Can a CADA authority impose both fines and remedies at once?

Summary Yes, as proposed, a national competent authority under the Cloud and AI Development Act (CADA) can impose both remedial measures and financial penalties for the same infringement. Article 26(2) explicitly grants authorities the power to order the cessation of infringements, impose fines, and levy periodic penalty payments. These powers are cumulative, meaning an authority does not have to choose exclusively between stopping the violation and fining the provider; it can apply both simultaneously. However, Article 26(3) mandates that all measures taken must be "effective, dissuasive and proportionate" to the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a robust enforcement regime for the Union cloud computing sovereignty framework. A critical component of this regime is the discretion granted to national competent authorities to tailor their enforcement responses to the specific circumstances of a non-compliance event. The proposal explicitly allows for the combination of corrective actions and financial sanctions to ensure that infringements are not only penalized but also effectively terminated.

Cumulative Enforcement Powers under Article 26

Article 26(2) of the CADA proposal outlines the specific enforcement powers available to the national competent authority of establishment. These powers are listed as distinct options, but the structure of the regulation and the explicit language used indicate they are not mutually exclusive. The provision states that competent authorities shall have the following enforcement powers:

1. Cessation and Remedies: The power to "order the cessation of infringements and, where appropriate, to impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end." This power may be exercised directly by the authority or by requesting a judicial authority in the Member State to do so [Article 26(2)(a)].
2. Fines: The power to "impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with this Regulation." This includes fines for failure to comply with investigative orders issued pursuant to Article 26(1) [Article 26(2)(b)].
3. Periodic Penalty Payments: The power to "impose a periodic penalty payment, or to request a judicial authority in their Member State to do so, in accordance with Article 24." This specific tool is designed to ensure that an infringement is terminated in compliance with an order issued under point (a) (cessation/remedies), or for failure to comply with investigative orders [Article 26(2)(c)].

The ability to impose a periodic penalty payment specifically to ensure the termination of an infringement implies a sequential or concurrent application of remedies and penalties. For instance, an authority may issue an order to cease an infringement (remedy) and simultaneously impose a fine for the period the infringement already occurred, while also threatening periodic penalties if the cessation order is not followed. The text does not suggest an "either/or" choice; rather, it provides a toolkit where multiple tools can be deployed to achieve the regulatory objective.

The Proportionality Constraint

While the powers are cumulative, they are not unlimited. Article 26(3) imposes a strict proportionality test on the exercise of these powers. It states that measures taken by national competent authorities in exercising the powers listed in paragraphs 1 and 2 "shall be effective, dissuasive and proportionate."

The authority must consider several factors when determining the appropriate mix of remedies and fines:

• The nature, gravity, recurrence and duration of the infringement or suspected infringement.
• The economic, technical and operational capacity of the service provider concerned.

This means that while an authority can impose both a fine and a remedy, it must justify why both are necessary to achieve the goals of effectiveness and deterrence without being overly punitive relative to the provider's capacity and the severity of the breach. The cumulative nature of the powers is therefore bounded by the requirement that the total enforcement package remains proportionate.

Distinction from Article 24

It is important to distinguish the enforcement powers in Article 26 from the penalty criteria in Article 24. Article 24 requires Member States to lay down the rules on penalties applicable to infringements by cloud computing service providers. Article 24(2) lists non-exhaustive criteria for imposing penalties, such as the nature, gravity, scale, and duration of the infringement, any action taken to mitigate damage, and the financial benefits gained or losses avoided by the infringing party.

Article 26 provides the mechanism for the competent authority to apply these penalties alongside remedial orders. The two articles work in tandem: Article 24 defines the parameters and criteria for the financial sanction (ensuring penalties are "effective, proportionate and dissuasive"), while Article 26 empowers the authority to levy that sanction alongside other enforcement tools like cessation orders and periodic penalty payments.

Practical Enforcement Combinations

In practice, this cumulative power allows for a nuanced enforcement strategy that addresses both past misconduct and future compliance. For example:

• Immediate Cessation + Retrospective Fine: An authority may identify a cloud service provider that has been operating without the required Union assurance level recognition. The authority can immediately order the cessation of the service (remedy) to protect public order or data sovereignty, while simultaneously imposing a fine for the period the service was illegally provided. The fine addresses the past violation, while the cessation order prevents future harm.
• Remedy + Periodic Penalty: If a provider is slow to implement a required remedy, the authority can impose a periodic penalty payment to pressure compliance. This ensures that the remedy is not just an empty order but has "teeth." The periodic penalty continues to accrue until the provider complies with the cessation or remedial order.
• Investigative Non-Compliance: If a provider fails to cooperate with an investigation (an investigative order under Article 26(1)), the authority can impose a fine for that specific failure (under Article 26(2)(b)) while continuing to pursue the underlying substantive infringement. This ensures that obstruction of justice is penalized independently of the substantive breach.

This approach ensures that enforcement is not just punitive but also corrective, aiming to restore compliance while penalizing past misconduct and deterring future violations.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the cumulative nature of CADA's enforcement powers means that a single non-compliance incident can trigger multiple financial and operational impacts simultaneously.

1. Dual Exposure: Do not assume that paying a fine resolves the enforcement action. An authority can impose a fine for the past infringement while also mandating immediate operational changes (remedies) and levying daily penalties if those changes are not implemented swiftly. The financial liability can be compounded by the duration of non-compliance.
2. Remediation Speed is Critical: Because periodic penalty payments are available to enforce cessation orders, the speed at which your organization implements remedial measures directly affects your total financial liability. Delaying compliance with a remedy order can lead to escalating costs that may exceed the initial fine.
3. Proportionality Defenses: When facing enforcement, focus your defense on the proportionality requirement in Article 26(3). Demonstrate your organization's economic and technical capacity, and highlight any mitigating factors, such as good faith efforts to comply, the minor nature of the infringement, or the lack of actual harm caused. Argue that a combination of a high fine and a strict remedy might be disproportionate given these factors.
4. Investigative Cooperation: Ensure strict compliance with investigative orders (Article 26(1)). Non-cooperation is a separate infringement that can attract additional fines, compounding the penalties for the original substantive violation. The authority can fine you for the obstruction even if the underlying issue is still being investigated.
5. Documentation: Maintain detailed records of all remedial actions taken. This documentation is crucial for demonstrating that you have complied with cessation orders, thereby avoiding periodic penalty payments and potentially mitigating the severity of fines.

Common misconceptions

• Misconception: "If we pay the fine, the case is closed."
  • Reality: Under CADA, a fine is a penalty for the infringement, not a buy-out of the obligation to comply. Authorities can and will order the cessation of the infringement and impose further penalties if the service continues to be provided in violation of the Regulation. Paying the fine does not grant immunity from remedial orders.
• Misconception: "Remedies and fines are alternative options."
  • Reality: Article 26 lists these powers cumulatively. Authorities have the discretion to apply both to ensure the infringement is effectively ended and that the provider is dissuaded from future violations. The text does not require an election between stopping the breach and punishing it.
• Misconception: "Proportionality means the fine must be small."
  • Reality: Proportionality under Article 26(3) refers to the overall enforcement package (remedies, fines, periodic penalties) relative to the infringement's gravity and the provider's capacity. A large fine may still be proportionate if the infringement is severe, the provider is large, and the violation poses significant risks to public order or data sovereignty. The constraint is on the totality of the measures, not just the monetary amount.

Related

• What remedies can CADA authorities impose on providers?
• Can CADA authorities impose fines on cloud providers?
• Can a cloud provider negotiate remedies with a CADA authority?
• Can the Commission ask a CADA authority to investigate a provider?
• Can an existing regulator be designated as a CADA authority?

This is general information about a draft EU regulation, not legal advice.