Summary Under the proposed Cloud and AI Development Act (CADA), simply rebranding a third party’s hardware would generally not make you a "manufacturer," because CADA’s substantive sovereignty rules target cloud computing services, not physical hardware products — and Annex II expressly puts hardware outside the scope of the Union assurance levels. CADA’s ‘manufacturer’ definition (Article 2(16)) merely borrows the Cyber Resilience Act’s definition for cross-reference; it is the CRA, not CADA, that would impose manufacturer obligations if you market hardware under your own name. If your rebranded hardware underpins a cloud service you provide, you would instead be assessed as a cloud computing service provider.

Detail

The key is to separate the regulation of services (CADA’s focus) from the regulation of products (covered by the Cyber Resilience Act, the CRA). CADA (COM(2026) 502 final) is a proposal that would strengthen the EU cloud and AI ecosystem, but its sovereignty, assurance-level and procurement obligations would apply to cloud computing service providers, not to hardware manufacturers as such.

1. CADA targets services, not hardware manufacturers

CADA defines a ‘cloud computing service’ in Article 2(1) by reference to Directive (EU) 2022/2555 (NIS2), and a ‘cloud computing service provider’ in Article 2(2) as "a legal entity which provides a cloud computing service."

Critically, the criteria for the Union assurance levels exclude hardware. Annex II states that, for the purpose of the assurance-level criteria, "‘software’ within the meaning of Regulation (EU) 2024/2847, Article 3, point (4) falls within the scope of this Annex and Annex III ... [while] ‘Hardware’ within the meaning of Regulation (EU) 2024/2847, Article 3, point (5) is outside of the scope."

So CADA would not create a "manufacturer" regime for physical servers, switches or storage devices. It regulates the service delivered using that hardware. If you rebrand white-label servers and sell them as physical goods, CADA would not directly regulate you as their manufacturer.

2. When you become a ‘cloud computing service provider’ under CADA

If you rebrand hardware and use it to provide cloud computing services (hosting, IaaS, PaaS), you would be a cloud computing service provider under Article 2(2), subject to the Union assurance levels (Annex II).

You would not be the hardware’s "manufacturer" for CADA purposes, but you would be responsible for your service’s compliance. Because the assurance-level criteria cover software (not hardware), the software embedded in or running on that hardware — firmware and the like — would remain relevant to your service’s evidence (Annex III), even though the hardware unit itself is out of scope.

3. The role of the Cyber Resilience Act (CRA)

CADA does not regulate you as a hardware manufacturer, but the CRA can. CADA’s Article 2(16) defines ‘manufacturer’ by reference to Article 3, point (13), of Regulation (EU) 2024/2847 (the CRA). The CRA’s manufacturer concept turns on whether a person manufactures a product with digital elements, or has it designed or manufactured, and markets it under their own name or trademark.

Key takeaway: If you rebrand white-label hardware and sell it under your own name, you would likely be the manufacturer under the CRA, not under CADA — with CRA-side responsibilities such as conformity, technical documentation and cybersecurity. CADA borrows the CRA’s definition for cross-reference but does not attach its own assurance labels to the hardware itself.

4. Edge cases: OEM and white-label relabelling

  • Pure hardware reseller: If you only rebrand and sell physical servers without providing a cloud service, CADA would not apply to you; the CRA would govern you as a manufacturer of the product.
  • Cloud provider using rebranded hardware: If you provide cloud services on rebranded servers, you would be a cloud computing service provider under CADA and must identify which Union assurance level your service meets, including assessing the software components in your stack.
  • White-label AI hardware: If you rebrand AI accelerators or GPUs, the same logic applies: CADA would regulate the cloud or AI service you provide, not the hardware sale — though the hardware’s software supply chain may still affect your service’s evidence for higher assurance levels.

What this means for you

  • If you are a cloud service provider: You would be subject to CADA. Determine which Union assurance level your service meets, assessing the software components in your stack (the hardware unit itself is out of scope under Annex II).
  • If you are a hardware reseller/OEM: CADA would not regulate you as a manufacturer. But your customers (cloud providers) will likely ask you for supply-chain transparency on the software/firmware they need to evidence their own assurance level.
  • Compliance overlap: You may have two distinct roles — manufacturer under the CRA for the hardware, and cloud computing service provider under CADA for any service you run on it. Keep your internal processes clear on which hat you are wearing.

Common misconceptions

  • "CADA makes me a manufacturer if I rebrand servers."
    • Reality: CADA regulates cloud services. Its ‘manufacturer’ definition (Article 2(16)) only borrows the CRA’s. You would be a cloud service provider under CADA and, if you market the hardware under your name, a manufacturer under the CRA.
  • "Hardware is included in CADA’s sovereignty levels."
    • Reality: Annex II expressly places hardware (within the meaning of Article 3, point (5), of Regulation (EU) 2024/2847) outside the scope of the assurance-level criteria. Software is in scope; hardware is not.
  • "I don’t need to care about the hardware supply chain for CADA."
    • Reality: The hardware unit is out of scope, but the software associated with your service (including firmware-level software where it is a software component) remains relevant to your assurance-level evidence under Annex II and Annex III.

Related

This is general information about a draft EU regulation, not legal advice.