Summary As proposed, CADA distinguishes a data centre operator (a legal entity) from a data centre service (an activity). As proposed in Article 2, point (11), "data centre operator" is defined by reference to Article 2, point (7), of Delegated Regulation (EU) 2024/1364; as proposed in Article 2, point (12), "data centre service" is defined by reference to Article 6, point (31), of Directive (EU) 2022/2555 (NIS2). The distinction matters because, as proposed, the operator is the entity that bears the data-centre permitting and acceleration-zone obligations, while the service is the offering that is procured or shared within the EuroCloud Federation.
Detail
As proposed, applying CADA correctly starts with the definitions in Article 2, which assign legal responsibility, not just describe technical concepts.
The data centre operator: the legal entity
As proposed, Article 2, point (11), defines a "data centre operator" by reference to Article 2, point (7), of Delegated Regulation (EU) 2024/1364. In practice the operator is the legal person — company, foundation or public body — that owns or manages the data-centre facility. Under the proposal, the operator is the primary addressee of the data-centre (supply-side) rules in Title III, including:
- the regime for data centre acceleration zones (Articles 10–13);
- facilitated permitting within those zones, including the aggregated baseline permit and the cap on the permit-granting procedure (Article 13); and
- designation as a data centre strategic project (Article 14).
The data centre service: the offering
As proposed, Article 2, point (12), defines a "data centre service" by reference to Article 6, point (31), of Directive (EU) 2022/2555 (NIS2). A data centre service is not a person; it is the service of providing data-centre facilities and capabilities. As proposed, the service is what gets procured and what can be shared between members of the EuroCloud Federation under Articles 34–36.
Entity versus activity
The core distinction is entity versus activity, and it drives several practical points:
- Liability and enforcement. As proposed, recognition and penalties under the cloud sovereignty framework (for example, Article 24 on penalties for infringements by cloud computing service providers) are directed at legal entities, not at a "service." You enforce against the operator or provider.
- Permitting versus procurement. As proposed, the operator engages with national authorities on acceleration zones and permitting (Articles 10–13). The service is what a buyer evaluates and procures (Article 30 for cloud computing services).
- Strategic projects. As proposed, designation as a data centre strategic project under Article 14 attaches to projects (driven by operators), while it is service capacity that contributes to closing the EU compute gap.
Who bears which obligations
For compliance mapping:
| Area | Responsible party | Legal basis (as proposed) |
|---|---|---|
| Acceleration-zone conditions, including sustainability/energy aspects | Member States and operators within the zone | Articles 10–11 |
| Facilitated permitting (aggregated baseline permit; 12-month cap) | Member States / data centre operator | Article 13 |
| Strategic-project designation | Data centre operator (applicant) | Article 14 |
| Procurement of recognised cloud services | Contracting authority / public buyer | Article 30 |
| Sharing capacity in the EuroCloud Federation | Sharing entity (Union entity / public sector body) | Article 35 |
Note that, as proposed, the Union assurance levels (Article 16 and Annex II) attach to cloud computing services, not to data centre services as such — a point that matters when drafting tender requirements.
What this means for you
For compliance officers and in-house counsel, the distinction shapes your governance.
- Identify the operator. If your organisation owns or manages data-centre facilities, you are the operator and the Title III obligations (acceleration zones, permitting, strategic-project criteria) are addressed to you. As proposed, Member States must designate at least one acceleration zone within six months of entry into force (Article 10(1)) where data-centre capacity is being deployed, so monitor national designations.
- Separate your service definitions. As proposed, the Union assurance levels apply to cloud computing services (Article 16), not to raw data centre services. Make sure contracts and SLAs distinguish the underlying data centre service from any cloud computing service layered on top, because different parts of CADA apply to each.
- Procurement teams. As proposed, public buyers procure cloud computing services that meet the required Union assurance level (Article 30). You cannot specify a "Union assurance level" data centre service the way you can for a cloud service, because the sovereignty framework targets cloud computing services. The operator of the facility hosting that cloud service must still meet the applicable data-centre rules.
- Permitting timelines. As proposed, Article 13 provides for an aggregated baseline permit per acceleration zone and a permit-granting procedure that shall not exceed 12 months from a comprehensive application. Operators should track national acceleration-zone designations to benefit from these facilitations.
Common misconceptions
- "All data centre operators are cloud providers." Incorrect. An operator may provide bare-metal hosting or colocation (a data centre service) without offering the on-demand, elastic resources that define a cloud computing service (Article 2, point (1)). As proposed, the Union assurance level framework (Article 16) applies to cloud services; the operator still falls under the data-centre rules.
- "The 'service' is the building." Incorrect. The building and equipment are the infrastructure; the service is the offering of that infrastructure to customers. As proposed, CADA addresses the operator (entity) and the procurement of the service.
- "NIS2 and CADA are redundant." Incorrect. NIS2 (Directive (EU) 2022/2555, referenced in Article 2, point (12)) addresses cybersecurity resilience, while CADA, as proposed, addresses capacity, permitting, sustainability and cloud sovereignty. They are complementary.
Related
- Is a colocation provider a data centre operator or a data centre service provider under CADA?
- What is the difference between a data centre service and a cloud computing service under CADA?
- What is a data centre service under CADA?
- Does an edge site or server room count as a data centre under CADA?
- What is an audited service under CADA?
This is general information about a draft EU regulation, not legal advice.