Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers cannot freely "negotiate" the legal standards, Union assurance levels, or final penalty caps with a national competent authority. However, the proposal explicitly creates procedural channels where a provider's remedial actions and cooperation directly influence the enforcement outcome. Authorities are legally required to impose remedies that are "proportionate to the infringement and necessary to bring the infringement effectively to an end" under Article 26(2)(a). Furthermore, Article 24(2)(b) mandates that authorities consider "any action taken by the infringing party to mitigate or remedy the damage" when calculating penalties. Finally, providers possess a statutory right to be heard under Article 26(4) before any enforcement measure is finalized, allowing them to challenge the factual basis of an infringement and propose alternative, less burdensome solutions.
Detail
The enforcement framework established by the proposed Cloud and AI Development Act (CADA) is designed to ensure the integrity of the Union's cloud sovereignty framework while respecting the rights of defence of cloud computing service providers. While the legislation does not permit open-ended commercial-style negotiations regarding the definition of compliance obligations or the statutory criteria for Union assurance levels, it establishes a structured dialogue mechanism during the enforcement phase. This dialogue is governed by strict legal principles found in Title IV, Chapter I (the sovereignty framework and penalties), specifically Articles 24 and 26.
Proportionate and Necessary Remedies
When a national competent authority identifies an infringement of the CADA sovereignty framework, its primary objective is corrective rather than purely punitive. Article 26(2)(a) explicitly grants competent authorities the power to "order the cessation of infringements and, where appropriate, to impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end."
This statutory language is critical for cloud providers seeking to influence the scope of enforcement actions. It establishes that any remedy imposed by the authority must satisfy two strict legal criteria:
- Proportionality: The remedy must be scaled appropriately to the nature, gravity, and duration of the breach. An authority cannot impose a remedy that is excessive relative to the infringement.
- Necessity: The remedy must be the minimum action required to effectively terminate the infringement. If a less intrusive measure would achieve the same result, the authority is legally bound to consider it.
This creates a factual basis for dialogue. While the authority retains the final decision-making power to order cessation, a provider can argue that a proposed remedy is not "necessary" if their own remediation plan effectively ends the breach with less operational disruption. The authority must assess whether the provider's proposed solution meets the statutory threshold of ending the infringement effectively. If it does, the authority's power to impose a more burdensome remedy is constrained by the principle of proportionality.
Mitigation and Penalty Reduction
While providers cannot negotiate the statutory maximums for penalties, they can significantly influence the final financial outcome through proactive remedial action. Article 24 sets out the rules for penalties and compensation applicable to infringements by cloud computing service providers. Specifically, Article 24(2) lists non-exhaustive criteria that Member States must take into account when imposing penalties.
Crucially, Article 24(2)(b) requires authorities to consider "any action taken by the infringing party to mitigate or remedy the damage caused by the infringement." This gives cloud providers a direct financial incentive to act swiftly once an infringement is suspected or identified. If a provider identifies a compliance gap, implements corrective measures, and mitigates any resulting damage before the authority finalizes its penalty decision, the authority must take that conduct into account when setting the penalty.
This is not a negotiation in the sense of bargaining over a price; rather, the provider's conduct is one variable in the penalty calculation. The authority must weigh the mitigation against the other criteria, such as the nature, gravity, scale, and duration of the infringement (Article 24(2)(a)) and any financial benefits gained by the infringing party (Article 24(2)(d)). The explicit inclusion of mitigation as a criterion ensures that proactive remediation is recognized in the final penalty, although it does not guarantee any particular reduction.
The Right to Be Heard
Before any enforcement measure is finalized, procedural safeguards protect the cloud provider. Article 26(4) mandates that measures taken by national competent authorities "shall be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file."
This right to be heard is a fundamental procedural guarantee that transforms the enforcement process from a unilateral decision into a contested administrative procedure. It means that before an authority issues a final order for cessation, imposes a fine, or mandates a specific remedy, the provider must be given a formal opportunity to present its case. This includes:
- Access to the file: The provider can review the evidence and documentation held by the authority that forms the basis of the suspected infringement.
- Right to present arguments: The provider can submit their own analysis, technical evidence, and proposed solutions.
This stage is the primary opportunity for a provider to "negotiate" the factual basis of the infringement and the appropriateness of the proposed response. By presenting technical evidence that a proposed remedy is disproportionate or that alternative measures would be equally effective, a provider can shape the authority's final decision within the bounds of the law. The authority is required to take due account of the provider's comments before finalizing its decision.
Limits of Negotiation
It is essential to distinguish between procedural dialogue and substantive negotiation. CADA does not allow providers to negotiate the definition of sovereignty criteria, such as the specific requirements for Union assurance levels 1 through 4, which are fixed in Annex II. A provider cannot bargain to accept a lower assurance level for a specific public sector contract if the risk assessment under Article 29 dictates a higher level. Similarly, the requirement to undergo independent audits for higher assurance levels is mandatory and cannot be waived through negotiation.
The "negotiation" space is strictly confined to the application of enforcement powers: how an infringement is characterized based on the evidence, what specific technical steps are required to cure it in a proportionate manner, and how much the provider's cooperation and remediation reduce the financial penalty. The legal standards themselves remain immutable.
What this means for you
For cloud service providers and data centre operators, understanding these provisions is essential for effective risk management and compliance strategy during an enforcement investigation.
- Document Remedial Actions Rigorously: Maintain detailed logs of any compliance issues identified internally and the specific steps taken to resolve them. If an authority investigates, this documentation is your primary evidence for invoking Article 24(2)(b) to seek a penalty reduction. Prove that you acted quickly and effectively to mitigate damage.
- Engage Early in Enforcement: If an authority initiates an investigation, do not wait for the final decision. Use the right to be heard under Article 26(4) proactively. Present your own analysis of the infringement and propose specific, proportionate remedies that effectively end the breach. Show that your proposed solution meets the "necessity" test.
- Challenge Disproportionate Orders: If an authority proposes a remedy that seems excessive, cite Article 26(2)(a). Argue that the proposed measure is not "necessary" or "proportionate" to end the infringement, and offer a technically equivalent but less burdensome alternative. The authority must consider whether your alternative achieves the same result.
- Prepare for Access to File: Ensure your legal and compliance teams are ready to review the authority's file promptly. The right to be heard is only effective if you have sufficient time and access to the evidence to craft a robust response. Challenge any evidence that is inaccurate or incomplete.
Common misconceptions
Misconception 1: Providers can bargain for lower assurance levels. Some providers believe they can negotiate with authorities to accept a lower Union assurance level (e.g., Level 2 instead of Level 3) for a specific public sector contract. This is incorrect. The assurance level required is determined by the risk assessment conducted by the contracting authority under Article 29, based on the fixed criteria in Annex II. A cloud provider cannot negotiate these criteria with the competent authority.
Misconception 2: Cooperation eliminates penalties entirely. While mitigation under Article 24(2)(b) reduces penalties, it does not automatically eliminate them. The authority must still consider the nature, gravity, scale, and duration of the infringement (Article 24(2)(a)) and any financial benefits gained (Article 24(2)(d)). Proactive remediation is a mitigating factor, not a complete defense against liability.
Misconception 3: The right to be heard is a formality. Some view the right to be heard as a box-ticking exercise. In reality, under Article 26(4), it is a substantive right that can alter the outcome of enforcement. Authorities must take due account of the provider's comments. A well-prepared submission demonstrating technical constraints or proposing effective alternative remedies can significantly influence the proportionality of the final order and the final penalty amount.
Related
- Can the Commission ask a CADA authority to investigate a provider?
- Can a CADA authority impose both fines and remedies at once?
- What remedies can CADA authorities impose on providers?
- Can CADA enforcement lead to a provider losing its assurance-level recognition?
- Can CADA authorities seize a cloud provider's data?
This is general information about a draft EU regulation, not legal advice.