Can a CADA fine and a periodic penalty be combined?

Summary Yes, under the proposed Cloud and AI Development Act (CADA), a national competent authority can impose both a fine and a periodic penalty payment on a cloud computing service provider simultaneously. These measures serve distinct legal purposes: a fine (Article 26(2)(b)) is a punitive sanction for a past infringement or failure to comply with an investigative order, whereas a periodic penalty payment (Article 26(2)(c)) is a coercive tool designed to compel the provider to terminate an ongoing infringement or comply with a specific order. The authority must apply these measures in a manner that is "effective, dissuasive and proportionate" under Article 26(3), ensuring the total financial burden reflects the nature, gravity, and duration of the violation.

Detail

The enforcement architecture of the proposed Cloud and AI Development Act (CADA) is designed to ensure robust compliance with the Union's cloud sovereignty framework. Central to this architecture are the investigative and enforcement powers granted to national competent authorities under Article 26. For legal practitioners and compliance officers, understanding the nuanced distinction between the two primary financial sanctions—fines and periodic penalty payments—is critical, as they operate on different legal timelines and serve different remedial goals.

The Legal Distinction: Punishment vs. Coercion

While both sanctions result in financial liability, Article 26(2) of the CADA proposal explicitly delineates their functions, preventing them from being treated as interchangeable.

1. Fines (Article 26(2)(b)): The competent authority has the power to "impose fines... for failure to comply with this Regulation, including with any of the investigative orders issued pursuant to paragraph 1."

   • Nature: A fine is a punitive sanction. It addresses a completed violation or a specific failure to cooperate.
   • Trigger: It is levied for the act of non-compliance itself (e.g., operating infrastructure outside the Union in breach of Annex II, or refusing to provide data during an investigation).
   • Effect: Once imposed and paid, the fine concludes the sanction for that specific historical breach. It does not, by itself, force the provider to stop the ongoing violation.

2. Periodic Penalty Payments (Article 26(2)(c)): The authority also has the power to "impose a periodic penalty payment... to ensure that an infringement is terminated in compliance with an order issued pursuant to point (a), or for failure to comply with any of the investigative orders issued pursuant to paragraph 1."

   • Nature: A periodic penalty is coercive. It is not a punishment for the past but a lever to force future compliance.
   • Trigger: It accrues over time (e.g., per day, per hour) as long as the infringement persists or the order remains unfulfilled.
   • Effect: The payment continues to accumulate until the provider ceases the infringement or complies with the order. Its primary goal is to terminate the violation, not merely to punish it.

Can They Be Combined?

The text of Article 26 does not prohibit the simultaneous application of both measures. On the contrary, the structure of the article implies they are designed to be used in tandem to address the full spectrum of non-compliance: the historical breach and the ongoing state of violation.

Consider a scenario where a cloud provider is found to be operating infrastructure outside the Union, violating the criteria for a specific Union assurance level under Annex II. The competent authority issues an order requiring the immediate cessation of this non-compliant service (an order under Article 26(2)(a)). If the provider ignores this order, the authority may:

1. Impose a fine for the initial failure to comply with the Regulation and the subsequent refusal to heed the cessation order. This addresses the past breach and the defiance of the initial order.
2. Impose a periodic penalty payment that continues to accrue for every day the provider continues to offer the non-compliant service. This addresses the ongoing state of non-compliance and compels the provider to stop.

In this context, the dual approach ensures that the provider faces a one-time punitive consequence for the violation while simultaneously facing escalating financial pressure to rectify the situation immediately.

Proportionality and Enforcement Criteria

The combination of these sanctions is not arbitrary; it is strictly bounded by the principle of proportionality. Article 26(3) mandates that measures taken by national competent authorities must be "effective, dissuasive and proportionate."

When determining the severity of fines or the rate of periodic penalties, authorities must consider:

• The nature, gravity, recurrence and duration of the infringement or suspected infringement.
• The economic, technical and operational capacity of the service provider concerned.

Furthermore, Article 24 provides the broader framework for penalties applicable to infringements of the sovereignty chapter. It requires Member States to lay down rules for penalties that are "effective, proportionate and dissuasive." When imposing penalties, Member States must consider non-exhaustive criteria such as:

• The scale of the infringement.
• Any action taken by the infringing party to mitigate or remedy the damage.
• Previous infringements by the infringing party.
• The financial benefits gained or losses avoided due to the infringement.
• The infringing party's annual turnover in the preceding financial year in the Union.

These factors apply to the overall penalty regime, ensuring that a combination of fines and periodic penalties does not result in a total financial burden that is excessive relative to the violation.

Procedural Safeguards

The imposition of these sanctions is subject to strict procedural safeguards to protect the rights of the provider. Article 26(4) states that the exercise of these powers must be subject to adequate safeguards under applicable national law, complying with the general principles of Union law. This includes:

• The right to respect for private life.
• The rights of defense, including the right to be heard.
• The right to have access to the file.
• The right to an effective judicial remedy.

This ensures that while authorities have broad powers to combine sanctions, they must follow due process, and the provider has the opportunity to challenge the proportionality and legality of the measures.

What this means for you

For in-house counsel and compliance officers, the ability to combine fines and periodic penalties significantly raises the financial risk profile of non-compliance with CADA's sovereignty framework.

• Immediate Response to Orders: If a national competent authority issues an order to cease an activity or provide information, do not delay. A fine may be issued for the initial breach, but a periodic penalty will start ticking if you do not comply with the order. The cost of non-compliance escalates daily, potentially surpassing the cost of compliance very quickly.
• Documentation of Compliance: Maintain rigorous records of your compliance efforts. If you are facing an ongoing investigation, demonstrate any steps taken to mitigate harm or rectify the infringement. Under Article 24(2)(b), actions taken to mitigate or remedy damage are a criterion for imposing penalties and can help reduce the severity of fines.
• Risk Assessment: When evaluating the cost of migrating infrastructure or changing subcontractors to meet Annex II criteria, factor in the potential for both a one-time fine and ongoing periodic penalties. The latter can quickly become a significant liability if the infringement persists.
• Legal Review of Orders: If an order is received, seek immediate legal review to ensure you understand the scope of compliance required. Failure to comply with investigative orders (Article 26(1)) can also trigger both fines and periodic penalties, separate from the underlying sovereignty infringement.

Common misconceptions

"A fine is the end of the matter." Many assume that paying a fine resolves the regulatory issue. Under CADA, a fine punishes the past violation, but if the infringement continues, a periodic penalty can be added to force cessation. The regulatory relationship does not end with the fine; the obligation to comply remains.

"Periodic penalties are just another type of fine." They are legally distinct. A fine is a lump-sum punishment for a past act; a periodic penalty is a coercive mechanism that accrues over time to compel future action. Confusing them can lead to inadequate financial planning for ongoing non-compliance risks.

"CADA sets fixed fine amounts." CADA does not set fixed fine amounts for sovereignty infringements. Instead, it requires Member States to establish rules for penalties that are effective, proportionate, and dissuasive (Article 24(1)). The actual amount will depend on national implementation and the specific criteria in Article 24(2) and Article 26(3).

Related

• What is a periodic penalty payment under CADA?
• Can taking remedial action reduce a CADA penalty?
• Can a CADA fine be challenged in court? Judicial remedies explained
• Are CADA periodic penalty payments capped? Article 24 & 26 explained
• Who sets the penalty rules under CADA? Article 24 explained

This is general information about a draft EU regulation, not legal advice.