Summary Article 2 is the definitions article of the proposed Cloud and AI Development Act (CADA), COM(2026) 502 final. It is the glossary that fixes the scope of the whole instrument: every obligation, assurance level and procurement rule keys off these terms. As proposed, the points run from (1) to (25), but the published text skips points (23) and (24), so there are 23 defined terms in practice. Many are borrowed wholesale from other EU laws (NIS2, the AI Act, the Cyber Resilience Act, the Open Data Directive, the SME Recommendation); a handful are original to CADA. The headline terms for counsel are "cloud computing service" (1), "cloud computing service provider" (2), "AI system" (3), "frontier AI" (4) and "AI agent" (5). Because this is a proposal, the text and numbering could change before adoption.

Detail

Article 2 opens with the standard formula: "For the purposes of this Regulation, the following definitions apply." It then lists the defined terms as numbered points. As proposed, the highest point number is (25), but the published text contains no point (23) and no point (24) — the sequence jumps from (22) "contracting authorities" straight to (25) "open source licence". So while the numbering reaches 25, there are 23 substantive definitions. It is worth stating the count carefully, because a casual reading ("25 points") overstates how many terms are actually defined.

The drafting strategy is deliberately referential. Rather than coin fresh meanings, CADA pins most terms to definitions that already exist elsewhere in EU law. This is consistent with the proposal's stated aim of fitting coherently into the existing acquis and avoiding regulatory fragmentation. The practical consequence for interpretation is that several CADA terms are only as stable as their source instruments: if the referenced article in NIS2, the AI Act or the Cyber Resilience Act is amended or interpreted by the Court, that reading would flow through into CADA.

The headline cloud and AI definitions

These five points carry most of the regulatory weight, because they identify the regulated technologies and the central regulated actor.

Cloud computing service — Article 2(1). Defined by reference to Article 6, point (30) of Directive (EU) 2022/2555 (NIS2). The NIS2 text describes a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where those resources are distributed across several locations. Recital 10 of the proposal adds that this definition encompasses on-demand access to AI systems hosted and operated remotely — but only the delivery and making available of the AI system forms part of the service; the AI system itself and its underlying model are excluded.

Cloud computing service provider — Article 2(2). "A legal entity which provides a cloud computing service." This is an original CADA definition, not imported, and it is the pivotal actor for the sovereignty framework.

AI system — Article 2(3). Defined by reference to Article 3, point (1) of Regulation (EU) 2024/1689 (the AI Act). CADA borrows the AI Act's term verbatim rather than coining its own.

Frontier AI — Article 2(4). "AI models or AI systems built upon such models that can perform a wide variety of tasks and that approach, reach or exceed the current state of the art." This is an original CADA definition with no fixed compute threshold, and it gates the frontier AI priority projects in Articles 8 and 9.

AI agent — Article 2(5). "An AI system or a coordinated set of AI systems, that can perceive and act upon their environment, with a degree of autonomy, using tools as needed to achieve specific goals and adapt to changing inputs and contexts." Also original to CADA; the AI Act has no equivalent defined term.

The supporting definitions

The remaining points provide the structural scaffolding for the public-sector, audit and supply-chain provisions:

  • Public sector body (6) — by reference to Article 2, point (1) of Directive (EU) 2019/1024 (the Open Data Directive).
  • Union entities (7) — the Union institutions, bodies, offices and agencies set up by or pursuant to the TEU, the TFEU or the Euratom Treaty.
  • SME (8) — by reference to Article 2 of Annex I to Commission Recommendation 2003/361/EC.
  • Small mid-cap / SMC (9) — by reference to point 2 of the Annex to Commission Recommendation (EU) 2025/1099.
  • Data centre (10) — by reference to point 2.6.3.1.16 of Annex A to Regulation (EC) No 1099/2008.
  • Data centre operator (11) — by reference to Article 2, point (7) of Delegated Regulation (EU) 2024/1364.
  • Data centre service (12) — by reference to Article 6, point (31) of Directive (EU) 2022/2555 (NIS2).
  • Software, hardware, component, manufacturer (13)–(16) — each by reference to Regulation (EU) 2024/2847 (the Cyber Resilience Act).
  • Auditing organisation, audited service, audit criteria, audit evidence (17)–(20) — original CADA definitions that frame the third-party audit regime for Union assurance levels 2, 3 and 4, with "audit criteria" tied to Annex II.
  • Control (21) — by reference to Article 2, point (6) of Regulation (EU) 2021/697 — central to assessing third-country influence.
  • Contracting authorities (22) — by reference to Article 2(1), point (1) of Directive 2014/24/EU.
  • Open source licence (25) — by reference to Article 2, point (12) of Regulation (EU) 2024/903 (the Interoperable Europe Act).

What this means for you

For in-house counsel, Article 2 is the first stop in any CADA scoping exercise — these definitions are the triggers for substantive obligations elsewhere in the proposal.

  1. Scope determination. Establish whether your organisation is a "cloud computing service provider" (2) or a "public sector body" (6) or "Union entity" (7). A provider must then ask whether its services need recognition at a Union assurance level under the framework introduced by Article 16; a public-sector buyer must run the risk assessment under Article 29 and procure at the assurance level it dictates under Article 30.
  2. Inherited definitions, inherited interpretation. Because so many terms are cross-references, CADA compliance is tied to the source instruments. Whether something is an "AI system" is settled by the AI Act, not by CADA; what counts as a "cloud computing service" is settled by NIS2. Align your CADA analysis with your existing NIS2, AI Act and Cyber Resilience Act classifications rather than building parallel definitions.
  3. Frontier AI and AI agents. These two terms (4 and 5) are original to CADA and have no AI Act equivalent. They matter for the supply-side support measures (notably the frontier AI priority projects in Articles 8 and 9), not for restriction.
  4. Watch the numbering. As a proposal, both the wording and the point numbers may shift through the legislative process. Pin any compliance memo to "the version as proposed in COM(2026) 502 final" and re-check on adoption.

Common misconceptions

  • "Article 2 contains 25 definitions." As proposed, the points are numbered up to (25), but the text omits (23) and (24), so there are 23 defined terms. Cite the point number, not a head count.
  • "CADA defines AI systems independently." It does not. Article 2(3) defers entirely to Article 3(1) of the AI Act. If something is not an AI system under the AI Act, it is not one under CADA.
  • "All these definitions are CADA's own." Most are cross-references to other EU instruments. The genuinely original ones include cloud computing service provider (2), frontier AI (4), AI agent (5) and the audit-related terms (17)–(20).
  • "Frontier AI is just marketing language." Under the proposal it is a precise defined term (4) tied to performance "at or beyond the current state of the art", and it is the gateway to compute support under Articles 8 and 9.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.