Summary
Under the proposed Cloud and AI Development Act (CADA), national competent authorities can enforce sovereignty and transparency obligations against non-EU cloud providers only if those providers have a "main establishment" within the European Union. The Member State where this main establishment is located holds exclusive competence for enforcement under Article 25(4). However, the framework is not isolated: if a "destination authority" (where the service is used) or the Commission suspects non-compliance, Article 28 empowers them to request an assessment and enforcement action from the authority of establishment. This ensures that providers serving the EU market remain accountable, even if their primary regulator is in a different Member State.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised sovereignty framework for cloud computing services. A critical operational question for non-EU providers and their EU subsidiaries is how enforcement jurisdiction is allocated across the single market. CADA explicitly rejects a model where every national authority has free rein to investigate any provider serving the EU. Instead, it institutes a strict "authority of establishment" model, designed to prevent regulatory fragmentation, while supplementing it with robust cross-border cooperation mechanisms to address risks in other Member States.
Exclusive Competence Based on Main Establishment
The cornerstone of CADA's enforcement architecture is Article 25(4). This provision mandates that the Member State in which the cloud computing service provider has its main establishment shall have exclusive competence for enforcing the sovereignty chapter (Title IV, Chapter I) of the Regulation.
The proposal defines "main establishment" in Article 25(4) as the location of the provider's head office or registered office "from which the principal financial functions and operational control are exercised." For a non-EU multinational provider, this typically corresponds to the EU subsidiary that acts as the central hub for European operations, rather than a local sales office or a regional data centre.
Consequently, if a non-EU provider operates in multiple Member States but exercises principal operational control from a single EU entity (e.g., in Ireland or Germany), only the competent authority of that specific Member State has the legal power to:
- Investigate suspected infringements of Union assurance level criteria.
- Impose fines or periodic penalty payments.
- Order the cessation of infringements or mandate remedial measures.
- Recognise or revoke the provider's Union assurance level status.
This exclusive competence is a deliberate design choice to ensure legal certainty and prevent conflicting enforcement actions. It ensures that a single provider is not subject to simultaneous, potentially contradictory investigations from multiple national regulators. The authority of establishment is also the sole body responsible for supervising the audits required for recognition and managing the provider's entry into the central repository of recognised services.
Investigative and Enforcement Powers
Once exclusive competence is established, the authority of establishment wields significant powers under Article 26. These powers are designed to be "effective, dissuasive and proportionate" and include:
- Investigative Powers: The authority can require any person acting for the provider (including auditing organisations) to provide information, carry out inspections of premises, and request explanations from staff.
- Enforcement Powers: The authority can order the cessation of infringements, impose remedies, and levy fines or periodic penalty payments for failure to comply with the Regulation or investigative orders.
These powers apply to infringements of the sovereignty framework, including failures to meet the cumulative criteria for Union assurance levels (Annex II) or the provision of misleading information during the recognition process.
Escalation by Destination Authorities and the Commission
While the authority of establishment holds exclusive competence, Article 28 ensures that authorities in other Member States (destination authorities) and the Commission are not powerless if they suspect non-compliance affecting their territory.
Article 28(1) establishes a clear escalation path: if a competent authority of a destination Member State has reason to suspect that a cloud computing service provider no longer fulfils the requirements of the Union assurance levels, it may request the competent authority of establishment to assess the matter. The request must be "duly reasoned"; a bare suspicion is not enough.
Upon receiving such a request, the authority of establishment is obliged to:
- Assess the matter.
- Take the necessary investigatory and enforcement measures to ensure compliance.
Similarly, Article 28(2) empowers the Commission to request the competent authority of establishment to assess a matter and take necessary measures. This mechanism is crucial for addressing systemic risks or widespread non-compliance that may be evident in a Member State where the service is heavily used but not immediately visible to the authority of establishment.
The timeline for this cooperation is strict: Article 28(4) requires the authority of establishment to communicate its assessment and any measures taken to the requesting authority and the Commission "as soon as possible and in any event not later than two months after receipt of the request." If the requesting authority is not satisfied with the response, the framework allows for further escalation, so that a concern raised in one Member State is not simply set aside by the authority of another.
Reach Over Providers Serving the EU Market
CADA applies to cloud computing service providers that offer services to Union entities and public sector bodies. While the enforcement mechanism is anchored in the location of the main establishment, the scope of the Regulation is broad. Non-EU providers who establish a main establishment in the EU to serve the European market are fully subject to these rules.
If a non-EU provider does not have a main establishment in the EU, the position is considerably harder. The sovereignty framework is primarily designed for providers seeking recognition in order to serve the public sector, and Article 25(4) ties enforcement competence to the Member State of the main establishment. A provider without such an establishment therefore has no authority of establishment to supervise its audits, recognise its Union assurance level or enforce the sovereignty chapter against it. On the text of the proposal, this appears to leave such providers unable to obtain recognition and, in practice, unable to lawfully serve public-sector activities requiring Union assurance levels 2, 3 or 4 under the proposed regime.
Penalties and Compensation
Under Article 24, Member States must lay down rules on penalties for infringements by the cloud computing service providers falling within their competence. These penalties must be "effective, proportionate and dissuasive." When determining a penalty, authorities must take into account a non-exhaustive list of criteria, including the nature, gravity and duration of the infringement, any financial benefit gained from it, and the provider's annual turnover in the Union.
Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty chapter. This creates a private right of action that complements public enforcement, adding a layer of financial liability for non-compliance.
What this means for you
For in-house counsel and compliance officers at non-EU cloud providers with EU operations, the implications are precise and actionable:
- Pinpoint Your Authority of Establishment: Immediately identify which Member State hosts your "main establishment" (the head office where principal financial functions and operational control are exercised). This is your sole regulator for CADA sovereignty issues. Ensure your compliance team has a direct, prioritised line of communication with this specific authority.
- Prepare for Cross-Border Escalation: Even if you are regulated by only one authority, be prepared for "duly reasoned" requests from destination authorities via the authority of establishment under Article 28. Maintain robust, real-time records demonstrating compliance with Union assurance levels, as these may be scrutinised by multiple national bodies through the cooperation mechanism.
- Audit Readiness is Critical: Ensure your audit evidence and documentation are accessible and verifiable. The authority of establishment has the power to inspect premises and demand information. Delays or incomplete responses can trigger penalties and jeopardise your recognition status.
- Monitor Material Changes: If your service is recognised at a specific Union assurance level, Article 23 requires you to report any material change in circumstances immediately to the auditing organisation and the authority of establishment. Failure to do so can lead to the revocation of recognition and subsequent enforcement action.
- Contractual Risk Management: Review contracts with public sector clients. Non-compliance with CADA obligations can lead to liability for damages under Article 24(3). Ensure your service level agreements and compliance warranties align strictly with the Union assurance levels you claim to offer.
Common misconceptions
- Misconception: Any EU country can fine a non-EU provider for CADA violations if the provider serves customers there.
- Reality: No. Only the Member State of the provider's main establishment has exclusive enforcement competence under Article 25(4). Other countries must refer concerns to that authority via the Article 28 cooperation mechanism.
- Misconception: Non-EU providers are exempt if they don't have a physical office in the EU.
- Reality: They are not exempt so much as excluded. To serve the EU public sector under CADA, a provider must meet strict sovereignty criteria that presuppose an EU presence, and enforcement competence under Article 25(4) attaches to a main establishment in a Member State. Without one, there is no authority of establishment to recognise the service, and obtaining Union assurance recognition may be legally unattainable.
- Misconception: The Commission directly enforces CADA against providers.
- Reality: The Commission can request the authority of establishment to act under Article 28(2), but the day-to-day enforcement, investigation, and imposition of fines are carried out by the national competent authority of the Member State where the provider is established.
- Misconception: A provider can choose which Member State enforces the rules.
- Reality: The authority of establishment is determined by the factual location of the "principal financial functions and operational control," not by the provider's preference.
Related
- Can CADA authorities seize a cloud provider's data?
- Can CADA authorities require information from a provider's suppliers?
- Can CADA authorities question a provider's staff?
- Can CADA authorities order a provider to stop an infringement?
- Can CADA authorities inspect a cloud provider's premises?
This is general information about a draft EU regulation, not legal advice.