Summary
Yes, under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider can be penalised for obstructing an investigation or failing to comply with investigative orders. Article 26(2) of the proposal explicitly empowers national competent authorities to impose fines and periodic penalty payments for such failures. Obstruction directly undermines the authority's ability to verify compliance with Union assurance levels, triggering escalating financial consequences designed to force cooperation. As proposed, these penalties apply even if no underlying sovereignty breach is ultimately proven; the failure to cooperate itself constitutes an infringement.
Detail
The Cloud and AI Development Act (CADA) establishes a rigorous framework to ensure the sovereignty and security of cloud computing services used by the public sector and critical infrastructure. Central to this framework is the ability of national competent authorities to verify that providers meet the specific "Union assurance levels" required for their services. To do this effectively, authorities must have unfettered access to information, premises, and personnel. The proposal treats obstruction not as a procedural nuisance, but as a substantive infringement that threatens the integrity of the entire sovereignty regime.
Investigative Powers and the Duty to Cooperate
Article 26 of the CADA proposal outlines the specific powers of national competent authorities designated by Member States. Paragraph 1 details the investigative powers, which are essential for the enforcement of the Regulation. These powers include the authority to:
- Require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession (including auditing organisations), to provide information as soon as possible (Article 26(1)(a)).
- Carry out, or request a judicial authority to order, inspections of any premises used for trade or business purposes to examine, seize, take or obtain copies of information relating to a suspected infringement (Article 26(1)(b)).
- Ask any member of staff or representative of those providers to give explanations in respect of any information relating to a suspected infringement and, with their consent, to record their answers (Article 26(1)(c)).
These powers are not merely procedural; they are the operational backbone of the sovereignty framework. If a provider obstructs these powers (by refusing access, delaying information, providing misleading data, or hampering the performance of an audit), they are directly impeding the enforcement of CADA. The proposal explicitly states in Article 26(2) that providers must "refrain from hampering, unduly influencing or undermining the performance of the audit," a duty that extends to the broader investigative powers of the competent authority.
Penalties for Obstruction and Non-Compliance
The proposal explicitly addresses non-compliance with these investigative powers in Article 26(2), which sets out the enforcement powers available to national competent authorities. This paragraph creates a two-tiered penalty structure for failure to cooperate.
First, Article 26(2)(b) grants authorities the power to "impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with this Regulation, including with any of the investigative orders issued pursuant to paragraph 1."
This provision is critical: the act of obstructing an investigation is, in itself, an infringement subject to financial penalty. The fine is not contingent on the provider eventually being found guilty of a sovereignty breach (e.g., failing to meet Union assurance level criteria). Instead, the fine applies to the procedural failure to assist the authority in discovering whether such a breach exists. As proposed, the authority can penalise the refusal to provide data or the denial of site access immediately upon the failure to comply with the order.
Second, Article 26(2)(c) introduces a mechanism for escalating pressure on non-compliant providers. Authorities have the power to "impose a periodic penalty payment, or to request a judicial authority in their Member State to do so, in accordance with Article 24 to ensure that an infringement is terminated in compliance with an order issued pursuant to point (a), or for failure to comply with any of the investigative orders issued pursuant to paragraph 1."
Periodic penalty payments are recurring fines (e.g., calculated daily or weekly) that continue to accrue until the provider complies with the investigative order. This creates a powerful financial incentive for providers to cease obstruction and cooperate immediately. Unlike a one-off fine, a periodic penalty can grow indefinitely, making prolonged obstruction financially unsustainable. The reference to Article 24 ensures that these penalties are "effective, proportionate and dissuasive," and that Member States consider criteria such as the nature, gravity, scale, and duration of the infringement, as well as the financial benefits gained or losses avoided by the infringing party.
Proportionality and Safeguards
While the powers are broad, Article 26(3) requires that measures taken by national competent authorities in exercising these powers be "effective, dissuasive and proportionate." Authorities must have regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement, and, where relevant, the economic, technical and operational capacity of the service provider concerned.
However, "proportionality" does not mean obstruction is tolerated. It means the severity of the fine or the rate of the periodic penalty will be calibrated to the provider's size and the severity of the obstruction. A small startup delaying a minor information request due to technical constraints may face a different consequence than a hyperscaler refusing physical access to a data centre during a critical sovereignty audit. The proposal ensures that the penalty fits the obstruction, but it does not excuse the obstruction itself.
Additionally, Article 26(4) ensures that the exercise of these powers is subject to adequate safeguards under applicable national law in compliance with the general principles of Union law. These measures shall be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file, and shall be subject to the right of all affected parties to an effective judicial remedy. This means a provider can challenge an order in court, but they cannot simply ignore it while the challenge is pending without risking periodic penalties.
What this means for you
For cloud service providers, data centre operators, and their legal teams, the message is clear: cooperation with national competent authorities is a strict legal obligation, not a discretionary courtesy. The proposed framework treats non-cooperation as a distinct and punishable offence.
- Designate a Compliance Contact: Ensure you have a dedicated, empowered point of contact for national competent authorities. Delays in responding to information requests under Article 26(1)(a) can be construed as a failure to comply, triggering immediate fines under Article 26(2)(b).
- Prepare for Physical Inspections: Your premises may be inspected. Have clear, pre-approved protocols for granting access to auditors and authority officials. Refusing entry, delaying access to servers, logs, or administrative panels, or failing to provide staff for interviews can be classified as obstruction.
- Understand Periodic Penalties: Be acutely aware that non-compliance with an investigative order can lead to accumulating daily fines. If you are unable to provide requested information immediately (e.g., due to technical constraints or the need to redact trade secrets), communicate this proactively to the authority to demonstrate good faith and mitigate the risk of periodic penalties. Silence is not a defence.
- Document Your Responses: Keep detailed records of all information provided to authorities and all interactions. If you believe an order is overly broad or disproportionate, use the legal safeguards in Article 26(4) to challenge it through proper judicial channels rather than refusing to comply outright. A refusal to comply while a challenge is pending may still trigger periodic penalties until a court orders otherwise.
Common misconceptions
Misconception 1: "I can refuse to provide information if it contains trade secrets." While trade secrets are protected under confidentiality rules, this does not give you the right to obstruct an investigation. Article 26 allows authorities to request information necessary to assess infringements. If you believe certain data is confidential, you should flag it as such and request appropriate confidentiality measures (as implied by the duty of professional secrecy in Article 20(3) regarding audits), rather than refusing to provide it. A blanket refusal can still trigger fines under Article 26(2)(b).
Misconception 2: "Penalties only apply if I am found guilty of a sovereignty breach." No. Article 26(2)(b) explicitly states that fines can be imposed for "failure to comply with this Regulation, including with any of the investigative orders." You can be fined for obstructing the investigation even if no underlying sovereignty infringement is ultimately proven. The obstruction itself is the infringement. The authority's power to investigate is independent of the final outcome of the case.
Misconception 3: "Periodic penalties are just a suggestion or a last resort." Periodic penalty payments under Article 26(2)(c) are a formal, statutory enforcement tool. They are designed specifically to coerce compliance. If you fail to comply with an investigative order, the authority can impose recurring fines until you comply. This is a serious financial risk that can escalate quickly, potentially exceeding the cost of the original compliance issue.
This is general information about a draft EU regulation, not legal advice.