What is the difference between a data centre service and a cloud computing service under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), a cloud computing service is defined by its delivery model — on-demand, remote access to a scalable, elastic pool of shared resources — while a data centre service is defined by the infrastructure and facilities provided, such as colocation or hosting. Both definitions are borrowed from the NIS2 Directive. As proposed, CADA applies its Union assurance-level (sovereignty) framework to cloud computing services, while addressing data centre services mainly through capacity measures such as acceleration zones and monitoring.

Detail

To understand CADA's structure, it helps to separate two foundational concepts: cloud computing services and data centre services. Casual usage blurs them, but CADA draws a sharp legal line, anchored in existing EU law.

The legal definitions

CADA does not invent new definitions here; it incorporates the NIS2 Directive (Directive (EU) 2022/2555) for consistency across the EU digital rulebook.

Cloud computing service. As proposed, Article 2(1) defines a "cloud computing service" as the term defined in Article 6, point (30), of Directive (EU) 2022/2555 (NIS2). Per CADA's Recital 10, that is "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations." Recital 10 adds that this encompasses on-demand access to remotely hosted AI systems, while "[t]he AI system itself and its underlying model are excluded from the scope of this definition."

Data centre service. As proposed, Article 2(12) defines a "data centre service" as the term defined in Article 6, point (31), of Directive (EU) 2022/2555 (NIS2). This concerns the provision of infrastructure and facilities — colocation, hosting, and related services — focusing on the physical layer: the buildings, power, cooling, and connectivity that house IT equipment.

Technical distinction: elasticity vs facilities

The core difference is what is being sold and at what level of abstraction.

A cloud computing service is characterised by elasticity and scalability. The user does not manage the underlying hardware; they consume compute, storage, or network resources as a utility, with the provider allocating from a shared pool. This abstraction enables rapid scaling and underpins burstable AI workloads.

A data centre service is characterised by physical presence and facility management. The customer typically leases space (colocation) for its own servers, or has the provider host specific hardware. Capacity is not inherently "elastic" in the software-defined sense; the provider's responsibility is the physical environment rather than a virtualised compute pool.

Why both are regulated, but differently

CADA addresses both because both are critical to EU digital autonomy and capacity, but with different mechanisms.

1. Cloud computing services: the autonomy framework. As proposed, the principal framework for cloud computing services is the Union cloud computing sovereignty framework in Title IV — established in Article 16, with criteria in Annex II. Because cloud services abstract the location of data and the identity of the ultimate controller, they raise specific concerns:

• Data location: where data is physically stored and processed;
• Operational autonomy: whether a third-country provider could remotely disrupt or degrade the service;
• Legal exposure: whether the provider is subject to laws permitting third-country access to data.

CADA's four Union assurance levels respond to this. As proposed, contracting authorities must procure services at least at level 1, and at levels 2-4 where a risk assessment finds public-order relevance (Article 30). The higher levels address dependence on providers that may be subject to extraterritorial laws (such as the US CLOUD Act).

2. Data centre services: capacity and deployment. As proposed, data centre capacity is addressed in Title III. The focus is the physical availability and sustainability of infrastructure rather than the legal autonomy of the software stack. Measures include:

• Data centre acceleration zones: as proposed, Article 10 requires Member States to designate zones where deploying data centre capacity is facilitated, with conditions and streamlined permitting in Articles 11-13.
• Strategic projects: as proposed, Article 14 lays down a mechanism for designating data centre strategic projects.
• Capacity monitoring: as proposed, Article 15 establishes a mechanism for the Commission to monitor compute capacity, demand, and the capacity gap.

Although data centre services do not have their own assurance levels, they are linked to the cloud framework: a cloud service seeking a higher Union assurance level would need to show its underlying infrastructure meets the relevant location, personnel, and control criteria in Annex II. The physical layer must support the legal guarantees of the service built on top of it.

What this means for you

For CTOs, architects, and SMEs, the distinction shapes compliance and planning.

1. Procurement and compliance. Determine whether you are procuring a "cloud computing service" or a "data centre service."

• Buying IaaS, PaaS, or SaaS means buying a cloud computing service — verify the provider's Union assurance level. If your activities are deemed public-order-relevant, you may be required to procure only services at levels 2, 3, or 4.
• Leasing colocation space means buying a data centre service — not directly subject to the assurance levels, but you should still weigh location and energy sustainability for sensitive workloads.

2. Architecture and autonomy. When designing sovereign AI stacks, align the physical layer (data centre service) with the legal layer (cloud service). A provider cannot credibly claim a high assurance level if the underlying facilities or personnel do not meet the Annex II criteria.

3. SME opportunities. SMEs offering data centre services (e.g. niche colocation) can focus on the sustainability and permitting criteria under Title III to benefit from acceleration zones. SMEs offering cloud services should prepare for the conformity self-assessment for level 1 (Article 19) or third-party audits for levels 2-4 (Article 20) to access public sector contracts.

Common misconceptions

"All data centres are cloud services." Not true. A data centre is a physical facility; a cloud service is a logical, scalable resource delivered over a network. A private data centre may offer no cloud services, while a cloud service may span many data centres. CADA regulates the service model for autonomy and the facility for capacity.

"Data centre services are not subject to any sovereignty rules." They have no assurance levels of their own, but they are intertwined with the cloud framework: a cloud provider cannot reach a higher assurance level if its underlying data centre services fail the location, personnel, and control criteria in Annex II.

"The definitions are new to CADA." They are borrowed from NIS2 (Article 6, points (30) and (31)). What is new is CADA's application of an autonomy-and-capacity framework to these defined terms — the novelty is in the rules, not the definitions.

Related

• Data centre operator vs data centre service under CADA
• What is a data centre service under CADA?
• Is a colocation provider a data centre operator or a data centre service provider under CADA?
• What is the difference between an SME and a small mid-cap under CADA?
• What is the difference between a public sector body and a Union entity under CADA?

This is general information about a draft EU regulation, not legal advice.