Can CADA authorities coordinate a joint investigation?

Summary Under the proposed Cloud and AI Development Act (CADA), national competent authorities would be required to provide mutual assistance to one another to ensure consistent enforcement of the cloud sovereignty framework. While the national competent authority of the cloud computing service provider's main establishment holds exclusive competence for enforcement under Article 25(4), it would rely on a robust mutual assistance mechanism to gather evidence across borders. Article 27(2) explicitly allows a requesting authority to involve other competent or public authorities in the Member State where evidence is located, facilitating coordinated investigative measures. This framework ensures that while enforcement is centralized, the reach of the investigation is Union-wide.

Detail

The proposed CADA establishes a sophisticated framework for mutual assistance and cross-border cooperation to ensure that the Union cloud computing sovereignty framework is applied consistently across all Member States. Because cloud computing services are inherently borderless, a single provider may operate in multiple jurisdictions, making coordinated enforcement essential to prevent regulatory arbitrage and ensure the integrity of the Union assurance levels.

Exclusive Competence: The "Lead Authority" Model

A cornerstone of the CADA enforcement regime is the principle of exclusive competence. As proposed, Article 25(4) establishes that the Member State in which the cloud computing service provider has its main establishment—defined as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised—shall have exclusive competence for enforcing the sovereignty chapter (Title IV).

This "single point of control" model is designed to prevent fragmented enforcement. It ensures that a provider is subject to a single supervisory authority for the sovereignty criteria, rather than facing a patchwork of conflicting investigations from multiple Member States. However, exclusive competence does not equate to isolation. The lead authority often lacks direct physical or legal access to evidence, witnesses, or infrastructure located in other Member States. To bridge this gap, CADA introduces mandatory mutual assistance mechanisms that empower the lead authority to act across borders.

Mutual Assistance Mechanisms: Article 27

Article 27 outlines the principles of mutual assistance between national competent authorities. Its primary goal is to enable authorities to apply the sovereignty rules in a consistent and efficient manner through the exchange of information and coordinated investigative actions. This article serves as the procedural vehicle for cross-border evidence gathering.

1. Information Requests: Under Article 27(2), a competent authority may request another competent authority to provide specific information in its possession relating to a specific cloud computing service provider. This allows the lead authority to exercise its investigative powers under Article 26 regarding information located in another Member State. For instance, if the lead authority needs to inspect logs stored on a server in a different Member State, it must request the local authority to perform that inspection or provide the data.
2. Involvement of Other Authorities: Crucially, Article 27(2) states that the competent authority receiving the request may involve other competent authorities or other public authorities of the Member State in question if appropriate. This flexibility is vital for complex investigations that may intersect with the mandates of national cybersecurity agencies, data protection authorities, or other sector-specific regulators. It ensures that the requesting authority can leverage the full spectrum of national expertise and powers available in the destination Member State.
3. Response Deadlines: To prevent investigations from stalling, the authority receiving the request must comply and inform the establishment authority about the action taken as soon as possible and no later than two months after receipt of the request, unless duly justified otherwise. This strict timeline is designed to maintain the momentum of enforcement actions and prevent delays that could undermine the effectiveness of the sovereignty framework.

Cross-Border Cooperation: Article 28

While Article 27 focuses on mutual assistance for information gathering and investigative support, Article 28 addresses cross-border cooperation specifically for enforcement actions triggered by suspicions of non-compliance.

If a competent authority in a Member State where the service is used (the "destination" authority) has reason to suspect that a cloud computing service provider no longer fulfills the requirements of Annex II (the criteria for Union assurance levels), it would request the competent authority of establishment to assess the matter. The destination authority can ask the lead authority to take the necessary investigatory and enforcement measures to ensure compliance.

The establishment authority is then obligated to communicate its assessment and any measures taken or envisaged no later than two months after receiving the request. This ensures that risks identified in one Member State are promptly addressed by the authority with the legal power to enforce compliance across the Union. If the establishment authority considers the information insufficient, it may request additional details, but the clock on the two-month deadline pauses only until that information is provided.

Investigative and Enforcement Powers in a Cross-Border Context

The mutual assistance framework supports the investigative powers granted to competent authorities under Article 26. These powers include:

• Requiring any cloud computing service provider, auditing organization, or other persons to provide information.
• Conducting inspections of premises (or requesting a judicial authority to order them).
• Asking staff or representatives to give explanations.
• Ordering the cessation of infringements and imposing fines or periodic penalty payments.

When these powers need to be exercised across borders, the mutual assistance provisions of Articles 27 and 28 become the mandatory procedural vehicle. The lead authority cannot simply cross a border to inspect a server; it must route its request through the competent authority of the Member State where the server is located, which may then involve other public authorities to execute the inspection.

What this means for you

For in-house counsel, compliance officers, and cloud computing service providers, the mutual assistance framework has significant practical implications for how investigations are conducted and how evidence is managed.

• Single Point of Contact, Pan-European Reach: You will primarily deal with the competent authority in your Member State of main establishment. However, you must be prepared for that authority to collaborate extensively with regulators in other Member States where your services are used, where your data is stored, or where your subcontractors operate. A request from your lead authority may trigger a coordinated effort involving multiple national bodies.
• Prepare for Cross-Border Evidence Requests: If your infrastructure, logs, or subcontractors are located in multiple Member States, expect the lead authority to request assistance from local authorities in those jurisdictions. Ensure your internal records are organized to facilitate rapid production of evidence across borders. Be aware that the local authority receiving the request may involve other public authorities (e.g., cybersecurity agencies) to assist in the gathering of that evidence.
• Timeliness is Critical: The two-month response deadline for authorities means investigations will move quickly. While the deadline applies to the authorities, delays in providing information to your lead authority could trigger enforcement actions. Maintain robust internal processes for responding to regulatory inquiries to ensure your lead authority can meet its obligations to other Member States.
• Auditing Organization Coordination: Auditing organizations involved in verifying Union assurance levels (Levels 2-4) may also be subject to information requests under Article 27. Ensure your audits are conducted in a way that allows for transparent cross-border verification, as auditors may be asked to provide evidence to authorities in Member States other than their own.
• Consistency of Standards: The mutual assistance mechanism aims to ensure consistent application of the sovereignty criteria. This reduces the risk of conflicting national interpretations, but it also means that a breach identified in one Member State could lead to Union-wide enforcement action initiated by the lead authority.

Common misconceptions

• "Each Member State can investigate independently." Incorrect. As proposed, the Member State of main establishment has exclusive competence for enforcement under Article 25(4). Other Member States cannot conduct parallel, independent enforcement actions against the same provider for the same obligations. They must channel their concerns through the lead authority via the mechanisms in Articles 27 and 28.
• "Mutual assistance is optional." Incorrect. Article 27 imposes a duty to cooperate and provide assistance. The receiving authority must comply with the request unless duly justified otherwise. The two-month deadline reinforces this mandatory nature.
• "Only the cloud provider is involved in cross-border investigations." Incorrect. Article 27(2) explicitly allows for the involvement of other competent authorities or other public authorities in the Member State where the request is received. This could mean that national cybersecurity, data protection, or law enforcement authorities become involved in the investigation to assist the lead authority.
• "Mutual assistance covers all EU laws." Incorrect. This framework is specific to the CADA sovereignty chapter (Title IV). It does not replace mutual assistance mechanisms under the GDPR, NIS2, or other regulations, although authorities may cooperate informally or under those other frameworks for related issues.
• "The lead authority can act directly in other Member States." Incorrect. The lead authority must request assistance from the competent authority of the Member State where the evidence or premises are located. It cannot unilaterally exercise its investigative powers (like inspections) outside its own territory without following the mutual assistance procedure.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• What evidence can CADA authorities collect during an investigation?
• What remedies can CADA authorities impose on providers?
• Can CADA authorities seize a cloud provider's data?
• Can CADA authorities require information from a provider's suppliers?
• Can CADA authorities question a provider's staff?

This is general information about a draft EU regulation, not legal advice.