Can CADA authorities act before an infringement is confirmed?

Summary Yes, under the proposed Cloud and AI Development Act (CADA), national competent authorities possess the power to act decisively before an infringement is formally confirmed. Article 26(1) grants these authorities specific investigative powers—including the right to demand information, conduct inspections, and seize data—whenever they have reason to suspect a breach of the regulation. These powers are triggered by the existence of a "suspected infringement," not by a final finding of guilt. The investigation serves as the mechanism to gather evidence; only after this process substantiates the suspicion do enforcement measures, such as fines or orders to cease activities, follow under Article 26(2).

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a robust supervisory framework designed to safeguard the Union's cloud sovereignty and public order. A critical component of this framework is the ability of national competent authorities to intervene proactively. The regulation explicitly rejects the notion that authorities must wait for a definitive finding of guilt before taking action. Instead, it empowers them to investigate suspected non-compliance vigorously and to enforce corrective measures promptly to prevent harm to the internal market or public order.

Investigative Powers Triggered by Suspicion

The primary legal basis for early intervention is found in Article 26 of the CADA proposal. Specifically, Article 26(1) outlines the investigative powers that competent authorities of establishment may exercise. These powers are activated "Where needed to carry out their tasks under Article 17," which governs the recognition and supervision of cloud computing service providers offering Union assurance levels.

Crucially, the text of Article 26(1) ties these powers to the process of evaluation and supervision, not merely the outcome. If a competent authority has reason to suspect that a cloud computing service provider has failed to meet the criteria for a specific Union assurance level, has provided misleading information during the recognition process, or is otherwise non-compliant, they can immediately invoke these powers. The threshold for action is a "suspected infringement," meaning the authority does not need to have already proven the breach to demand data, enter premises, or interview staff.

Under Article 26(1), the competent authority has the power to:

• Require Information: Demand that any cloud computing service provider, or any person acting for purposes related to their trade, business, craft, or profession, who may reasonably be expected to be aware of information relating to a suspected infringement, provide that information "as soon as possible." This extends beyond the provider itself to include auditors, subcontractors, or other relevant third parties.
• Conduct Inspections: Carry out, or request a judicial authority in their Member State to order, inspections of any premises used by the provider or related persons. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement "in any form, irrespective of the storage medium." This ensures that digital evidence cannot be hidden by technical obfuscation.
• Request Explanations: Ask any member of staff or representative of the provider to give explanations in respect of any information relating to a suspected infringement. With their consent, the authority may record their answers by any technical means.

These provisions make it clear that the investigation itself is the mechanism by which the suspicion is either confirmed or dispelled. The authority acts on the basis of reasonable suspicion to gather the necessary evidence to make a final determination.

Enforcement Measures Following Investigation

While investigative powers allow authorities to look under the hood, Article 26(2) provides the toolkit for enforcement once the investigation yields evidence of non-compliance. These enforcement powers are also tied to the tasks under Article 17 (recognition and supervision).

Under Article 26(2), the competent authority has the power to:

• Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end. They may also request a judicial authority to do so. This allows for immediate remedial action to stop ongoing harm to the sovereignty framework.
• Impose Fines: Impose fines, or request a judicial authority to do so, for failure to comply with the regulation. This includes fines for failure to comply with investigative orders issued under paragraph 1, ensuring that providers cannot obstruct the investigation itself.
• Impose Periodic Penalty Payments: Impose a periodic penalty payment, or request a judicial authority to do so, in accordance with Article 24, to ensure that an infringement is terminated in compliance with an order or to enforce compliance with investigative orders.

The structure of Article 26 demonstrates a clear procedural flow: suspicion triggers investigation (paragraph 1), and the results of that investigation trigger enforcement (paragraph 2). Importantly, the regulation allows for interim measures. If an authority identifies a risk to the integrity of the sovereignty framework or public order during the investigation, they can order the cessation of the infringing activity immediately, rather than waiting for a lengthy judicial process.

Procedural Safeguards and Proportionality

The exercise of these pre-confirmation powers is not unfettered. Article 26(3) mandates that measures taken by national competent authorities must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement or suspected infringement, as well as the economic, technical, and operational capacity of the service provider.

Furthermore, Article 26(4) requires Member States to set out specific rules and procedures for the exercise of these powers, ensuring that they are subject to adequate safeguards under applicable national law. These safeguards must comply with the general principles of Union law, including the right to respect for private life and the rights of defence. This includes the right to be heard, the right to have access to the file, and the right to an effective judicial remedy for all affected parties.

This balance ensures that while authorities can act swiftly to protect the Union's cloud sovereignty, providers are protected against arbitrary or disproportionate interference. The "suspected infringement" standard lowers the barrier for investigation but raises the bar for final punitive measures, which must be justified by the evidence gathered during the investigative phase.

Interaction with Other Provisions

It is important to note that the powers in Article 26 are part of a broader ecosystem of oversight. For instance, Article 27 establishes principles of mutual assistance between Member States, allowing authorities to share information and coordinate investigations. Article 28 sets out cross-border cooperation principles for enforcement actions. This means that an investigation triggered in one Member State under Article 26(1) can quickly expand to involve other jurisdictions if the cloud provider operates across borders.

Additionally, Article 24 details the rules on penalties and compensation, which feed into the enforcement powers of Article 26(2). Member States are required to lay down rules on penalties that are effective, proportionate, and dissuasive. The criteria for imposing these penalties, such as the nature and gravity of the infringement and the financial benefits gained, are outlined in Article 24(2). This ensures that when an investigation under Article 26(1) confirms an infringement, the subsequent penalty under Article 26(2) is calibrated correctly.

What this means for you

For in-house counsel and compliance officers, the implications of Article 26 are immediate and operational. You cannot assume that a lack of formal accusation means a lack of regulatory scrutiny. If a competent authority has a "reasonable expectation" that you possess information relevant to a suspected infringement, they can demand it.

1. Prepare for Early Intervention: Ensure your organization has a clear protocol for responding to requests for information and inspections under Article 26(1). Delaying responses can lead to periodic penalty payments under Article 26(2)(c).
2. Document Everything: Since authorities can seize information "irrespective of the storage medium," your data governance and retention policies must be robust. Ensure that all evidence of compliance with Union assurance levels is readily accessible and verifiable.
3. Understand the Scope of "Suspected Infringement": Be aware that the threshold for an investigation is low. Any deviation from the criteria in Annex II, or any inconsistency in your recognition application under Article 17, can trigger these powers.
4. Engage Legal Counsel Early: Given the rights of defence and the right to be heard under Article 26(4), involving legal counsel at the outset of an investigation is crucial to protect your organization's interests and ensure procedural fairness.
5. Monitor Cross-Border Risks: If you operate in multiple Member States, an investigation in one jurisdiction can trigger mutual assistance requests under Article 27. Ensure your compliance framework is consistent across all jurisdictions to avoid conflicting information.

Common misconceptions

• Misconception: Authorities can only fine you after a court has confirmed an infringement.
  • Reality: While judicial involvement may be required for certain severe measures, Article 26(2) allows competent authorities to impose fines and orders directly in many cases, or request a judicial authority to do so. The investigation itself does not require a prior court order, though judicial assistance can be requested for inspections.
• Misconception: You have the right to remain silent during an investigation.
  • Reality: Article 26(1)(a) explicitly gives authorities the power to require providers and related persons to provide information as soon as possible. While you have the right to legal counsel and procedural safeguards under Article 26(4), you cannot generally refuse to provide information relevant to a suspected infringement.
• Misconception: Only the provider's own staff can be interviewed.
  • Reality: Article 26(1)(c) allows authorities to ask any member of staff or representative of the provider, or any person acting for purposes related to their trade, business, craft, or profession, to give explanations. This can include subcontractors or third-party partners if they are reasonably expected to be aware of relevant information.

Related

• Can CADA authorities order a provider to stop an infringement?
• Can CADA authorities act against a non-EU cloud provider?
• What remedies can CADA authorities impose on providers?
• CADA Article 28: Deadline for authorities to act on Commission requests
• What evidence can CADA authorities collect during an investigation?

This is general information about a draft EU regulation, not legal advice.