Can a Member State designate more than one CADA authority?

Summary Yes, under the proposed Cloud and AI Development Act (CADA), a Member State may designate more than one national competent authority. Article 25(1) explicitly states that Member States shall designate "one or more national competent authorities" responsible for enforcing the cloud computing sovereignty framework. These authorities may be newly established bodies or, as the text permits, "existing authority or existing authorities." However, while multiple bodies can be designated, Article 25(4) establishes a strict "exclusive competence" rule: the authority in the Member State where the cloud provider has its main establishment holds sole enforcement power for that provider. This structure allows for administrative flexibility while preventing regulatory fragmentation through a "lead authority" model.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a harmonised Union framework for cloud sovereignty. A critical component of this framework is the enforcement mechanism, which relies on national competent authorities (NCAs). The rules governing the designation, composition, and powers of these authorities are detailed in Article 25 of the proposal.

Flexibility in Designation: "One or More"

The legislative text explicitly rejects a "one-size-fits-all" mandate for the number of supervisory bodies. Article 25(1) provides the primary rule:

"By [date of entry into force plus 1 year], Member States shall designate one or more national competent authorities responsible for enforcing this Chapter."

This phrasing grants Member States significant discretion. A Member State is not required to create a single, monolithic agency dedicated solely to CADA. Instead, it may distribute responsibilities across multiple entities if its national administrative structure warrants it. For example, a Member State might designate its data protection authority to handle aspects related to data sovereignty, its cybersecurity agency for technical security criteria, and its market surveillance body for conformity assessment procedures.

Leveraging Existing Authorities

To promote efficiency and avoid unnecessary bureaucratic duplication, the proposal encourages the use of pre-existing regulatory infrastructures. Article 25(1) clarifies:

"To that effect, Member States may designate an existing authority or existing authorities ('competent authorities')."

This provision allows Member States to integrate CADA enforcement into their current regulatory landscape. A Member State could designate its national cybersecurity centre, its competition authority, or its data protection authority, provided these bodies are granted the specific mandate to enforce the sovereignty framework. This approach aligns with the broader EU regulatory philosophy of building upon established expertise rather than creating entirely new silos for every new legislative instrument.

The "Exclusive Competence" Constraint

While the designation of multiple authorities is permitted, the proposal introduces a crucial constraint to ensure legal certainty and prevent conflicting rulings for cloud providers operating across borders. Article 25(4) establishes the principle of exclusive competence:

"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."

This creates a "lead authority" model similar to that found in the GDPR. Even if a Member State has designated three different authorities under Article 25(1), only one of them—the one located in the Member State of the provider's main establishment—has the power to enforce CADA against that specific provider. Other authorities within the same Member State, or in other Member States, cannot independently initiate enforcement actions or recognition decisions for that provider. They must defer to the lead authority.

Coordination Implications

The possibility of multiple designated authorities necessitates robust internal and cross-border coordination mechanisms to ensure the framework functions effectively.

1. Internal Coordination within Member States Where a Member State designates multiple authorities, it must establish internal protocols to ensure that the "exclusive competence" rule is respected. If Authority A and Authority B are both designated in Member State X, but the cloud provider's main establishment is in Member State X, the Member State must ensure that only the specific authority designated as the lead for that provider (or the authority with the relevant mandate) acts as the single point of contact. The text implies that Member States must manage the division of tasks to avoid internal conflict, ensuring that the authority with exclusive competence can effectively exercise its powers without interference from other domestic bodies.

2. Cross-Border Cooperation The proposal mandates extensive cooperation between authorities across the Union to support the lead authority model. Article 27 (Mutual Assistance) and Article 28 (Cross-border cooperation) require competent authorities to cooperate closely and provide mutual assistance.

• Information Exchange: Under Article 27, an authority may request specific information from another authority to exercise its investigative powers. If a Member State has multiple authorities, they must ensure seamless information sharing to support the lead authority's investigations.
• Cross-Border Enforcement: Under Article 28, if an authority in a destination Member State suspects a provider no longer meets the criteria, it must request the authority of establishment (the lead authority) to assess the matter. This ensures that enforcement remains centralized at the point of establishment, even when issues arise in other jurisdictions.

3. Transparency via the Public Register To provide legal certainty for cloud providers navigating this potentially complex landscape, Article 25(2) requires transparency:

"Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers. The Commission shall maintain a public register of those authorities."

If a Member State designates multiple authorities, this register must clearly delineate the specific roles, tasks, and powers of each. This allows providers to identify precisely which authority holds exclusive competence over them and which authorities may play a supporting or investigative role.

Resource and Impartiality Requirements

Regardless of whether a Member State designates one or multiple authorities, Article 25(3) imposes strict operational standards. Member States must ensure that their competent authorities:

• Perform tasks in an "impartial, transparent and timely manner."
• Have "all necessary resources," including sufficient technical, financial, and human resources, to adequately supervise all cloud computing service providers within their competence.

This means that if responsibilities are split among multiple bodies, each must be sufficiently resourced to handle its specific slice of the oversight burden. A Member State cannot designate multiple authorities and then underfund them, as this would violate the requirement to "adequately supervise" the market.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the flexibility in designating multiple authorities introduces specific strategic and operational considerations:

1. Verify the Lead Authority: Do not assume a single "CADA Authority" exists in a Member State. You must consult the Commission's public register (mandated by Article 25(2)) to identify the specific authority in the Member State of your main establishment that holds exclusive competence. Engaging with the wrong domestic authority could lead to procedural delays or invalid submissions.
2. Map the Regulatory Landscape: If your organization operates in multiple Member States, you may face different lead authorities in each jurisdiction. Ensure your compliance team can distinguish between the CADA lead authority and other national regulators (e.g., data protection authorities), even if they are housed within the same ministry or share a parent organization.
3. Prepare for Coordinated Investigations: Under Article 26, competent authorities have broad investigative powers, including the right to request information and conduct inspections. If a Member State has multiple designated authorities, your internal protocols must allow for rapid, coordinated responses to inquiries from the lead authority. Be aware that other domestic authorities may assist in investigations under the mutual assistance framework of Article 27, but the lead authority retains the decision-making power.
4. Monitor Resource Adequacy: If you encounter significant delays or inconsistencies in enforcement, consider whether the designated authority is meeting the resource requirements of Article 25(3). The Member State is legally obligated to ensure its authorities have sufficient technical, financial, and human resources to supervise the market effectively.

Common misconceptions

• Misconception: "If a Member State designates multiple authorities, I can choose which one to engage with for recognition."
  • Reality: No. Article 25(4) grants exclusive competence to the authority in the Member State of your main establishment. You must engage with the specific authority designated for that role, not any other domestic authority, regardless of how many are listed in the national designation.
• Misconception: "Multiple authorities mean I could face parallel enforcement actions from different bodies in the same country."
  • Reality: No. The exclusive competence rule prevents parallel enforcement. Other authorities must defer to the lead authority for recognition and enforcement decisions. While they may assist in investigations under Article 27, they cannot issue independent enforcement decisions against the same provider.
• Misconception: "Member States must create new, specialized CADA agencies to comply."
  • Reality: No. Article 25(1) explicitly allows the designation of "existing authority or existing authorities." Member States are encouraged to leverage current regulatory bodies to ensure efficiency and avoid bureaucratic duplication.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• When must Member States designate a CADA competent authority?
• How do I find the CADA competent authority for my Member State?
• Can a CADA enforcement decision be enforced in another Member State?
• Can a CADA authority ask for more information on a cross-border request?
• Which Member State enforces CADA against a cloud provider?

This is general information about a draft EU regulation, not legal advice.