Are CADA periodic penalty payments capped? Article 24 & 26 explained

Summary Under the proposed Cloud and AI Development Act (CADA), periodic penalty payments are not subject to a fixed EU-wide monetary cap. Instead, Article 24 requires Member States to establish national rules for penalties that are "effective, proportionate and dissuasive," leaving specific amounts and ceilings to national law. National competent authorities may impose these recurring payments under Article 26(2)(c) to compel compliance with orders, provided the measures remain strictly proportionate to the infringement and the provider's economic capacity under Article 26(3). Unlike the AI Act's turnover-based caps, CADA's enforcement relies on a case-by-case proportionality assessment.

Detail

The enforcement architecture of the proposed Cloud and AI Development Act (CADA) distinguishes sharply between punitive administrative fines and coercive periodic penalty payments. For legal counsel and compliance officers, understanding the interplay between Article 24 (Penalties and compensation) and Article 26 (Powers of the national competent authorities) is critical for accurate risk modelling and remediation planning.

No EU-Wide Statutory Cap

Unlike the EU AI Act, which explicitly sets maximum fines at percentages of global turnover (e.g., 7% for prohibited practices under Article 99), CADA does not prescribe a specific maximum amount or percentage of turnover for periodic penalty payments.

Article 24(1) mandates that "Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence." It further stipulates that these penalties must be "effective, proportionate and dissuasive." Crucially, the text does not define a numerical ceiling.

Article 24(2) provides a non-exhaustive list of criteria Member States must consider when determining penalty levels, including:

• The nature, gravity, scale and duration of the infringement.
• Any action taken by the infringing party to mitigate or remedy the damage.
• Any previous infringements by the infringing party.
• The financial benefits gained or losses avoided by the infringing party.
• The infringing party's annual turnover in the preceding financial year in the Union.

Because Article 24 delegates the definition of penalty structures to national legislators, the "cap" on periodic penalties is determined by the specific Member State where the cloud computing service provider has its main establishment. Some Member States may introduce statutory maximums in their transposition laws, while others may leave the amount to the discretion of the competent authority or the courts, bounded only by the general principle of proportionality.

The Mechanism of Periodic Penalty Payments

Periodic penalty payments serve a distinct legal function from standard administrative fines. While fines punish past non-compliance, periodic penalties are coercive tools designed to compel future compliance.

Article 26(2) outlines the enforcement powers of national competent authorities. Specifically, Article 26(2)(c) grants authorities the power "to impose a periodic penalty payment, or to request a judicial authority in their Member State to do so, in accordance with Article 24 to ensure that an infringement is terminated in compliance with an order issued pursuant to point (a), or for failure to comply with any of the investigative orders issued pursuant to paragraph 1."

This mechanism is triggered only when:

1. A competent authority has issued a specific order to cease an infringement or comply with an investigative request (under Article 26(2)(a) or 26(1)).
2. The cloud computing service provider fails to comply with that order.
3. The authority imposes a recurring payment (e.g., daily or weekly) that accrues until compliance is achieved.

Proportionality as the Primary Constraint

Although there is no fixed EU cap, the imposition of periodic penalties is strictly constrained by the principle of proportionality. Article 26(3) states that measures taken by national competent authorities "shall be effective, dissuasive and proportionate, having regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement to which those measures relate, and, where relevant, the economic, technical and operational capacity of the service provider concerned."

This provision is vital for compliance strategy. It implies that a periodic penalty cannot be set at a level that would be ruinous if the infringement is minor or if the provider lacks the technical capacity to comply immediately. However, for large hyperscalers, the "economic, technical and operational capacity" allows for significant penalty amounts to ensure the measure remains "dissuasive." The authority must balance the need to stop the infringement against the provider's ability to pay, but "proportionate" does not mean "low" for major market players.

Interaction with Administrative Fines

It is essential to distinguish periodic penalties from the administrative fines also mentioned in Article 26(2)(b). Article 26(2)(b) allows authorities "to impose fines... for failure to comply with this Regulation." These are likely one-off penalties for specific breaches.

Periodic penalties under Article 26(2)(c) are specifically tied to the continuation of non-compliance after an order has been issued. A provider could theoretically face both:

• A one-off administrative fine for the initial breach of the regulation.
• A periodic penalty for failing to stop the breach or provide information after being ordered to do so.

Both must adhere to the criteria in Article 24 and the proportionality test in Article 26(3).

What this means for you

For in-house counsel and compliance officers operating cloud services in the EU, the lack of a fixed cap on periodic penalties introduces significant financial uncertainty. You cannot rely on a standard EU-wide ceiling to model worst-case liability scenarios.

1. Monitor National Transposition: Once CADA is adopted, you must closely monitor the national laws of each Member State where you have a main establishment or significant operations. The "cap" will be defined in these national implementing measures, not in the Regulation itself.
2. Prioritize Remediation Orders: The trigger for periodic penalties is the failure to comply with an order from a competent authority. If your organization receives an order to cease an infringement or provide information, immediate compliance is the only way to avoid the accrual of periodic penalties. Deliberate delay or partial compliance will likely result in escalating costs.
3. Assess Economic Capacity: When negotiating with authorities or defending against penalty amounts, leverage Article 26(3). If a proposed periodic penalty is disproportionately high relative to your company's economic, technical, or operational capacity, or relative to the gravity of the infringement, you have a legal basis to challenge the amount.
4. Document Mitigation Efforts: Article 24(2)(b) requires authorities to consider "any action taken by the infringing party to mitigate or remedy the damage." Comprehensive documentation of remediation steps can influence both the initial fine and the severity of any periodic penalties.

Common misconceptions

Misconception 1: CADA has the same fine structure as the AI Act. No. The AI Act sets explicit maximum fines (e.g., 7% of global turnover under Article 99). CADA does not. It relies on Member States to define the penalty framework, subject to the principles of effectiveness and proportionality. Do not assume the AI Act's percentages apply to CADA.

Misconception 2: Periodic penalties are just another type of fine. No. Periodic penalties are coercive. They are intended to force compliance with a specific order. They continue until the infringement is terminated. Standard fines are punitive for past behavior.

Misconception 3: The EU Commission sets the penalty amounts. No. Article 25 establishes national competent authorities in the Member State of the provider's main establishment as having exclusive competence for enforcement. The Commission may coordinate or request information, but the imposition of penalties is a national authority function.

Misconception 4: Small providers are immune to significant penalties. While proportionality (Article 26(3)) protects against ruinous penalties, it also considers the "economic capacity" of the provider. For large providers, "proportionate" can still mean millions of euros per day if the infringement is severe and persistent. For smaller entities, the penalty must be calibrated to their capacity, but it remains "dissuasive."

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• Who sets the penalty rules under CADA? Article 24 explained
• What is a periodic penalty payment under CADA?
• Do CADA inspections need a court order? Article 26 explained
• Can a CADA fine and a periodic penalty be combined?
• What is the right to compensation under CADA (Article 24)?

This is general information about a draft EU regulation, not legal advice.