Can a reseller or broker be a cloud computing service provider under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), a reseller or broker could be a cloud computing service provider (CSP) if it legally "provides" the service to the end user — typically by taking contractual responsibility or operational control — rather than merely connecting buyer and seller. The definition in Article 2(2) is functional: a CSP is "a legal entity which provides a cloud computing service." White-label resellers and managed service providers (MSPs) would often fall within it, while pure brokers who assume no service-delivery obligation often would not. The distinction matters because, as proposed, CSP status would trigger sovereignty assurance levels, audits and public-procurement restrictions.

Detail

Classifying resellers, aggregators and brokers under CADA turns on Article 2(2), which defines a CSP simply as "a legal entity which provides a cloud computing service." This broad, functional definition does not exclude intermediaries, so the answer would depend on the entity’s relationship with the end customer and the underlying infrastructure.

What it means to "provide" a service

CADA does not separately define "infrastructure owner" versus "reseller"; it relies on the general concept of "providing" the service. In EU digital law, an entity is generally treated as providing a service where it:

1. enters into a direct contractual relationship with the end user for the cloud service;
2. assumes responsibility for the service’s SLAs, security or continuity; and
3. acts as the primary point of contact for the service’s operation.

A reseller or aggregator meeting these criteria would be the "provider" under Article 2(2), regardless of who owns the hardware. That matters most for the sovereignty framework in Title IV, where the provider must demonstrate compliance with the Union assurance levels.

Resellers and aggregators

Resellers and aggregators often buy bulk cloud capacity and resell it. If a reseller presents the service as its own, manages the account, and is contractually liable for service failures, it would likely be a CSP. It would then seek recognition for a Union assurance level (1, 2, 3 or 4) under Article 17, undergoing a conformity self-assessment (Level 1, Article 19) or an independent audit (Levels 2–4, Article 20).

If, instead, the entity acts purely as a broker or marketplace — connecting user and infrastructure owner without taking on service-delivery liability — it may not be a CSP, and the underlying infrastructure owner would remain the provider. The differentiator is the allocation of risk and responsibility: if the end user looks to the broker for remedy, the broker is likely the provider.

White-label and MSP arrangements

White-label models pose a clear challenge. If Company A builds the infrastructure but Company B sells it under Company B’s brand, Company B would likely be the CSP because it "provides" the service to the end user. Company B would then need to ensure the underlying infrastructure meets the criteria for the assurance level it claims — which may mean treating Company A as a subcontractor within its own assessment or audit.

MSPs that add cloud management, security or deployment on top of underlying infrastructure must assess whether they offer merely ancillary services or a distinct cloud computing service. Where the MSP’s intervention is integral to delivering the on-demand, scalable resources captured by Article 2(1) (via NIS2), and is sold as part of the cloud offering, the MSP may be a co-provider or the primary provider, depending on the contract.

Implications for sovereignty assurance

Classification matters for the Union sovereignty framework in Title IV. A reseller claiming a Union assurance level would have to show that the whole service chain — including any subcontractors such as the underlying infrastructure provider — meets the criteria in Annex II. For Levels 2, 3 and 4, this would require independent third-party audits under Article 20. A reseller could not simply rely on the underlying provider’s recognition; its own delivery model, contracts and operational control would have to comply with the level it advertises.

What this means for you

If you resell or aggregate cloud services, determining your status is a prerequisite for compliance. Review your customer contracts to decide whether you "provide" the service under Article 2(2).

1. Contractual review: Do you assume liability for availability and security? If so, you are likely a CSP and should prepare for recognition under Article 17.
2. Subcontractor management: If you are a CSP on top of another provider’s infrastructure, treat them as subcontractors. For Levels 2–4, include them in your audit scope and ensure they meet the criteria in Annex II.
3. White-label clarity: Secure the audit rights and transparency from your underlying provider needed to evidence your own compliance — you cannot outsource your legal responsibility as a CSP.
4. Broker vs. provider: To stay outside CSP obligations, structure yourself as a genuine broker: make clear you are not the provider, assume no liability for performance, and have the end user contract directly with the infrastructure owner. Be aware regulators may look to substance over form if you exert real control.

Common misconceptions

Misconception 1: "I don’t own the servers, so I’m not a CSP." Ownership is not the test. Article 2(2) focuses on who "provides" the service. Many MSPs and resellers own no data centres yet would be CSPs because they sell and manage the cloud service.

Misconception 2: "Brokers are always exempt." Pure intermediaries may not be CSPs, but the line is thin. A broker that manages the service, enforces SLAs, or integrates providers into a single managed offering may be treated as providing a cloud computing service; contractual liability is a strong indicator.

Misconception 3: "The underlying provider’s recognition is enough for me." If you are a reseller claiming a Union assurance level, you would be responsible for the whole service chain. You would need your own self-assessment (Level 1) or audit (Levels 2–4), incorporating the underlying provider as a subcontractor, to show the entire service meets Annex II.

Related

• What is a cloud computing service provider (CSP) under CADA?
• Can a CADA provider audit its own cloud service?
• What is the difference between a data centre service and a cloud computing service under CADA?
• What is a cloud computing service under CADA?
• What does a cloud computing service mean for cloud providers under CADA?

This is general information about a draft EU regulation, not legal advice.