Can a CADA authority act on a tip from a competitor?

Summary As proposed, national competent authorities under the Cloud and AI Development Act (CADA) would have the explicit power to act on information provided by competitors. Article 26(1)(a) grants authorities the authority to require information from "any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement." This broad scope includes competitors who may possess technical or market insights into a rival's compliance status. However, this power is strictly bounded by procedural safeguards under Article 26(4), which mandates that all investigative measures respect the "right to respect for private life," the "rights of defence" (including the right to be heard and access to the file), and the "right of all affected parties to an effective judicial remedy."

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous enforcement framework to ensure compliance with the Union cloud computing sovereignty framework and data centre deployment rules. A critical component of this framework is the investigative capacity of national competent authorities, specifically detailed in Article 26. The question of whether an authority can initiate or advance an investigation based on a tip from a competitor is resolved by examining the scope of information sources permitted under the Regulation and the procedural limits imposed on how that information is processed.

Broad Scope of Information Sources under Article 26(1)(a)

Article 26(1)(a) of the CADA proposal grants national competent authorities of establishment the power to require information from a wide array of sources. The text explicitly states that authorities may require "any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement of this Regulation."

This phrasing is intentionally expansive. It does not limit the source of information to the audited provider itself, nor does it restrict it to public whistleblowers or internal employees. The term "any other persons" encompasses a diverse range of market participants, including direct competitors, subcontractors, former employees, industry analysts, or technical experts. If a competitor possesses information that relates to a suspected infringement—for example, evidence suggesting a rival is misrepresenting their Union assurance level, failing to meet data localisation requirements under Annex II, or operating infrastructure outside the Union contrary to their certification—they fall squarely within the category of persons who may be "reasonably expected to be aware of information relating to a suspected infringement."

Consequently, a national competent authority would be legally empowered to solicit and act upon such tips. The authority is not required to wait for a formal complaint; it may proactively request information from a competitor if the authority deems that person to be in possession of relevant data regarding a suspected breach of the Regulation.

The Obligation to Investigate Suspected Infringements

While the proposal does not explicitly state that authorities must investigate every single tip received, the structure of Article 26 implies a duty to act on credible suspicions to fulfill their mandate. The powers listed in Article 26(1) are triggered "Where needed to carry out their tasks under Article 17," which concerns the recognition of cloud computing service providers and the maintenance of the central repository of recognised services.

If a tip from a competitor provides reasonable grounds to suspect that a provider's recognition was obtained through misleading information, or that a provider no longer meets the cumulative criteria for their assurance level, the authority has the mandate to investigate. Article 26(1)(b) further supports this by allowing authorities to carry out, or request a judicial authority to order, inspections of any premises used for trade or business purposes. This power enables authorities to escalate from mere information requests to on-site or remote inspections if the initial tip suggests a substantive infringement.

Furthermore, Article 26(1)(c) empowers authorities to ask any member of staff or representative of the provider to give explanations regarding the suspected infringement. This creates a comprehensive investigative toolkit that can be deployed once a credible tip—whether from a competitor or another source—triggers a suspicion of non-compliance.

Procedural Safeguards under Article 26(4)

The power to act on competitor tips is not unlimited. Article 26(4) imposes strict safeguards to prevent abuse of power and protect the rights of the investigated party. It states that measures taken by national competent authorities in exercising their powers must be "effective, dissuasive and proportionate." Crucially, it mandates that the exercise of these powers is subject to "adequate safeguards under applicable national law in compliance with the general principles of Union law."

These safeguards are explicitly enumerated in Article 26(4):

1. Right to Respect for Private Life: Investigations must not disproportionately infringe on the privacy of individuals or the confidential business information of companies. Authorities must ensure that the collection of information does not violate fundamental rights.
2. Rights of Defence: The investigated provider has the "rights to be heard and to have access to the file." This is a critical protection. A competitor's tip cannot be the sole, unchallengeable basis for a penalty or a recognition revocation. The provider must be given a meaningful opportunity to respond to the allegations, review the evidence (subject to confidentiality protections), and present their case before a final decision is made.
3. Effective Judicial Remedy: The article guarantees the "right of all affected parties to an effective judicial remedy." Any party affected by an investigative measure or a final decision has the right to challenge the authority's actions in court.

Additionally, Article 26(3) requires that measures take into account the "nature, gravity, recurrence and duration of the infringement" and the "economic, technical and operational capacity of the service provider concerned." This proportionality test ensures that a minor, unsubstantiated, or malicious tip from a competitor does not trigger disproportionate investigative burdens or penalties.

Confidentiality and Competition Law Considerations

While the CADA proposal does not explicitly detail the specific mechanisms for handling confidential information received from competitors, the general principles of EU law and the specific mention of "rights of defence" in Article 26(4) imply that authorities must protect sensitive commercial information. The proposal's recitals also note that CADA is "without prejudice to the application of Articles 101 and 102 TFEU" (competition law).

Authorities must ensure that acting on a competitor's tip does not facilitate anti-competitive behaviour, such as collusion or the unlawful exchange of commercially sensitive data. The investigative process must be conducted in a way that prevents the authority from becoming a vehicle for competitors to gain unfair market advantages through the disclosure of trade secrets. The "access to the file" right for the accused provider is balanced against the need to protect the identity of the whistleblower or the confidential nature of the information provided, ensuring that the investigation remains fair and lawful.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the ability of authorities to act on competitor tips raises several strategic considerations:

1. Heightened Vigilance: Assume that competitors are monitoring your compliance with CADA's Union assurance levels. Any deviation from your stated assurance level, failure to meet Annex II criteria, or discrepancy between your public claims and technical reality could be reported. Maintain rigorous internal audits to ensure your public statements match your technical operations.
2. Preparation for Investigation: If you receive a request for information from a competent authority under Article 26(1)(a), it may stem from a third-party tip. Ensure your legal and technical teams are prepared to provide the "necessary information" promptly and accurately. Failure to cooperate can lead to penalties under Article 24 and may be viewed as an aggravating factor.
3. Asserting Rights: If an investigation is launched based on a competitor's tip, immediately invoke the safeguards in Article 26(4). Ensure you are granted access to the file (excluding confidential third-party information where appropriate) and exercise your right to be heard. Challenge any measures that appear disproportionate to the alleged infringement, citing Article 26(3).
4. Confidentiality Protections: When providing information to authorities, clearly mark confidential business information. While authorities have the power to require information, they are bound by confidentiality obligations under EU law. Ensure your internal protocols for sharing data with regulators are robust to prevent inadvertent disclosure to competitors.

Common misconceptions

Misconception 1: Authorities can act on any anonymous tip without verification. While Article 26(1)(a) allows authorities to require information from "any person," the measures must be "proportionate" under Article 26(3) and respect "rights of defence" under Article 26(4). Authorities are unlikely to launch full-scale, intrusive investigations based solely on unverified, anonymous claims without further corroborating evidence or a reasonable suspicion of an infringement.

Misconception 2: Competitors have a direct right to trigger an investigation. Competitors do not have a direct right to force an investigation. They can only provide information. The decision to investigate rests with the national competent authority, which must determine if the information reasonably suggests an infringement and if the investigation is necessary to carry out its tasks under Article 17.

Misconception 3: The source of the tip is always disclosed to the accused. Article 26(4) guarantees the right to access the file, but this is subject to the protection of confidential information. The identity of a whistleblower or competitor providing a tip may be protected to prevent retaliation, although the substance of the allegations must be disclosed to allow for a defence. The authority must balance the right to defence with the need to protect the source.

Related

• Can the Commission ask a CADA authority to investigate a provider?
• Can CADA authorities require information from a provider's suppliers?
• Can CADA authorities demand information from a cloud provider?
• Can CADA authorities act before an infringement is confirmed?
• Can CADA authorities act against a non-EU cloud provider?

This is general information about a draft EU regulation, not legal advice.