Summary The open source chapter of the proposed Cloud and AI Development Act (CADA) is defined by Articles 41, 42, 43, and 44 within Title IV (Autonomy). As proposed, these provisions would require the Union and Member States to encourage public sector bodies to use open source solutions when building cloud and AI stacks. They would mandate that software voluntarily shared for reuse be listed in the EU Open Source Solutions Catalogue (hosted on the Interoperable Europe portal) and establish a Network of Open Source Programme Offices (OSPOs) to coordinate best practices. This framework aims to reduce vendor lock-in, enhance auditability, and foster a unified European digital ecosystem.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, treats open source not merely as a licensing choice but as a strategic lever for technological sovereignty. Chapter V of Title IV (Autonomy) consolidates these measures into four specific articles. As proposed, the framework shifts public sector software strategy from ad-hoc adoption to a coordinated, Union-wide approach.

The Four Building Blocks of the Open Source Framework

The chapter is structured around four distinct but interconnected obligations and mechanisms:

1. Promoting Open Source Solutions (Article 41) Article 41 establishes the foundational policy for the public sector. It mandates that the Union and Member States take necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence. This obligation applies specifically when building their "cloud and AI ecosystem or stack." Crucially, the article requires that decisions be based on objective criteria. When choosing between open source and proprietary solutions, entities must consider "functionalities, including security, total cost, and other relevant, duly justified objective criteria." As proposed, this formalizes an "open source first" mindset, ensuring that proprietary solutions are not selected by default without a documented, objective justification.

2. Sharing and Reuse of Software (Article 42) Article 42 addresses the lifecycle of software developed by the public sector. It stipulates that when a Union entity or public sector body holds intellectual property rights to software and voluntarily decides to make it available for reuse under an open source licence, it must do so using a catalogue or repository that is "connected to, and made accessible through, the EU Open Source Solutions Catalogue." This provision prevents the fragmentation of public software across disconnected internal repositories. It ensures that any software released for reuse is discoverable by other public administrations, thereby maximizing the value of public expenditure and reducing duplication of effort.

3. The EU Open Source Solutions Catalogue (Article 43) Article 43 creates the central infrastructure for this ecosystem. The Commission is required to provide and maintain the EU Open Source Solutions Catalogue (EU OSS Catalogue).

  • Function: It serves as a centralized catalogue to access software made available for reuse by Union entities and public sector bodies.
  • Hosting: The catalogue must be hosted on the Interoperable Europe portal (referenced in Article 8 of Regulation (EU) 2024/903).
  • Access: It must be accessible electronically free of charge.
  • Connectivity: The Commission decides on requests from any Union entity or public sector body to connect their existing catalogue or repository to the EU OSS Catalogue, based on "objective and relevant criteria."

4. Network of Open Source Programme Offices (Article 44) To ensure consistent implementation and knowledge sharing, Article 44 mandates the establishment of a Network of Open Source Programme Offices (OSPO Network).

  • Scope: The network brings together OSPOs established by public sector bodies at local, regional, or national levels, as well as those established by Union entities.
  • Tasks: The network is tasked with facilitating the exchange of information and best practices (particularly regarding licensing, security, and procurement), promoting the sharing and reuse of software, and contributing to the development of guidance and templates on a voluntary, non-binding basis.
  • Governance: The Commission supports and coordinates the network, convening meetings of its members at least twice a year.

Context from the Explanatory Memorandum

The rationale for these measures is detailed in the CADA explanatory memorandum, specifically in Recitals 81 through 84. The Commission argues that open source plays a critical role in ensuring "transparency, security and efficiency" in the public sector.

  • Auditability and Lock-in: Recital 81 notes that access to source code enables auditability, fosters collaboration, and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in.
  • Fragmentation: Recital 83 highlights a key problem: while many entities share software, it is often scattered across different repositories, "hampering searchability, discoverability and, ultimately, reuse."
  • Solution: The memorandum frames the EU OSS Catalogue and the OSPO Network as the solution to this fragmentation. By centralizing access and coordinating expertise, the proposal aims to "maximise the value of public expenditure, reduce duplication costs and foster innovation across the Union."

What this means for you

For in-house counsel, CIOs, and compliance officers in the public sector or Union entities, these provisions would introduce specific operational changes:

  • Procurement Strategy Updates: You must integrate open source considerations into your cloud and AI procurement strategies. Under Article 41, you cannot default to proprietary solutions. You must document an evaluation based on security, total cost of ownership, and functionality. If you choose a proprietary solution, you must be prepared to justify it against these objective criteria.
  • Software Asset Management (SAM): If your organization develops software and holds the IP, you must review your release strategy. If you choose to release software under an open source licence, you cannot simply host it on an internal server. You must ensure it is listed in a repository connected to the EU OSS Catalogue. This requires coordination between legal (licensing), IT (technical integration), and procurement teams.
  • OSPO Establishment or Engagement: You should identify or establish an Open Source Programme Office (OSPO) within your organization. This body will be responsible for managing open source risks, ensuring license compliance, and engaging with the EU-wide OSPO Network. While participation in the network is voluntary, it is the primary channel for accessing Union-level guidance and templates.
  • Timeline: As proposed, CADA would enter into force 20 days after publication and apply one year later. Compliance officers should begin preparing their software inventories and licensing frameworks immediately to meet the application deadline.

Common misconceptions

"Open Source First means mandatory open source." No. Article 41 uses the language "encourage" and "facilitate." It does not impose an absolute ban on proprietary software. However, it creates a procedural hurdle: open source must be considered, and choosing proprietary software requires a justification based on objective criteria (security, cost, functionality).

"All public software must be open sourced." No. Article 42 applies only to software that an entity voluntarily decides to make available for reuse. There is no blanket obligation to open source all internally developed software, particularly if it contains sensitive data or is not intended for reuse. However, if the decision to share is made, the method of sharing is regulated.

"The EU OSS Catalogue is a new development platform." No. The catalogue is a discovery and access tool, not a development environment. It connects existing repositories to a central portal (the Interoperable Europe portal) to improve findability. It does not host the code itself but indexes where it can be found.

Related

This is general information about a draft EU regulation, not legal advice.