Can a CADA authority ask for more information on a cross-border request?

Summary Yes, under the proposed Cloud and AI Development Act (CADA), a national competent authority of establishment may request additional information if a cross-border cooperation request is deemed insufficient. As proposed in Article 28(3), the standard two-month deadline for responding to such requests is suspended from the date the request for additional information is issued until the information is actually provided. This mechanism ensures that authorities have sufficient evidence to conduct a meaningful assessment of suspected non-compliance without being forced to rush a decision based on incomplete facts.

Detail

The Cloud and AI Development Act (CADA) establishes a rigorous framework for cross-border cooperation between national competent authorities to enforce the Union's cloud computing sovereignty framework. Central to this enforcement architecture is Article 28, titled "Cross-border cooperation." This article outlines the procedures for when a competent authority in a Member State (the "authority of destination") suspects that a cloud computing service provider, recognized in another Member State (the "authority of establishment"), no longer fulfills the requirements of the Union assurance levels set out in Annex II of the Regulation.

The Right to Request Additional Information

When a cross-border request for assessment or enforcement action is initiated, it must be "duly reasoned," as required by Article 28(3). However, the initial information provided by the requesting authority may not always be comprehensive enough for the authority of establishment to form a conclusive opinion or to justify specific investigatory measures. Sovereignty assessments under CADA involve complex criteria regarding data localization, personnel citizenship, cybersecurity certification, and third-country control. A superficial request may lack the specific evidence needed to trigger a formal investigation or to justify revoking a recognition.

Article 28(3) explicitly grants the authority of establishment the power to seek clarification. It states: "Where the competent authority of establishment considers that the information provided is insufficient, it may either request additional information." This provision recognizes the technical and legal complexity of cloud infrastructure audits. It empowers the authority of establishment to pause the procedural clock to ensure that any subsequent assessment is based on a complete factual matrix, thereby protecting cloud computing service providers from arbitrary or poorly substantiated enforcement actions.

Suspension of the Two-Month Deadline

A critical procedural consequence of requesting additional information is the impact on the statutory timeline. Under Article 28(4), the competent authority of establishment must generally communicate its assessment and any envisaged measures to the requesting authority and the European Commission "as soon as possible and in any event not later than two months after receipt of the request."

However, Article 28(3) introduces a specific suspension mechanism to prevent this deadline from becoming a barrier to thorough enforcement. The text mandates: "The period set out in paragraph 4 shall be suspended until that additional information is provided."

This suspension is not indefinite but is strictly tied to the receipt of the requested data. The clock stops running from the moment the authority of establishment issues the request for additional information and resumes only when the requesting authority provides the necessary details. This ensures that the authority of establishment is not penalized for delays caused by the incomplete nature of the initial request, while also preventing indefinite stalling by the requesting party. The mechanism balances the need for timely enforcement with the necessity of a robust evidentiary basis.

Ensuring Meaningful Assessment

The ability to request additional information serves a vital function in ensuring the quality and legal robustness of cross-border enforcement. The criteria for Union assurance levels are cumulative and stringent. For instance, verifying that personnel are Union citizens or that data remains exclusively within the Union requires specific documentary evidence. If a requesting authority submits a vague suspicion without supporting logs, contracts, or audit trails, the authority of establishment cannot legally or practically conduct a valid assessment.

By allowing the authority of establishment to pause the clock and demand more detail, Article 28 ensures that any subsequent assessment is based on a complete factual matrix. This protects the cloud computing service provider from arbitrary or poorly substantiated enforcement actions and ensures that the principle of proportionality is respected. The authority of establishment must "duly take into account" the initial request (Article 28(3)), but it retains the discretion to require further substantiation before committing to a final position or taking enforcement measures.

The Role of the Commission

It is important to note that the European Commission can also initiate requests under Article 28(2). The same procedural rules apply: if the Commission's request lacks sufficient detail, the authority of establishment may request additional information, suspending the two-month deadline. This reinforces the Commission's role as a supervisor of the internal market while maintaining the procedural safeguards for national authorities. The suspension mechanism applies equally whether the request originates from a Member State authority or the Commission, ensuring a level playing field in the information exchange process.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, the interplay between Article 28(3) and the suspension of deadlines has several practical implications for managing regulatory risk and cross-border disputes.

1. Expect Potential Delays in Enforcement Timelines: If your provider is subject to a cross-border concern, do not assume the authority of establishment will respond within a strict two-month window. If they request additional information from the originating authority, the timeline pauses. This could extend the period of regulatory uncertainty for your organization, as the clock only resumes once the missing data is supplied.
2. Advocate for Completeness in Initial Requests: If your provider is the subject of a request initiated by another Member State, you may wish to engage with the authority of establishment to ensure that the requesting authority provides all relevant context. An incomplete request may lead to unnecessary administrative back-and-forth, prolonging the resolution of the issue.
3. Prepare for Detailed Scrutiny: The fact that authorities can pause the clock to get more information means that initial tips or complaints will likely be expanded into detailed inquiries. Ensure your internal documentation regarding compliance with Union assurance levels (e.g., audit reports, evidence of data localization, subcontractor due diligence, personnel citizenship records) is readily accessible and comprehensive.
4. Monitor the "Duly Reasoned" Requirement: While the authority of establishment can ask for more info, the initial request must still be "duly reasoned" under Article 28(3). If a request is fundamentally unreasoned or abusive, your provider may have grounds to challenge the procedural validity, though the primary duty to cooperate lies with the authorities.

Common misconceptions

Misconception 1: The two-month deadline is absolute. Many assume that authorities have exactly 60 days to respond to a cross-border request. This is incorrect. Article 28(3) explicitly allows for the suspension of this period if additional information is requested. The deadline is flexible and contingent on the completeness of the information exchange.

Misconception 2: The authority of establishment must accept the initial information as sufficient. There is a belief that once a reasoned request is made, the authority of establishment must proceed with an assessment based solely on that initial data. In reality, Article 28(3) empowers the authority of establishment to reject the sufficiency of the initial information and demand more. They are not bound by the completeness of the requester's initial submission.

Misconception 3: Suspension allows for indefinite delays. While the clock is suspended, it is not suspended indefinitely. It resumes only when the additional information is provided. If the requesting authority fails to provide the information, the process may stall, but the legal mechanism is designed to close the information gap, not to allow for open-ended procrastination. The authority of establishment is still expected to act "as soon as possible" once the information is received.

Related

• CADA Cross-Border Requests: What the Establishment Authority Must Report
• How long does a cross-border CADA request take?
• Can the Commission ask a CADA authority to investigate a provider?
• Can a Member State designate more than one CADA authority?
• Can a CADA authority share information with another country's authority?

This is general information about a draft EU regulation, not legal advice.