Summary
The proposed Cloud and AI Development Act (CADA) borrows many definitions from existing EU laws — among them the AI Act, the NIS2 Directive, and the Cyber Resilience Act — to ensure regulatory coherence and avoid conflicting interpretations. By cross-referencing these instruments in Article 2, CADA gives terms like "cloud computing service" and "AI system" a single, consistent meaning across the EU digital rulebook. For in-house counsel, this means CADA obligations cannot be assessed in isolation; they sit on top of the definitions, and often the obligations, of the laws CADA points to.
Detail
CADA is designed as a framework to strengthen Europe's cloud and AI ecosystem. A defining feature of the proposal is its heavy reliance on definitions from other EU instruments. This is deliberate: it keeps CADA consistent with an increasingly dense digital regulatory landscape.
The role of Article 2: definitions
Article 2 of the CADA proposal sets out the definitions for the Regulation. Rather than building a fresh lexicon, it frequently directs the reader to other existing EU laws — a cross-referencing technique that keeps CADA in harmony with the wider acquis.
Key examples, as proposed in Article 2:
- Cloud computing service (Article 2(1)): defined by reference to Article 6, point (30), of the NIS2 Directive (Directive (EU) 2022/2555). This aligns CADA's cloud scope with existing cybersecurity-resilience law.
- AI system (Article 2(3)): defined by reference to Article 3, point (1), of the AI Act (Regulation (EU) 2024/1689), so CADA captures the same set of systems already regulated for safety and fundamental rights.
- Software, hardware, and component (Article 2(13)-(15)): defined by reference to Article 3 of the Cyber Resilience Act (Regulation (EU) 2024/2847), linking CADA to the EU's horizontal cybersecurity standards for products with digital elements.
- Control (Article 2(21)): defined by reference to Article 2, point (6), of Regulation (EU) 2021/697. This is central to CADA's autonomy framework, since whether a provider is subject to third-country control is a key criterion for the higher Union assurance levels.
- Contracting authorities (Article 2(22)): defined by reference to Directive 2014/24/EU on public procurement, aligning CADA's procurement rules with existing public-buying obligations.
Imported versus original definitions
While CADA imports many definitions, it does introduce original ones for concepts specific to its new mechanisms. Knowing which terms are original matters, because these carry obligations that do not exist in the referenced laws.
Original CADA definitions in Article 2 include:
- Frontier AI (Article 2(4)): "AI models or AI systems built upon such models that can perform a wide variety of tasks and that approach, reach or exceed the current state of the art." Central to CADA's research and innovation initiatives.
- AI agent (Article 2(5)): "an AI system or a coordinated set of AI systems, that can perceive and act upon their environment, with a degree of autonomy, using tools as needed to achieve specific goals and adapt to changing inputs and contexts."
- Auditing organisation (Article 2(17)): an organisation, consortium, or combination of organisations contracted to perform an independent audit of a cloud computing service provider — a role created for CADA's assurance-verification mechanism.
- Audited service, audit criteria, and audit evidence (Article 2(18)-(20)): the building blocks of the third-party assessment used for Union assurance levels 2-4, with audit criteria tied to Annex II.
The concept of Union assurance levels (levels 1-4) is also an original CADA construct, established in Article 16 with criteria in Annex II. (By contrast, "Experience and Acceleration Centres for AI" are not defined in Article 2; they are established under Article 5.)
The principle of legislative coherence
The Commission uses cross-referencing to uphold legislative coherence — EU laws should not contradict one another and should build on existing frameworks.
- Avoiding fragmentation: Had CADA invented a slightly different definition of "cloud computing service," providers could face conflicting classifications under NIS2 and CADA. A shared definition prevents that.
- Reducing compliance burden: Reusing definitions means businesses already mapped to NIS2 or the AI Act do not need to re-classify their services under separate CADA definitions, supporting a "classify once" approach where possible.
- Coherence over time: Cross-referencing keeps the meaning of borrowed terms tied to their source instruments rather than to a separate, potentially drifting CADA text.
Implications for autonomy and risk assessment
The choice of definitions feeds directly into CADA's core mechanism: the Union cloud computing sovereignty framework. The "control" definition (Regulation (EU) 2021/697) matters because the higher Union assurance levels turn on assessing third-country control, and reusing an established legal test makes those assessments more defensible. Likewise, anchoring "cloud computing service" to NIS2 ties CADA's autonomy obligations to entities already recognised under EU cybersecurity law.
What this means for you
For in-house counsel and compliance officers, the cross-referenced definitions mean compliance cannot be siloed.
- Holistic scoping: First determine whether your service falls within NIS2's "cloud computing service" or the AI Act's "AI system." If it does, CADA's relevant obligations may apply on top.
- Supply-chain due diligence: The "control" definition requires looking beyond direct ownership to indirect control and influence — relevant to whether a provider can qualify for higher Union assurance levels.
- Procurement strategy: As a contracting authority (per Directive 2014/24/EU), determine whether CADA's procurement rules apply and which Union assurance level a risk assessment requires.
- Monitor linked instruments: Because CADA leans on other laws, changes to the AI Act, NIS2, or the Cyber Resilience Act can affect how CADA terms are read. Track amendments to those instruments.
Common misconceptions
- "CADA defines everything itself." It does not — it is deeply interconnected. Ignoring the NIS2 or AI Act definitions can lead to misclassifying a service.
- "Only CADA-specific terms matter." The imported definitions (e.g. "cloud computing service") set the initial scope. Miss the NIS2 definition and you may wrongly conclude CADA does not apply.
- "Regulation (EU) 2021/697 is the Data Governance Act." It is not. CADA's "control" definition points to Article 2(6) of Regulation (EU) 2021/697; the Data Governance Act is a separate instrument (Regulation (EU) 2022/868). Always check the regulation number, not the nickname.
This is general information about a draft EU regulation, not legal advice.