Summary
Under the proposed Cloud and AI Development Act (CADA), there is no automatic mutual recognition of enforcement decisions across Member States. Instead, the regulation establishes a centralized enforcement model: the national competent authority of the Member State where the cloud computing service provider has its main establishment holds exclusive competence to enforce the sovereignty framework (Article 25(4)). Cross-border enforcement does not occur through direct action by the user's Member State; rather, it relies on mutual assistance (Article 27) and cross-border cooperation (Article 28), where the authority of the destination state requests the authority of establishment to investigate and take necessary measures.
Detail
The Principle of Exclusive Competence
The CADA proposal deliberately avoids a fragmented enforcement landscape where multiple national authorities could impose conflicting penalties on a single cloud provider. To ensure legal certainty and uniform application, Article 25(4) establishes a clear rule of exclusive jurisdiction.
The Member State in which the cloud computing service provider has its main establishment is the sole authority empowered to enforce the sovereignty framework (Title IV, Chapter I). The proposal defines "main establishment" strictly as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.
This means that if a cloud provider is established in Ireland, the Irish national competent authority is exclusively responsible for:
- Imposing penalties for infringements of the sovereignty criteria.
- Ordering the cessation of infringements.
- Revoking the recognition of a Union assurance level.
- Conducting investigations into suspected non-compliance.
Even if the cloud service is used by a public body in Poland, Spain, or Greece, the authorities in those Member States do not have independent power to fine the provider or revoke its recognition status. Their role is limited to identifying potential issues and triggering the enforcement mechanism in the provider's home state.
Mutual Assistance: The Information Exchange Mechanism
While enforcement power is centralized, the proposal acknowledges that infringements often have cross-border implications. Article 27 establishes a mandatory framework for mutual assistance to ensure the consistent application of the regulation.
Under Article 27(1), competent authorities and the Commission must cooperate closely and provide mutual assistance, which explicitly includes the exchange of information. This is not a voluntary courtesy but a statutory obligation.
Article 27(2) details the operational mechanics:
- A competent authority may request another competent authority to provide specific information in its possession relating to a specific cloud computing service provider.
- This request is typically made to exercise investigative powers under Article 26 regarding information located in the requested Member State.
- The receiving authority must comply with the request.
- The receiving authority must inform the authority of establishment about the action taken as soon as possible, and no later than two months after receipt of the request, unless duly justified.
This mechanism ensures that the authority of establishment has access to all necessary evidence, regardless of where the data or personnel are physically located within the EU, without needing to open its own investigation in every Member State where the provider operates.
Cross-Border Cooperation: Triggering Enforcement
Article 28 provides the specific mechanism for a Member State where a service is used (the "destination" state) to trigger enforcement action against a provider established elsewhere. This is distinct from mutual assistance, as it involves a formal request for investigatory and enforcement measures.
The process under Article 28 works as follows:
- Suspicion: A competent authority of a destination Member State has reason to suspect that a cloud computing service provider no longer fulfills the requirements under Annex II (the Union assurance level criteria).
- Request: The destination authority may request the competent authority of establishment to assess the matter and take the necessary investigatory and enforcement measures to ensure compliance (Article 28(1)). The Commission may also make such a request.
- Obligation to Act: The authority of establishment must assess the matter and take necessary measures.
- Timeline and Reporting: The authority of establishment must communicate its assessment and any measures taken to the requesting authority and the Commission as soon as possible, and in any event not later than two months after receipt of the request (Article 28(4)).
- Suspension: If the authority of establishment considers the information provided insufficient, it may request additional information. In this case, the two-month deadline is suspended until the additional information is provided.
This structure ensures that the destination state can effectively "flag" a provider for non-compliance, but the actual enforcement action (fines, revocation, orders) remains the exclusive domain of the authority of establishment.
No Automatic Mutual Recognition
It is critical to understand that CADA does not create a system of automatic mutual recognition for enforcement decisions. Unlike certain EU regulations where a judgment or administrative penalty in one Member State is automatically enforceable in another (e.g., under the European Enforcement Order or specific financial regulations), CADA relies on the exclusive competence model.
A penalty imposed by the authority of establishment is a national administrative or judicial act. If a provider fails to comply with a penalty order in the Member State of establishment, and the authority seeks to enforce that penalty against assets or operations in another Member State, it would generally need to rely on existing EU instruments for the mutual recognition of judicial or administrative decisions (such as the European Enforcement Order for uncontested claims or the Regulation on the recognition and enforcement of judgments in civil and commercial matters). These mechanisms are not detailed within CADA itself. CADA focuses on ensuring the correct authority acts, not on creating a unified EU-wide enforcement engine for the execution of penalties.
Powers of the National Competent Authorities
To fulfill their exclusive role, the authorities of establishment are granted robust powers under Article 26. These include:
- Investigative Powers: The power to require information from providers and subcontractors, inspect premises, and ask staff for explanations (Article 26(1)).
- Enforcement Powers: The power to order the cessation of infringements, impose remedies, impose fines, and impose periodic penalty payments to ensure compliance (Article 26(2)).
These measures must be effective, dissuasive and proportionate, taking into account the nature, gravity, recurrence and duration of the infringement, as well as the economic, technical and operational capacity of the service provider (Article 26(3)).
What this means for you
For legal counsel, compliance officers, and cloud service providers, the centralized enforcement model of CADA has profound strategic implications:
- Identify Your "Authority of Establishment" Immediately: Your primary regulatory interface is determined by your corporate structure, not your customer base. You must identify the Member State where your head office or registered office exercises principal financial and operational control. This is the only authority that can impose fines or revoke your Union assurance level. Your compliance strategy must be tailored to the specific procedural rules and enforcement culture of that single Member State.
- Prepare for Multi-Jurisdictional Information Requests: While only one authority can fine you, you may receive information requests from competent authorities in every Member State where you operate. Under Article 27, these authorities are obligated to share information with your authority of establishment. Ensure your legal team has a protocol for handling such requests, verifying their legitimacy, and coordinating responses with your primary regulator to avoid conflicting disclosures.
- Monitor the "Two-Month" Clock: The cross-border cooperation mechanism under Article 28 imposes a strict timeline. If a destination state flags a potential infringement, your authority of establishment has a maximum of two months to respond (unless suspended for missing info). This creates a fast-paced enforcement environment. Internal investigations must be ready to launch immediately upon notification of a cross-border request to ensure your authority can meet its statutory deadlines.
- Uniform Compliance is Non-Negotiable: Because the sovereignty criteria in Annex II apply uniformly across the Union, a failure in one Member State can trigger enforcement action by your home authority based on a request from another. You cannot argue that a practice is acceptable in one Member State but not another. Your compliance program must be robust and consistent across all EU operations to prevent "flagging" by destination authorities.
- Civil Liability Remains Local: While administrative enforcement is centralized, Article 24(3) grants recipients of cloud computing services the right to seek compensation for damage suffered due to an infringement. This civil liability can be pursued in the Member State where the damage occurred or where the claimant is established, independent of the administrative penalty process.
Common misconceptions
"Each Member State can fine a provider for local non-compliance." Incorrect. CADA centralizes enforcement. Only the national competent authority of the provider's main establishment has the power to impose fines or order remedies under the sovereignty framework. Other Member States can only request assistance or trigger action by the home authority; they cannot issue their own penalties.
"Enforcement decisions are automatically enforceable across the EU." Incorrect. CADA does not create a system of automatic mutual recognition for enforcement decisions. A penalty imposed in one Member State does not automatically apply in another. Cross-border enforcement of penalties would rely on separate, existing EU legal instruments for the recognition of judicial or administrative decisions, which are outside the scope of CADA.
"The authority where the service is used has primary enforcement power." Incorrect. While the authority in the Member State where the service is used (the destination state) plays a crucial role in identifying potential infringements and requesting action under Article 28, it does not have direct enforcement power over the provider. It must rely on the authority of establishment to take investigatory and enforcement measures.
"Mutual assistance is optional or discretionary." Incorrect. Article 27 mandates that competent authorities cooperate closely and provide mutual assistance. Requests for information must be complied with, and the receiving authority must inform the authority of establishment about the action taken within strict timeframes (two months).
This is general information about a draft EU regulation, not legal advice.