Can a CADA authority publish its enforcement decisions?

Summary The proposed Cloud and AI Development Act (CADA) does not explicitly mandate that national competent authorities publish their individual enforcement decisions, such as penalty rulings or investigative findings. While Article 25(3) requires authorities to perform their tasks in an "impartial, transparent and timely manner," this general principle does not create a specific statutory obligation to disclose the details of sanctions to the public. However, Article 22 requires the publication of the revocation of a cloud service's recognition status in a central repository. Consequently, while the outcome of a loss of status is public, the specific enforcement decision (including the reasoning and fine amount) remains largely at the discretion of Member States, subject to their national administrative laws.

Detail

The enforcement architecture of the proposed CADA is decentralized, relying on national competent authorities designated by each Member State. The question of whether these authorities must publish their decisions hinges on the specific wording of the proposal's enforcement chapter (Title IV, Chapter I, Sections 4 and 5) and the interplay between general transparency principles and specific publication mandates.

The General Transparency Principle: Article 25(3)

The primary transparency obligation for enforcement bodies is found in Article 25(3). The text states: "Member States shall ensure that their competent authorities perform their tasks under this Regulation in an impartial, transparent and timely manner."

In EU legislative drafting, a requirement to act "transparently" is a procedural standard. It ensures that the authority's processes are clear, that stakeholders understand the rules of engagement, and that decisions are not made arbitrarily. However, the proposal does not define "transparent" as requiring the proactive publication of every enforcement decision, penalty notice, or investigative report. Unlike regulations that explicitly state "decisions imposing penalties shall be published," CADA leaves the specific mechanism of disclosure to the discretion of Member States, provided the general principle of transparency is respected in the conduct of the authority.

Absence of Explicit Publication Duties in Articles 24–28

A systematic review of the enforcement provisions confirms the absence of a mandatory publication clause for individual decisions:

• Article 24 (Penalties and compensation): This article obliges Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." It requires Member States to notify the Commission of these rules and any subsequent amendments. Crucially, it grants recipients of services the right to seek compensation for damages. However, the text contains no requirement for the public disclosure of the penalties imposed on specific cloud computing service providers.
• Article 25 (National competent authorities): While Article 25(2) requires Member States to notify the Commission of the names of their competent authorities, and the Commission must maintain a "public register of those authorities," this register identifies who enforces the law, not what they decide. There is no parallel requirement in Article 25 to publish the decisions themselves.
• Article 26 (Powers of the national competent authorities): This section grants authorities the power to impose fines, order the cessation of infringements, and conduct inspections. It mandates that measures be "effective, dissuasive and proportionate" and subject to national safeguards, including the right to be heard. It does not include a provision requiring the publication of the resulting orders or fines.
• Articles 27 and 28 (Mutual assistance and cross-border cooperation): These articles focus on the exchange of information between competent authorities and the Commission to ensure consistent application of the law. They facilitate internal coordination rather than public disclosure.

The Central Repository: A Specific Exception for Status Revocation

It is vital to distinguish between the publication of an enforcement decision and the publication of a status change in the central repository. Article 22 establishes a "central repository of cloud computing services" maintained by the Commission.

Article 22(3) explicitly states: "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

This creates a specific, limited transparency obligation: if an authority revokes a provider's Union assurance level (e.g., due to a breach of sovereignty criteria), that fact must be published in the repository. This serves the market's need to know which services are no longer compliant. However, the repository entry is a status flag; it does not necessarily include the full text of the enforcement decision, the specific legal reasoning, the amount of any fine imposed under Article 24, or the detailed findings of the investigation. The "decision" itself remains a national administrative act, while the "consequence" (loss of recognition) is a Union-wide public record.

The Commission's Role

The Commission's role in enforcement is supervisory and coordinative, not directly punitive in most cases. Under Article 25(4), the Member State where the provider has its main establishment has "exclusive competence for enforcing this Chapter." The Commission may intervene under Article 17(10) if national authorities disagree on a recognition decision, or under Article 28 if cross-border cooperation is needed. However, the proposal does not grant the Commission the power to publish a Union-wide list of penalized companies or to override national rules on the publication of administrative decisions.

What this means for you

For legal counsel, compliance officers, and cloud service providers, the lack of a mandatory publication duty for enforcement decisions has significant strategic implications:

1. Reputational Risk is Asymmetric: A provider fined under CADA may not automatically face a "public shaming" via an official EU or national press release, as the text does not mandate it. However, this does not guarantee confidentiality. Member States may have their own national administrative laws or freedom of information regimes that require the publication of certain sanctions. Providers must assess the transparency laws of their main establishment Member State.
2. The "Silent" Revocation is Visible: While the fine might remain confidential, the loss of status is not. If a provider is stripped of their Union assurance level, this revocation will appear in the central repository for five years. For public-sector buyers (who are mandated to procure only recognized services under Article 30), this is a critical commercial signal. A revocation effectively blocks access to the public market, regardless of whether the fine is public.
3. Litigation Creates a Public Record: Even if the authority does not publish the decision, the decision may become public if the provider appeals it. Judicial proceedings in national courts are generally public, and the judgment would likely detail the enforcement action. Competitors or civil society groups may also use freedom of information requests to access these documents.
4. Internal Preparedness: Since the investigative process under Article 26 is rigorous (including powers to inspect premises and seize data), providers should assume that their internal records will be scrutinized. Even if the final decision is not published, the internal compliance posture must be robust enough to withstand a public audit if the case eventually enters the judicial sphere.

Common misconceptions

• Misconception: "CADA requires all enforcement fines to be made public to ensure deterrence."
  • Reality: The proposal does not contain an explicit publication requirement for fines. Deterrence is intended to be achieved through the severity of the penalties (Article 24) and the commercial impact of losing recognition status (Article 22), rather than through mandatory public disclosure of every sanction.
• Misconception: "The Central Repository lists all penalties and enforcement actions."
  • Reality: The Central Repository (Article 22) lists services recognized at specific Union assurance levels and records the revocation of such recognition. It does not publish the detailed enforcement decisions, penalty amounts, or the specific legal infringements that led to the revocation.
• Misconception: "The Commission publishes a list of penalized companies."
  • Reality: The Commission maintains a public register of competent authorities (Article 25(2)), not a list of penalized companies. The Commission's role is largely coordinative, while enforcement is decentralized to national authorities.

Related

• Can CADA enforcement lead to a provider losing its assurance-level recognition?
• CADA Enforcement: Authority of Establishment vs. Destination
• Can the Commission ask a CADA authority to investigate a provider?
• Can CADA enforcement be triggered by an audit finding?
• Can an existing regulator be designated as a CADA authority?

This is general information about a draft EU regulation, not legal advice.