Summary For CADA purposes, a "cloud computing service" is not defined from scratch. As proposed in Article 2, point (1), it means a cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555 (NIS2): a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. As proposed, the proposal's recitals clarify that this encompasses on-demand access to hosted AI systems — but the AI system itself and its underlying model are excluded from the definition.

Detail

The Cloud and AI Development Act (CADA) does not invent a new definition of cloud computing. As proposed, it anchors its scope in existing EU cybersecurity law for consistency.

The NIS2 definition As proposed, Article 2, point (1), provides that "cloud computing service" means cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555 (NIS2). As reflected in CADA's recitals, NIS2 defines a cloud computing service as:

"a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."

In practice, services within scope tend to share the familiar cloud characteristics: on-demand self-service provisioning, broad network access, pooling of resources across multiple consumers, and rapid elasticity so that capacity scales up and down with demand. The reference to resources "distributed across several locations" means hybrid and multi-cloud architectures can fall within the definition.

The inclusion of hosted AI As proposed, the proposal's recitals state that the definition of "cloud computing service" "encompasses on-demand access to AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/1689 ('Artificial Intelligence Act') ... hosted and operated remotely." In other words, if you provide an AI system via an API or web interface where the model runs on your infrastructure and the user accesses outputs remotely, that service is a cloud computing service for CADA purposes.

The exclusion of the model itself There is a critical limit. As proposed, the recitals state: "Only the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition." So CADA, as proposed, would reach the cloud service that hosts and delivers the AI, not the model's weights, architecture or training data in isolation.

Contrast with traditional managed hosting Not all IT hosting fits this definition. Where a provider rents dedicated physical servers or fixed-capacity virtual machines without on-demand, elastic self-service, the offering may lack the "on-demand administration" and "scalable and elastic" characteristics central to the NIS2 definition. Such managed hosting or colocation may therefore fall outside the cloud computing service definition, even though the provider could still be subject to other rules.

What this means for you

For CTOs and architects, this definition determines whether your platform would trigger CADA's procurement and sovereignty obligations.

1. Sovereignty recognition for public-sector sales As proposed, if your service is a cloud computing service and you want to serve Union entities or public sector bodies, you would need recognition at a Union assurance level under Article 17, against the criteria in Annex II. This matters for AI-as-a-Service providers: even if your model was trained outside the EU, hosting it and providing on-demand access makes the service a cloud computing service in scope.

2. Procurement eligibility and assurance levels As proposed, public buyers run risk assessments (Article 29) to determine the required level. For non-public-order activities the baseline is Union assurance level 1; for public-order activities it is level 2, 3 or 4 (Article 30). The Annex II criteria for the levels cover, among other things, EU establishment, location of infrastructure and data in the Union, and — at the higher levels — personnel who are Union citizens and freedom from third-country control.

3. SMEs and a lighter level-1 route As proposed, Article 19 lets a provider self-assess conformity with the Union assurance level 1 criteria and issue an EU statement of conformity. By way of derogation in Article 17(3), an EU statement of conformity issued by a provider that is an SME is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This reduces administrative burden for smaller providers seeking level 1.

4. Hybrid and multi-cloud Because the definition covers resources "distributed across several locations," hybrid and multi-cloud architectures are within scope. If your service pools resources across multiple data centres or providers, you would need the whole offering to meet the criteria for the Union assurance level you target.

Common misconceptions

"CADA defines cloud computing from scratch." No. As proposed, CADA imports the NIS2 definition by reference (Article 2, point (1), pointing to Article 6, point (30), of Directive (EU) 2022/2555). The notable clarification is that hosted AI access is included while the model itself is excluded.

"If I provide an AI model, I'm regulated by CADA." Not necessarily. As proposed, CADA reaches the cloud service delivering the AI, not the model in isolation. A downloadable model for on-premises use is unlikely to be a "cloud computing service"; API access to a hosted model is.

"Managed hosting is always a cloud service." Not if it lacks on-demand self-service and elasticity. Fixed-capacity hosting or colocation may fall outside the NIS2 definition the proposal relies on.

"Only hyperscalers are affected." No. As proposed, Article 2, point (2), defines a provider as any legal entity providing a cloud computing service, including SMEs and specialised AI startups — though procedures such as the SME level-1 derogation may lighten the burden.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.