Can a CADA authority delegate inspections to other public bodies?

Summary As proposed, the Cloud and AI Development Act (CADA) does not grant national competent authorities the power to unilaterally "delegate" their statutory enforcement responsibilities to other public bodies. Instead, Article 26(1)(b) establishes a specific mechanism where the competent authority may request other public authorities to carry out inspections, or request a judicial authority to order them. This distinction is critical: the competent authority retains the lead role and legal responsibility for the investigation, while leveraging the operational capacity or coercive powers of other state entities (such as police or customs) to execute the physical inspection. This ensures coordination and legal enforceability without abdicating the authority's core duties.

Detail

The enforcement architecture of the proposed Cloud and AI Development Act (CADA) relies heavily on the investigative powers of national competent authorities to verify compliance with the Union cloud computing sovereignty framework. These authorities are tasked with ensuring that cloud service providers meet the rigorous criteria for Union assurance levels. To do this effectively, the proposal grants them specific investigative powers under Article 26, titled "Powers of the national competent authorities."

The Specific Mechanism of Article 26(1)(b)

Article 26(1) explicitly lists the investigative powers that competent authorities of establishment must possess to carry out their tasks under Article 17 (Recognition of cloud computing service providers). The text of Article 26(1)(b) is precise regarding the execution of inspections:

"to carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium;"

This provision creates a tripartite framework for inspections:

1. Direct Execution: The competent authority may carry out the inspection itself.
2. Judicial Order: The authority may request a judicial authority to order the inspection.
3. Request to Other Public Authorities: The authority may request other public authorities to carry out the inspection.

The use of the term "request" rather than "delegate" or "transfer" is legally significant. In EU administrative law, delegation often implies a transfer of decision-making power or statutory responsibility. Here, the proposal maintains that the competent authority remains the primary actor. The "request" mechanism is an operational tool designed to overcome practical or legal hurdles that a specialized cloud regulator might face, such as the need for physical force, entry into secure facilities, or the seizure of hardware.

Why "Request" and Not "Delegate"?

The distinction serves two primary purposes within the CADA framework:

1. Operational Leverage and Specialization National competent authorities designated under Article 25 may be specialized bodies focused on digital markets or cloud sovereignty. They may not possess the physical infrastructure, personnel, or specific legal mandates to conduct complex on-site raids, seize hardware, or enter premises that require police powers. By allowing the authority to request other public authorities (e.g., national police, customs, or specialized security forces) to perform the physical act, CADA ensures that inspections can be executed effectively without requiring every Member State to build a dedicated "cloud police" force. The other public bodies act as the operational arm, but the legal mandate originates from the CADA authority's request.

2. Judicial Oversight and Fundamental Rights The proposal explicitly links inspections to judicial oversight where necessary. If a provider resists an inspection, or if the nature of the premises requires a warrant under national law, the competent authority can request a judicial authority to order the inspection. This aligns with fundamental rights protections, ensuring that intrusive measures are subject to independent judicial review. The text allows the authority to bypass the "request other public authorities" route if the situation demands a direct court order, or to combine both (e.g., requesting a court order that empowers the police to execute the search).

Coordination with Other Regulators

The CADA proposal emphasizes a coordinated approach to enforcement, recognizing that cloud sovereignty intersects with other regulatory domains. Recital 59 states that Member States should ensure their competent authorities cooperate closely with other relevant national authorities, including Data Protection Authorities and Cybersecurity Authorities.

While Article 26(1)(b) focuses on the execution of inspections, Article 27 (Mutual assistance) and Article 28 (Cross-border cooperation) provide the framework for information sharing and joint investigations. If an inspection reveals issues spanning multiple Member States or overlapping with GDPR or NIS2 obligations, the competent authority is expected to coordinate. However, the power to initiate and direct the inspection under CADA remains with the designated competent authority. The "request" to other public bodies is a procedural step to facilitate this coordination, not a transfer of the CADA mandate itself.

Enforcement Consequences

The ability to inspect is the foundation for the enforcement powers outlined in Article 26(2). If an inspection reveals an infringement, the competent authority can:

• Order the cessation of infringements.
• Impose remedies proportionate to the infringement.
• Impose fines or periodic penalty payments.

The effectiveness of these penalties relies entirely on the evidence gathered during inspections. Therefore, the mechanism in Article 26(1)(b) is not merely procedural; it is the essential link between the detection of non-compliance and the imposition of sanctions. For providers, this means that an inspection conducted by a police officer acting on a request from the CADA authority carries the same legal weight as one conducted by the authority's own staff. Refusal to cooperate with such a requested inspection could trigger the enforcement measures in Article 26(2)(b) and (c).

What this means for you

For in-house counsel, compliance officers, and legal teams, understanding the nuance of Article 26(1)(b) is crucial for preparing inspection protocols and risk management strategies.

1. Prepare for Multi-Agency Inspections

Do not assume that inspectors will solely be staff from the designated national competent authority. Under the proposed framework, the inspection team may include, or be entirely composed of, personnel from other public bodies (e.g., police, customs, or national security agencies) acting on a formal request. Your internal protocols must authorize cooperation with any official acting on the valid request of the competent authority. Verify the chain of command: the other body is acting for the CADA authority, not in their own independent capacity.

2. Verify the Legal Basis of the Request

While cooperation is mandatory, you have the right to verify the legal basis of the inspection.

• If other public authorities are involved: Request to see the formal request or mandate from the competent authority that authorized their presence.
• If a judicial order is involved: Verify the court order. This verification protects your organization from unauthorized searches while ensuring you remain compliant with CADA. The text of Article 26(1)(b) implies that the inspection must be "in order to examine... information relating to a suspected infringement," so the scope should be clearly defined.

3. Coordinate with Data Protection Officers (DPOs)

CADA inspections may involve accessing data, IT systems, and potentially personal data. Recital 59 highlights the need for cooperation with Data Protection Authorities. An inspection under CADA may trigger parallel considerations under the GDPR. Ensure that your DPO is present or consulted during the inspection to ensure that any data seized or examined is handled in accordance with both CADA and data protection laws. The inspection power is broad ("any form, irrespective of the storage medium"), but the handling of personal data remains subject to GDPR constraints.

4. Document Interactions Rigorously

Keep detailed records of all interactions during an inspection. This includes:

• The identities and roles of all inspectors.
• The specific authority under which they are acting (e.g., "acting on request of [Authority Name] under Article 26(1)(b)").
• The specific data, premises, or hardware accessed.
• Any refusals or objections raised. This documentation is vital if you need to challenge the scope, legality, or proportionality of the inspection later, or if the inspection leads to a penalty.

Common misconceptions

"CADA authorities can delegate their entire enforcement role to the police."

• Reality: Article 26(1)(b) allows authorities to request other bodies to carry out inspections, but it does not transfer the statutory responsibility for enforcement. The competent authority remains the lead body responsible for the investigation, the decision to sanction, and the imposition of penalties. The other bodies are operational assistants, not replacements.

"Only the CADA competent authority can enter premises."

• Reality: Other public authorities (e.g., police, customs) can enter premises if requested by the competent authority or if ordered by a judicial authority. Compliance officers must be prepared to deal with a range of officials, not just digital regulators.

"Judicial orders are always required for inspections."

• Reality: Article 26(1)(b) provides two distinct paths: requesting other public authorities or requesting a judicial authority to order inspections. A judicial order is not automatically required for every inspection, but it is available if administrative powers are insufficient, if resistance is anticipated, or if national law requires it for the specific type of intrusion.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• Can a CADA authority involve other public authorities in an assistance request?
• Can the Commission ask a CADA authority to investigate a provider?
• Can an existing regulator be designated as a CADA authority?
• Can a Member State designate more than one CADA authority?
• Can a cloud provider negotiate remedies with a CADA authority?

This is general information about a draft EU regulation, not legal advice.