Can a CADA authority involve other public authorities in an assistance request?

Summary Under the proposed Cloud and AI Development Act (CADA), a national competent authority receiving a mutual assistance request has the explicit power to involve other public authorities within its Member State to help execute that request. As proposed in Article 27(2), this flexibility allows the requested authority to engage additional public bodies "where appropriate" to secure specific information or evidence located in their jurisdiction. This mechanism is designed to streamline cross-border investigations into cloud computing service providers' compliance with the EU's sovereignty framework, ensuring that the designated competent authority can access the full spectrum of national expertise and powers required for effective enforcement.

Detail

The Cloud and AI Development Act (CADA) establishes a rigorous sovereignty framework for cloud computing services, requiring strict oversight by national competent authorities. Because cloud infrastructure, data flows, and supply chains are inherently cross-border, effective enforcement relies heavily on seamless cooperation between Member States. CADA addresses this through Title IV, Chapter I, Section 5, which outlines the principles of mutual assistance and cross-border cooperation.

The Role of Mutual Assistance and Involving Other Authorities

Article 27 of the CADA proposal mandates that competent authorities and the European Commission cooperate closely to apply the sovereignty chapter in a consistent and efficient manner. This cooperation fundamentally includes the exchange of information. Crucially, Article 27(2) provides the operational mechanism for this cooperation, explicitly authorizing the involvement of third parties:

"A competent authority may request other competent authorities to provide specific information in their possession relating to a specific cloud computing service provider to exercise its investigative powers under Article 26 regarding specific information located in their Member State. Where appropriate, the competent authority receiving the request may involve other competent authorities or other public authorities of the Member State in question."

This provision acknowledges a critical reality: the primary national competent authority designated under Article 25 may not hold all the necessary technical, legal, or operational expertise to gather evidence independently. Cloud sovereignty assessments often intersect with cybersecurity, data protection, and sector-specific regulations. By allowing the involvement of "other public authorities," CADA recognizes the fragmented nature of national administrative structures.

For example, a request from a foreign competent authority regarding a provider's cybersecurity measures might require input from a national cybersecurity agency, while a request regarding data protection compliance might require input from a national data protection authority. The phrase "where appropriate" grants the requested authority the discretion to determine which additional bodies are necessary to fulfill the request effectively. This ensures that the investigation is not bottlenecked by the limited scope or specific mandate of the designated competent authority alone.

Procedural Obligations and Deadlines

When a competent authority receives a request for assistance under Article 27(2), it is not merely permitted to act; it is legally obligated to comply. Article 27(3) establishes a strict timeline:

"The competent authority receiving the request pursuant to paragraph 2 shall comply with such request and inform the competent authority of establishment about the action taken, as soon as possible and no later than two months after receipt of the request, unless duly justified."

This creates a hard two-month deadline for the requested authority to act and report back. The phrase "unless duly justified" provides a narrow window for extension, implying that delays must be exceptional and substantiated. Importantly, the involvement of other public authorities does not reset this clock. The primary competent authority receiving the request remains the single point of accountability responsible for ensuring the request is fulfilled within the statutory timeframe, even if it delegates parts of the evidence gathering to other bodies.

Connection to Investigative Powers

The information sought under Article 27 is specifically tied to the investigative powers outlined in Article 26. These powers include the ability to require providers to provide information, inspect premises, and seize data. When evidence is located in a different Member State, the authority of establishment cannot directly exercise these powers abroad due to territorial limitations. Instead, it must rely on the authority in the Member State where the evidence is located.

The ability to involve other public authorities in that second Member State ensures that the investigation is robust. If the designated competent authority lacks the specific legal power to inspect a particular facility or access a specific database, it can involve the relevant public authority that does possess that power. This mechanism effectively bridges the gap between the requesting authority's needs and the domestic legal landscape of the requested Member State.

Distinction from Cross-Border Cooperation

It is vital to distinguish mutual assistance under Article 27 from cross-border cooperation under Article 28.

• Article 27 focuses on the exchange of information and assistance in gathering evidence. It is the primary tool for investigative support, and its flexibility to involve other public authorities is unique to this phase.
• Article 28, conversely, deals with situations where an authority suspects non-compliance and requests the authority of establishment to assess the matter and take enforcement measures.

While both provisions facilitate cross-border action, Article 27 is the specific legal basis for a competent authority to say, "We need help finding this evidence, and we will involve our national cybersecurity agency to get it."

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, the ability of CADA authorities to involve other public authorities significantly expands the potential sources of regulatory scrutiny.

1. Broader Regulatory Reach

Previously, interactions might have been limited to a single designated competent authority. Under CADA, a single request for information can trigger involvement from multiple national bodies, including cybersecurity agencies, data protection authorities, and potentially sectoral regulators. You must be prepared to respond to inquiries that may originate from or be coordinated by authorities outside your primary point of contact. The "where appropriate" clause means that if your provider has complex data flows, the requested authority may involve multiple specialized bodies to dissect them.

2. Strict Timelines and Internal Pressure

The two-month deadline for authorities to respond to assistance requests (Article 27(3)) indirectly pressures providers to respond promptly to national inquiries. If a provider delays providing information to a national authority, that delay can cause the competent authority to miss its international deadline. Therefore, internal processes for responding to regulatory requests must be streamlined to avoid becoming the bottleneck in international cooperation. You cannot assume that the involvement of multiple authorities will grant you more time; the statutory clock starts ticking upon receipt of the request.

3. Consistency in Documentation

Because multiple authorities may be involved in gathering evidence, it is critical that your compliance documentation is consistent and readily accessible. Discrepancies between information provided to a cybersecurity agency versus a data protection authority could be flagged as inconsistencies during the mutual assistance process. Maintain a centralized repository of compliance evidence to ensure uniformity across all regulatory interactions.

4. Proactive Engagement

If your provider operates across multiple Member States, proactively engage with the designated competent authority in your state of establishment. Understanding how that authority collaborates with other public bodies can help you anticipate the scope and nature of potential requests. Knowing which "other public authorities" are likely to be involved in your specific sector can help you prepare the right evidence in advance.

Common misconceptions

Misconception 1: Only the designated competent authority can request information. While the designated competent authority is the primary point of contact, Article 27(2) explicitly allows for the involvement of other public authorities in the requested Member State. This means that while the formal request comes from the competent authority, the actual collection of evidence may be conducted by other national bodies. Providers should not assume that only the designated authority has the power to gather evidence or that they will only interact with that single entity.

Misconception 2: The two-month deadline is flexible. Article 27(3) sets a hard deadline of two months for the requested authority to comply and report back, "unless duly justified." This is not a guideline but a statutory obligation. Delays without proper justification could lead to scrutiny of the authority's performance and potentially impact the provider if the delay hinders an ongoing investigation. Providers should not expect extensions to be granted lightly, nor should they assume that involving multiple authorities will pause the clock.

Misconception 3: Mutual assistance replaces national enforcement powers. Mutual assistance under Article 27 is a tool for gathering information and evidence. It does not replace the enforcement powers of the competent authority of establishment under Article 26. The authority of establishment retains the power to impose penalties and order remedial actions. The involvement of other public authorities in the requested Member State is strictly for the purpose of assisting in the investigation, not for making final enforcement decisions.

Related

• Can a CADA authority refuse a mutual assistance request?
• Can a CADA authority delegate inspections to other public bodies?
• How do CADA authorities request information from each other?
• Can a CADA authority ask for more information on a cross-border request?
• What remedies can CADA authorities impose on providers?

This is general information about a draft EU regulation, not legal advice.