Summary

The EuroCloud catalogue, established under Article 34(3)(a) of the proposed Cloud and AI Development Act (CADA), is an internal discovery tool for the EuroCloud Federation. It lists available public-sector data centre and cloud computing services to facilitate sharing among Union entities and public bodies. Crucially, the specific data fields, update frequencies, and governance templates for this catalogue are not defined in the primary legislation; they must be specified by the Commission via implementing acts under Article 34(4). This catalogue is legally and functionally distinct from the central repository of sovereign services in Article 22. While the central repository is a public-facing record of services audited for Union assurance levels (1–4) subject to strict transparency and revocation rules (Articles 22–23), the EuroCloud catalogue is an operational mechanism for public-to-public capacity sharing, governed by public-interest principles rather than commercial sovereignty certification.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes two distinct digital registries with different purposes, audiences, and legal bases. Understanding the difference is essential for compliance and system architecture.

The EuroCloud Catalogue: An Internal Sharing Tool

The EuroCloud Federation is established by Article 34 to facilitate the sharing of public-sector data centre and cloud computing services between Union entities and public sector bodies on a voluntary basis. To enable this, Article 34(3) mandates that the Commission establish a platform for the Federation, which must include:

  • A catalogue providing information on available public sector data centre services and cloud computing services (Article 34(3)(a)); and
  • A service platform for the exchange and orchestration of computing, storage, and network resources (Article 34(3)(b)).

The catalogue acts as the "discovery layer" for the Federation. Its primary function is to allow member entities to identify idle or underutilised capacity offered by other members for sharing. However, the CADA proposal deliberately leaves the technical specifics of this catalogue open. Article 34(3)(a) does not enumerate the required data fields, metadata schemas, or refresh rates. Instead, Article 34(4) empowers the Commission to adopt implementing acts to specify "the procedure to participate in the EuroCloud Federation and templates concerning the content and other details of the request for participation."

Consequently, the exact transparency record-keeping requirements for the EuroCloud catalogue are pending secondary legislation. Until these implementing acts are adopted, the precise nature of the records remains defined only by the high-level objective of facilitating sharing.

The Central Repository: A Public Sovereignty Register

In contrast, the central repository established under Article 22 serves a completely different purpose within the Union cloud computing sovereignty framework (Title IV, Chapter I). This repository lists cloud computing services that have been formally recognised as offering specific Union assurance levels (1, 2, 3, or 4) following an application and audit process (Article 17).

The central repository is subject to rigorous public transparency obligations:

  • Public Availability: It must be publicly available and regularly updated by the Commission and national competent authorities on a dedicated website (Article 22(4)).
  • Revocation Records: Any revocation of an audit report, audit opinion, or recognition must be published in the repository and remain available for five years (Article 22(3)).
  • Transparency Obligations: Providers listed here are subject to Article 23, which requires them to notify auditing organisations and competent authorities of any material changes that may affect their recognition. This triggers a reassessment process to ensure continued compliance with the assurance level criteria.

Key Distinctions

The distinction between the two is critical for legal and operational clarity:

| Feature | EuroCloud Catalogue (Article 34) | Central Repository (Article 22) |
|---|---|---|
| Primary Purpose | Facilitate sharing of capacity among public entities. | Public transparency of sovereign-compliant services. |
| Audience | Members of the EuroCloud Federation (public entities). | Public, including private sector and all public bodies. |
| Legal Basis | Article 34(3)(a); details via Article 34(4) implementing acts. | Article 22; details via Article 17 recognition process. |
| Content | Information on available services for sharing. | List of services recognised at Union assurance levels 1–4. |
| Audit Requirement | No mandatory third-party audit for listing (governed by Article 35 technical measures). | Mandatory independent third-party audit for levels 2–4 (Article 20). |
| Transparency | Internal operational tool; details pending secondary legislation. | Publicly accessible; mandatory publication of revocations for 5 years. |
| Trigger for Update | Changes in availability for sharing. | Material changes affecting sovereignty recognition (Article 23). |

The EuroCloud catalogue is not a substitute for the sovereignty framework. A service listed in the EuroCloud catalogue for sharing does not automatically possess a Union assurance level. Conversely, a service recognised at a high assurance level in the central repository may or may not be listed in the EuroCloud catalogue, depending on whether the provider chooses to share capacity within the Federation.

What this means for you

For technical leaders, architects, and compliance officers, the separation of these registries dictates different operational workflows.

  • For Public Sector IT Leaders: If your entity intends to join the EuroCloud Federation to share idle capacity, you must prepare your service metadata for the EuroCloud catalogue. While the specific schema is not yet finalised, you should anticipate the need to standardise descriptions of your data centre and cloud services to enable orchestration. This is an administrative requirement for federation membership, distinct from the rigorous audit process required for sovereignty certification.
  • For Cloud Providers: Do not conflate the EuroCloud catalogue with the central repository. Listing in the EuroCloud catalogue does not confer a Union assurance level. If you wish to offer services to public bodies that require sovereignty guarantees (e.g., for public-order-relevant activities under Article 30(3)), you must undergo the independent audit process under Article 20 and seek recognition under Article 17. Only then will your service appear in the public central repository. The EuroCloud catalogue is strictly for public-to-public sharing; the central repository is for market transparency of sovereign-compliant services.
  • For SMEs and Vendors: The EuroCloud Federation is limited to public entities (Article 34(1)); private SMEs cannot directly join to share capacity. However, SMEs may provide the underlying infrastructure to public entities that are members. Ensure your contracts clearly distinguish between services used for internal EuroCloud sharing and those offered commercially under the sovereignty framework, as the transparency and audit obligations differ significantly.

Common misconceptions

"The EuroCloud catalogue is a public directory of all EU cloud services."

  • Reality: It is an internal catalogue for members of the EuroCloud Federation to share public-sector services. It is not a general market directory. The public-facing list of trusted, audited sovereign services is the central repository under Article 22.

"Listing in the EuroCloud catalogue requires a sovereignty audit."

  • Reality: Sharing capacity within the EuroCloud Federation is governed by Articles 35–36, which focus on technical, operational, and organisational measures for secure sharing. It does not automatically trigger the independent third-party audits required for Union assurance levels 2–4 under Article 20. However, if the shared service is also marketed as a sovereign service to the wider market, it must meet those separate requirements.

"The content of the EuroCloud catalogue is fixed by the CADA text."

  • Reality: Article 34(3)(a) only mandates that the catalogue provide information on available services. The detailed content, format, and update mechanisms are to be specified by the Commission via implementing acts under Article 34(4).

This is general information about a draft EU regulation, not legal advice.