Summary
Under the proposed Cloud and AI Development Act (CADA), the definitions in Article 2 are the legal bedrock that would determine whether your organisation is a "cloud computing service provider," is subject to sovereignty audits, or is treated as under third-country "control." For cloud providers, the terms that would matter most are ‘cloud computing service’ (Article 2(1)), ‘cloud computing service provider’ (Article 2(2)), ‘control’ (Article 2(21)), and the audit terms in Article 2(17)–(20). As proposed, these definitions would set your eligibility for Union assurance levels, your obligations, and your liability in the EU market.
Detail
CADA is a proposal (COM(2026) 502 final), not yet in force. If adopted in its current form, it would establish a framework for the Union’s cloud and AI ecosystem. For cloud service providers and data centre operators, the starting point would not be the operational rules but the definitional scope in Article 2. These definitions act as gatekeepers: if you do not fit them, the rules may not apply; if you do, they determine which obligations you must meet.
Below are the defined terms that would matter most for cloud providers, with the source wording and why each one counts.
1. Who is the regulated entity? ‘Cloud computing service provider’
Definition: Article 2(2) defines a ‘cloud computing service provider’ as "a legal entity which provides a cloud computing service."
Why it matters: This is the primary hook for liability. CADA targets the legal entity that provides the service, not an individual product or software component. If your company is the legal entity contracting with customers for cloud services, you would be the ‘cloud computing service provider’ responsible for meeting the criteria. The obligation rests on the provider, not necessarily on a separate infrastructure owner — unless that owner is also providing the cloud computing service.
2. What is the regulated service? ‘Cloud computing service’
Definition: Article 2(1) borrows the definition in Article 6, point (30), of Directive (EU) 2022/2555 (NIS2): a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where those resources are distributed across several locations.
Why it matters: This definition is broad and covers IaaS, PaaS and SaaS where they involve scalable, shareable computing resources. Recital 10 of the proposal adds that the definition "encompasses on-demand access to AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/1689 ... hosted and operated remotely," but that "[o]nly the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition." So CADA would regulate the cloud service that hosts the AI, not the AI model itself (which the AI Act governs). Offering remote, on-demand access to AI models via scalable cloud infrastructure would bring you within CADA’s framework.
3. The sovereignty pivot: ‘Control’
Definition: Article 2(21) defines ‘control’ by reference to Article 2, point (6), of Regulation (EU) 2021/697. CADA relies on that cross-referenced definition to determine whether a provider is subject to the influence of a third country; the underlying text is not reproduced in the proposal.
Why it matters: This is arguably the most consequential term for sovereignty eligibility. The Annex II criteria for higher Union assurance levels turn on whether a provider is, or is not, subject to third-country ‘control’. For the higher levels, providers would need to demonstrate they are not subject to such control (or meet stringent additional safeguards). If your ownership, voting rights, or strategic decision-making power falls within this definition of ‘control’ by a non-EU entity, your ability to offer high-assurance services to the EU public sector would be severely restricted. (Note: the reference is to Regulation (EU) 2021/697 — not the Cybersecurity Act and not DORA, as is sometimes assumed.)
4. The audit machinery: Article 2(17)–(20)
CADA would introduce independent third-party audits for Union assurance levels 2, 3 and 4. Four Article 2 terms define the actors and standards:
- ‘Auditing organisation’ (Article 2(17)): an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited provider has contracted to perform an independent audit.
  - Why it matters: You could not audit yourself for Levels 2–4. You would contract an independent third party. Independence requirements would apply (Article 20).
- ‘Audited service’ (Article 2(18)): a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion.
  - Why it matters: The audit scope is the service, not just the company. Each service seeking recognition would be assessed on its own.
- ‘Audit criteria’ (Article 2(19)): the criteria, pursuant to Annex II, against which the auditing organisation assesses whether the audited provider and service comply with each cumulative criterion for Union assurance levels 2, 3 or 4.
  - Why it matters: Compliance would be cumulative — failing one criterion means failing the level.
- ‘Audit evidence’ (Article 2(20)): any information used to support the audit findings and opinion, including data from documents, databases or IT systems, interviews or testing.
  - Why it matters: This defines what you must produce. Under Article 21, the evidence must be relevant, sufficient and reliable, and the specific evidence is listed in Annex III.
What this means for you
As a cloud service provider or data centre operator, you should not wait for the final text before reviewing your structures against Article 2 — these terms are the lens regulators would use.
- Map your legal entities: Identify which entities would be ‘cloud computing service providers’ under Article 2(2). Ensure the entity signing customer contracts is the one preparing for assessment.
- Audit your ‘control’ structure: Review ownership and governance against Article 2(21) (Regulation (EU) 2021/697). Non-EU veto rights, strategic decision power, or significant voting influence could disqualify you from the higher Union assurance levels.
- Prepare for independent audits: For services targeting the public sector, you would need an ‘auditing organisation’ (Article 2(17)). Identify qualified auditors and ready your ‘audit evidence’ now.
- Clarify your service scope: Align your service descriptions with Article 2(1). Where you offer AI, remember the model is not the cloud service, but the hosting infrastructure is — which determines whether CADA or the AI Act applies to which part of your stack.
Common misconceptions
- "We are an EU subsidiary, so we are not under third-country control."
  - Reality: CADA would use ‘control’ (Article 2(21)), not just place of establishment. An EU subsidiary can still be under the ‘control’ of a non-EU parent through strategic decision-making power, veto rights, or significant voting influence.
- "CADA regulates AI models."
  - Reality: Recital 10 confirms the ‘cloud computing service’ definition covers on-demand access to AI systems but excludes the AI system and its underlying model. CADA would regulate the infrastructure and service delivery; the AI Act regulates the model.
- "We can self-audit for all assurance levels."
  - Reality: As proposed, only Union assurance level 1 allows a conformity self-assessment (Article 19). Levels 2, 3 and 4 would require independent third-party audits by an ‘auditing organisation’ (Article 2(17)) against the ‘audit criteria’ (Article 2(19)).
This is general information about a draft EU regulation, not legal advice.