Summary In the proposed Cloud and AI Development Act (CADA), the "open source first" principle is set out in Article 41. As proposed, it would oblige the Union and the Member States to "take the necessary measures to encourage" Union entities and public sector bodies to use, and facilitate the reuse of, open standards and components released under an open source licence when building their cloud and AI ecosystem or stack. It is an encouragement-and-enabling duty, not an absolute mandate to use open source in every case: the same provision says the choice must take account of functionalities (including security), total cost, and other relevant, duly justified objective criteria. Because CADA is still a proposal, none of this is in force yet.
Detail
The Cloud and AI Development Act (CADA), COM(2026) 502 final, is a Commission proposal (not yet adopted) that aims to reduce the EU's dependence on a small number of non-European cloud and AI providers and to build a more competitive, autonomous European technology stack. Promoting open source software and open standards is one strand of that strategy, placed in Chapter V ("Open source") of Title IV (Autonomy).
The legal basis: Article 41
The principle is set out in Article 41, headed "Promoting open source solutions and open source first." As proposed, it reads:
"The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."
Read carefully, the binding obligation in Article 41 falls on the Union and the Member States, not directly on each individual buyer. They would have to "take the necessary measures" to encourage and facilitate open source use and reuse. What exactly those measures are is left open in the proposal.
The term "open source licence" is itself a defined term: Article 2 of CADA (point 25) borrows the definition of "open source licence" from Article 2, point (12), of Regulation (EU) 2024/903 (the Interoperable Europe Act).
What "open source first" would mean in practice
"Open source first" in CADA is best read as a preference and a default starting point for evaluation, not a prohibition on proprietary software. The provision expressly requires the choice to take account of:
- Functionalities (the solution must meet the technical need), explicitly including security;
- Total cost — which goes beyond the licence fee (often zero for open source) to implementation, maintenance, support and training; and
- Other relevant, duly justified objective criteria — a catch-all that can cover interoperability, accessibility or specific compliance needs.
So if a proprietary solution is objectively better on these criteria for a given use case, nothing in Article 41 as proposed would force a public body to pick a weaker open-source alternative. The shift is in the order of consideration: open standards and open-source components would be looked at first and seriously.
The rationale
The recitals of the proposal explain the thinking. Recital 81 states that "open source plays an important role in ensuring transparency, security and efficiency in the use of digital technologies by the public sector," that access to source code "enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in," and that promoting open source is "essential to support innovation, ensure better value for public expenditure and strengthen the Union's digital autonomy." Recital 82 adds that public administrations should promote open standards and components when building their cloud and AI stack.
How Article 41 connects to the rest of the chapter
Article 41 does not stand alone. The other provisions of the open source chapter would support it:
- Article 42 (Share and reuse of software): where a Union entity or public sector body makes software to which it holds intellectual property rights available for reuse under an open source licence, it must do so through a catalogue or repository connected to, and accessible through, the EU Open Source Solutions Catalogue.
- Article 43 (EU Open Source Solutions Catalogue): the Commission would provide and maintain a centralised EU OSS Catalogue, hosted on the Interoperable Europe portal and free of charge, so reusable software is discoverable.
- Article 44 (Network of Open Source Programme Offices): the Commission would establish an OSPO Network to support cooperation, exchange best practices and develop non-binding guidance.
What this means for you
For public-sector procurement officers and IT decision-makers, the "open source first" principle — if adopted — would set a new default for how cloud, AI and software options are weighed. In practice you would likely:
1. Build open source into your evaluation
When specifying tenders for cloud services, AI systems or software development, treat open standards and open-source components as the first option to assess. Consider non-price award criteria that recognise open standards and interoperability, and ask bidders to show how their solution avoids vendor lock-in.
2. Compare on total cost of ownership
Look beyond the upfront licence fee. Factor in integration and customisation, ongoing maintenance and support, staff training, and security and compliance work — the "total cost" the provision points to.
3. Document the justification if you go proprietary
If you choose proprietary software over an available open-source option, be ready to record the "duly justified objective criteria" — functionality, security or total cost — that supported the decision.
4. Use the supporting infrastructure
Before commissioning new software, check the EU OSS Catalogue (Article 43) for reusable solutions, and draw on the OSPO Network (Article 44) for guidance on licensing, security and procurement.
Bear in mind that these are proposed obligations. The detailed national "measures" implementing Article 41 are not yet defined, and CADA must be adopted and apply before any of this takes effect.
Common misconceptions
Misconception 1: "Open source first" means proprietary software is banned. No. CADA as proposed does not ban proprietary software. Article 41 requires a balanced assessment against functionalities, security, total cost and other duly justified objective criteria. A proprietary solution can be chosen where it is objectively better suited.
Misconception 2: Open source is always cheaper. Licence fees are often zero, but total cost of ownership can be significant where in-house expertise is lacking — integration, maintenance, support and training all count. Article 41 explicitly points to "total cost," not just licensing.
Misconception 3: Article 41 forces every public body to use open source for all cloud and AI. The binding duty falls on the Union and Member States to "encourage" and "facilitate," and the provision applies to "building their cloud and AI ecosystem or stack." It frames a preference, not a blanket requirement to open-source everything or to reject all proprietary tools.
Misconception 4: Open source is inherently less secure than proprietary software. Recital 81 highlights that source-code access enables auditability and transparency. Security still depends on proper management — timely patching and vulnerability monitoring — which is why Article 41 names security as a criterion.
Related
- CADA Open Source: Practical First Steps for Public Bodies
- How does 'open source first' reduce costs for public administrations under CADA?
- CADA Open Source First vs Sovereignty Tiers: How They Interact
- CADA Open Source First: How it interacts with EU procurement rules
- CADA Article 41: How 'Open Source First' Applies to AI Development
This is general information about a draft EU regulation, not legal advice.