What is an intermediate legal entity in EuroCloud sharing under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), an "intermediate legal entity" is a distinct legal structure that allows a public "sharing entity" to indirectly own the hardware required for EuroCloud Federation services. Article 35(1) permits this indirect ownership only if the public sharing entity exercises strict, cumulative control over the intermediate entity. To qualify, the arrangement must satisfy three specific conditions: the public body must exercise decisive influence over strategic objectives; there must be no direct private capital participation in the intermediate entity; and more than 80% of the entity's activities must be performed for the sharing entity. This structure enables state-owned operators to participate in the Federation while preventing private market distortion.

Detail

The EuroCloud Federation, established under Article 34 of the proposed CADA, is designed to facilitate the sharing of public sector data centre and cloud computing services between Union entities and public sector bodies. A critical operational question for public authorities is whether they can share capacity hosted on infrastructure they do not directly own, but rather control through a subsidiary or separate legal vehicle. Article 35(1) provides a clear, conditional answer: yes, provided the ownership chain is strictly controlled by the public sector.

Specifically, Article 35(1) states that a member of the EuroCloud Federation (the "sharing entity") may share services with another member (the "using entity") where the sharing entity "directly, or indirectly through an intermediate legal entity, owns the hardware through which the service is made available." This provision explicitly acknowledges that public authorities often operate through dedicated digital infrastructure agencies or state-owned enterprises rather than holding title to servers directly.

However, this indirect ownership is not unconditional. The text mandates that "where the sharing entity indirectly owns the hardware and provides the services through an intermediate legal entity, the sharing entity shall exercise control over that intermediate legal entity." To prevent private market distortion and ensure the arrangement remains a public-sector cooperation rather than a commercial transaction, the proposal defines "control" through three cumulative conditions, as detailed in Recital 71 and Article 35(1):

1. Decisive Influence: The sharing entity must exercise decisive influence over both the strategic objectives and significant decisions of the intermediate legal entity. This ensures that the public authority, not the intermediate entity's independent board or private stakeholders, dictates the operational and strategic direction of the cloud infrastructure.
2. No Direct Private Capital: There must not be any direct private capital participation in that intermediate legal entity. This condition is designed to ring-fence the EuroCloud sharing mechanism from private commercial interests, ensuring that the infrastructure is not leveraged for private profit in a way that would distort competition in the broader cloud market.
3. Activity Threshold: More than 80% of the activities of the intermediate legal entity must be carried out in the performance of tasks entrusted to it by the sharing entity. This ensures that the intermediate entity is functionally dedicated to the public sector mission, rather than operating as a general-purpose commercial cloud provider that happens to have a public shareholder.

A practical example of this structure is a state-owned cloud operator that is wholly owned by a national ministry. In this scenario, the ministry acts as the "sharing entity" within the EuroCloud Federation. The cloud operator serves as the "intermediate legal entity" that legally owns the physical servers and data centre facilities. As long as the ministry exercises decisive strategic control, there is no private capital in the operator, and the operator's primary activity (exceeding 80%) is serving the ministry's cloud needs, the ministry can share its idle capacity with other EuroCloud members under Article 35.

It is important to note that while the intermediate legal entity owns the hardware, the service provision is attributed to the sharing entity for the purposes of the Federation. The sharing entity remains responsible for demonstrating to the Commission that it fulfils the conditions set out in Article 35(1) and (2) prior to sharing services. Furthermore, Recital 71 clarifies that the sharing of services within the Federation should be anchored in public-sector cooperation, governed solely by considerations of public interest, and should not entail any form of consideration in exchange for another, except for cost recovery.

What this means for you

For in-house counsel, compliance officers, and procurement teams in public sector bodies or state-owned enterprises, the introduction of the "intermediate legal entity" concept expands the pool of eligible infrastructure for EuroCloud sharing but imposes rigorous governance and structural requirements.

Structural Audit and Control Verification If your organisation intends to share cloud capacity via an intermediate entity (e.g., a national digital infrastructure agency or a state-owned IT company), you must conduct a comprehensive structural audit to verify compliance with the three cumulative control conditions. You must document the mechanisms by which your public authority exercises "decisive influence" over strategic objectives. This may involve reviewing board appointment powers, voting rights in shareholder meetings, and strategic planning approval processes. Evidence of this control will be required when demonstrating compliance to the Commission under Article 35(3).

Capital Structure Review Compliance teams must ensure that the intermediate legal entity has no direct private capital participation. This requires a thorough review of the entity's capital structure, shareholder agreements, and investment history. Any private equity investment, private shareholder dividends, or private capital injections could disqualify the entity from participating in EuroCloud sharing under this specific provision. If private capital is present, the entity may need to restructure or rely on different procurement mechanisms outside the EuroCloud framework.

Activity Monitoring and Reporting The 80% activity threshold is a critical operational compliance metric. Finance and operations departments must track the revenue streams, service allocations, and workload distribution of the intermediate entity to ensure that more than 80% of its activities are performed for the public sharing entity. If the intermediate entity begins offering significant commercial services to the private market, it risks falling below this threshold. In such a case, the sharing arrangement with EuroCloud members would cease to be compliant, potentially exposing the public authority to regulatory scrutiny and the loss of Federation membership.

Demonstration of Compliance Before any sharing occurs, the sharing entity must demonstrate to the Commission that it fulfils the conditions in Article 35(1) and (2). This is not a passive registration; it is an active compliance demonstration. Prepare detailed documentation outlining the governance structure, capital composition, and activity breakdown of the intermediate entity. Failure to meet these conditions could result in the Commission refusing to allow the sharing entity to participate in the Federation, disrupting planned capacity-sharing agreements.

Common misconceptions

Misconception 1: Any state-owned company qualifies automatically. It is incorrect to assume that any entity owned by the state automatically qualifies as a valid intermediate legal entity. The 80% activity rule and the no-private-capital rule are strict. A state-owned cloud provider that generates significant revenue from private commercial clients may fail the 80% threshold if its commercial activities exceed 20% of its total operations.

Misconception 2: The intermediate entity can have private shareholders if the state has a majority stake. The requirement for "no direct private capital participation" is absolute. Even if the state holds a 51% majority, the presence of private capital in the intermediate entity disqualifies it from being used for EuroCloud sharing under Article 35(1). This distinguishes EuroCloud sharing from general public procurement, where public-private partnerships are common.

Misconception 3: Control is solely determined by majority voting rights. While voting rights are important, "decisive influence over strategic objectives" is a broader concept. It encompasses the ability to shape the long-term direction and significant decisions of the entity. Compliance officers must look beyond simple majority voting to ensure that the public authority has effective strategic control, as required by the first cumulative condition.

Related

• What is a sharing entity in the EuroCloud Federation?
• EuroCloud Federation fees: What can a sharing entity charge?
• What conditions must a EuroCloud sharing entity meet under CADA?
• Must a sharing entity own the hardware behind a shared service in the EuroCloud Federation?
• Can a sharing entity refuse to share with a particular using entity in the EuroCloud Federation?

This is general information about a draft EU regulation, not legal advice.