entities.
  • "Open source first means we must use open source in every single case." No. Article 41 requires entities to encourage and facilitate the use of open source, taking into account functionalities, security, and total cost. It is a preference principle, not an absolute mandate. Entities may justify the use of proprietary solutions if they can demonstrate that open source alternatives fail to meet specific, objective criteria.
  • "We can host our reusable software on any internal platform we choose." Incorrect. Article 42 explicitly requires that software made available for reuse by Union entities must be done so via a catalogue or repository connected to the EU OSS Catalogue. Isolated repositories that are not connected to this central hub do not meet the regulatory requirement for discoverability and reuse across the Union.
  • "This only applies to new software developed after the law enters into force." The obligation to share and reuse applies to software to which the entity holds intellectual property rights. If an entity decides to make existing software available for reuse under an open source licence, it must follow the catalogue requirement. The "open source first" principle applies to the ongoing building of the cloud and AI ecosystem, covering new developments and significant upgrades.

Related

This is general information about a draft EU regulation, not legal advice.