Which CADA definitions come from the NIS2 Directive?

Summary The proposed Cloud and AI Development Act (CADA) does not create new definitions for its core infrastructure concepts. Instead, Article 2 of the proposal explicitly imports definitions from the NIS2 Directive (Directive (EU) 2022/2555). Specifically, CADA Article 2(1) adopts the NIS2 definition of a 'cloud computing service' (Article 6, point 30), and Article 2(12) adopts the definition of a 'data centre service' (Article 6, point 31). This legislative technique ensures that the scope of CADA's sovereignty and capacity-building measures aligns precisely with the Union's existing cybersecurity framework, preventing regulatory fragmentation for providers operating at the intersection of data resilience and cloud infrastructure.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by addressing dependencies on third-country providers and boosting domestic compute capacity. To achieve this without creating parallel, conflicting regulatory definitions, the proposal explicitly anchors its core terminology in the NIS2 Directive. This approach is detailed in Article 2 of the CADA proposal, which sets out the definitions applicable to the Regulation.

1. 'Cloud computing service' (Article 2(1) CADA)

CADA Article 2(1) defines a 'cloud computing service' by reference to external legislation:

"cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555"

Under the NIS2 Directive, Article 6(30) defines a cloud computing service as:

"a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations."

Why this matters for CADA: By adopting the NIS2 definition, CADA ensures that any entity classified as a cloud computing service provider under cybersecurity rules is subject to the same baseline definition for sovereignty and procurement rules. The CADA explanatory memorandum (Recital 10) clarifies that this definition "encompasses on-demand access to AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/1689 ('Artificial Intelligence Act'), hosted and operated remotely." However, it crucially notes that "Only the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition." This distinction is vital for architects separating the infrastructure layer from the model layer.

2. 'Data centre service' (Article 2(12) CADA)

CADA Article 2(12) similarly imports the definition of a 'data centre service':

"data centre service as defined in Article 6, point (31), of Directive (EU) 2022/2555"

Under NIS2, Article 6(31) defines a data centre service as:

"a service that provides physical infrastructure for the processing, storage, or transfer of data, including the associated facilities and equipment."

Why this matters for CADA: This definition is central to Title III of CADA, which establishes data centre acceleration zones and strategic project designations. By using the NIS2 definition, the proposal ensures that the entities responsible for physical infrastructure resilience under cybersecurity law are the same entities navigating the permitting and sustainability requirements under CADA. This alignment simplifies compliance for operators who manage both the physical facility and the cloud services hosted within it.

3. Ensuring Consistent Scope Across Regimes

The deliberate reuse of these definitions serves a strategic legislative purpose. The CADA explanatory memorandum states that the proposal is consistent with the NIS2 Directive, which improves cybersecurity risk management for cloud computing service providers and data centres. However, it notes that NIS2 is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

By importing the definitions, CADA:

• Avoids Redefinition: Prevents the need to draft and debate new definitions for well-established concepts, speeding up the legislative process and ensuring legal certainty.
• Harmonizes Obligations: Ensures that a provider subject to NIS2 cybersecurity obligations is clearly within the scope of CADA's sovereignty framework if they offer cloud or data centre services.
• Clarifies the AI Boundary: As noted in Recital 10, while the NIS2 definition of cloud computing services includes on-demand access to AI systems, CADA carefully delineates that the AI system itself is not the cloud service. This prevents the AI Act's definitions from bleeding into the infrastructure-focused provisions of CADA, maintaining a clear separation between model governance (AI Act) and infrastructure sovereignty (CADA).

4. Other Related Definitions in Article 2

While the question focuses on NIS2, it is worth noting that CADA Article 2 also imports definitions from other instruments to maintain this ecosystem approach, creating a unified regulatory language across the EU's digital stack:

• 'AI system' (Article 2(3)): Defined by reference to Article 3(1) of the AI Act (Regulation (EU) 2024/1689).
• 'Public sector body' (Article 2(6)): Defined by reference to Article 2(1) of Directive (EU) 2019/1024 (Open Data Directive).
• 'Software', 'Hardware', 'Component', 'Manufacturer' (Articles 2(13)–2(16)): Defined by reference to the Cyber Resilience Act (Regulation (EU) 2024/2847).

This web of cross-references ensures that CADA operates as a layer within the broader EU digital regulatory architecture, rather than in isolation.

What this means for you

For CTOs, architects, and SMEs, the importation of NIS2 definitions into CADA has three practical implications:

1. Unified Compliance Strategy: If your organization is already classified as an essential or important entity providing cloud or data centre services under NIS2, you are automatically within the scope of CADA's definitions. You do not need to reassess whether you qualify as a "cloud provider" under a new, separate standard. Your NIS2 classification triggers CADA obligations.
2. Infrastructure vs. Model Separation: When designing your architecture, remember that CADA's sovereignty framework (e.g., Union Assurance Levels) applies to the cloud computing service (the infrastructure and delivery mechanism), not the AI model itself. However, the AI system used within that service is defined by the AI Act. This means you must comply with NIS2/CADA rules for the infrastructure's location, data residency, and operational autonomy, while separately complying with AI Act rules for the model's transparency and risk management.
3. Procurement and Sovereignty: For public sector buyers, the use of NIS2 definitions means that when they conduct risk assessments under CADA Article 29, they are evaluating the same service types they already monitor for cybersecurity risks. This allows for integrated due diligence: a provider's NIS2 compliance status can inform their suitability for CADA's Union Assurance Levels, though the criteria for assurance (e.g., data localisation, personnel citizenship) are distinct and stricter under CADA.

Common misconceptions

• "CADA creates a new definition of cloud service."
  • Correction: No. CADA explicitly references the existing NIS2 definition. There is no new legislative text defining what a cloud service is; it adopts the NIS2 standard verbatim.
• "If I provide AI models, I am a cloud computing service provider under CADA."
  • Correction: Not necessarily. Recital 10 clarifies that while cloud services can include on-demand access to AI systems, the AI system itself is excluded from the definition of cloud computing service. If you only provide the model API without the broader scalable, elastic pool of shareable computing resources defined in NIS2, you may not fall under the 'cloud computing service' definition, though you will fall under the 'AI system' definition from the AI Act.
• "NIS2 cybersecurity compliance equals CADA sovereignty compliance."
  • Correction: While the definitions align, the obligations do not. NIS2 focuses on technical cybersecurity risk management. CADA focuses on sovereignty, data localisation, and operational autonomy. A provider can be NIS2-compliant but fail to meet CADA's Union Assurance Level 2 or 3 criteria (e.g., if data is stored outside the EU or if personnel are not EU citizens).

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• Which CADA obligations stack with NIS2 obligations?
• How does CADA interact with the NIS2 Directive?
• Does CADA require a separate risk assessment from DORA and NIS2 risk management?
• Which existing EU certifications can be reused as CADA tier evidence?
• Which EU laws does CADA stack on top of? A guide to the new sovereignty layer

This is general information about a draft EU regulation, not legal advice.