Summary
As proposed, CADA Article 24 establishes a distinct liability regime for breaches of the cloud sovereignty framework: Member States would impose "effective, proportionate and dissuasive" penalties, and recipients of the service would have a right to seek compensation for damage. Unlike the GDPR's harmonised administrative fines (up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements), CADA would delegate penalty-setting to national authorities and add a civil-compensation track. The GDPR targets personal-data protection through supervisory authorities; CADA, as proposed, would target sovereignty and operational-autonomy failures, enforced by national competent authorities designated under Article 25.
Detail
The CADA proposal would introduce a new compliance layer for cloud computing service providers serving the EU public sector. To understand the enforcement landscape, distinguish the GDPR's data-centric administrative fines from CADA's sovereignty-centric penalty and compensation framework.
CADA's penalty and compensation framework (Article 24)
CADA Article 24 sets out the rules on penalties and compensation for infringements of the sovereignty chapter (Chapter I of Title IV). It operates on two tracks.
1. State-imposed penalties. Article 24(1) provides that Member States "shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented." Those penalties "shall be effective, proportionate and dissuasive."
CADA would not set a fixed EU-wide fine ceiling (such as a percentage of global turnover). Instead, Article 24(2) gives a non-exhaustive list of criteria Member States must take into account:
- the nature, gravity, scale and duration of the infringement;
- any action taken to mitigate or remedy the damage;
- any previous infringements by the same party;
- the financial benefits gained or losses avoided, insofar as they can be reliably established;
- any other aggravating or mitigating factor;
- the infringing party's annual turnover in the preceding financial year in the Union.
This leaves the calculation of fines to national discretion, which could produce variation across Member States — unlike the harmonised maximums in the GDPR.
2. Right to compensation. Article 24(3) introduces a direct civil-liability route: "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter." This empowers public and private customers to claim damages if a provider fails to meet its sovereignty obligations (for example, unauthorised data access or loss of operational autonomy).
The GDPR's fine structure
The GDPR establishes a harmonised, two-tier administrative fine system enforced by national data protection authorities (DPAs):
- Lower tier: up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for infringements such as record-keeping or controller/processor obligations.
- Higher tier: up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for the most serious infringements (e.g. breaches of basic processing principles, lawful basis, or data-subject rights).
The GDPR also allows compensation claims by data subjects (Article 82), but the dominant enforcement pressure comes from the threat of administrative fines.
Comparison of enforcement regimes
| Feature | CADA (as proposed) | GDPR |
|---|---|---|
| Primary focus | Cloud sovereignty, operational autonomy, freedom from third-country control. | Personal-data protection, privacy rights, lawful processing. |
| Penalty setter | Member States (national discretion). | EU-wide harmonised maximums. |
| Fine ceiling | No EU-wide cap; based on national law and Article 24(2) criteria. | Up to €20 million or 4% of global turnover (higher tier). |
| Enforcer | National competent authorities (designated under Article 25). | National data protection authorities (DPAs). |
| Civil liability | Explicit right for recipients to claim compensation (Article 24(3)). | Data subjects can claim compensation (Article 82). |
| Trigger | Failure to meet the requirements of a Union assurance level, or misleading information about it. | Breach of data-protection principles or obligations. |
Who enforces what?
CADA enforcement. Under Article 25, Member States would designate one or more national competent authorities to enforce the sovereignty chapter. Article 25(4) provides that the Member State of the provider's main establishment has exclusive competence for enforcing that chapter — a single-authority approach. Under Article 26, those authorities would have investigative powers and enforcement powers, including ordering cessation of infringements, imposing fines, and imposing periodic penalty payments (in accordance with Article 24).
GDPR enforcement. GDPR enforcement is handled by independent DPAs in each Member State, with a one-stop-shop for cross-border cases. DPAs set fines using the criteria in GDPR Article 83.
What this means for you
For in-house counsel and compliance officers, CADA and the GDPR would create a dual-compliance burden with distinct risk profiles.
- Contractual risk management. Article 24(3) shifts significant risk to providers. Customers — especially public bodies and entities in critical sectors — will likely demand robust warranties and indemnities. Ensure cloud contracts expressly address compensation for sovereignty-related failures, not just data breaches.
- National penalty variance. Unlike the GDPR, where the maximum fine is predictable, CADA penalties would vary by Member State. Organisations operating across the EU should monitor national transposition to gauge exposure in each jurisdiction.
- Evidence preservation. For Union assurance levels 2–4, audits are rigorous and Article 21 governs the audit evidence that must be established, so that evidence should be retained. Because the "financial benefits gained or losses avoided" criterion (Article 24(2)(d)) must be taken into account when penalties are set, it could weigh heavily for large providers.
- Operational continuity as a legal obligation. GDPR fines often follow data leaks; CADA penalties may follow operational failures, such as service disruption or third-country access. Integrate sovereignty-risk assessment into continuity planning.
Common misconceptions
Misconception 1: CADA replaces the GDPR for cloud providers. It does not. CADA's explanatory memorandum states the proposal is consistent with the GDPR. Providers would have to comply with both — GDPR for personal-data processing and CADA for sovereignty obligations. A provider can be GDPR-compliant yet still fail a Union assurance level.
Misconception 2: CADA fines are as high as GDPR fines. CADA prescribes no percentage-of-turnover ceiling. While Member States must consider turnover (Article 24(2)(f)), there is no harmonised maximum, so fines could be lower or higher depending on national law. In practice the larger exposure under CADA may be civil compensation claims from customers (Article 24(3)), which turn on actual damages.
Misconception 3: Only public-sector bodies are affected by CADA penalties. The penalties in Article 24 apply to cloud computing service providers seeking recognition under the Union assurance levels. While CADA's mandatory procurement rules (Articles 29–30) target public buyers, the sovereignty framework — and provider liability — applies regardless of customer type once a provider is recognised. Private entities in high-criticality sectors may also carry out impact assessments under Article 31.
This is general information about a draft EU regulation, not legal advice.