Summary

As proposed in the Cloud and AI Development Act (CADA), the OSPO Network addresses critical maintenance challenges by creating a structured forum for public sector bodies to exchange experiences on sustaining open-source software. Specifically, Article 44(3)(a) identifies maintenance as a common technical, legal, and organisational challenge, while Article 44(3)(d) facilitates collaboration on projects of common interest to prevent fragmentation. This mechanism aims to reduce vendor lock-in and ensure the long-term viability of open-source solutions used in the EU public sector.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a strategic shift in how the European Union and its Member States manage open-source software. A central pillar of this strategy is the establishment of a network of Open Source Programme Offices (OSPOs), outlined in Article 44. This network is designed not merely as a communication channel, but as an operational mechanism to address the practical difficulties of adopting and maintaining open-source technologies across fragmented public administrations.

Addressing Maintenance as a Core Challenge

One of the most significant barriers to widespread open-source adoption in the public sector is the long-term maintenance of software. Unlike proprietary solutions where a vendor contractually guarantees support, open-source projects often rely on community contributions or specific internal teams that may lack the resources for continuous upkeep. CADA explicitly acknowledges this friction.

Article 44(3)(a) mandates that the OSPO Network's tasks include facilitating the exchange of information, experience, and best practices between Member States and the Commission. Crucially, this exchange must cover "common technical, legal and organisational challenges, including those related to licensing, security, maintenance and procurement of open-source software."

By codifying "maintenance" alongside licensing and security, the proposal recognizes that sustaining code is a distinct, high-risk activity. The OSPO Network serves as the conduit for sharing solutions to these maintenance burdens. For example, if one Member State develops a robust strategy for maintaining a specific security library, the OSPO Network allows that knowledge to be disseminated to other Member States, preventing redundant effort and reducing the risk of abandoned projects. The text treats maintenance not as an isolated technical task, but as a holistic challenge involving legal clarity, organisational capacity, and technical sustainability.

Collaboration on Projects of Common Interest

Maintenance challenges are often exacerbated by duplication of effort. When multiple public entities independently maintain similar open-source components, resources are spread thin, and security vulnerabilities may go unpatched due to a lack of critical mass. To counter this, Article 44(3)(d) tasks the OSPO Network with "collaborating on and exchanging open-source projects of common interest to Union entities and public sector bodies."

This provision moves beyond passive knowledge sharing to active collaboration. It encourages public sector bodies to pool resources for the maintenance of software that serves a broader European interest. By identifying projects of "common interest," the network helps prioritize maintenance efforts on infrastructure that underpins multiple services or jurisdictions. This collaborative approach ensures that critical open-source components receive the necessary attention and funding, thereby enhancing the overall resilience of the EU's digital infrastructure. The network would act as a clearinghouse to identify which projects are truly of common interest and coordinate the maintenance strategy among the relevant OSPOs.

The Role of the Commission and Network Governance

The OSPO Network is not a self-regulating body without oversight; it is established and supported by the Commission. Article 44(1) states that the Commission shall establish the network to facilitate cooperation on the implementation of obligations under the chapter on open source. Article 44(4) further specifies that the Commission shall support and coordinate the OSPO Network.

This central coordination is vital for addressing maintenance challenges at scale. The Commission can identify systemic maintenance risks across the Union and direct the network's focus accordingly. Furthermore, Article 44(5) requires the Commission to convene and chair meetings of the OSPO Network at least twice a year. These regular interactions ensure that maintenance strategies are continuously updated in line with technological developments and emerging threats, such as supply chain attacks or dependency decay. The biannual convening power ensures that the network remains a dynamic entity rather than a static registry.

Integration with the EU OSS Catalogue

The maintenance efforts facilitated by the OSPO Network are closely linked to the EU Open Source Solutions Catalogue established under Article 43. Article 42 requires that when public sector bodies make software available for reuse, they must do so via a catalogue connected to the EU OSS Catalogue. The OSPO Network plays a supportive role in ensuring that the software listed in this catalogue is not just a static archive, but a living ecosystem. By promoting the sharing and reuse of open-source software (Article 44(3)(b)), the network helps create a user base that can contribute to maintenance, thereby sustaining the projects listed in the catalogue. The network effectively bridges the gap between the discovery of software (via the catalogue) and its long-term stewardship.

What this means for you

For CTOs, architects, and SMEs operating within or supplying the EU public sector, the OSPO Network presents both challenges and opportunities regarding software maintenance.

1. Standardization of Maintenance Practices

As public sector bodies engage with the OSPO Network, you can expect a gradual harmonization of maintenance standards. The network will likely develop best practices for version control, patch management, and security auditing of open-source components. Aligning your internal maintenance processes with these emerging standards will make your solutions more attractive to public procurement bodies.

2. Opportunities for Collaboration

SMEs specializing in open-source support and maintenance can position themselves as key partners in this new ecosystem. Since Article 44(3)(d) encourages collaboration on projects of common interest, public entities may seek external expertise to help sustain these shared projects. SMEs that can demonstrate capability in long-term code stewardship and community engagement will be well-placed to secure contracts.

3. Reduced Risk of Vendor Lock-in

The emphasis on maintenance and collaboration helps mitigate the risk of vendor lock-in, a key concern for architects designing resilient systems. By participating in or aligning with the OSPO Network's initiatives, organizations can ensure that their reliance on open-source components is backed by a broader community of maintainers, rather than a single internal team or external vendor.

4. Enhanced Security Posture

Maintenance is inextricably linked to security. By facilitating the exchange of experiences on security challenges (Article 44(3)(a)), the OSPO Network helps accelerate the identification and remediation of vulnerabilities. For providers, this means a more informed and security-conscious customer base, but also a higher expectation for transparent maintenance records and proactive security updates.

Common misconceptions

Misconception 1: The OSPO Network is a new regulatory body with enforcement powers.

The OSPO Network is a coordination and exchange mechanism, not a regulatory authority. It does not impose fines or enforce compliance directly. Its power lies in influence, knowledge sharing, and the development of guidance. The actual enforcement of open-source obligations rests with national competent authorities and the Commission under other provisions of CADA.

Misconception 2: Maintenance refers only to technical bug fixes.

While technical bug fixes are part of maintenance, the scope under Article 44(3)(a) is broader. It includes organizational and legal challenges. This means maintaining the legal clarity of licenses, ensuring compliance with evolving regulations, and managing the community and governance structures that keep a project alive. It is a holistic view of software sustainability.

Misconception 3: Only large government entities can benefit from the OSPO Network.

While the network is composed of OSPOs from Member States and Union entities, its impact extends to the wider ecosystem. SMEs and startups that provide open-source solutions can benefit from the standardized best practices and increased demand for maintainable software that the network promotes. Additionally, the network's focus on projects of common interest can create larger markets for niche open-source solutions.

This is general information about a draft EU regulation, not legal advice.