Summary
Yes, as proposed, Member States may designate an existing national regulator to act as the competent authority for the Cloud and AI Development Act (CADA). Article 25(1) explicitly permits this, allowing for the reuse of established bodies rather than creating new entities from scratch. However, the designated authority must possess sufficient technical, financial, and human resources to supervise cloud and AI providers effectively, and its powers must be clearly defined to ensure impartiality. While overlap with NIS2 and cybersecurity regulators is anticipated, the CADA mandate extends beyond technical security to include sovereignty, data localisation, and third-country control assessments.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for sovereign cloud computing services across the European Union. A critical component of this framework is the oversight mechanism, which relies on national competent authorities to enforce compliance, conduct investigations, and grant recognitions of Union assurance levels. The legislative design intentionally avoids mandating the creation of entirely new administrative structures, instead opting for a flexible approach that leverages existing regulatory capacity.
Designation of Existing Authorities
Under Article 25(1) of the proposed CADA, Member States are required to designate one or more national competent authorities responsible for enforcing the chapter on cloud computing sovereignty. Crucially, the text states: "To that effect, Member States may designate an existing authority or existing authorities ('competent authorities')."
This provision offers significant flexibility to Member States. It acknowledges that many jurisdictions already possess regulatory bodies with relevant expertise in digital markets, data protection, or cybersecurity. Instead of establishing entirely new administrative structures, governments can leverage existing institutions. This approach aims to reduce administrative overhead and accelerate the implementation timeline, as existing bodies may already have the legal standing, procedural frameworks, and institutional memory required for regulatory oversight. The proposal does not restrict the designation to a specific type of authority, meaning a data protection authority, a cybersecurity agency, a competition authority, or a dedicated digital regulator could all potentially serve this role, depending on national administrative law.
Resourcing and Independence Requirements
While designation is flexible, the operational requirements for these authorities are stringent. Article 25(3) mandates that Member States ensure their competent authorities perform their tasks in an impartial, transparent, and timely manner. More importantly, it requires that these authorities have "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence."
This resourcing requirement is a substantive condition, not merely a suggestion. Cloud and AI infrastructure is complex, involving sophisticated technical architectures, data flows, and security protocols. A regulator cannot effectively audit a cloud provider's compliance with Union assurance levels (such as levels 2, 3, or 4) without staff who possess deep technical expertise in cloud infrastructure, cybersecurity, and data governance. Therefore, simply designating an existing body is insufficient; the Member State must also ensure that the body is adequately funded and staffed to meet these new obligations. If an existing regulator lacks the specific technical capacity to verify software supply chains or assess third-country control, the Member State would be in breach of Article 25(3) unless it invests in upskilling or recruitment.
Overlap with NIS2 and Cybersecurity Regulators
The designation of CADA authorities often intersects with existing regulatory landscapes, particularly the Directive on Security of Network and Information Systems (NIS2). The explanatory memorandum notes that NIS2 improves cybersecurity risk management for cloud providers and data centres but focuses on technical cybersecurity rather than broader sovereignty considerations.
Consequently, the same national body that oversees NIS2 compliance might be designated as the CADA competent authority. This creates a potential overlap in regulatory scope. While NIS2 focuses on preventing cyber incidents and ensuring resilience, CADA focuses on sovereignty, data localisation, personnel citizenship, and protection against third-country extraterritorial access.
If an existing cybersecurity regulator is designated, it must expand its mandate beyond technical security checks to include sovereignty risk assessments and audits of operational autonomy. This requires a shift in expertise from purely technical cybersecurity to include legal and geopolitical risk analysis. The CADA framework complements the Cybersecurity Act (CSA2), which addresses supply chain risks, but CADA specifically targets non-technical sovereignty risks. Therefore, the designated authority must be capable of handling both technical and non-technical dimensions of cloud service provision. The proposal explicitly states that certification under the Cybersecurity Act can address technical cybersecurity criteria but is "not suited for addressing sovereignty concerns that go beyond these technical elements."
Exclusive Competence and Main Establishment
Article 25(4) clarifies jurisdiction by stating that the Member State where the cloud computing service provider has its main establishment has exclusive competence for enforcing this chapter. The "main establishment" is defined as the head office or registered office from which principal financial functions and operational control are exercised. This "passporting" mechanism means that once a provider is recognised by the competent authority in its home Member State, that recognition applies across the entire Union. This reduces the burden on providers, who do not need to undergo separate audits in every Member State, but it places significant responsibility on the home authority to conduct thorough and reliable assessments.
What this means for you
For in-house counsel and compliance officers, the designation of an existing regulator has several practical implications:
- Identify Your Regulator Early: Since Member States have flexibility in designation, the specific authority responsible for CADA enforcement may vary across the EU. You must monitor national transposition and designation notices to identify which body holds competence in your main establishment's jurisdiction. This could be a data protection authority, a cybersecurity agency, or a new digital market regulator.
- Prepare for Enhanced Scrutiny: The resourcing requirements under Article 25(3) suggest that competent authorities will be equipped to conduct rigorous, technical audits. Compliance teams should ensure that their documentation regarding data flows, subcontractor oversight, and personnel locations is meticulously maintained. The authority will need to verify these elements to grant Union assurance level recognition.
- Understand the Sovereignty Distinction: If your current regulator is a NIS2 authority, be aware that CADA audits will go beyond cybersecurity. You will need to demonstrate compliance with sovereignty criteria, such as ensuring that no third-country laws can compel data access or service disruption. This requires legal and contractual safeguards that may not be relevant under NIS2 but are critical under CADA.
- Monitor Resource Allocation: If your national regulator is an existing body, it may face resource constraints initially as it adapts to new CADA mandates. Compliance officers should anticipate potential delays in recognition processes and plan their cloud procurement strategies accordingly, especially if migrating to sovereign cloud services is required for public sector contracts.
Common misconceptions
- Myth: CADA creates entirely new regulators in every Member State.
- Fact: Article 25(1) explicitly allows the designation of existing authorities. Many Member States will likely repurpose current digital or cybersecurity regulators to avoid bureaucratic duplication.
- Myth: Cybersecurity compliance is sufficient for CADA.
- Fact: While cybersecurity is a component (particularly for higher assurance levels), CADA focuses on sovereignty. A service can be secure but not sovereign if it is controlled by a third-country entity that can be compelled to access data. The designated authority must assess both dimensions.
- Myth: Any existing regulator can be designated without additional resources.
- Fact: Article 25(3) requires "sufficient technical, financial and human resources." An existing authority cannot be designated if it lacks the capacity to adequately supervise cloud providers. Member States must invest in upskilling staff and providing tools for complex cloud audits.
- Myth: Providers face multiple audits in different countries.
- Fact: Article 25(4) establishes exclusive competence for the Member State of the main establishment. Once recognised there, the service is recognised Union-wide, provided no other Member State raises a reasoned objection during the review period.
This is general information about a draft EU regulation, not legal advice.