Summary
Under the proposed Cloud and AI Development Act (CADA), national competent authorities are explicitly empowered to share information with counterparts in other Member States to enforce the cloud sovereignty framework. Article 27 establishes a mandatory mutual assistance mechanism that includes the direct exchange of data regarding specific cloud computing service providers. While CADA mandates that requests be complied with "as soon as possible," it sets a strict two-month deadline for authorities to inform the requesting body of the actions taken, ensuring coordinated cross-border oversight of sovereign cloud services. This framework prevents regulatory fragmentation and ensures that a provider's compliance status in one Member State is visible to all relevant authorities across the Union.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a rigorous, EU-wide framework for cloud computing sovereignty. This framework requires cloud providers to meet specific "Union assurance levels" to serve public sector bodies. Because cloud infrastructure is inherently borderless and data flows across jurisdictions, effective enforcement cannot be confined to a single Member State. CADA addresses this challenge through Title IV, Chapter I, Section 5, which outlines the principles of mutual assistance and cross-border cooperation.
The Scope of Mutual Assistance
Article 27(1) of the CADA proposal establishes the foundational duty of cooperation between national competent authorities and the European Commission. The text explicitly states that these bodies "shall cooperate closely and provide each other with mutual assistance to apply this Chapter in a consistent and efficient manner."
Crucially, the provision clarifies the scope of this cooperation: "Mutual assistance shall include the exchange of information." This creates a binding legal obligation for authorities to share data necessary for the supervision and enforcement of the cloud sovereignty rules. Without this mechanism, providers could potentially exploit regulatory gaps between jurisdictions, or a violation detected in one Member State might remain unknown to the authority of establishment responsible for the provider's primary recognition.
Requesting Specific Provider Information
The mechanism for obtaining specific data is detailed in Article 27(2). This article empowers a competent authority in one Member State to formally request another competent authority to provide "specific information in their possession relating to a specific cloud computing service provider."
This provision is designed to support the investigative powers granted under Article 26. For instance, if a competent authority in a destination Member State suspects a provider of non-compliance but lacks direct access to certain records held within another Member State, it can invoke Article 27(2) to request that information. The text notes that such requests are made "to exercise its investigative powers under Article 26 regarding specific information located in their Member State."
The regulation also acknowledges the complexity of the regulatory landscape. Article 27(2) states that "where appropriate, the competent authority receiving the request may involve other competent authorities or other public authorities of the Member State in question." This flexibility recognizes that information about a cloud provider's infrastructure, legal status, or cybersecurity posture may be held by various entities, such as national cybersecurity agencies, data protection authorities, or financial regulators, not just the primary cloud sovereignty supervisor designated under Article 25.
The Two-Month Compliance Window
Timeliness is critical in digital enforcement, where service disruptions or data breaches can have immediate cross-border impacts. Article 27(3) imposes a clear and strict deadline on the receiving authority to ensure that mutual assistance does not become a bureaucratic bottleneck.
The article mandates that the receiving authority "shall comply with such request and inform the competent authority of establishment about the action taken, as soon as possible and no later than two months after receipt of the request, unless duly justified."
This two-month window serves as a critical safeguard against administrative delays. It ensures that investigations into potential non-compliance with sovereignty assurance levels (such as unauthorized data transfers, lack of proper audits, or third-country control issues) are not stalled by procedural inertia. If a request cannot be fulfilled within this period, the receiving authority must provide a "duly justified" reason for the delay. This justification requirement prevents authorities from using vague excuses to withhold information, thereby maintaining the integrity of the Union-wide enforcement network.
Distinction from Cross-Border Cooperation
It is important to distinguish the mutual assistance mechanism under Article 27 from the cross-border cooperation provisions under Article 28. While Article 27 focuses on the proactive exchange of information and assistance in investigations (often initiated by a destination authority seeking data), Article 28 deals with specific enforcement actions when a "competent authority of destination" suspects a provider no longer fulfills the requirements of Annex II.
In the Article 28 scenario, the destination authority requests the "competent authority of establishment" to assess the matter and take necessary investigatory and enforcement measures. Both articles work in tandem: Article 27 facilitates the flow of information needed to identify issues, while Article 28 triggers the formal enforcement response from the authority with exclusive competence. Together, they ensure that a cloud provider recognized in one Member State remains compliant across the entire Union.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud computing service providers, the mutual assistance provisions in CADA have significant operational implications:
- Unified Supervision, Not Fragmentation: CADA designates the "competent authority of establishment" (where the provider has its main establishment) as having exclusive competence for enforcement under Article 25(4). However, because this authority can request and receive information from other Member States under Article 27, you cannot assume that local issues in other jurisdictions will remain isolated. Information gathered by a French authority regarding your data handling practices could be shared with your primary regulator in Germany, potentially triggering a Union-wide review.
- Preparedness for Rapid Data Requests: The two-month deadline for authorities to act on information requests implies that investigations can move quickly. Compliance teams must ensure that records related to sovereignty assurance (such as audit reports, subcontractor agreements, data flow diagrams, and evidence of Union citizenship for personnel) are organized, accessible, and up-to-date. Delays in providing information to your primary regulator could be exacerbated if that regulator is waiting for corroborating data from another Member State under the Article 27 mechanism.
- Consistency in Reporting: Since information is shared across borders, inconsistencies in how you report your compliance status to different national bodies could trigger scrutiny. Ensure that your EU statement of conformity (for Assurance Level 1) or audit reports (for Levels 2–4) are consistent across all Member States where you operate. A discrepancy noted by a destination authority could be rapidly communicated to your authority of establishment.
- Engagement with Multiple Authorities: While you primarily deal with your authority of establishment, Article 27(2) allows receiving authorities to involve other public bodies. Be prepared to engage with a broader range of regulators, including cybersecurity or data protection agencies, if they are involved in the mutual assistance process to gather specific information.
Common misconceptions
- Misconception: "CADA allows authorities to share data with third-country (non-EU) regulators."
- Reality: Article 27 specifically governs mutual assistance between Member States' competent authorities and the Commission. The text does not explicitly authorize the direct exchange of enforcement information with non-EU authorities under this specific article. Cross-border data sharing with third countries would be subject to other EU data protection and security laws, such as the GDPR, and the specific sovereignty criteria in Annex II.
- Misconception: "The two-month deadline is for the provider to respond."
- Reality: The two-month window in Article 27(3) applies to the receiving competent authority, not the cloud provider. It is the maximum time the authority has to comply with the request from another Member State and inform them of the action taken. Providers must still respond to their primary regulator within the timelines set by national investigative procedures, which may be shorter.
- Misconception: "Only the primary regulator can access my data."
- Reality: While the authority of establishment has exclusive enforcement competence, Article 27 allows other Member States to request and receive specific information about your service. This means your data and compliance records may be visible to multiple EU regulators through this cooperation mechanism, creating a de facto unified supervisory view.
- Misconception: "Mutual assistance is optional if the information is sensitive."
- Reality: Article 27(1) states that authorities "shall cooperate closely." While confidentiality obligations exist (e.g., regarding trade secrets), the obligation to exchange information is mandatory. The regulation requires authorities to share information necessary for consistent application of the rules, and any refusal to share must be "duly justified" under the strict timelines of Article 27(3).
This is general information about a draft EU regulation, not legal advice.