Summary Yes β€” as proposed, an AI-as-a-service (AIaaS) offering would count as a cloud computing service under the Cloud and AI Development Act (CADA) where it provides on-demand, remote access to scalable computing resources. Article 2(1) (via the NIS2 Directive) plus Recital 10 make clear the definition "encompasses on-demand access to AI systems ... hosted and operated remotely," so a hosted model API is a cloud service for CADA purposes. The AI system and its underlying model are excluded from that definition β€” which is why an AIaaS provider would face layered obligations under both CADA and the AI Act.

Detail

To assess whether AIaaS falls within CADA’s scope, look at Article 2. CADA (a proposal, not yet in force) adopts a functional definition of cloud services broader than traditional IaaS or PaaS.

The cloud computing service definition Article 2(1) defines a "cloud computing service" by reference to Directive (EU) 2022/2555 (NIS2): a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. Recital 10 of the proposal extends the picture:

"This definition of β€˜cloud computing service’ encompasses on-demand access to AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/1689 (β€˜Artificial Intelligence Act’) ... hosted and operated remotely. Only the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition."

So if you run an API giving users access to an LLM or vision model hosted on your servers, you would be providing a cloud computing service: the delivery and making available of remote, on-demand access to the resources executing the AI system. The "service" is the conduit and the infrastructure; the "AI system" is the model running within it.

The AI system definition Article 2(3) defines an "AI system" by reference to the AI Act. The offering therefore involves both a cloud service and an AI system.

AIaaS at the intersection When a provider offers a model via an API:

  1. As a cloud service: it manages the elastic compute pool, scales requests and provides the remote interface β€” engaging CADA.
  2. As an AI system: it (or the model’s developer) makes an AI system available β€” engaging the AI Act.

Recital 10’s exclusion of the AI system and its model from the cloud-service definition does not switch the AI Act off. Instead, CADA would regulate the infrastructure and delivery mechanism (sovereignty, data location, auditability of the cloud environment), while the AI Act regulates the system’s behaviour and risk (safety, transparency, fundamental rights).

Layered obligations for providers The dual classification would create a layered burden:

  • CADA sovereignty framework: If the AIaaS is procured by public sector bodies in scope, the cloud service would need to meet a Union assurance level (1–4) under the framework in Article 16 and Annex II β€” addressing matters such as where the infrastructure and data sit and personnel requirements at the higher levels. The audit (Annex III evidence, assessed under Article 21) focuses on the cloud environment’s sovereignty, not the model’s accuracy.
  • AI Act compliance: The AI system delivered via the service would have to comply with the AI Act. A high-risk system (per the AI Act’s classification in its Article 6 and Annexes) would face requirements such as risk management, technical documentation, transparency and conformity assessment under the AI Act. A general-purpose AI model would face the AI Act’s GPAI obligations, with additional duties where it presents systemic risk.

In short, you would need the container (cloud service) to be sovereign and auditable under CADA, and the content (AI system) to be safe and compliant under the AI Act.

What this means for you

If you are a cloud or AIaaS provider, you could not treat your offering as purely an "AI product" to escape CADA’s infrastructure rules. Providing on-demand, remote access to AI capabilities would make you a cloud computing service provider under CADA.

  1. Prepare for sovereignty audits: For Union assurance level 2 and above, expect independent third-party audits of infrastructure, data flows and access controls. The audit evidence is assessed under Article 21, with the specific evidence listed in Annex III (against the Annex II criteria).
  2. Run separate compliance tracks: Distinguish AI Act work (model cards, risk assessments, transparency) from CADA work (data residency, supply-chain sovereignty, infrastructure location).
  3. Public-sector procurement: To sell to in-scope EU public authorities for non-public-order activities, your service would need recognition at least at Union assurance level 1 (Article 30(2)); higher levels would apply for public-order activities. Recognised services are listed in the central repository (Article 22).
  4. Subcontractor management: CADA’s sovereignty criteria would extend across the service chain, so ensure subcontractors involved in delivering the AIaaS infrastructure meet the relevant level’s criteria.

Common misconceptions

  • "If I sell the AI model, not the infrastructure, CADA doesn’t apply." Incorrect for hosted access. A model accessed remotely and on-demand (e.g. via API) is a cloud computing service. Only a model supplied for purely local execution, without you providing the hosting infrastructure, might fall outside the cloud-service definition β€” though it would still be an AI system under the AI Act.
  • "CADA replaces the AI Act for AI services." Incorrect. They are complementary: CADA addresses sovereignty, infrastructure and market access; the AI Act addresses safety, fundamental rights and transparency. An AIaaS provider would need to satisfy both.
  • "Open-source models hosted on my cloud are exempt." Not necessarily. Even where an open-source model has reduced AI Act obligations, the cloud service hosting it would still be subject to CADA’s sovereignty framework when sold to in-scope public-sector buyers; the infrastructure’s location and control still matter.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.