Summary

The proposed Cloud and AI Development Act (CADA) elevates open source from a technical preference to a strategic imperative for the European Union's digital sovereignty. As proposed in COM(2026) 502 final, CADA mandates that Union entities and Member States encourage the use of open standards and open-source components when building cloud and AI ecosystems. Recital 81 explicitly links this approach to strengthening the Union's digital autonomy, noting that access to source code enables auditability, fosters collaboration, and crucially, reduces dependency on a single vendor. By embedding these requirements into Article 41, CADA aims to mitigate the risks of vendor lock-in, enhance security through transparency, and align public procurement with the broader EU Open Source Strategy. This creates a legal framework where public-sector digital infrastructure is resilient, transparent, and under European control, rather than dictated by proprietary, non-European agendas.

Detail

The Cloud and AI Development Act (CADA) represents a paradigm shift in the European Union's approach to digital infrastructure. Moving beyond the traditional regulatory model of merely setting market rules, CADA actively seeks to shape the technological stack itself to ensure long-term strategic autonomy. A central pillar of this strategy is the systematic promotion of open-source software and open standards. As proposed, CADA does not treat open source as a mere "best practice" or an optional alternative; it embeds it into the legal obligations of public bodies to safeguard the Union's technological sovereignty against external dependencies.

The Strategic Rationale: Autonomy, Security, and Independence

The core motivation behind CADA's open-source mandate is the urgent need to reduce critical external dependencies on non-European providers. The legislative text identifies a market landscape where a limited pool of third-country providers controls a significant share of the cloud market, exposing the EU to risks of operational discontinuity, extraterritorial legal access, and economic coercion.

Recital 81 of the CADA proposal provides the definitive rationale for this approach. It states that open source plays an important role in ensuring transparency, security, and efficiency in the use of digital technologies by the public sector. Crucially, the recital explains that "access to the source code enables auditability, fosters collaboration and reuse and reduces dependency on a single vendor, thereby limiting the risk of vendor lock-in."

This reduction in dependency is not merely an economic calculation; it is a matter of strategic security. Recital 81 further clarifies that "promoting the use of open source is therefore essential to support innovation, ensure better value for public expenditure and strengthen the Union's digital autonomy." In a geopolitical context where cloud computing markets are dominated by a few non-EU hyperscalers subject to third-country jurisdictions, open source serves as a critical counterbalance. It allows the EU to build a competitive, innovative, and autonomous ecosystem that is not dictated by the proprietary agendas, licensing restrictions, or potential legal overreach of external actors.

By mandating the use of open standards and components, CADA ensures that public administrations retain control over their digital destiny. It prevents the scenario where a public body becomes "locked in" to a specific vendor's proprietary ecosystem, unable to switch providers without prohibitive costs or technical barriers. This "vendor lock-in" is identified in the proposal as a key source of vulnerability that undermines the Union's ability to act autonomously.

Article 41: The "Open Source First" Principle

The legal mechanism translating this strategic vision into action is found in Article 41 of the proposed Regulation, titled "Promoting open source solutions and open source first." This article imposes specific, binding obligations on the Union and Member States regarding their public-sector entities.

Article 41 states:

"The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria."

This provision establishes a clear, legally grounded preference for open-source solutions in public-sector procurement and development. However, it is critical to understand that this is not an absolute ban on proprietary software. The article explicitly requires decision-makers to take into account "functionalities, including security, total cost, and other relevant, duly justified objective criteria."

This ensures that the choice of technology remains rational, performance-driven, and evidence-based, rather than purely ideological. Nevertheless, the default position shifts decisively towards open source. Public bodies must actively consider and prioritize open standards and components. If a proprietary solution is chosen, the burden of justification lies with the authority to demonstrate that open-source alternatives were insufficient based on the specific, objective criteria outlined in the article. This "open source first" approach ensures that the public sector leads by example, driving market demand for European open-source alternatives and fostering a competitive ecosystem.

Alignment with the EU Open Source Strategy and Broader Sovereignty Agenda

CADA does not operate in a vacuum; it is deeply integrated with the EU's broader digital policy framework, particularly the EU Open Source Strategy. The explanatory memorandum accompanying the proposal explicitly notes that it "places a specific focus on open source as a lever to boost technological sovereignty, in line with the EU Open Source Strategy which aims to promote open European alternatives across the European technology stack."

This alignment creates a cohesive policy environment where open source is recognized as a foundational element of the EU's industrial and research policy. The Cloud and AI Leadership Initiatives (Title II of CADA) are designed to foster the development of technologies relying on open standards, open specifications, and open source. Recital 15 elaborates on this, stating that the initiatives "should foster the work on open standards and specifications and the creation of open-source software foundations supporting the design, development and maintenance of open-source components."

Furthermore, the proposal aims to create a "catalogue of software tools including open source in order to enable federation with existing catalogues for the private and public sectors and to develop a one-stop-shop for open-source resources in the Union." This holistic approach ensures that open source is not just a procurement preference but a structural component of the EU's digital sovereignty agenda. It supports the broader goals of the Digital Decade Policy Programme and the Apply AI Strategy, reinforcing the Union's capacity to act autonomously in the face of global technological competition.

Security and Auditability: The "Black Box" Problem

A common misconception is that open source is inherently less secure than proprietary software. CADA explicitly challenges this notion by emphasizing the unique security benefits of transparency. Recital 81 notes that "access to the source code enables auditability." In the context of critical infrastructure and public-order-relevant services, the ability to independently verify the security of the underlying software is paramount.

Proprietary "black box" systems prevent such independent verification, creating potential blind spots for malicious code, backdoors, or vulnerabilities that only the vendor can see and patch. In contrast, open-source software allows for "many eyes" to scrutinize the code, leading to faster identification and remediation of security flaws. This collaborative maintenance model enhances the overall resilience of the digital ecosystem, a key objective of CADA.

Moreover, the proposal links this security benefit directly to the sovereignty agenda. By enabling independent audits, open source ensures that public bodies are not forced to trust the security claims of a third-country vendor without verification. This is particularly relevant given the risks associated with extraterritorial laws that might compel vendors to provide access to data or introduce vulnerabilities. Open source provides the technical means to mitigate these risks, ensuring that the EU's digital infrastructure remains secure and under European control.

Economic Efficiency and Innovation

Beyond security and sovereignty, CADA highlights the significant economic benefits of open source. Recital 81 mentions that promoting open source "ensures better value for public expenditure." By reducing or eliminating licensing fees and avoiding the high costs associated with vendor lock-in, public authorities can allocate resources more efficiently.

Furthermore, open source fosters innovation by allowing developers to build upon existing solutions rather than starting from scratch. This collaborative model accelerates the development of new technologies and services, contributing to the competitiveness of the EU's digital economy. The proposal envisions a scenario where public-sector bodies not only consume open-source solutions but also contribute to them, creating a virtuous cycle of innovation and reuse.

Implementation: Catalogues, Reuse, and OSPOs

CADA provides a robust framework for implementing the open-source mandate through specific mechanisms:

  1. The EU Open Source Solutions Catalogue (Article 43): The Commission is required to provide and maintain a centralised catalogue to access software made available for reuse by Union entities and public sector bodies. This catalogue, hosted on the Interoperable Europe portal, ensures that solutions are easily discoverable and reusable, preventing duplication of effort across different public bodies.
  2. Mandatory Reuse (Article 42): When Union entities or public sector bodies make software available for reuse under an open-source licence, they must do so using a catalogue or repository connected to the EU OSS Catalogue. This ensures that the public sector's investment in software development benefits the entire Union.
  3. Network of Open Source Programme Offices (Article 44): To facilitate effective implementation, the Commission will establish a network of Open Source Programme Offices (OSPOs). These offices will promote the exchange of information, experience, and best practices, helping public sector bodies navigate the technical, legal, and organisational challenges of adopting open source.

What this means for you

For public-sector procurement officers, IT decision-makers, and software developers within the EU, CADA introduces a new set of considerations and obligations when planning cloud and AI infrastructure projects.

  1. Shift in Procurement Criteria: You will need to actively evaluate open-source options alongside proprietary solutions. Article 41 requires you to take into account functionalities, security, total cost, and other objective criteria. This means that the lowest upfront cost or brand recognition of a proprietary vendor may no longer be the deciding factor. You must demonstrate that you have considered open-source alternatives and justify any decision to proceed with proprietary software based on "duly justified objective criteria."
  2. Focus on Total Cost of Ownership (TCO): While open-source software may have lower licensing fees, you must assess the total cost of ownership, including support, maintenance, integration, and training. CADA encourages a holistic view of cost, ensuring that the choice of technology delivers long-term value and sustainability.
  3. Reuse and Collaboration: If your organisation develops software, you are encouraged to make it available for reuse under an open-source licence and connect it to the EU Open Source Solutions Catalogue. This promotes collaboration and reduces duplication of effort across the public sector, aligning with the "open source first" principle.
  4. Security and Auditability: Prioritise solutions that allow for independent security audits. Open-source software provides the transparency needed to verify security claims, which is increasingly important for critical infrastructure and public-order-relevant services.
  5. Engagement with OSPOs: Utilise the network of Open Source Programme Offices (OSPOs) for guidance and best practices. These offices can help you navigate the technical and legal complexities of open-source adoption, ensuring compliance with CADA and other EU regulations.
  6. Documentation and Justification: Be prepared to document your decision-making process. If you choose a proprietary solution, you must be able to justify why open-source alternatives were not suitable based on the criteria outlined in Article 41. This documentation may be subject to review by national competent authorities.

Common misconceptions

Misconception 1: CADA bans proprietary software.

  • Reality: CADA does not ban proprietary software. Article 41 encourages the use of open source but allows for exceptions based on functionalities, security, total cost, and other relevant, duly justified objective criteria. Proprietary solutions can still be used if they offer superior performance, security, or cost-effectiveness in specific contexts, provided the decision is well-documented and justified.

Misconception 2: Open source is always cheaper.

  • Reality: While open-source software often has lower licensing costs, the total cost of ownership can be higher due to the need for specialized support, maintenance, and integration. CADA requires a holistic assessment of total cost, not just upfront licensing fees, to ensure the best value for public expenditure.

Misconception 3: Open source is less secure.

  • Reality: Recital 81 of CADA highlights that open source enhances security through auditability and transparency. The ability to independently verify the source code reduces the risk of hidden vulnerabilities or backdoors. Furthermore, the collaborative nature of open source allows for rapid identification and patching of security issues, often outperforming proprietary "black box" models.

Misconception 4: CADA is only about software.

  • Reality: CADA promotes open standards and components, which can include hardware designs, APIs, data formats, and protocols. The goal is to ensure interoperability and avoid vendor lock-in across the entire cloud and AI stack, not just the software layer.

This is general information about a draft EU regulation, not legal advice.