Summary Under the proposed Cloud and AI Development Act (CADA), Article 42 does not create a blanket obligation for public sector bodies or Union entities to open-source their software. Instead, it establishes a conditional obligation: if a body voluntarily decides to make software available for reuse under an open-source licence, it must do so through a catalogue or repository connected to the EU Open Source Solutions Catalogue (EU OSS Catalogue). This requirement applies strictly to software for which the entity holds intellectual property rights. As clarified in Recital 83, the obligation is triggered only by the voluntary decision to share; there is no mandate to share in the first place.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, seeks to foster a competitive and sovereign European cloud and AI ecosystem. A key mechanism for achieving this is the promotion of open-source solutions to reduce vendor lock-in and enhance transparency. However, the legislative text carefully balances this goal with the autonomy of public administrations regarding their software assets.

The Conditional Trigger: Voluntary Decision to Share

The core of the obligation lies in the phrasing of Article 42. The provision states:

"When making software to which they hold intellectual property rights available for reuse under an open source licence, a Union entity or public sector body shall do so using a catalogue or repository that is connected to, and made accessible through, the EU OSS Catalogue referred to in Article 43."

This sentence structure establishes a clear conditional trigger. The obligation to use the EU OSS Catalogue is not activated by the mere existence of software, nor by the mere use of open-source components. It is activated only when two specific conditions are met simultaneously:

  1. The entity holds intellectual property rights to the software.
  2. The entity voluntarily decides to make that software available for reuse under an open-source licence.

If a public sector body or Union entity chooses to keep its software proprietary, internal, or licensed under a non-open-source regime, Article 42 imposes no requirements. The regulation respects the discretion of the entity to decide whether to share. However, once that decision is made to share, the regulation dictates how it must be shared to ensure interoperability and discoverability across the Union.

Recital 83 of the explanatory memorandum explicitly reinforces this voluntary nature. It observes that while "an increasing number of Union entities and public-sector bodies are sharing software developed by or for them and making it available for reuse under an open-source licence," this practice is often fragmented. The recital notes that "software is often made available and accessible in different repositories or catalogues, hampering searchability, discoverability and, ultimately, reuse."

Consequently, the proposal introduces a centralised discovery mechanism. As Recital 83 states, "It is therefore necessary to require Union entities and public-sector bodies that voluntarily decide to make software available for reuse to do so in a catalogue or repository that is connected to, and made accessible through, the EU Open Source Solutions Catalogue." The use of the phrase "voluntarily decide" confirms that the obligation to connect to the catalogue is a consequence of the voluntary act of sharing, not a compulsion to share itself.

Scope of Application: Who and What?

The scope of Article 42 is precisely defined by the actors involved and the nature of the software.

1. The Actors The obligation applies to two distinct categories of entities defined in CADA:

  • Union entities: Defined in Article 2(7) as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community." This includes the European Commission, the European Parliament, and decentralized agencies.
  • Public sector bodies: Defined in Article 2(6) by reference to Directive (EU) 2019/1024, encompassing state, regional, and local authorities, as well as bodies governed by public law.

2. The Software The software subject to this obligation must meet two strict criteria:

  • Intellectual Property Ownership: The entity must hold the intellectual property rights to the software. This excludes software where the entity is merely a licensee or user of third-party proprietary software, or software where the IP is owned by a contractor without a transfer of rights. The text explicitly limits the scope to "software to which they hold intellectual property rights."
  • Open-Source Licensing: The software must be made available under an "open source licence." If an entity shares software under a proprietary licence, a custom non-open licence, or a restricted access model, Article 42 does not apply.

The Mechanism: Federated Connection, Not Centralized Hosting

A common misconception is that Article 42 requires all public sector code to be uploaded to a single, monolithic database managed by the Commission. The text of Article 42 and Article 43 clarifies that the mechanism is federated.

Entities are permitted to maintain their own catalogues or repositories (e.g., national open-source portals, internal GitLab instances, or GitHub organizations). However, these local repositories must be connected to and made accessible through the EU OSS Catalogue.

Article 43 establishes the EU Open Source Solutions Catalogue as a "centralised catalogue to access software made available for reuse by Union entities and public sector bodies." It is hosted on the Interoperable Europe portal. Crucially, Article 43(3) empowers the Commission to decide on requests from entities to have their existing catalogues connected to the central hub based on "objective and relevant criteria."

This structure ensures that:

  • Discoverability: A user searching the EU OSS Catalogue can find software hosted on a national or local repository.
  • Autonomy: Entities retain control over their hosting infrastructure and code management workflows.
  • Interoperability: The connection ensures a unified view of the European public sector's open-source output, preventing the fragmentation described in Recital 83.

What this means for you

For legal counsel, compliance officers, and Open Source Programme Office (OSPO) leads within public sector bodies and Union entities, Article 42 introduces a specific procedural checkpoint in the software release lifecycle.

1. Distinguish Between "To Share" and "How to Share"

The most critical compliance step is recognizing that CADA does not force you to open-source. Your organization retains the strategic right to keep software closed if security, commercial, or policy reasons dictate. However, if your organization chooses to release software under an open-source licence, you must immediately verify your hosting strategy. You cannot simply publish to a disconnected GitHub repository or a standalone national portal without ensuring a technical and legal connection to the EU OSS Catalogue.

2. Verify IP Ownership Before Release

Before triggering the Article 42 obligation, conduct a rigorous IP audit. The obligation applies only to software "to which they hold intellectual property rights." If your software relies heavily on third-party components, contractor-developed code where rights were not transferred, or complex open-source dependencies, you may not hold the necessary IP rights to trigger the obligation. Ambiguity here could lead to non-compliance if you proceed with sharing without the required catalogue connection.

3. Prepare for Federated Integration

Your technical teams should prepare for the integration of existing repositories with the EU OSS Catalogue. This may involve:

  • Developing metadata feeds (e.g., using standard APIs) to push repository information to the central catalogue.
  • Ensuring your local repository complies with the "objective and relevant criteria" set by the Commission under Article 43(3).
  • Coordinating with national OSPOs, as Article 44 establishes a network of Open Source Programme Offices to facilitate this coordination and the exchange of best practices.

4. Monitor the Legislative Timeline

CADA is currently a proposal. The exact dates for entry into force and application are subject to the ordinary legislative procedure. Article 48 states the Regulation shall apply from "[same day and month as date of entry into force plus 1 year]." Legal teams should monitor the final text for any transitional provisions that might allow existing repositories a grace period to establish the necessary connections to the EU OSS Catalogue.

5. Leverage the OSPO Network

Article 44 mandates the establishment of a network of Open Source Programme Offices (OSPO Network). Compliance officers should proactively engage with their national or organizational OSPO. These offices will likely be the primary interface for implementing the connection requirements, interpreting the Commission's criteria, and managing the technical integration with the EU OSS Catalogue.

Common misconceptions

Misconception 1: CADA forces all public sector software to be open-source. Correction: False. As explicitly stated in Recital 83, the obligation applies only to entities that "voluntarily decide" to make software available for reuse. There is no mandate to open-source software that an entity wishes to keep proprietary or internal. Article 42 governs the method of sharing, not the decision to share.

Misconception 2: You must upload your code directly to the Commission's server. Correction: False. Article 42 allows entities to use their own "catalogue or repository," provided it is "connected to, and made accessible through, the EU OSS Catalogue." This supports a federated model where entities maintain their own hosting infrastructure while ensuring their software is discoverable via the central index.

Misconception 3: This applies to all software used by the public sector, including commercial tools. Correction: False. The obligation is strictly limited to software "to which they hold intellectual property rights." It does not apply to commercial off-the-shelf (COTS) software, SaaS platforms, or third-party open-source libraries that the entity merely uses or integrates but does not own.

Misconception 4: Only the European Commission is affected. Correction: False. The obligation applies to both "Union entities" (including the Commission) and "public sector bodies" in Member States. National ministries, regional authorities, and local municipalities are equally bound by Article 42 if they hold IP rights and choose to share software under an open-source licence.

Related

This is general information about a draft EU regulation, not legal advice.