Summary

No. As proposed, the Cloud and AI Development Act (CADA) does not define "cloud computing service" differently from the scope used by the European Cybersecurity Certification Scheme for Cloud Services (EUCS). CADA Article 2(1) adopts the definition in Article 6, point (30), of the NIS2 Directive (Directive (EU) 2022/2555), the same baseline EUCS relies on. The aim is to keep the sovereignty framework and the cybersecurity-certification regime aligned on the same set of services, avoiding fragmentation between the two.

Detail

The definition of a cloud computing service is the cornerstone of CADA's scope. Under Article 2(1) of the proposed Regulation, a "cloud computing service" means "cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555" — the NIS2 Directive.

Recital 10 of the proposal sets out the imported wording: a cloud computing service is a digital service that "enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations." Recital 10 also clarifies that this encompasses on-demand access to AI systems hosted and operated remotely, but that the AI system itself and its underlying model are excluded — only the delivery and making-available of the AI system forms part of the service.

This choice is deliberate. EUCS, developed under the Cybersecurity Act (Regulation (EU) 2019/881), uses the same NIS2 definition to fix its scope. As a result, the set of services that would fall under CADA's Union assurance levels is, by design, the same set eligible for EUCS certification.

Relationship with EUCS

CADA and EUCS share the same definition of the underlying service but serve different ends:

  1. EUCS (cybersecurity focus): a certification scheme assessing the technical and organisational cybersecurity of a cloud service against defined assurance levels (basic, substantial, high).
  2. CADA (sovereignty and resilience focus): as proposed, a framework under which cloud services used by Union entities and public sector bodies would be recognised at "Union assurance levels" 1–4 addressing data localisation, operational autonomy, and resilience against third-country interference.

Article 16(1) of CADA would establish the Union cloud computing sovereignty framework, comprising four Union assurance levels, with criteria set out in Annex II. Those criteria expressly tie in cybersecurity certification: for Union assurance level 2 (Annex II, Section 2.1(e)) and level 3 (Section 3.1(e)), the audited service would need a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881; for level 4 (Section 4.1(e)), at least 'high'. Until such a scheme is established and available, national cybersecurity certification schemes would apply where they exist; failing that, the provider would have to demonstrate compliance with the highest cybersecurity standards under applicable Union law.

Why the alignment matters

By reusing the NIS2 definition, CADA, as proposed, would ensure that:

  • No service is left behind: any service treated as a "cloud computing service" for cybersecurity certification would also fall within CADA's sovereignty rules when used by the public sector.
  • Consistency for providers: providers do not navigate two definitions of their core product.
  • Compliance efficiency: an EUCS certificate (or equivalent) would serve as evidence for the cybersecurity component of CADA's higher assurance levels.

What this means for you

For in-house counsel and compliance officers, the shared definition simplifies scope mapping but layers on strict procedural obligations.

1. Scope assessment

Determine whether your services, or your suppliers', meet the NIS2 definition of "cloud computing service." If they do, they would be within CADA's scope. This spans IaaS, PaaS, and SaaS, provided they deliver on-demand, scalable, elastic access to shared resources.

2. Procurement obligations

Under Article 30, Union entities and public sector bodies whose activities are not identified as contributing to the preservation of public order would have to use cloud services recognised under Article 17 at Union assurance level 1. Where a risk assessment under Article 29 identifies public-order relevance in the listed sectors (NIS2 Annex I/II, plus national security, internal security, border management, defence, justice, law enforcement), they would only procure services recognised at level 2, 3, or 4.

3. Cybersecurity certification as a prerequisite

For Union assurance levels 2, 3, and 4, holding the relevant cybersecurity certificate (substantial for 2 and 3, high for 4), or the available national-scheme equivalent, would be a cumulative criterion. Without it, the sovereignty criteria cannot be met, so monitor the EUCS/scheme timeline against CADA's recognition deadlines.

4. Risk assessments and migration

Public sector bodies and Union entities would conduct risk assessments under Article 29 (within one year of entry into force, then every two years or as needed). Where a risk assessment requires migration to another service, Article 29(6) sets a reasonable transition period not exceeding 12 months, accounting for technical feasibility and data portability.

5. Penalties and enforcement

Article 24 would require Member States to lay down penalties that are effective, proportionate, and dissuasive for infringements by cloud providers. CADA itself does not set fine amounts; the non-exhaustive criteria Member States would have to weigh include the nature, gravity, scale and duration of the infringement and the infringing party's annual turnover in the Union in the preceding financial year.

Common misconceptions

Misconception 1: CADA creates a new definition of cloud services.

  • Reality: As proposed, it adopts the existing NIS2 definition by reference. There is no CADA-specific definition.

Misconception 2: EUCS certification automatically grants CADA recognition.

  • Reality: A cybersecurity certificate is only one cumulative criterion for levels 2–4. Providers would also have to meet sovereignty criteria in Annex II (localisation, personnel, absence of third-country control). Recognition would be granted by the national competent authority of establishment under Article 17, not by a certification body.

Misconception 3: CADA applies to all cloud services in the EU.

  • Reality: The procurement obligations primarily target services used by Union entities and public sector bodies. Private-sector entities in NIS2 sectors of high criticality are addressed separately through impact assessments under Article 31.

Misconception 4: The definition excludes AI services.

  • Reality: Recital 10 confirms the definition encompasses on-demand access to remotely hosted AI systems; only the AI system itself and its underlying model are excluded. The service is the delivery mechanism.

This is general information about a draft EU regulation, not legal advice.