Summary Under the proposed Cloud and AI Development Act (CADA), Article 2(2) defines a "cloud computing service provider" as "a legal entity which provides a cloud computing service." This is an original CADA definition — unlike "cloud computing service" itself (Article 2(1)), which is imported from NIS2, the provider definition is written fresh for this Regulation. The CSP is the central regulated actor for the sovereignty framework: it is the entity that would seek recognition at a Union assurance level, undergo audits and bear penalties for infringement. As this is a proposal, the wording could change before adoption.

Detail

To know who is bound by CADA's obligations on cloud providers, you first have to know who counts as a "cloud computing service provider" (CSP). The proposal sets out a deliberately spare definition that then carries the weight of the sovereignty framework.

The legal definition

As proposed, Article 2(2) states:

"'cloud computing service provider' means a legal entity which provides a cloud computing service".

Two features stand out. First, the test is functional: it turns on the act of providing a cloud computing service (as defined in Article 2(1) by reference to NIS2), not on size, architecture or business model. Second, the actor must be a legal entity — a recognised legal person — so an individual or an informal grouping would generally fall outside the definition unless constituted as a legal entity under national law.

An original CADA definition

This is one of the definitions CADA writes for itself rather than importing. The contrast is instructive: Article 2(1) borrows the meaning of "cloud computing service" from Article 6, point (30) of the NIS2 Directive, but Article 2(2) does not borrow a provider definition from NIS2 or elsewhere. Coining a standalone definition lets CADA apply its sovereignty and procurement rules uniformly to any legal entity offering cloud services, regardless of how that entity might be classified under other instruments such as the Data Act or NIS2.

The CSP as the central regulated actor

The CSP sits at the centre of CADA's supply-side design. The proposal's aim is to reduce dependence on non-European providers and to give public buyers access to services with verifiable sovereignty characteristics. That places several proposed obligations on CSPs:

  1. Union assurance levels. A CSP would seek recognition that its services meet the criteria for one of the four Union assurance levels introduced by the framework in Article 16, with the criteria set out in Annex II.
  2. Audit and recognition. For the higher levels, recognition would follow an independent third-party audit; the proposal routes recognition through the national competent authority of the provider's establishment (Article 17).
  3. Transparency. The transparency provisions of the proposal (Article 23) would require providers to be open about the basis on which a service is recognised at a given level.
  4. Penalties. Article 24 makes CSPs directly subject to penalties for infringements of the relevant obligations, which Member States must set at levels that are effective, proportionate and dissuasive.

Scope and applicability

The definition reaches any legal entity providing cloud computing services within CADA's scope — IaaS, PaaS or SaaS, and (per Recital 10) the on-demand delivery of AI systems, though not the AI systems or models themselves. It draws no distinction by place of establishment: a third-country entity can be a CSP. What differs is the assurance level such a provider can credibly achieve, since the higher tiers turn on establishment, infrastructure location and freedom from third-country control.

What this means for you

If you run a cloud business, this definition is your entry point to the framework.

  • Check your legal form. The definition requires a legal entity. If you operate as an unincorporated venture, recognition under the framework as proposed would presuppose a legal person.
  • Map your services. If your offering meets the Article 2(1) cloud computing service definition (on-demand administration, broad remote access, a scalable shared resource pool), you are a CSP.
  • Prepare for sovereignty assessment. To serve the public sector, plan to document infrastructure locations, data flows, personnel and subcontracting, and to engage auditing organisations for the higher levels.
  • Manage your supply chain. The assurance level you can claim depends in part on your subcontractors, so build visibility into that chain.
  • Identify your competent authority. Recognition as proposed runs through the national competent authority of your Member State of establishment.

Common misconceptions

  • "CSP means only the hyperscalers." No — Article 2(2) covers any legal entity providing cloud services, of any size. SMEs are CSPs too, though the proposal contemplates some lighter-touch procedures for them.
  • "CADA uses the NIS2 definition of a CSP." It does not. CADA imports the NIS2 definition of "cloud computing service" (Article 2(1)) but writes its own definition of the provider (Article 2(2)). Do not assume NIS2 provider obligations map across.
  • "Only EU companies can be CSPs." A non-EU legal entity can be a CSP. What it cannot easily do is reach the highest assurance levels, which turn on establishment, infrastructure location and absence of third-country control.
  • "A CSP is just a technical host." As proposed the CSP is a regulated legal actor responsible for recognition, audits, transparency and the sovereignty assurances it makes to customers — not merely the operator of the hardware.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.