Summary
No, the proposed Cloud and AI Development Act (CADA) does not harmonise specific penalty amounts or maximum fine ceilings across the European Union. Under Article 24(1), the proposal explicitly requires each Member State to "lay down the rules on penalties" applicable to infringements by cloud computing service providers. While the regulation mandates a unified qualitative standard, namely that penalties must be "effective, proportionate and dissuasive", it does not prescribe fixed monetary caps or percentage-based formulas. Consequently, while the legal framework is uniform, the quantitative financial consequences of non-compliance will vary significantly depending on the national legal traditions and specific implementing legislation of each Member State.
Detail
The enforcement architecture of the Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a distinct departure from the penalty regimes found in the General Data Protection Regulation (GDPR) or the AI Act. While those instruments establish harmonised maximum fines (e.g., percentages of global turnover), CADA adopts a decentralised approach to sanctions, reflecting the proposal's focus on sovereignty and the diverse legal landscapes of the Member States.
The Legislative Mandate: Member States Set the Rules
The core of the penalty regime is found in Article 24(1) of the proposal. This provision places the primary legislative burden on national authorities rather than the EU legislator. The text states:
"Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented."
This wording confirms that the EU regulation does not create a direct, self-executing fine schedule. Instead, it acts as a framework directive in substance, requiring national parliaments and regulators to transpose the obligation to penalise infringements into domestic law. Member States are further required to notify the Commission of these rules and any subsequent amendments "as soon as possible," ensuring transparency but not uniformity in the final amounts.
The Unified Standard: "Effective, Proportionate and Dissuasive"
Although the specific numbers are not harmonised, the nature of the penalties is strictly defined. Article 24(1) imposes a mandatory triad of principles that all national penalty regimes must satisfy:
"The penalties provided for shall be effective, proportionate and dissuasive."
This standard is a cornerstone of EU internal market law, designed to prevent penalties from being merely symbolic or, conversely, excessively punitive.
- Effective: The penalty must be capable of being enforced and actually reaching the infringing entity.
- Proportionate: The sanction must be commensurate with the gravity of the infringement, considering the specific circumstances of the case.
- Dissuasive: The penalty must be sufficiently severe to deter both the specific infringer and the wider market from repeating the violation.
This qualitative harmonisation ensures that while a fine in one Member State might be €500,000 and in another €2 million for a similar breach, both must meet the threshold of being a genuine deterrent under their respective national laws.
Guiding Criteria: The Role of Union Turnover
To assist Member States in applying the "proportionate and dissuasive" standard consistently, Article 24(2) provides a non-exhaustive list of criteria that must be taken into account when determining the penalty. These criteria include:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken to mitigate or remedy the damage.
- Any previous infringements by the party.
- Financial benefits gained or losses avoided due to the infringement.
- Any other aggravating or mitigating factors.
- The infringing party's annual turnover in the preceding financial year in the Union.
The inclusion of "annual turnover in the Union" is a critical distinction. Unlike the GDPR or the AI Act, which often reference "total worldwide annual turnover," CADA specifically limits this reference to the Union. This suggests that the financial exposure for providers under CADA is calibrated to their economic footprint within the EU single market, rather than their global revenue. However, it is vital to note that this is a criterion for consideration, not a cap. The final fine amount remains at the discretion of the national authority, provided it meets the "effective, proportionate and dissuasive" test.
Private Right of Action: Compensation for Recipients
Beyond administrative penalties imposed by public authorities, Article 24(3) introduces a private enforcement mechanism. It grants recipients of cloud computing services the right to seek compensation for damages:
"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision creates a dual layer of liability. Even if a national authority decides not to impose a heavy administrative fine, a cloud provider could still face significant financial liability through civil litigation from customers (public sector bodies or private entities) who suffered loss due to a breach of the sovereignty framework. The phrase "in accordance with Union and national law" again underscores that the procedural and substantive rules for these claims will be governed by the legal system of the Member State where the claim is brought.
Enforcement Powers and Competent Authorities
The practical application of these penalties relies on the national competent authorities designated under Article 25. These authorities are granted specific investigative and enforcement powers under Article 26, including the power to order the cessation of infringements, impose remedies, and impose fines or periodic penalty payments. The exercise of these powers is subject to national procedural safeguards, including the right to be heard and access to the file, further embedding the enforcement process within national legal frameworks.
What this means for you
For legal counsel, compliance officers, and cloud service providers, the lack of harmonised penalty amounts in CADA necessitates a granular, jurisdiction-specific risk management strategy.
1. Jurisdiction-Specific Risk Mapping
You cannot rely on a single "EU-wide" fine estimate. You must map the penalty regimes of every Member State where you have a main establishment or provide services to public sector bodies. A violation of Article 16 (sovereignty framework) or Article 30 (procurement obligations) could result in vastly different financial exposures in Germany compared to Portugal. Monitor the transposition of Article 24 into national law closely once the proposal is adopted.
2. Strategic Use of Mitigation Criteria
Since Article 24(2) lists mitigation efforts as a key criterion, your response to a potential breach is as important as the breach itself. If an infringement occurs (e.g., a failure to maintain data residency), immediate remediation and transparent reporting can significantly reduce the penalty. Documenting these actions gives the national authority a concrete evidential basis for the mitigation criterion, which can bring the fine down to the lowest level that still satisfies the "dissuasive" and "proportionate" requirements.
3. Managing Private Liability
Do not focus solely on administrative fines. Article 24(3) exposes providers to direct civil liability. Review your contracts with public sector bodies and other clients. While you may have contractual limitation of liability clauses, statutory rights to compensation for infringement may override these. Ensure your insurance coverage and indemnification clauses account for the risk of customer claims arising from sovereignty framework breaches.
4. Evidence as a Shield
The penalty regime is inextricably linked to the audit and recognition process. Maintaining rigorous audit trails (as required by Article 21) and adhering to transparency obligations (Article 23) is your primary defence. If a national authority investigates, the quality of your evidence regarding compliance with Annex II criteria will directly influence the "nature and gravity" assessment under Article 24(2).
Common misconceptions
"CADA sets a maximum fine of X% of turnover." This is incorrect. Unlike the AI Act (which sets fines up to 7% of global turnover) or the GDPR (up to 4% of global turnover), CADA does not establish a maximum percentage or a fixed monetary cap. The reference to "annual turnover in the Union" in Article 24(2) is merely one of several factors authorities must consider, not a formula for calculating a cap.
"Penalties will be the same across all EU countries." False. Article 24(1) explicitly delegates the power to "lay down the rules" to Member States. While the standard (effective, proportionate, dissuasive) is harmonised, the amounts and procedures will differ. A provider operating in multiple Member States must expect a fragmented penalty landscape.
"The EU Commission will impose the fines." Incorrect. The Commission does not have direct enforcement powers to impose fines under CADA. Enforcement is the exclusive competence of the national competent authorities designated by each Member State under Article 25. The Commission's role is limited to oversight, coordination, and ensuring Member States notify their rules.
"Only administrative fines apply." False. Article 24(3) creates a distinct right for recipients to seek compensation for damages. This means a provider could face both an administrative fine from a national authority and a civil lawsuit from a customer for the same infringement.
This is general information about a draft EU regulation, not legal advice.