Summary

Under the proposed Cloud and AI Development Act (CADA), a "cloud computing service" is defined by reference to Article 6, point (30), of the NIS2 Directive — a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. As proposed, falling within this definition is the gateway to CADA's sovereignty framework: to serve Union entities and public sector bodies, providers would need recognition at a Union assurance level, which means a conformity self-assessment (level 1) or independent audits (levels 2–4), oversight by a national competent authority, and — at higher levels — strict data-localisation and personnel requirements.

Detail

The definition of "cloud computing service" is foundational to CADA. A provider outside it is generally outside the Regulation's core sovereignty and procurement rules.

The legal definition

As proposed, Article 2(1) provides that "cloud computing service" means cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555 (the NIS2 Directive) — that is, "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."

Scope: AI delivery in, AI model out

The proposal's recitals clarify the boundary with AI. As proposed, the scope can include on-demand access to AI systems (within the meaning of the AI Act) that are hosted and operated remotely — but only the delivery and making available of the AI system forms part of the cloud computing service. The AI system itself, and its underlying model, are excluded from the cloud computing service. CADA thus addresses the service-delivery layer, while the AI Act governs the model and system.

Why this matters: the sovereignty framework

Falling within the definition brings a provider into CADA's Union cloud computing sovereignty framework. As proposed in Article 16, this framework comprises four "Union assurance levels," set out in Annex II, that providers must meet to provide their services to Union entities and public sector bodies. The levels represent increasing degrees of localisation, control and personnel restriction.

What this means for you

If you are a cloud provider or data-centre operator, classification under this definition triggers a cascade of obligations.

1. Recognition and assurance levels

To serve the EU public sector, your service must be recognised at a Union assurance level (Article 17).

  • Level 1: a conformity self-assessment (Article 19). You issue an EU statement of conformity demonstrating compliance with the Annex II level-1 criteria, and make it publicly available. As proposed, an EU statement of conformity issued by a provider that is an SME is directly and automatically recognised in all Member States without prior recognition by the evaluating authority (Article 17(3)).
  • Levels 2, 3 and 4: independent third-party audits (Article 20). You engage an auditing organisation to verify compliance with stricter Annex II criteria — including software-supply-chain transparency, Union-citizen personnel (levels 3 and 4) and the no-third-country-control requirement.

2. Oversight by national competent authorities

Recognition is granted by the national competent authority of establishment (Article 17). Member States must designate such authorities (Article 25), which have investigative powers (Article 26). You must notify the auditing organisation and the authority of any material change in circumstances affecting your audit opinion or recognition (Article 23).

3. Central repository

The Commission maintains a publicly available central repository of recognised services (Article 22); a recognised service is registered there, making its assurance status visible to public buyers.

4. Penalties and compensation

Under Article 24, Member States must lay down effective, proportionate and dissuasive penalties for infringements, and the Article addresses compensation.

5. Data and infrastructure localisation

For higher assurance levels, the Annex II criteria are strict. At level 2, infrastructure, assets and personnel must be located in the Union. At levels 3 and 4, personnel must be Union citizens, and technical and operational support must be initiated and performed exclusively within the Union, by personnel that are Union residents and by third parties not subject to third-country control.

Common misconceptions

Misconception 1: "We only provide AI models, so CADA doesn't apply." Not necessarily. The AI model is excluded from the cloud-computing-service definition, but the delivery and making available of a remotely hosted AI system can be part of the service. If you offer remote, on-demand access to your model, the service-delivery layer can fall within CADA, while the AI Act governs the model.

Misconception 2: "NIS2 compliance means CADA compliance." No. NIS2 addresses cybersecurity risk management; CADA adds a separate sovereignty layer. A service can be cyber-secure yet fail CADA's criteria — for example, if it is subject to third-country control or its data leaves the Union without the public-sector body's agreement.

Misconception 3: "Private providers never need assurance levels." The mandatory procurement rules (Article 30) bind public buyers, but to win those contracts providers must obtain recognition. Separately, certain private entities in NIS2 sectors may carry out impact assessments under Article 31.

Misconception 4: "GDPR adequacy overrides CADA localisation." No. At higher assurance levels the Annex II criteria require customer data to remain exclusively within the Union unless the public sector body explicitly requires otherwise. GDPR adequacy decisions do not displace these sovereignty criteria.

This is general information about a draft EU regulation, not legal advice.