Summary

Yes, under the proposed Cloud and AI Development Act (CADA), a business can sue a cloud provider for damages if the provider breaches obligations under the Union cloud computing sovereignty framework. Article 24(3) explicitly grants recipients the right to seek compensation for "any damage or loss suffered" due to such infringements. However, this is not an automatic payout; it is a private right of action that must be pursued through national courts in accordance with applicable Union and national law, requiring the claimant to prove the infringement, causation, and actual damage.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a dual enforcement mechanism for cloud computing service providers. While the primary focus of the regulation is on public enforcement, where national competent authorities impose administrative penalties and order the cessation of infringements, it also creates a distinct and critical pathway for private enforcement. This ensures that businesses relying on sovereign cloud services are not merely passive observers of regulatory compliance but have a direct legal recourse if a provider's failure causes them harm.

The Statutory Right to Compensation: Article 24(3)

The core of the private enforcement regime is found in Article 24, titled "Penalties and compensation." While paragraphs 1 and 2 of this article mandate that Member States establish effective, proportionate, and dissuasive administrative penalties (such as fines) for infringements, paragraph 3 carves out a specific civil remedy for service recipients.

The text of Article 24(3) states:

"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This provision is significant for three reasons:

  1. Direct Right: It creates a statutory right for the "recipient" (the business customer) to claim compensation directly from the provider.
  2. Scope of Harm: It covers "any damage or loss," a broad phrasing intended to encompass both direct financial losses and potentially consequential damages, subject to national interpretation.
  3. Trigger: The right is triggered specifically by an "infringement" of obligations "under this Chapter."

Scope: What Breaches Can Be Sued Over?

The right to sue is not unlimited; it is tethered to the specific obligations found in Title IV, Chapter I of the proposal, which establishes the "Union cloud computing sovereignty framework." This chapter covers the assurance levels (1–4) and the associated recognition, audit, and transparency obligations.

Consequently, a business can sue for breaches such as:

  • False Recognition: A provider claiming to hold Union assurance level 3 or 4 without meeting the criteria in Annex II (e.g., failing the "substantial" or "high" cybersecurity certification, or having unauthorized third-country control).
  • Audit Failures: A provider failing to undergo the required independent third-party audit for levels 2–4 (Article 20) or providing misleading audit evidence.
  • Transparency Violations: A provider failing to notify authorities of material changes that affect their recognition status (Article 23), such as a change in third-country control or a breach of data localisation rules.
  • Data Localisation Breaches: A provider processing or transferring customer data outside the Union in violation of the strict localisation criteria for the claimed assurance level (Annex II).

If a provider's failure to meet these specific sovereignty obligations results in tangible harm to a business customer (such as a forced migration due to a revoked assurance level, data exposure due to a lack of required security controls, or service disruption due to third-country interference), the recipient has a statutory basis to claim damages under Article 24(3).

The Role of National Law in Private Enforcement

A crucial aspect of Article 24(3) is the qualifying phrase: "in accordance with Union and national law." CADA does not create a standalone EU civil procedure code or a new EU court for these claims. Instead, it acts as a "gateway" provision that activates existing national legal frameworks.

This means:

  • Jurisdiction: The claim must be brought before the competent national courts. Jurisdiction will likely be determined by standard EU rules (such as the Brussels I Regulation recast), typically allowing the claimant to sue in the Member State where the provider is established or where the damage occurred.
  • Substantive Law: The definition of "damage," the rules on causation, the calculation of compensation, and the statute of limitations are governed by the national civil law of the Member State where the court sits. For instance, some Member States may have strict rules on proving "pure economic loss," while others may be more permissive.
  • Burden of Proof: The business (the recipient) bears the burden of proving three elements:
    1. Infringement: That the provider breached a specific obligation under Title IV, Chapter I.
    2. Causation: That this breach directly caused the harm.
    3. Damage or Loss: That the business suffered actual, quantifiable financial loss or damage.

Interaction with Contractual Agreements

In practice, cloud services are governed by complex Service Level Agreements (SLAs) and Data Processing Agreements (DPAs). These contracts often contain liability caps, exclusions of indirect damages, or "force majeure" clauses.

Article 24(3) introduces a statutory floor that may override or interact with these contractual terms. While a contract might limit liability for "service interruptions," a statutory claim for damages arising from a regulatory breach (e.g., a provider falsely claiming sovereignty status) could be argued as a separate cause of action. However, the interplay between statutory rights and contractual limitations is complex and will ultimately be decided by national courts. Businesses should be aware that Article 24(3) provides a powerful tool to challenge contractual waivers that attempt to exclude liability for regulatory non-compliance.

Distinction from Public Penalties

It is vital to distinguish the private right to compensation from the public penalties described in Article 24(1) and Article 26.

  • Public Penalties: These are administrative fines imposed by national competent authorities. These fines are paid to the state, not to the business. They are designed to punish the provider and deter future non-compliance.
  • Private Compensation: This is a civil remedy where the money is paid directly to the injured business to make them whole. The existence of a public fine does not preclude a private claim, nor does a private claim prevent a public fine. They are parallel tracks.

What this means for you

For in-house counsel, compliance officers, and procurement teams, the existence of Article 24(3) fundamentally alters the risk management strategy for cloud adoption.

1. Enhanced Vendor Due Diligence

Before signing a contract, verify the provider's status in the central repository established under Article 22. Do not rely solely on marketing materials. Check for valid audit reports (for levels 2–4) or a current EU statement of conformity (for level 1). A provider's failure to maintain this status is a breach of CADA that could trigger your right to compensation if it impacts your operations.

2. Contractual Safeguards

Review your SLAs and DPAs carefully. Standard terms often cap liability at the amount of fees paid or exclude "consequential damages." You should negotiate clauses that:

  • Explicitly preserve your right to seek compensation under Article 24(3).
  • Clarify that liability caps do not apply to damages arising from regulatory breaches or misrepresentation of assurance levels.
  • Include specific indemnities for costs associated with emergency migration if a provider loses their recognition status.

3. Evidence Preservation

To succeed in a claim, you must prove damage and causation. If a provider fails to notify you of a material change (as required by Article 23) and this leads to a service disruption or a forced migration, document every step. Keep records of:

  • Communications with the provider regarding the breach.
  • Costs incurred for emergency migration, data recovery, or downtime.
  • The specific regulatory obligation that was breached.

4. Incident Response Integration

Update your incident response plans to include regulatory breach scenarios. If a cloud provider suffers a compliance failure that leads to an outage, treat it not just as an IT incident but as a potential legal claim. Preserve all audit trails and financial records related to the disruption immediately.

5. Strategic Leverage

The threat of private litigation serves as a market-driven enforcement mechanism. Even if national authorities are slow to act, the prospect of a damages claim from a large enterprise can incentivize providers to maintain high standards of compliance and transparency.

Common misconceptions

Misconception 1: CADA imposes automatic financial penalties payable to the customer.

Correction: CADA provides a right to seek compensation. It does not impose automatic fines payable to customers. The customer must actively pursue a claim through national courts or arbitration, proving damage and causation under national civil law.

Misconception 2: Any breach of CADA gives rise to a compensation claim.

Correction: Article 24(3) specifically limits the right to compensation to infringements of obligations "under this Chapter" (Title IV, Chapter I). This primarily covers the sovereignty framework, recognition, and audit requirements. Breaches of other parts of CADA, such as data centre deployment rules (Title III) or leadership initiatives (Title II), do not automatically trigger this specific compensation right for service recipients, as those titles primarily impose obligations on Member States and project applicants.

Misconception 3: Compensation is limited to direct financial loss.

Correction: The text states "damage or loss." While national laws vary, this phrasing is broad. Depending on the jurisdiction, this could potentially include indirect losses, business interruption, or reputational damage, provided they are provable and foreseeable under local civil code standards. Do not assume your national law limits this to direct costs only.

Misconception 4: The EU Commission handles compensation claims.

Correction: The European Commission and national competent authorities handle public enforcement (fines, orders to cease). They do not adjudicate private compensation claims. Those are strictly matters for national judicial systems.

This is general information about a draft EU regulation, not legal advice.