Summary Under the proposed Cloud and AI Development Act (CADA), the European Commission is solely responsible for providing and maintaining the EU Open Source Solutions Catalogue. As established in Article 43(1), this centralised catalogue serves as the single access point for software made available for reuse by Union entities and public sector bodies. The Commission also acts as the gatekeeper, deciding which external catalogues or repositories can connect to and be accessed through the central EU OSS Catalogue based on objective criteria.

Detail

The EU Open Source Solutions Catalogue (EU OSS Catalogue) is a cornerstone of the Cloud and AI Development Act's (CADA) strategy to promote open-source software within the European public sector. Its primary purpose is to solve the critical problem of discoverability: currently, public administrations often release software into isolated, fragmented repositories, making it difficult for other bodies to find, verify, and reuse these assets. CADA addresses this by mandating a unified, centralised hub.

Who provides and maintains the catalogue? Article 43(1) of the CADA proposal explicitly states: "The Commission shall provide and maintain an EU Open Source Solutions Catalogue ('EU OSS Catalogue') as a centralised catalogue to access software made available for reuse by Union entities and public sector bodies."

This provision places the operational, technical, and legal responsibility squarely on the European Commission. The Commission is not merely a passive host; it is the active maintainer. This implies that the Commission is responsible for:

  • Developing and deploying the technical infrastructure of the catalogue.
  • Ensuring its continuous operation, availability, and uptime.
  • Updating the system to reflect technological advancements and policy changes.
  • Managing the data flows and metadata from connected national and Union-level repositories.

The role of the Commission as gatekeeper While the Commission maintains the central catalogue, it does not necessarily host every piece of software code directly. Instead, the catalogue functions as a federated access point. Public sector bodies and Union entities may maintain their own local catalogues or repositories. However, to ensure visibility across the Union, these local repositories must connect to the central EU OSS Catalogue.

Article 43(3) grants the Commission the authority to decide on these connections. It states: "The Commission shall, on the basis of objective and relevant criteria, decide on the request of any Union entity or public sector body owning or maintaining a catalogue or repository to have that catalogue or repository connected to and made accessible through the EU OSS Catalogue."

This makes the Commission the gatekeeper. It defines the "objective and relevant criteria" for connection. This ensures that the central catalogue maintains high standards for data quality, interoperability, and security. A public body cannot simply unilaterally link its repository; it must request connection and meet the Commission's standards. This prevents fragmentation and ensures that the EU OSS Catalogue remains a trusted, high-quality resource for procurement officers and developers.

Integration with the Interoperable Europe Portal To avoid creating another siloed digital platform, the CADA proposal integrates the EU OSS Catalogue into existing EU digital infrastructure. Article 43(2) specifies that "The EU OSS Catalogue shall be hosted on the Interoperable Europe portal referred to in Article 8 of Regulation (EU) 2024/903."

The Interoperable Europe Act (IEA) already establishes a portal for sharing interoperability solutions. By hosting the OSS Catalogue there, the Commission leverages existing technical frameworks, user authentication systems, and search functionalities. This ensures that the catalogue is "accessible electronically free of charge," as required by Article 43(2). For users, this means a single entry point for both interoperability assets and open-source software, reducing administrative friction and aligning with the "once-only" principle.

Why this structure matters for sovereignty The centralised maintenance by the Commission is not just an administrative detail; it is a sovereignty measure. By controlling the central catalogue and the connection criteria, the Commission ensures that the EU's open-source ecosystem is coherent and secure. It prevents a scenario where incompatible national standards undermine the ability to share and reuse software across borders. The Commission's role ensures that the "open-source first" principle promoted in Article 41 of CADA is backed by a robust, centrally managed discovery mechanism, reducing dependency on non-EU platforms for public-sector software discovery.

What this means for you

For public-sector procurement officers, digital transformation leads, and open-source programme offices (OSPOs), understanding who maintains the EU OSS Catalogue is critical for compliance and efficiency.

  1. Compliance with Reuse Obligations: If your organisation develops software and decides to make it available for reuse under an open-source licence, you are required by Article 42 of CADA to do so through a catalogue or repository connected to the EU OSS Catalogue. You cannot simply publish it on a private GitHub account or an unconnected national portal if you wish to comply with CADA's reuse mandates. You must ensure your repository meets the Commission's connection criteria.
  2. Procurement and Discovery: When sourcing software for your organisation, you should use the EU OSS Catalogue as a primary search tool. Because the Commission maintains it as a centralised hub, it aggregates solutions from across the Union. This reduces the need to start from scratch and allows you to leverage existing, vetted open-source solutions developed by other public bodies.
  3. Engagement with the Commission: If your organisation maintains a significant repository of open-source software, you may need to engage with the Commission to request connection to the central catalogue. Be prepared to demonstrate that your repository meets the "objective and relevant criteria" the Commission will establish. This may involve technical interoperability standards, metadata requirements, and security checks.
  4. Monitoring Criteria Changes: Since the Commission decides on connection criteria, these standards may evolve. Procurement officers should monitor Commission communications regarding the EU OSS Catalogue to ensure their local repositories remain compliant and connected.

Common misconceptions

Misconception 1: The EU OSS Catalogue is a new, standalone website. Many assume the Commission will build a completely separate website from scratch. In reality, Article 43(2) mandates that it be hosted on the existing Interoperable Europe portal. This means it is part of a broader ecosystem, not an isolated tool. Users will likely access it through the same interface used for other interoperability solutions.

Misconception 2: Any public body can automatically connect their repository. Some believe that simply publishing open-source software makes it visible in the EU OSS Catalogue. This is incorrect. Article 43(3) gives the Commission the power to decide on connection requests. There is a gatekeeping process. Your repository must meet specific criteria set by the Commission to be linked. Automatic or open access for all repositories is not guaranteed.

Misconception 3: Member States maintain their own separate central catalogues. While Member States may have national open-source strategies and local repositories, the EU OSS Catalogue itself is a Union-level tool maintained by the Commission. National catalogues do not replace the EU catalogue; they feed into it. The Commission does not delegate the maintenance of the central EU catalogue to individual Member States.

Misconception 4: The Commission writes the software for the catalogue. The Commission "provides and maintains" the catalogue, but this does not necessarily mean it writes every line of code internally. It may use existing technologies, open-source platforms, or contracted services to build and maintain the infrastructure. The key point is that the Commission holds the responsibility and authority, not that it employs the developers directly.

Related

This is general information about a draft EU regulation, not legal advice.