Summary As proposed, Article 2 of the Cloud and AI Development Act (CADA) sets out the defined terms that establish the legal vocabulary for the EU's cloud and AI ecosystem. The published proposal text contains 23 explicitly numbered definitions: it numbers points (1) to (22) and then jumps to point (25), so points (23) and (24) do not appear in the proposal as published. Most terms are imported by reference from existing EU law (for example, NIS2, the AI Act and the Public Procurement Directive); a smaller set is defined originally within CADA itself.
Detail
As proposed, Article 2 provides the definitions needed to interpret the rest of CADA. These definitions would determine which providers and services fall under the regulation's procurement and sovereignty rules. Below is the full glossary of the defined terms in the proposal, noting whether each is imported from existing EU law or original to CADA.
A note on numbering: the published proposal numbers its definitions (1) to (22) and then (25). There is no (23) or (24) in the text. So although the highest number is 25, there are 23 defined terms. The list below follows the proposal's own numbering.
| # | Term | Source | Reference in Article 2 |
|---|---|---|---|
| (1) | Cloud computing service | Imported | Article 6, point (30), of Directive (EU) 2022/2555 (NIS2) |
| (2) | Cloud computing service provider | Original | "a legal entity which provides a cloud computing service" |
| (3) | AI system | Imported | Article 3, point (1), of Regulation (EU) 2024/1689 (AI Act) |
| (4) | Frontier AI | Original | self-contained definition in CADA |
| (5) | AI agent | Original | self-contained definition in CADA |
| (6) | Public sector body | Imported | Article 2, point (1), of Directive (EU) 2019/1024 (Open Data Directive) |
| (7) | Union entities | Original | EU institutions, bodies, offices and agencies set up by or under the EU Treaties |
| (8) | SME | Imported | Article 2 of Annex I to Commission Recommendation 2003/361/EC |
| (9) | Small mid-cap (SMC) | Imported | point 2 of the Annex to Commission Recommendation (EU) 2025/1099 |
| (10) | Data centre | Imported | point 2.6.3.1.16 of Annex A to Regulation (EC) No 1099/2008 |
| (11) | Data centre operator | Imported | Article 2, point (7), of Delegated Regulation (EU) 2024/1364 |
| (12) | Data centre service | Imported | Article 6, point (31), of Directive (EU) 2022/2555 (NIS2) |
| (13) | Software | Imported | Article 3, point (4), of Regulation (EU) 2024/2847 |
| (14) | Hardware | Imported | Article 3, point (5), of Regulation (EU) 2024/2847 |
| (15) | Component | Imported | Article 3, point (6), of Regulation (EU) 2024/2847 |
| (16) | Manufacturer | Imported | Article 3, point (13), of Regulation (EU) 2024/2847 |
| (17) | Auditing organisation | Original | self-contained definition in CADA |
| (18) | Audited service | Original | self-contained definition in CADA |
| (19) | Audit criteria | Original | self-contained definition (criteria in Annex II) |
| (20) | Audit evidence | Original | self-contained definition in CADA |
| (21) | Control | Imported | Article 2, point (6), of Regulation (EU) 2021/697 |
| (22) | Contracting authorities | Imported | Article 2(1), point (1), of Directive 2014/24/EU |
| (25) | Open source licence | Imported | Article 2, point (12), of Regulation (EU) 2024/903 |
A few definitions are worth keeping in mind because they drive the rest of the proposal:
- Cloud computing service (1): imported from NIS2 as a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. As proposed, the proposal's recitals clarify that this encompasses on-demand access to hosted AI systems, while excluding the AI system itself and its underlying model.
- Cloud computing service provider (2): defined originally and functionally as "a legal entity which provides a cloud computing service" β with no establishment or nationality requirement in the definition itself.
- Frontier AI (4): defined originally as AI models, or systems built on them, that "can perform a wide variety of tasks and that approach, reach or exceed the current state of the art."
- Auditing organisation (17), audited service (18), audit criteria (19), audit evidence (20): the audit vocabulary used by the conformity-assessment regime for the higher Union assurance levels (2, 3 and 4).
- Control (21): imported from Regulation (EU) 2021/697 (the European Defence Fund Regulation), central to assessing third-country influence in the sovereignty framework.
Note that "Union assurance level" is not a defined term in Article 2. As proposed, the four Union assurance levels and their criteria are established by Article 16 and Annex II, not by a definition in Article 2.
What this means for you
For public-sector and procurement readers, these definitions would be the foundation of how CADA applies.
- Procurement scope: As proposed, the imported NIS2 definition of "cloud computing service" is broad, covering on-demand, elastic, shareable resources (typically including IaaS, PaaS and SaaS), and reaching hosted AI services. Most digital services a public body procures could fall within scope.
- Assurance and audit: As proposed, the definitions of "auditing organisation," "audit criteria" and "audit evidence" support the independent-audit route for Union assurance levels 2, 3 and 4 (Articles 20β21 and Annex II), while level 1 relies on a conformity self-assessment (Article 19).
- New AI concepts: The original definitions of "frontier AI" and "AI agent" distinguish advanced, autonomous AI from ordinary software and feed the capacity-building initiatives in Title II.
- Open source: The imported definition of "open source licence" supports CADA's open-source provisions, so favouring open standards can align with the proposal's direction.
Common misconceptions
- "Article 2 defines 25 terms."
- Reality: As proposed, the numbering reaches (25), but it skips (23) and (24), so there are 23 defined terms in the published text.
- "Only hyperscalers are cloud computing service providers."
- Reality: As proposed, Article 2, point (2), defines a provider as any legal entity providing the service, regardless of size β SMEs and small mid-caps included.
- "CADA redefines 'AI system' differently from the AI Act."
- Reality: As proposed, CADA imports the AI Act's definition of "AI system" (Article 3, point (1), of Regulation (EU) 2024/1689); the two use the same concept.
- "Every advanced AI model is 'frontier AI'."
- Reality: As proposed, "frontier AI" requires both a wide variety of tasks and approaching, reaching or exceeding the current state of the art β a high, moving threshold most models do not meet.
Official sources
Related
- Why does CADA skip definitions 23 and 24 in Article 2?
- What is software under CADA? Article 2 definition explained
- What is audit evidence under CADA? Article 2(20) explained
- What is a component under CADA? Article 2 definition
- Which CADA defined terms matter most for public-sector buyers?
This is general information about a draft EU regulation, not legal advice.