Summary
As proposed, the definitions in Article 2 of the Cloud and AI Development Act (CADA) apply "for the purposes of this Regulation." CADA borrows terms from the NIS2 Directive, the AI Act and the Cyber Resilience Act to stay consistent, but those instruments keep their own independent definitions for their own purposes. In-house counsel should therefore treat CADA’s definitions as self-contained for CADA obligations, while still complying with the distinct definitions in the source legislation.
Detail
The reach of CADA’s definitions would be confined to the regulation itself. Article 2 opens with the standard chapeau: "For the purposes of this Regulation, the following definitions apply." That phrasing is legally significant — it limits these terms to CADA and does not amend, replace or supersede definitions in other EU instruments, even where the wording is identical.
CADA uses a "borrowing" technique to align with the existing digital single-market acquis. For example:
- Cloud computing service: Article 2(1) — the term defined in Article 6, point (30), of Directive (EU) 2022/2555 (NIS2).
- AI system: Article 2(3) — the term defined in Article 3, point (1), of Regulation (EU) 2024/1689 (the AI Act).
- Software, hardware, component, manufacturer: Article 2(13)–(16) — by reference to Article 3 of Regulation (EU) 2024/2847 (the Cyber Resilience Act).
Despite the textual alignment, the legal effects would remain siloed. NIS2’s definition of "cloud computing service" governs NIS2 cybersecurity duties; CADA’s reference to it ensures a shared vocabulary, but it does not merge the regimes. A provider would have to comply with CADA’s sovereignty assurance levels (Title IV; the framework is established in Article 16) independently of its NIS2 risk-management duties.
This separation matters because the source laws can evolve. CADA’s definitions are written as references to the cited provisions, so a future amendment to the AI Act’s definition of "AI system" would flow through to CADA’s scope — but it would not retroactively change how the AI Act itself applied before the amendment. Conversely, CADA-specific terms such as "frontier AI" (Article 2(4)) and "AI agent" (Article 2(5)) do not exist in the AI Act. An entity could be a "frontier AI" developer for CADA purposes (relevant to the priority-project criteria in Article 8) without that status meaning anything under the AI Act.
CADA also creates definitions for concepts not covered elsewhere, such as "auditing organisation" (Article 2(17)) and "Union entities" (Article 2(7)) — strictly internal to CADA’s governance. The definition of "control" (Article 2(21)) is taken by reference from Article 2, point (6), of Regulation (EU) 2021/697; CADA uses it to assess third-country influence on cloud providers, and that assessment is specific to CADA’s sovereignty framework.
What this means for you
For in-house counsel and compliance officers, the siloed nature of these definitions would call for a dual-track approach. Do not assume that satisfying one definition discharges obligations under another, even where the terms look identical.
- Map overlapping obligations: If you provide a "cloud computing service" as defined in CADA (via NIS2), you are likely also caught by NIS2. Maintain separate compliance views for CADA’s assurance levels and NIS2’s cybersecurity measures — the shared definition does not mean shared obligations.
- Monitor the references: Because CADA defines "AI system" by reference to the AI Act, any amendment to that AI Act definition would shift CADA’s scope. Track the AI Act’s phased timeline — it entered into force on 1 August 2024, with prohibitions applying from 2 February 2025, GPAI rules from 2 August 2025, and most high-risk and governance obligations from 2 August 2026 — while noting CADA’s own application date would be set relative to its entry into force.
- Distinguish CADA-specific terms: Treat "frontier AI" and "AI agent" as CADA-only. They trigger CADA opportunities (e.g. frontier AI priority projects under Article 8; AI agent support under operational objective 6 of Article 4) but carry no weight under the AI Act or NIS2.
- Align audit processes: CADA’s "audit evidence" (Article 2(20)) and "auditing organisation" (Article 2(17)) are specific to its third-party audit framework for Union assurance levels 2–4. Ensure your audit approach maps to those CADA requirements (Annex II criteria, Annex III evidence), which are distinct from general ISO or SOC audits even where the underlying data overlaps.
Common misconceptions
- "CADA replaces the AI Act’s definitions." No. CADA references the AI Act’s definition of "AI system" but does not replace it. The AI Act remains the law for AI safety and fundamental rights; CADA addresses sovereignty and capacity. Both apply concurrently.
- "If a term is defined in NIS2, CADA adds nothing." The "cloud computing service" definition is borrowed, but CADA layers its own consequences on top — for example, the requirement to achieve specific Union assurance levels for certain public-sector contracts, which NIS2 does not impose.
- "CADA’s ‘control’ is the same as GDPR’s." CADA defines "control" by reference to Regulation (EU) 2021/697 (Article 2(21)), not the GDPR — and not DORA, as is sometimes assumed. The test is specific to assessing third-country influence on cloud providers, not data-processing roles.
This is general information about a draft EU regulation, not legal advice.