Summary

Yes, a cloud computing service provider (CSP) can still be penalised under the proposed Cloud and AI Development Act (CADA) even if it corrects a disclosed change. While prompt disclosure and remediation are significant mitigating factors that authorities must consider when setting penalties, they do not grant automatic immunity from enforcement. The primary obligation under Article 23 is to notify the competent authority of material changes; failure to do so, or providing misleading information, remains an infringement subject to the penalty framework in Article 24, regardless of subsequent corrective actions. Remediation reduces the severity of the penalty, not the existence of the infringement.

Detail

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers (CSPs) seeking recognition under the Union assurance levels face strict transparency obligations. These obligations are designed to ensure the integrity of the sovereignty framework and protect public order. The interplay between the obligation to disclose changes (Article 23) and the enforcement mechanisms for infringements (Article 24) creates a nuanced compliance landscape where remediation mitigates but does not necessarily eliminate liability.

The Obligation to Disclose Material Changes

Article 23 of CADA establishes the transparency obligations for recognised CSPs. Specifically, Article 23(1) mandates that a recognised CSP must, "as soon as possible," notify the auditing organisation and the national competent authority of establishment upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."

This obligation is proactive and continuous. It is not limited to changes that ultimately result in a loss of recognition; it covers any material change that may affect the audit report or recognition status. The phrase "as soon as possible" implies an immediate duty to report, leaving little room for delay while internal investigations conclude once the provider has become aware of the potential impact. The regulation does not condition the duty to report on the provider's ability to fix the issue first; the duty to inform arises the moment the provider becomes aware of the material change.

The Penalty Framework and the Role of Remediation

Article 24 sets out the penalties and compensation rules applicable to infringements by CSPs. Article 24(1) requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." Crucially, Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account when imposing penalties.

It is within this framework that remediation and disclosure play a critical role. Article 24(2)(b) explicitly states that Member States shall take into account "any action taken by the infringing party to mitigate or remedy the damage caused by the infringement." This provision confirms that correcting a disclosed change is a legally recognised mitigating factor. If a CSP identifies a breach, discloses it promptly under Article 23, and takes effective steps to remedy the situation, the competent authority is obliged to consider this action when determining the severity of the penalty.

However, mitigation is not absolution. The existence of a mitigating factor does not negate the fact that an infringement occurred. The infringement is typically the failure to comply with the transparency obligations of Article 23 (e.g., late disclosure, incomplete disclosure) or the underlying failure to maintain the conditions for the Union assurance level. Even if the CSP corrects the technical or operational issue that triggered the material change, the initial failure to disclose or the delay in disclosure remains a distinct violation of the Regulation. The penalty regime is designed to be "dissuasive," meaning that even a remediated breach may attract a sanction to signal that the obligation was breached, albeit at a reduced level.

Distinction Between Infringement and Remediation

To understand why a CSP can be penalised after correcting a change, it is essential to distinguish between the substance of the change and the procedural obligation to report it.

  1. The Underlying Change: If a CSP undergoes a material change that causes it to fall out of compliance with a specific Union assurance level criterion (e.g., a subcontractor begins processing data outside the Union in violation of Annex II criteria), the CSP must disclose this. If the CSP then fixes the issue (e.g., moves the data processing back into the Union), the service may remain compliant or return to compliance. However, the period during which the non-compliance existed, and the manner in which it was disclosed, are subject to scrutiny.
  2. The Disclosure Failure: If the CSP delays the disclosure required by Article 23(1), it has infringed the Regulation. The subsequent correction of the underlying technical issue does not erase the fact that the competent authority was deprived of timely information. Article 24(2)(e) also allows authorities to consider "any other aggravating or mitigating factor," and Article 24(2)(d) considers "financial benefits gained or losses avoided." If a delay in disclosure allowed the CSP to avoid immediate market consequences or regulatory scrutiny, this could be viewed as an aggravating factor, potentially offsetting the mitigation gained from the eventual fix.

The Risk of Negligence or Intent

Article 17(11) of CADA provides that the evaluating national competent authority may revoke recognition if it finds that a CSP "intentionally or negligently, supplied incorrect or misleading information." This highlights that the quality of the disclosure is as important as the timing. A CSP that discloses a change but provides incomplete or misleading details, even if it later corrects the situation, may face revocation of recognition and penalties. The penalty regime in Article 24 applies to "infringements of this Chapter," which includes the transparency obligations of Article 23 and the recognition conditions of Article 17. Therefore, a negligent disclosure followed by a correction is still an infringement subject to penalty, albeit one where the corrective action will be weighed under Article 24(2)(b).

Furthermore, Article 23(2) and 23(3) establish a chain of notification: if the auditing organisation amends or revokes an audit report due to a material change, it must notify the competent authority; if the competent authority amends or revokes recognition, it must notify other Member States and the Commission. This chain ensures that the central repository (under Article 22) reflects the current status. A CSP that corrects a change but fails to trigger this chain correctly may still be liable for the initial failure to notify "as soon as possible."

What this means for you

For in-house counsel and compliance officers, the key takeaway is that remediation is a defence against severity, not against liability. You cannot assume that fixing a problem internally before or after disclosure shields the company from penalties. Instead, you must build a compliance protocol that treats disclosure and remediation as parallel, equally critical tracks.

1. Prioritise "As Soon As Possible" Disclosure: Article 23(1) requires notification "as soon as possible." Develop internal triggers that mandate immediate legal and compliance review when a material change is identified. Do not wait until the root cause is fully resolved to begin the disclosure process. Early disclosure demonstrates good faith and maximises the mitigating effect under Article 24(2)(b). Delaying disclosure to "fix it first" risks converting a minor procedural breach into a significant infringement due to the duration of non-disclosure.

2. Document Remediation Actions Rigorously: Since Article 24(2)(b) requires authorities to consider "any action taken... to mitigate or remedy the damage," your documentation of these actions is your primary evidence for mitigation. Keep detailed records of:

  • The timeline of discovery (to prove the "as soon as possible" standard was met).
  • The immediate steps taken to contain the issue.
  • The technical or operational fixes implemented.
  • The verification that the fix restored compliance with the Union assurance level criteria.
  • Evidence that the notification was sent to both the auditing organisation and the competent authority.

3. Assess the "Materiality" Threshold Carefully: Not every change requires disclosure. Only "material change[s] in circumstances that may affect the audit report and the 'positive' opinion" must be reported. Establish a clear internal matrix defining what constitutes a material change for your specific service architecture. Over-disclosure can create administrative burden, but under-disclosure risks penalties. When in doubt, err on the side of disclosure and document the rationale. The burden of proof regarding materiality often lies with the provider to demonstrate why a change was not reported.

4. Prepare for the "Non-Exhaustive" Criteria: Remember that the criteria in Article 24(2) are non-exhaustive. While remediation is a mitigating factor, authorities may also consider the "nature, gravity, scale and duration of the infringement" (Article 24(2)(a)) and "any previous infringements" (Article 24(2)(c)). A first-time offender that remediates quickly will face a significantly lower penalty than a repeat offender with a history of disclosure failures, even if the technical fix is identical. The "financial benefits gained or losses avoided" (Article 24(2)(d)) can also be a significant factor if the delay in disclosure allowed the provider to continue operating under a false assurance level.

Common misconceptions

Misconception 1: "If we fix it before the auditor finds out, we are safe." This is incorrect. Article 23(1) requires the CSP to notify the authority and auditing organisation "on becoming aware" of the change. The obligation is self-reporting. If the CSP knows of the material change and fixes it silently, it has failed its disclosure obligation. This constitutes an infringement of Article 23, which is punishable under Article 24. The fact that the auditor did not detect it does not negate the violation of the transparency duty. The infringement is the failure to notify, not just the existence of the non-compliant state.

Misconception 2: "Remediation means no penalty." Article 24(2)(b) states that remediation is a criterion to be taken into account, not a bar to penalties. The penalty framework is designed to be "dissuasive." A penalty may still be imposed to signal that the obligation was breached, even if the harm was mitigated. The penalty amount may be reduced, but it is not automatically zero. The regulation explicitly requires penalties to be "effective, proportionate and dissuasive," which implies that a zero-penalty outcome for a breach, even a remediated one, might not meet the "dissuasive" threshold in all cases.

Misconception 3: "Only technical breaches matter; disclosure timing is flexible." The sovereignty framework relies on trust and transparency. Delays in disclosure undermine the authority's ability to protect public order. Article 24(2)(a) considers the "duration" of the infringement. A prolonged delay in disclosure, even if the underlying technical issue is minor, increases the duration of the infringement and can lead to higher penalties. The "as soon as possible" standard in Article 23(1) is a strict legal requirement, not a suggestion.

This is general information about a draft EU regulation, not legal advice.