Summary Under the proposed Cloud and AI Development Act (CADA), Article 2(1) defines a "cloud computing service" by reference to Article 6, point (30) of Directive (EU) 2022/2555 (NIS2). The NIS2 definition is a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where those resources are distributed across several locations. As proposed, this is broad and technology-neutral, so IaaS, PaaS and SaaS offerings all fall within it. CADA does not coin its own meaning — and because this is a proposal, both the reference and the scope could change before adoption.

Detail

CADA's whole framework — the sovereignty assurance levels, the data-centre rules, the public-procurement obligations — applies to providers of "cloud computing services". Working out whether you offer such a service is therefore the threshold question, and the answer turns on a definition CADA imports rather than invents.

The legal definition: Article 2(1)

As proposed, Article 2(1) provides that "cloud computing service" means a cloud computing service as defined in Article 6, point (30) of Directive (EU) 2022/2555 — the NIS2 Directive. Recital 10 of the proposal confirms the intent: the CADA definition "should be the same as" the NIS2 one, which it describes as "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."

Three elements characterise the service:

  1. On-demand administration — resources can be provisioned and managed with minimal interaction with the provider.
  2. Broad remote access — the service is reachable over a network from a range of client platforms.
  3. A scalable and elastic pool of shareable computing resources — storage, processing, memory and networking that can be rapidly scaled and are shared across customers, including where distributed across multiple locations.

By anchoring to NIS2, the proposal keeps CADA's scope aligned with the EU's wider cybersecurity and resilience regime rather than creating a competing definition.

What falls within scope

The definition is intentionally broad and covers the three layers that dominate today's market:

  • Infrastructure-as-a-Service (IaaS) — virtual machines, storage and networking rented on demand.
  • Platform-as-a-Service (PaaS) — runtimes, databases and middleware on which developers build applications.
  • Software-as-a-Service (SaaS) — applications delivered over the network on shared, scalable infrastructure.

All three rest on the same scalable, shared resource pool that the NIS2 definition describes, so all three are caught.

The boundary with AI

Recital 10 of the proposal makes an important clarification about AI. It states that the cloud computing service definition "encompasses on-demand access to AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/1689 ('Artificial Intelligence Act') … hosted and operated remotely." But it then draws a line: "Only the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition."

In other words: the platform or API through which an AI system is delivered is a cloud computing service governed by CADA's infrastructure and sovereignty rules; the AI system and its model are regulated elsewhere, principally under the AI Act.

Why the definition is referential

Using the NIS2 definition is a coherence choice. It means the entities caught by CADA's sovereignty framework, data-centre rules and procurement requirements are, broadly, the same ones already recognised as significant for EU cybersecurity. A provider therefore sits within a single, joined-up regulatory picture rather than facing inconsistent "cloud" definitions across instruments.

What this means for you

If you are a cloud provider or data-centre operator, this definition decides whether the proposed obligations reach you.

1. Scope confirmation. If you offer on-demand access to shared, scalable computing resources — raw storage and compute, a development platform, or a hosted application — you are very likely providing a "cloud computing service" as proposed. That spans hyperscalers, regional providers and niche specialists alike.

2. Sovereignty framework. Once you are in scope, you may seek recognition at a Union assurance level under the framework the proposal introduces in Article 16. Serving public-sector customers would, as proposed, require demonstrating compliance with the relevant assurance criteria.

3. Data-centre rules. If you run the data centres behind those services, Title III of the proposal becomes relevant, including the acceleration-zone regime (Article 10) and associated sustainability and permitting conditions.

4. Public procurement. Public buyers would procure by Union assurance level. As a provider that means preparing for self-assessment (level 1) or independent third-party audit (levels 2–4). The breadth of the definition means SaaS providers who never thought of themselves as "infrastructure" are nonetheless in scope.

Common misconceptions

"Only IaaS is covered." The NIS2 definition expressly reaches PaaS and SaaS too. A hosted application delivered over a network on shared resources is a cloud computing service.

"The AI model is the cloud service." Recital 10 separates them: the delivery mechanism is the service (and falls under CADA); the AI system and its underlying model are excluded from the cloud-service definition and are governed chiefly by the AI Act.

"Purely internal systems count." The definition requires broad remote access and a shareable pool. A strictly internal, non-shared, non-remote system may fall outside it — though most commercial offerings, including industry-specific ones, use shared scalable resources and so are caught.

"CADA writes a new definition from scratch." As proposed it adopts the existing NIS2 definition, so there is no narrower CADA-specific test to fall back on.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.