What is hardware under CADA? Definition and scope explained

Summary Under the proposed Cloud and AI Development Act (CADA), "hardware" is not given a new, standalone definition. As proposed, Article 2(14) defines hardware by reference to Article 3, point (5), of Regulation (EU) 2024/2847 — the Cyber Resilience Act (CRA) — which defines hardware as "a physical electronic information system, or parts thereof". For CTOs and architects, this means CADA's sovereignty and procurement provisions, where they touch the physical layer, would attach to the same physical infrastructure the CRA already covers: servers, processors, accelerators, storage and networking equipment.

Detail

CADA is a Commission proposal (COM(2026) 502 final) designed to strengthen Europe's cloud and AI ecosystem by addressing capacity gaps, promoting sovereignty and streamlining data-centre deployment. Its operative terms are set out in Article 2, and several of them — including hardware — are imported from existing EU law rather than defined afresh.

The legal definition

As proposed, Article 2(14) states:

"'hardware' means hardware as defined in Article 3, point 5, of Regulation (EU) 2024/2847;"

Regulation (EU) 2024/2847 is the Cyber Resilience Act (CRA), the horizontal EU regulation on cybersecurity requirements for products with digital elements. Under the CRA's Article 3(5), hardware means "a physical electronic information system, or parts thereof". By cross-referencing the CRA, CADA would keep a single, consistent understanding of hardware across EU digital legislation.

CADA also imports two neighbouring CRA terms: Article 2(13) defines "software" by reference to Article 3, point (4), of the CRA, and Article 2(15) defines "component" by reference to Article 3, point (6). Together, hardware, software and component describe the full technology stack CADA's measures can reach.

Why the definition matters for compute capacity

CADA places significant weight on increasing the Union's compute capacity. Its data-centre measures include "data centre acceleration zones" and provisions for designating "strategic projects". A clear notion of hardware underpins these incentives, because the streamlined treatment targets the physical deployment of electronic systems.

The proposal's leadership-initiative objectives, set out in Article 3 and the following provisions, include advancing the Union's capabilities in advanced data-centre technologies and cloud computing stacks that support the Union's technological autonomy. Processors and accelerators sit squarely within the CRA's hardware definition, reflecting CADA's stated aim of reinforcing the Union's data-centre and cloud capacity and reducing dependence on third-country suppliers.

Relevance to sovereignty and supply-chain controls

CADA's sovereignty framework (Article 16 and Annex II) establishes four Union assurance levels for cloud computing services. The detailed criteria in Annex II focus heavily on the software supply chain — for example, requiring a complete software bill of materials (SBOM), controls on remote features in third-country software components, and effective legal, technical and organisational separation between a Union parent company and any third-country subsidiary (Annex II, Level 3, point (k)).

Hardware is not the primary object of these software-specific criteria, but the physical layer is the foundation on which they operate: controls that block remote tampering or prevent third-country access must ultimately be enforced on real systems. Where the audited service relies on critical computing, storage and networking hardware, that hardware is what those controls run on.

Hardware in public procurement

The clearest place hardware origin appears in CADA's own text is procurement. Article 32 ("Union added value") would require contracting authorities, in procurement of innovative cloud computing services and AI systems, to apply non-price award criteria that evaluate, among other things, the extent to which the tenderer contributes to strengthening the Union's digital technology supply chain — including the use of software or hardware designed or manufactured in the Union (Article 32(3)(a)) — and the extent to which the service is delivered through critical computing, storage and networking hardware components designed and/or manufactured in the Union (Article 32(3)(d)).

What this means for you

For CTOs, architects and SMEs, the hardware definition has practical consequences for planning, procurement and compliance.

1. Procurement positioning: Where you bid for public-sector cloud or AI contracts, Article 32 would let contracting authorities reward EU-designed or EU-manufactured hardware as a non-price award criterion. Being able to document the EU origin or design of your critical hardware could become a competitive advantage — though, as proposed, these criteria must be ancillary and not decisive in the award.
2. Supply-chain documentation: Because CADA borrows the CRA's hardware definition, the physical electronic systems in your stack are the same ones the CRA's cybersecurity requirements address. Maintaining clear records of your hardware supply chain — processors, accelerators, networking — supports both regimes.
3. Data-centre strategy: If you plan to deploy data centres, CADA's acceleration-zone and strategic-project measures could offer streamlined treatment. Sustainable and innovative hardware choices may influence whether a project qualifies for such support.
4. Sovereignty levels: For Union assurance levels 2, 3 and 4, the detailed Annex II criteria target software supply chains, but the controls they require are enforced at the hardware layer. You should be able to show that third-country entities cannot remotely access or disrupt the infrastructure serving the audited service.

Common misconceptions

• Misconception: CADA creates a new, unique definition of hardware.
  • Reality: As proposed, CADA imports the definition from the Cyber Resilience Act via Article 2(14). This is deliberate, to keep EU digital legislation consistent.
• Misconception: Hardware is the focus of CADA's sovereignty criteria.
  • Reality: Annex II's detailed assurance-level criteria are largely about the software supply chain. Hardware appears most directly in the procurement award criteria of Article 32, where EU-designed or EU-manufactured hardware can be rewarded.
• Misconception: Only large hyperscalers need to think about the hardware definition.
  • Reality: As proposed, SMEs and startups providing cloud or AI services are also within CADA's scope, particularly when bidding for public contracts where hardware origin can affect award criteria under Article 32.

Related

• What is software under CADA? Article 2 definition explained
• Why does CADA's frontier AI definition have no fixed compute threshold?
• Why does CADA import software, hardware, component and manufacturer from the CRA?
• Hardware vs software vs component under CADA: what's the difference?
• What is audit evidence under CADA? Article 2(20) explained

This is general information about a draft EU regulation, not legal advice.