Summary

Under the proposed Cloud and AI Development Act (CADA), a "Union entity" is strictly defined as any institution, body, office, or agency established by or pursuant to the EU Treaties (TEU, TFEU, or Euratom). These entities are eligible to voluntarily join the EuroCloud Federation, a mechanism designed to share secure public-sector cloud and data centre services. Participation is governed by Article 34, which requires Union entities to request Commission approval to join. Crucially, while membership is voluntary, the ability to share services is conditional on strict hardware ownership or control rules under Article 35 to prevent market distortion, and all shared services must still comply with the Union sovereignty framework (Article 16) and risk assessments (Article 29).

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes the EuroCloud Federation to enhance the resilience, sovereignty, and efficiency of Europe's public-sector cloud infrastructure. To navigate this framework, legal and compliance teams must first distinguish between the different types of public actors and then understand the specific procedural and substantive conditions for joining the Federation.

1. Defining "Union Entity" under CADA

The scope of the EuroCloud Federation hinges on the precise definition of a "Union entity." This term is not a generic reference to any EU-related body but a specific legal category defined in Article 2(7) of the proposal.

According to Article 2(7), a "Union entity" means:

"the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community."

This definition encompasses the core pillars of the EU administration:

  • Institutions: Such as the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, and the European Court of Auditors.
  • Bodies, Offices, and Agencies: This includes decentralized agencies (e.g., the European Medicines Agency, Europol, Frontex), executive agencies, and other specialized offices established by specific EU regulations or decisions pursuant to the Treaties.

It is vital to distinguish "Union entities" from "public sector bodies." The latter, defined in Article 2(6) by reference to Directive (EU) 2019/1024, refers to authorities at the Member State, regional, or local level. While both groups can participate in the Federation, they are distinct legal categories with potentially different operational contexts.

2. Participation in the EuroCloud Federation

The rules governing the entry of Union entities into the Federation are set out in Article 34. The Federation is designed as a collaborative, voluntary mechanism to facilitate the sharing of public sector data centre services and cloud computing services.

Voluntary Nature and the Request Process

Participation is not automatic. Article 34(1) explicitly states that the EuroCloud Federation is "open for the participation of Union entities and public sector bodies on a voluntary basis." Crucially, the provision mandates an active step for entry:

"Union entities and public sector bodies may request the Commission to join the EuroCloud Federation."

This creates a procedural requirement: a Union entity cannot simply declare itself a member; it must submit a formal request to the European Commission. The Commission holds the authority to manage this process. Article 34(4) empowers the Commission to adopt implementing acts to specify the detailed procedure for participation and the template for the request. Until these implementing acts are adopted, the specific administrative steps remain to be finalized, but the legal obligation to request entry is clear.

Scope of Sharing

Once admitted, the Federation enables Union entities to share resources. Article 34(2) clarifies that the Federation "shall facilitate the sharing of public sector data centre services and cloud computing services between Union entities and public sector bodies." This sharing is intended to optimize capacity, reduce costs, and enhance security by leveraging idle resources across the EU public sector.

3. Conditions for Sharing: Ownership and Control

While Article 34 grants the right to request membership, the actual ability to share services (acting as a "sharing entity") is subject to rigorous conditions in Article 35. These conditions are designed to ensure that the Federation remains a public-sector tool and does not distort the market by allowing private entities to benefit indirectly.

Direct or Indirect Ownership

Under Article 35(1), a Union entity may share services only if it "directly, or indirectly through an intermediate legal entity, owns the hardware through which the service is made available."

Strict Control over Intermediate Entities

If a Union entity owns the hardware indirectly through an intermediate legal entity, Article 35(1) imposes a strict "control" test. The Union entity must exercise control over that intermediate entity. The proposal defines this control through cumulative conditions:

  1. The Union entity must exercise decisive influence over both the strategic objectives and significant decisions of the intermediate entity.
  2. There must be no direct private capital participation in that intermediate legal entity.
  3. More than 80% of the activities of the intermediate entity must be carried out in the performance of tasks entrusted to it by the Union entity.

These criteria ensure that the infrastructure remains effectively under public control and that private capital does not gain an unfair advantage through the Federation.

4. Fees and Financial Obligations

Participation in the Federation involves financial commitments. Article 36 establishes that the costs arising from the Commission's activities in administering the Federation (including the establishment of the platform and assessing membership requests) are "jointly financed by the members of the EuroCloud Federation through fees levied by the Commission."

These fees are not optional. They are calculated to cover the costs incurred by the Commission and are classified as internal assigned revenues. Union entities must therefore anticipate these costs in their budgeting, as the fees are levied to ensure the financial sustainability of the Federation's operations.

5. Sovereignty and Risk Assessment

Joining the Federation does not exempt a Union entity from the broader sovereignty requirements of CADA. The Federation is a mechanism for sharing capacity, not a waiver of security standards.

  • Union Assurance Levels: Any cloud computing service shared within the Federation must still comply with the Union cloud computing sovereignty framework established in Article 16 and detailed in Annex II. This means services must be recognized at an appropriate Union assurance level (1–4).
  • Risk Assessments: Under Article 29, Member States and Union entities must conduct risk assessments to determine which activities contribute to the preservation of public order. If a Union entity shares services for activities identified as public-order-relevant, those services must meet the higher assurance levels (2, 3, or 4) mandated by Article 30(3).

What this means for you

For legal counsel, procurement officers, and IT directors at EU institutions and agencies, the EuroCloud Federation represents a new strategic avenue for cloud procurement and capacity management.

  1. Verify Your Status: Confirm that your organization falls squarely within the Article 2(7) definition of a "Union entity." If you are a national agency or a private contractor, you do not qualify as a Union entity, though you may qualify as a "public sector body" under different rules.
  2. Prepare for the Request: Monitor the adoption of the implementing acts under Article 34(4). Once published, you will need to submit a formal request to the Commission using the prescribed template. Do not assume automatic enrollment.
  3. Audit Hardware Ownership: If your entity intends to provide services to the Federation, conduct an immediate audit of your hardware ownership structure. If you use an intermediate entity, verify that it meets the strict "no private capital" and "80% activity" tests under Article 35(1). Failure to meet these criteria will disqualify you from sharing services, even if you are a member.
  4. Budget for Fees: Allocate resources for the fees mandated by Article 36. These are cost-recovery charges levied by the Commission and are a necessary cost of participation.
  5. Align with Sovereignty Rules: Ensure that any service you offer or consume through the Federation has been recognized at the correct Union assurance level. The Federation does not bypass the risk assessment requirements of Article 29; in fact, it reinforces the need for compliant, sovereign infrastructure.

Common misconceptions

  • "All EU bodies are automatically members of the EuroCloud Federation." Incorrect. Article 34(1) makes participation voluntary. A Union entity must actively request to join and be accepted by the Commission. There is no automatic enrollment upon the entry into force of the Regulation.
  • "A Union entity can share any cloud service it uses, even from a commercial provider." Incorrect. Article 35(1) restricts sharing to services where the Union entity owns the hardware (directly or via a strictly controlled intermediate entity). You cannot share a service provided by a third-party commercial cloud provider unless you own the underlying infrastructure or meet the specific control criteria.
  • "Joining the Federation waives the need for sovereignty risk assessments." Incorrect. The Federation is a sharing mechanism, not a regulatory exemption. Services shared must still comply with the Union assurance levels defined in Article 16 and Annex II, and the entity must have conducted the required risk assessment under Article 29.

This is general information about a draft EU regulation, not legal advice.