What is an Open Source Programme Office (OSPO) under CADA?

An Open Source Programme Office (OSPO) is a dedicated organisational structure within a public sector body or Union entity responsible for managing the lif

Summary An Open Source Programme Office (OSPO) is a dedicated organisational structure within a public sector body or Union entity responsible for managing the lifecycle of open-source software, from procurement and development to sharing and reuse. Under the proposed Cloud and AI Development Act (CADA), Article 44 establishes a formal OSPO Network to coordinate these offices across the EU. This network facilitates the exchange of best practices on critical challenges including licensing, security, maintenance, and procurement. While participation in the network is voluntary for OSPOs established at local, regional, or national levels, the Act mandates the Commission to support and convene this network at least twice a year to foster a cohesive European open-source ecosystem.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, identifies open source as a strategic lever to strengthen Europe's technological sovereignty, reduce vendor lock-in, and foster innovation. To operationalise this vision, the proposal moves beyond general encouragement to establish a structured governance framework. Central to this framework is the Open Source Programme Office (OSPO), defined not merely as a technical team but as a strategic organisational unit designed to manage the complex legal, security, and operational aspects of open-source software within the public sector.

The Organisational Structure of an OSPO under CADA

In the context of CADA, an OSPO serves as the central hub for an organisation's open-source strategy. It is the entity responsible for ensuring that the use, development, and sharing of open-source software align with Union legal obligations and strategic objectives. The Act recognises that open-source management requires a multidisciplinary approach, bridging the gap between legal compliance (licensing), technical risk management (security), operational continuity (maintenance), and public procurement rules.

The proposal explicitly acknowledges the multi-level nature of the EU public sector. Article 44(2) states that "Open Source Programme Offices established by public sector bodies at local, regional or national level in a Member State, and those established by Union entities, may request from the Commission to join the OSPO Network." This provision confirms that an OSPO is not restricted to central governments or EU institutions; it is a scalable organisational structure applicable to municipalities, regional authorities, and national ministries alike.

The OSPO Network: A Framework for Cooperation

While individual public bodies may establish OSPOs independently, CADA creates a formal mechanism to ensure these offices do not operate in silos. Article 44(1) mandates that "The Commission shall establish a network of Open Source Programme Offices ('the OSPO Network') to facilitate cooperation on the implementation of the obligations under this Chapter."

This network is designed to create a unified European approach to open-source management. By connecting OSPOs across different jurisdictions, the Act aims to harmonise practices, reduce duplication of effort, and accelerate the adoption of open-source solutions across the Union. The Commission plays a pivotal role in this structure: Article 44(4) states that "The Commission shall support and coordinate the OSPO Network," and Article 44(5) requires that "The Commission shall convene and chair a meeting of the members of the OSPO Network at least twice a year." These meetings, which may be organised online, ensure regular dialogue and strategic alignment among members.

Core Tasks and Responsibilities

The specific functions of an OSPO within the CADA framework are detailed in Article 44(3). These tasks define the operational scope of the office and highlight the critical areas where public sector bodies must focus their open-source governance efforts. The Act outlines five key areas of responsibility:

Facilitating Exchange of Information and Best Practices: The primary task of the OSPO Network is to "facilitat[e] the exchange of information, experience and best practices between Member States and the Commission." This includes discussing "common technical, legal and organisational challenges." This collaborative function is essential for addressing the fragmented nature of open-source policies across different Member States.
Addressing Specific Open-Source Challenges: The Act explicitly identifies four critical domains where OSPOs must focus their expertise:
- Licensing: Navigating the complex landscape of open-source licenses to ensure compliance and avoid legal risks.
- Security: Managing vulnerabilities within open-source components and ensuring the security of software supply chains.
- Maintenance: Coordinating the long-term maintenance of software to prevent abandonment and ensure sustainability.
- Procurement: Developing strategies for procuring open-source solutions effectively, ensuring that public procurement processes support the open-source ecosystem.
Promoting Sharing and Reuse: OSPOs are tasked to "promote the sharing and reuse of open-source software by public sector bodies." This aligns with CADA's broader objective of maximising the value of public expenditure and reducing duplication. By encouraging the release of software developed with public funds under open-source licenses, OSPOs help build a shared digital commons.
Developing Guidance and Recommendations: On a "voluntary and non-binding basis," OSPOs may "contribute to the development of guidance, templates or recommendations on the sharing and reuse of open-source software." This allows the network to produce practical tools that can be adopted by public bodies to streamline their open-source operations.
Collaboration on Projects of Common Interest: Finally, OSPOs are to "collaborate on and exchange open-source projects of common interest to Union entities and public sector bodies." This fosters joint development efforts and the creation of shared digital solutions that can be deployed across the EU.

Integration with Broader CADA Objectives

The role of the OSPO is deeply integrated with other provisions in the CADA proposal. Article 41 establishes the principle of "open source first," encouraging Union entities and public sector bodies to "use and facilitate the reuse of open standards and components released under an open source licence." Article 42 requires that when public bodies make software available for reuse, they must do so via a catalogue connected to the EU Open Source Solutions Catalogue (established under Article 43).

The OSPO acts as the operational engine for these requirements. It is the office that would typically identify software eligible for release, ensure it is properly licensed, verify security standards, and manage the submission to the EU OSS Catalogue. Without a dedicated OSPO, public bodies may struggle to navigate the technical and legal requirements of these articles effectively.

What this means for you

For public-sector officials, IT managers, legal counsel, and procurement officers, the introduction of OSPOs under CADA represents a significant shift towards professionalised open-source management.

Establish or Formalise Your OSPO: If your organisation (whether a municipality, regional authority, or national ministry) does not yet have a dedicated unit for open-source management, CADA provides a strong policy impetus to create one. This does not necessarily require a large new department; it can start as a designated function within existing IT, legal, or procurement teams. However, having a clearly defined OSPO is the prerequisite for joining the OSPO Network.
Join the OSPO Network: Once established, your OSPO can request to join the network via the Commission. This provides access to a European-wide community of practice, allowing you to learn from peers, share templates, and align your internal policies with emerging EU-wide standards.
Standardise Processes for Licensing, Security, and Maintenance: Use the OSPO framework to develop internal policies that address the specific challenges highlighted in Article 44(3). This includes creating standard operating procedures for license compliance, establishing security scanning protocols for open-source components, and defining maintenance strategies to prevent software abandonment.
Facilitate Software Reuse and Catalogue Submission: Your OSPO should take responsibility for auditing software developed by or for your entity to identify candidates for open-source release. Ensure that such software is properly documented, licensed, and submitted to the EU Open Source Solutions Catalogue, as required by Article 42. This fulfils regulatory obligations and contributes to the broader European digital ecosystem.
Integrate Open Source into Procurement: Your OSPO can lead the integration of open-source criteria into public procurement processes. This includes evaluating tenders based on the use of open standards, the avoidance of vendor lock-in, and the availability of source code, as encouraged by Article 41.

Common misconceptions

"An OSPO is only for large national governments or EU institutions." No. Article 44(2) explicitly includes OSPOs established at "local, regional or national level." Municipalities and smaller public bodies are encouraged to establish OSPO functions to participate in the network and benefit from shared resources. The structure is scalable to the size of the organisation.

"Joining the OSPO Network is mandatory for all public bodies." Participation in the network is voluntary. Article 44(2) states that OSPOs "may request from the Commission to join the OSPO Network." While joining is not compulsory, the benefits of collaboration, shared best practices, and access to common tools make it highly advantageous for any public body seeking to implement CADA's open-source objectives effectively.

"OSPOs have regulatory enforcement powers." OSPOs are coordinative and supportive bodies. They facilitate exchange, develop non-binding guidance, and manage internal open-source strategies. They do not have the power to enforce compliance with CADA; that responsibility remains with national competent authorities and the Commission. The OSPO's role is to enable compliance within their own organisation and the network.

"An OSPO is purely a technical team focused on code." Incorrect. As outlined in Article 44(3), OSPOs address a holistic range of challenges: legal (licensing), organisational (procurement, maintenance), and technical (security). They serve as a bridge between legal, technical, and procurement teams, ensuring that open-source software is managed responsibly across all dimensions.

This is general information about a draft EU regulation, not legal advice.