Summary
No. Under the proposed Cloud and AI Development Act (CADA), a private company that supplies cloud services to government would not become a "public sector body." It would be a "cloud computing service provider." CADA defines status by what an entity is, not who its customers are: a public sector body is defined by its public-law governance and funding (Article 2(6)), while a provider is simply a legal entity that provides a cloud computing service (Article 2(2)). The two carry different duties — buyers run risk assessments; providers get their services recognised at an assurance level.
Detail
Under the proposal, the line between a public sector body and a cloud computing service provider is drawn by the entity's legal nature, not by the nature of its clients. A private company keeps its private-law status even if it serves only government contracts.
Definition of public sector body
CADA defines a "public sector body" in Article 2(6) by cross-reference to "public sector body as defined in Article 2, point (1), of Directive (EU) 2019/1024" (the Open Data Directive). That directive's definition covers the State, regional and local authorities, bodies governed by public law, and associations of such authorities or bodies — where a "body governed by public law" is, broadly, one established to meet needs in the general interest not of an industrial or commercial character, with legal personality, and financed or supervised mostly by the State or other public authorities.
A standard private limited company does not meet that test merely by winning a public contract. Even a company supplying cloud infrastructure exclusively to a ministry remains a private commercial actor.
Definition of cloud computing service provider
In this scenario the company is a "cloud computing service provider" — defined in Article 2(2) as "a legal entity which provides a cloud computing service." The duties attached to that role differ from those of a buyer. Public sector bodies and Union entities carry out risk assessments to determine the Union assurance level appropriate to their activities (Article 29); providers, by contrast, obtain recognition of their services through conformity self-assessment for Union assurance level 1 (Article 19) or independent third-party audit for levels 2, 3 and 4 (Article 20).
Implications for procurement and sovereignty
This split runs through CADA's procurement and sovereignty provisions. Public sector bodies and Union entities are the buyers who assess their own risk and then procure recognised services at the required level (Articles 29 and 30). Private providers are the sellers who must demonstrate compliance to obtain recognition. A private provider does not perform a public-order risk assessment for its own governance; it submits to the conformity route appropriate to the level it seeks.
To be recognised at the higher levels, a provider must meet the cumulative criteria in Annex II — for example, that infrastructure, assets and (for levels 2-4) personnel are located in the Union, and that it is not subject to third-country control (with the narrow level 3 derogation). These are the provider's compliance obligations, distinct from the governance duties of a public body.
What this means for you
For public-sector procurement officers and legal teams, getting this distinction right matters when structuring contracts and allocating responsibility:
- Contractual clarity. Do not treat your cloud vendor as an extension of your administration. Identify it as a "cloud computing service provider" so that the burden of demonstrating compliance with the Union assurance levels sits with the provider, not with your authority.
- Risk-assessment responsibility. As a public sector body, you carry out the Article 29 risk assessment that determines which Union assurance level your activities require. You do not delegate that duty to the provider; the provider supplies the evidence — the audit report or EU statement of conformity — that lets you procure a recognised service.
- Audit cooperation. While the provider is not a public body, audited providers must cooperate with auditing organisations (Article 20(2)), and recognised providers must notify material changes that could affect their recognition (Article 23). Reflect these duties in your procurement documents.
- State-owned entities need a closer look. A state-owned company can still be a private-law legal entity. But if it meets the "body governed by public law" test in the Open Data Directive definition referenced by Article 2(6) — general-interest purpose without industrial or commercial character, plus public financing or supervision — it could be a public sector body. This is a case-by-case analysis of its statutes and funding.
Common misconceptions
"If we buy it, it becomes public infrastructure." The service remains a commercial offering from a private legal entity. The data may be public and the use case a public service, but the provider's legal status under Article 2(2) does not change.
"Private providers must follow the public-sector risk-assessment rules." Article 29 places risk assessments on Member States and Union entities. Private providers instead meet the Annex II criteria to obtain the assurance levels that public buyers will require. (Note that Article 31 lets certain private entities in NIS2 high-criticality sectors carry out similar assessments, and lets the Commission require impact assessments of some such entities — but that is distinct from being a public sector body.)
"All government contractors are public sector bodies." A contractor remains a private entity unless it specifically meets the Article 2(6) definition. Most cloud providers, even those with large government contracts, are commercial entities and fall under Article 2(2) as cloud computing service providers.
This is general information about a draft EU regulation, not legal advice.