RSS

The EU Cloud and AI Development Act: What It Gets Right, and What It Still Needs

Tomte1 pts0 comments

The EU Cloud and AI Development Act: What It Gets Right, and What It Still Needs | SUSE Communities

Back to Blog

The EU Cloud and AI Development Act: What It Gets Right, and What It Still Needs

June 3, 2026 |<br>By:<br>Andreas Prins

Share

Share

Today, the Commission published its proposals in the EU Tech Sovereignty Package, which includes, among other policies, the EU Open Source Strategy and the EU Cloud and AI Development Act (CADA). One of the most highly anticipated policy efforts in years, perhaps decades, when it comes to the European tech sector. We’ve been digesting it in the hours since it was published. There is still a lot to process, but some things are already clear. First, what we got is the most ambitious commitment to open source by the Commission ever:

“Open source first” appears as a named principle in operative law, not buried in a recital

The establishment of a EU Public Sector OSPO Network , giving open source expertise an institutional home with a role in procurement guidance

A structured cloud sovereignty certification framework with four assurance levels, creating legal categories that distinguish genuine sovereignty from contractual arrangements

A EUR 2 billion investment envelope for the open source strategy , including a dedicated Open Source Maintenance Instrument for critical shared infrastructure

The explanatory memorandum formally names “autonomy across the cloud stack ” as one of its four core strategic objectives. This gives the EU’s technology independence agenda a legal mandate that extends beyond data residency into the full infrastructure layer

Operational Objective 2 of the Cloud and AI Leadership Initiative (Article 4) mandates the development and piloting of “secure, resilient and performant open cloud computing stacks covering on-device edge, connectivity, data and AI tools, backend and service layers for strategic sectors” — describing, in architectural terms, exactly the stack that open source infrastructure providers already deliver today

Every EU Member State is now legally required to include in its national cloud strategy “measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty” (Article 7(2)(g)) — elevating open stack infrastructure from a procurement preference to a national policy obligation

Supply chain trustworthiness is becoming a legal standard. The proposed Cybersecurity Act revision explicitly targets the hardware and software ICT supply chain, reinforcing the same trustworthiness criteria the Cloud and AI Development Act establishes for cloud sovereignty. Open source infrastructure, where every component is inspectable and every dependency is declared, is structurally positioned to meet that bar in a way proprietary software stacks cannot.

These eight points clearly prove that big portions of SUSE’s vision of sovereignty has just been validated by the European Commission.

But our big test for CADA is simple: does it include a binding and enforceable Open Source First requirement or not? Simply put – are we getting words, or action?

This is what we got:

Article 41: Promoting open source solutions and open source first

“The Union and Member States shall take the necessary measures to encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack, taking into account functionalities, including security, total cost, and other relevant, duly justified objective criteria.”

The EU open source strategy, published today alongside CADA, makes clear that the Commission understands what is at stake and the direction Article 41 points in is right.

However, in our view, the legislative framing falls short of our “binding and enforceable” test.

Open source can’t just be a procurement preference to be weighed against others such as cost and functionality.

What we need (and aren’t getting yet) is a clear procedural requirement:

Before public money is spent on proprietary software, the contracting authority must determine whether a qualified open source solution exists.

That assessment must be documented and auditable.

The burden of justification should attach to the choice that creates dependency, not the choice that avoids it

Open source is the only architectural condition under which European sovereignty becomes real. It is foundational.

The signal is there but the structure, and commitment to action, needs to follow.

Our open letter to the Commission, now approaching a hundred signatories, sets out what filling it properly requires.

Share

(Visited 1 times, 1 visits today)

Category: Digital Sovereignty, Government, SUSE Blog

This entry was posted Wednesday, 3 June, 2026 at 4:53 pm

You can follow any responses to this entry via RSS.

-->

Related Articles

Feb 13th, 2025

Linux Conversations | Episode...

open source cloud sovereignty development commission

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.