Summary

Under the proposed Cloud and AI Development Act (CADA), "hardware," "software" and "component" are not defined from scratch — Article 2 borrows each one from the Cyber Resilience Act (CRA), Regulation (EU) 2024/2847. CADA's Article 2(13) cross-refers to the CRA for software, Article 2(14) for hardware and Article 2(15) for component (the CRA's own Article 3 definitions). For architects, the distinction matters because CADA's sovereignty criteria would assess the whole stack — software, hardware and components alike — when a cloud service is audited for a Union assurance level.

Detail

CADA, as proposed, introduces new concepts such as Union assurance levels and data centre acceleration zones, but it does not coin fresh definitions for the basic building blocks of technology. To keep the EU's digital rulebook consistent, CADA instead borrows them from the Cyber Resilience Act (CRA), Regulation (EU) 2024/2847.

The legal source: Article 2 of the CADA proposal

Article 2 ("Definitions") incorporates the three terms by reference rather than restating them:

  • Software — Article 2(13): "'software' means software as defined in Article 3, point (4), of Regulation (EU) 2024/2847."
  • Hardware — Article 2(14): "'hardware' means hardware as defined in Article 3, point (5), of Regulation (EU) 2024/2847."
  • Component — Article 2(15): "'component' means component as defined in Article 3, point (6), of Regulation (EU) 2024/2847."

CADA also borrows "manufacturer" from the CRA in the same way (Article 2(16) cross-refers to Article 3, point (13), of Regulation (EU) 2024/2847). This drafting technique means the definitions stay aligned with the CRA over time.

Code, physical systems, and integrated parts

Because CADA points to the CRA, the practical distinctions are the CRA's.

1. Software (code and instructions). Software, under the borrowed definition, is the code and instructions that tell hardware what to do — operating systems, applications and the like. In CADA's framework, software sits at the heart of a "cloud computing service," and several sovereignty criteria turn on who controls that software and whether it can be remotely tampered with.

2. Hardware (physical systems). Hardware is the physical machinery and devices — servers, processors, storage and networking equipment. For CADA, hardware matters because the Union assurance level criteria in Annex II require, among other things, that infrastructure and assets be located in the Union (for example, Annex II point 1.1(b) for Union assurance level 1; the higher levels require infrastructure, assets and personnel to be located in the Union).

3. Component (an integrated part). A component, under the CRA definition CADA adopts, is a part of hardware or software intended to be incorporated into a product. In CADA's context, the distinction matters for supply-chain criteria: the Annex II software-supply-chain requirements for the audited levels (for example, point 2.1(i) for Union assurance level 2) reference software components as defined in Article 3, point (6), of Regulation (EU) 2024/2847 and call for controls where those components are owned or licensed by a third-country entity.

How the three terms relate in CADA's framework

CADA primarily regulates the service layer — cloud computing services — which is software-defined but runs on hardware and components. For the audited Union assurance levels (2, 3 and 4), the cumulative criteria in Annex II reach across the whole delivery chain. As an illustration, Annex II requires (at the higher levels) that infrastructure, assets and personnel be located in the Union, that data localisation be maintained, and — under Audit criterion I in Annex III, assessed against the Annex II software-supply-chain criteria — that the provider supply a software bill of materials (SBOM) and implement controls over third-country software components.

The practical consequence: software and hardware compliance cannot be treated in isolation. A third-country-controlled component or a remotely tamperable software dependency could undermine an audited service's compliance regardless of how robust the rest of the stack is.

What this means for you

For CTOs, architects and SMEs, CADA's reuse of CRA definitions has several practical effects:

  1. One glossary, not two. If you already classify your stack for CRA purposes, you are largely prepared for CADA's hardware, software and component definitions. Document clearly which parts of your stack are hardware, software or components.
  2. Supply-chain transparency. For audited assurance levels, Annex II and the corresponding Annex III audit evidence call for a complete SBOM and controls over third-country software components — including the ability to block remote features that could materially tamper with or disrupt a system, and source-code audits of security-relevant components from third-country manufacturers.
  3. Hardware location. Even EU-developed software will not, on its own, satisfy the higher levels: Annex II requires the infrastructure, assets and (at levels 2-4) personnel involved in the service to be located in the Union.
  4. Assess your dependencies. A third-party library is a "component" if it is incorporated into your product; if it is owned or licensed by a third-country entity, the Annex II software-supply-chain criteria for the audited levels would apply.

Common misconceptions

  • "CADA defines hardware and software differently from the CRA." It does not. Article 2(13)-(15) adopt the CRA definitions by reference; there is no divergence.

  • "Only software matters for cloud sovereignty." As proposed, the assurance levels impose controls over hardware and personnel too. Annex II requires that infrastructure, assets and (for levels 2-4) personnel be located in the Union.

  • "Embedded components don't count." Components matter because they can be points of failure or tampering. The Annex II software-supply-chain criteria for the audited levels, assessed via the Annex III audit evidence, expressly address third-country-owned or -licensed components.

  • "Cloud services are pure software, so hardware rules don't apply." CADA defines "cloud computing service" by cross-reference to the NIS2 Directive (Article 2(1)), and the underlying resources are physical hardware. The Annex II criteria assess the whole delivery chain, including the location and control of that hardware.

This is general information about a draft EU regulation, not legal advice.