How does CADA define its scope of cloud and AI?

Summary As proposed, the Cloud and AI Development Act (CADA) defines its scope by anchoring key terms to existing EU law — chiefly the NIS2 Directive and the AI Act — rather than inventing standalone definitions. Article 2 defines "cloud computing service" by reference to NIS2 and "AI system" by reference to the AI Act, while adding CADA-specific definitions for "frontier AI" and "AI agents" to target high-impact developments. A crucial boundary in Recital 10: when AI is delivered as a cloud service, only the delivery and making available of the AI system is in scope — the AI system itself and its underlying model are excluded from the cloud-service definition.

Detail

To understand what CADA would regulate, start with Article 2, which sets the boundaries through definitions. CADA is designed to sit alongside the EU's existing digital framework, so its definitions cross-reference the NIS2 Directive (Directive (EU) 2022/2555), the AI Act (Regulation (EU) 2024/1689), and the Cyber Resilience Act (Regulation (EU) 2024/2847).

Cloud computing services and providers

Article 2(1) defines a "cloud computing service" by reference to Article 6, point (30), of the NIS2 Directive — a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where those resources are distributed across several locations.

Recital 10 sets the boundary between the cloud service and the AI model. The definition encompasses on-demand access to AI systems hosted and operated remotely; however, "Only the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition." So CADA would regulate the infrastructure and service layer that delivers AI, not the model weights or intellectual property, which remain in the AI Act's domain.

A "cloud computing service provider" is defined in Article 2(2) as a legal entity which provides a cloud computing service.

AI systems, frontier AI, and AI agents

Article 2(3) defines an "AI system" by reference to Article 3, point (1), of the AI Act, keeping CADA aligned with the AI Act's risk-based approach.

CADA adds its own definitions for emerging categories:

1. Frontier AI (Article 2(4)): "AI models or AI systems built upon such models that can perform a wide variety of tasks and that approach, reach or exceed the current state of the art." This is central to the proposal's support mechanisms for high-compute projects (see Articles 8 and 9).
2. AI agent (Article 2(5)): an AI system, or a coordinated set of AI systems, that can perceive and act upon their environment with a degree of autonomy, using tools as needed to achieve specific goals and adapt to changing inputs and contexts.

Other key definitions

Article 2 also defines terms that determine regulatory reach:

• Data centre: Article 2(10), by reference to point 2.6.3.1.16 of Annex A to Regulation (EC) No 1099/2008.
• Data centre operator: Article 2(11), by reference to Article 2, point (7), of Delegated Regulation (EU) 2024/1364.
• Data centre service: Article 2(12), by reference to Article 6, point (31), of the NIS2 Directive.
• Software and hardware: Article 2(13) and (14), by reference to the Cyber Resilience Act (Regulation (EU) 2024/2847). Note that, under Annex II, "software" within the meaning of the CRA falls within the scope of the assurance-level criteria, while "hardware" is outside that scope.
• Control: Article 2(21), by reference to Article 2, point (6), of Regulation (EU) 2021/697 — critical for the sovereignty framework, since it determines whether a provider is subject to third-country control.

How these definitions determine scope

Together, the definitions decide which entities fall under CADA's obligations. For example, the sovereignty framework (Title IV) applies to cloud-computing service providers seeking recognition for Union assurance levels. Because "cloud computing service" is defined via NIS2, any entity providing scalable, remote access to computing resources is potentially in scope — whether a hyperscaler or a niche provider. Likewise, the definition of "frontier AI" determines eligibility for specific support measures, such as the allocation of compute under Article 9.

What this means for you

For CTOs and architects, the key takeaway is that CADA would regulate the delivery mechanism, not the model. If you build an AI application, the AI Act governs the model and system's safety and fundamental-rights compliance, while CADA governs the cloud infrastructure that hosts and delivers it.

• For cloud providers: Assess whether your services meet the NIS2 definition of a cloud-computing service. If so, you are within CADA's sovereignty framework and may need audits to prove specific Union assurance levels for public-sector clients. The definition of "control" (Regulation 2021/697) would be scrutinised to confirm no third-country influence compromises operational autonomy.
• For AI developers: If your AI system is hosted remotely and accessed on demand, the hosting layer is a "cloud computing service" under CADA, but your model itself is not. Focus on the AI Act for model compliance, and ensure your cloud partners can meet the required assurance levels if you target public-sector contracts.
• For SMEs: The definitions avoid sweeping in small local deployments that do not involve scalable, remote cloud resources. If you do provide cloud services, you are in scope — but note that, under Article 17(3), an EU statement of conformity for Union assurance level 1 issued by an SME is directly and automatically recognised in all Member States, reducing administrative burden.

Common misconceptions

• "CADA defines AI systems." Not independently. CADA defers to the AI Act for the definition of an AI system (Article 2(3)); it only adds its own definitions for "frontier AI" and "AI agents."
• "The AI model is regulated by CADA." No. Recital 10 and Article 2(3) make clear the AI system and its underlying model are excluded from the cloud-service definition. CADA regulates the service of making AI available, not the AI itself.
• "Only hyperscalers are in scope." Not necessarily. The cloud-service definition is broad (based on NIS2), so any legal entity providing scalable, remote access to computing resources is a "cloud computing service provider" (Article 2(2)). In practice, the burden of sovereignty audits may fall more heavily on larger providers serving the public sector.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• What is the territorial scope of CADA?
• CADA's two objectives vs its five measures: what's the difference?
• Is my organisation affected by CADA? How to check your scope
• How is CADA structured? An overview of its Titles
• Does CADA apply to SMEs and startups? Scope and reliefs explained

This is general information about a draft EU regulation, not legal advice.