Does my SaaS product count as a cloud computing service under CADA?

Summary As proposed, most SaaS products would qualify as cloud computing services under the Cloud and AI Development Act (CADA) if they meet the core definition: on-demand access to a scalable, shared pool of computing resources. CADA adopts the existing NIS2 definition, which turns on the delivery model rather than the product label. Bespoke, single-tenant deployments that do not draw on an elastic, shared pool may fall outside the definition, depending on how the "shareable pool" criterion is read.

Detail

To work out whether your SaaS product is a cloud computing service under CADA, look to Article 2(1) of the proposal. As proposed, it states that "cloud computing service" means a cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555 (the NIS2 Directive).

CADA's Recital 10 sets out that NIS2 definition: a cloud computing service is

"a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."

The SaaS test: on-demand, scalable, and shared

For a SaaS product to fall within this definition, it generally needs to satisfy the elements drawn from that text:

1. On-demand administration and broad remote access: The service is accessible remotely (typically over the internet) and administrable on demand. Most modern SaaS — accessed via browser or API — meets this.
2. Scalable and elastic: The underlying resources can scale up or down dynamically, so the provider absorbs varying load without the customer provisioning hardware.
3. A pool of shareable computing resources: This is the key technical filter. The service draws on shared resources (compute, memory, storage), typically in a multi-tenant architecture.

The edge case: bespoke single-tenant deployments

The line blurs with bespoke, single-tenant deployments. If a provider hosts one customer's instance on genuinely dedicated infrastructure that is not part of a shared pool, the "shareable pool" element is contestable.

On a strict reading of the NIS2 definition CADA adopts, a purely single-tenant deployment with no pooling or sharing may not be a "cloud computing service" under Article 2(1). But if that single-tenant instance still draws on a broader shared infrastructure managed by the provider (shared storage arrays, network backbones), it likely remains in scope.

CADA's scope here is also clarified by Recital 10 for AI delivery. It explains that the cloud computing service definition "encompasses on-demand access to AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/1689 ... hosted and operated remotely," and that "[o]nly the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition." So if your SaaS delivers AI capabilities remotely, the service layer would be in CADA's cloud scope, while the AI model itself is addressed under the AI Act.

Why the classification matters

Being a cloud computing service is what brings you within CADA's Union cloud computing sovereignty framework, established (as proposed) in Article 16 with criteria in Annex II. Providers wishing to serve public sector bodies at higher assurance levels would need to be recognised at the relevant Union assurance level — level 1 via conformity self-assessment (Article 19), and levels 2-4 via third-party audit (Article 20).

What this means for you

If you are a cloud service provider or data-centre operator potentially in scope, consider these steps:

1. Audit your architecture: Confirm whether your SaaS relies on a "shareable pool" of resources. Multi-tenant SaaS is almost certainly in scope. For single-tenant hosting, document whether the underlying infrastructure is still shared at a lower level.
2. Prepare for assurance assessments: As proposed, contracting authorities procuring cloud services must require at least Union assurance level 1, and levels 2-4 where a risk assessment finds public-order relevance (Article 30). If you target the public sector, plan for recognition against the relevant criteria in Annex II.
3. Monitor the legislative process: CADA is a proposal. The final text may clarify single-tenant and bespoke deployments. Engage through industry bodies so your reading of "shareable resources" tracks emerging guidance.

Common misconceptions

• "SaaS is just software, not cloud." Under CADA the classification turns on the delivery model, not the product type. Software delivered via on-demand access to a shared, scalable pool is a cloud computing service.
• "Single-tenant means exempt." Not necessarily. If the single-tenant instance still uses shared underlying infrastructure, it may still fall within the "pool of shareable computing resources."
• "CADA replaces the AI Act for my AI-SaaS." No. CADA addresses the cloud service delivering the AI; the AI Act addresses the AI system itself. Per Recital 10 the model is excluded from CADA's cloud definition, but the service making it available is included — both frameworks may apply.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• Does an AI-as-a-service offering count as a cloud computing service under CADA?
• What is the difference between a data centre service and a cloud computing service under CADA?
• What is a cloud computing service under CADA?
• What is a cloud computing service provider (CSP) under CADA?
• What does a cloud computing service mean for cloud providers under CADA?

This is general information about a draft EU regulation, not legal advice.