Summary As proposed, managed hosting is a cloud computing service under CADA only if it provides on-demand, broad remote access to a scalable and elastic pool of shareable computing resources. Fixed-capacity, dedicated hosting without elasticity likely falls outside that definition and is instead treated as a data centre service. The distinction matters: only cloud computing services would be eligible for recognition at the Union assurance levels used in public-sector procurement.

Detail

Classification turns on a precise technical test, not the commercial label. To know whether your service falls under CADA's sovereignty framework, apply Article 2(1) of the proposal.

The legal definition: scalability and elasticity

Article 2(1) defines a "cloud computing service" by reference to Article 6, point (30), of Directive (EU) 2022/2555 (the NIS2 Directive). Recital 10 sets out that definition: a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where distributed across several locations. In practice this points to three elements:

  1. On-demand administration: resources accessed without individual negotiation for each instance.
  2. Broad remote access: the service is reached over a network.
  3. Scalable and elastic pool of shareable resources: the decisive test — resources pooled and able to scale up or down elastically.

Recital 10 also clarifies that the definition encompasses on-demand access to AI systems hosted and operated remotely, but excludes the AI system itself and its underlying model — only the delivery of the AI system is part of the service. The decisive differentiator remains elasticity.

Managed hosting vs dedicated hosting

Many offerings are labelled "managed hosting," but classification depends on the architecture:

  • True cloud (within CADA): if customers can dynamically change CPU, RAM, or storage via self-service or API, drawing from a shared, virtualised pool that can be reallocated, it is a cloud computing service. Elastic scaling without physical hardware changes is the hallmark.
  • Fixed-capacity dedicated hosting (likely outside CADA): if the customer gets a dedicated physical server or a static VM that cannot be elastically scaled without manual intervention or hardware swaps, it lacks the elastic pool. Such offerings are typically data centre services, which CADA defines separately at Article 2(12) by reference to Article 6, point (31), of the NIS2 Directive.

Practical consequences for sovereignty recognition

The line between a cloud computing service and a data centre service has real consequences for access to the public-sector market:

  1. Framework eligibility: the Union cloud computing sovereignty framework in Title IV applies to cloud computing services. Only providers recognised at Union assurance levels 1–4 would be positioned for the procurement obligations. A non-elastic managed-hosting offering could not seek that recognition.
  2. Procurement obligations: Article 30 would require Union entities and public sector bodies to use recognised cloud computing services — at level 1 where activities are not public-order-relevant, and at level 2, 3, or 4 where a risk assessment under Article 29 identifies public-order relevance in the listed sectors. Misclassification cuts both ways for eligibility.
  3. Audit and compliance: cloud computing services seeking levels 2–4 would undergo independent third-party audits (Article 20) against Annex II criteria covering localisation, personnel, and supply-chain transparency. Data centre services are not subject to that specific audit regime, though they remain subject to other EU law (e.g. the Data Act, NIS2).

Why fixed capacity fails the test

Fixed-capacity dedicated hosting fails the NIS2 definition because it lacks elasticity. In a true cloud model, resources are abstracted from physical hardware and scale on demand. In fixed hosting, resources are tied to specific physical assets; adding capacity means provisioning new hardware or migrating workloads — not on-demand or elastic in the legal sense.

What this means for you

If you are a provider or data centre operator, audit your catalogue against the NIS2 definition:

  • Assess elasticity. Can customers scale resources automatically from a shared, virtualised pool? If yes, you are a cloud computing service provider under CADA.
  • Check AI integration. Offering on-demand access to remotely hosted AI systems reinforces cloud-service status (the model itself, though, is excluded from the service definition).
  • Prepare for the right path. Cloud providers would do a conformity self-assessment for level 1 (Article 19) or independent audits for levels 2–4. Ensure subcontractors meet the relevant Annex II criteria.
  • Align your contracts. Make your SLAs and marketing reflect whether you offer "cloud computing services" or "data centre services."
  • Track delegated and implementing acts. The Commission would specify methodologies and may update criteria via delegated/implementing acts; stay engaged on the technical detail.

Common misconceptions

  • "If I manage the server, it's cloud." Management alone does not make it cloud; the infrastructure must be elastic and scalable. Managed dedicated servers are still dedicated hosting.
  • "Private cloud is not cloud." A private cloud can be a cloud computing service if it uses virtualised, elastic, on-demand resources, even when dedicated to one organisation. The technology stack matters, not the tenancy model.
  • "Only hyperscalers are covered." CADA applies to any legal entity providing a cloud computing service, including SMEs. Under Article 17(3), the EU statement of conformity issued by SME providers at Union assurance level 1 would be directly and automatically recognised across all Member States, without prior recognition by the evaluating national competent authority.
  • "Data centre services are exempt from all rules." They are not exempt from EU law (Data Act, NIS2, energy-efficiency rules); they are simply outside CADA's specific cloud sovereignty assurance framework.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.