Summary

As proposed, CADA defines its key terms in Article 2, mixing original definitions with imports from existing EU law for consistency. Terms original to CADA's new sovereignty and audit framework include "cloud computing service provider," "frontier AI," "AI agent," and the audit suite ("auditing organisation," "audited service," "audit criteria," "audit evidence"). Imported terms — including "cloud computing service," "AI system," "SME," "control," and "contracting authorities" — are drawn by reference from the NIS2 Directive, the AI Act, public-procurement law, and other instruments. The hybrid keeps CADA's novel mechanisms anchored to settled concepts.

Detail

Article 2 of the proposed CADA sets the definitions governing the Regulation. Knowing which are original and which are imported is practical, not academic: it tells you which interpretive lens and which source instrument apply.

Imported definitions: leveraging existing frameworks

CADA imports several terms by reference rather than redefining them:

  • Cloud computing service: Article 2(1) — "as defined in Article 6, point (30), of Directive (EU) 2022/2555" (NIS2). Aligns CADA's scope with NIS2.
  • AI system: Article 2(3) — "as defined in Article 3, point (1), of Regulation (EU) 2024/1689" (the AI Act).
  • Data centre service: Article 2(12) — "as defined in Article 6, point (31), of Directive (EU) 2022/2555" (NIS2).
  • SME: Article 2(8) — by reference to Article 2 of Annex I to Commission Recommendation 2003/361/EC.
  • Software, hardware, component, manufacturer: Article 2(13)–(16) — each by reference to the Cyber Resilience Act (Regulation (EU) 2024/2847), Article 3 points (4), (5), (6), and (13) respectively.
  • Data centre: Article 2(10) — by reference to point 2.6.3.1.16 of Annex A to Regulation (EC) No 1099/2008.
  • Control: Article 2(21) — by reference to Article 2, point (6), of Regulation (EU) 2021/697. Pivotal to the sovereignty framework, since "control" bears on third-country influence.
  • Contracting authorities: Article 2(22) — by reference to Article 2(1), point (1), of Directive 2014/24/EU.
  • Open source licence: Article 2(25) — by reference to Article 2, point (12), of Regulation (EU) 2024/903.

(Article 2 also imports other administrative terms by reference, such as "public sector body," "Union entities," "small mid-cap," and "data centre operator.")

Original definitions: the sovereignty and audit framework

CADA defines natively the terms central to its new mechanisms:

  • Cloud computing service provider: Article 2(2) — "a legal entity which provides a cloud computing service." The service is imported, but the provider is defined in CADA to attach the framework's obligations to specific entities.
  • Frontier AI: Article 2(4) — "AI models or AI systems built upon such models that can perform a wide variety of tasks and that approach, reach or exceed the current state of the art." Underpins the recognition of frontier AI priority projects (Article 8).
  • AI agent: Article 2(5) — "an AI system or a coordinated set of AI systems, that can perceive and act upon their environment, with a degree of autonomy, using tools as needed to achieve specific goals and adapt to changing inputs and contexts." Supports the operational objective on advanced platforms for large-scale deployment of AI agents.
  • Audit-related terms:
    • Auditing organisation (Article 2(17)): "an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit."
    • Audited service (Article 2(18)): "a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion."
    • Audit criteria (Article 2(19)): the criteria, pursuant to Annex II, against which the auditing organisation assesses whether the audited provider and its audited service comply with each cumulative criterion for recognition at Union assurance levels 2, 3, or 4.
    • Audit evidence (Article 2(20)): any information used to support the audit findings and conclusions and to issue an audit opinion, including data from documents, databases or IT systems, interviews, or testing.

Why the audit terms are defined natively

These terms are bespoke because they serve a new mechanism: the Union cloud computing sovereignty framework. Unlike general cybersecurity certification, CADA's assurance levels rest on a specific harmonised set of criteria (Annex II) and evidence (Annex III) focused on sovereignty, localisation, and absence of third-country control. Defining the terms in CADA lets it specify scope, ensure consistency across Member States, and support legal certainty in the recognition process (Article 17).

What this means for you

For in-house counsel and compliance officers, the split has practical effects:

  • Cross-regulatory compliance. When CADA says "cloud computing service" or "AI system," you must read the NIS2 Directive and the AI Act for the full scope. CADA obligations may therefore layer onto services already governed by those instruments, calling for a consolidated approach.
  • Sovereignty audits. The original "auditing organisation," "audit criteria," and "audit evidence" signal a new audit type — independent assessments going beyond technical cybersecurity to legal and operational sovereignty checks.
  • Frontier AI and AI agents. The original definitions mark strategic-focus areas; developers may qualify for support under the leadership initiatives but should expect heightened scrutiny.
  • Control and third-country influence. The imported "control" definition (Regulation (EU) 2021/697) is decisive for whether a provider is under third-country influence — map corporate structures and supply chains against it for the higher assurance levels.

Common misconceptions

  • Misconception: "CADA redefines 'cloud computing service' to include AI models."
    • Reality: It imports the NIS2 definition. Recital 10 confirms the AI system itself and its underlying model are excluded; the service is the delivery mechanism.
  • Misconception: "All CADA definitions are new."
    • Reality: Many key terms are imported for consistency; only terms tied to CADA's new sovereignty and leadership mechanisms are original.
  • Misconception: "Audit criteria are the same as cybersecurity-certification criteria."
    • Reality: CADA's "audit criteria" relate specifically to the Annex II assurance-level requirements, which add sovereignty-specific elements (localisation, absence of third-country control) beyond a technical cybersecurity focus.

This is general information about a draft EU regulation, not legal advice.