Summary

Yes, as proposed, national competent authorities under the Cloud and AI Development Act (CADA) possess broad administrative powers to demand information from cloud computing service providers and the wider ecosystem. Under Article 26(1)(a) of the proposal, authorities can require any provider, or any person reasonably expected to possess relevant information, including auditing organisations, to provide that information "as soon as possible" when investigating a suspected infringement. This power is a cornerstone of the enforcement mechanism for the Union's cloud sovereignty framework, ensuring that authorities can access the evidence necessary to verify compliance with Union assurance levels.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services across the EU. To ensure this framework functions effectively and that the "Union assurance levels" are not merely theoretical, the proposal grants national competent authorities significant investigative powers. These powers are not limited to the cloud provider itself but extend to the broader ecosystem of entities involved in the service's delivery, verification, and support.

The Power to Require Information

The primary mechanism for gathering evidence is found in Article 26(1)(a) of the proposed Regulation. This provision empowers the national competent authority of establishment to:

"require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement of this Regulation, including auditing organisations, to provide that information as soon as possible;"

This wording is deliberately expansive. It captures not only the primary cloud computing service provider but also any third party acting in a professional capacity who might hold relevant data. Crucially, the text explicitly names auditing organisations. These entities are critical to the CADA framework because they perform the independent third-party audits required for Union assurance levels 2, 3, and 4. If an auditor holds records, audit reports, or evidence that contradicts a provider's claim of compliance, the authority can compel their disclosure directly.

The phrase "as soon as possible" imposes a strict timeline. While the proposal does not specify a rigid number of hours or days in Article 26, the urgency implies that authorities expect prompt cooperation to prevent the destruction, alteration, or concealment of evidence. This is particularly relevant in digital environments where data can be deleted or overwritten rapidly.

Scope and Context of the Power

The power to demand information is triggered by a "suspected infringement." In the context of CADA, infringements typically relate to the cloud computing sovereignty framework established in Title IV, Chapter I. This includes:

  • Violations of the criteria for Union assurance levels (detailed in Annex II of the proposal).
  • Failure to maintain recognized status under Article 17.
  • Providing misleading or incorrect information during the recognition process.
  • Breaches of transparency obligations under Article 23.

The authority exercising this power is the competent authority of establishment. Under Article 25(4), this is the Member State where the cloud computing service provider has its main establishment (defined as the head office or registered office from which the principal financial functions and operational control are exercised). This centralizes enforcement, preventing a fragmented approach where multiple Member States could independently investigate a single provider, thereby ensuring legal certainty and efficiency.

Link to Other Investigative Powers

Article 26(1)(a) is part of a suite of investigative powers designed to give authorities a comprehensive view of compliance. Alongside the power to demand information, Article 26(1) also grants authorities the power to:

  • Conduct inspections of premises (Article 26(1)(b)): This includes the power to enter any premises used for trade or business to examine, seize, or obtain copies of information in any form.
  • Question staff and representatives (Article 26(1)(c)): Authorities can ask any member of staff or representative to give explanations regarding a suspected infringement and, with their consent, record their answers.

These powers are exercised by the national competent authority of establishment. This ensures that the entity with the most direct oversight of the provider's operational control leads the investigation.

Confidentiality and Professional Secrecy

While authorities have the power to demand information, the proposal recognizes the sensitivity of the data involved, particularly trade secrets and intellectual property. Article 26(4) mandates that measures taken by competent authorities shall be subject to adequate safeguards, including the right to respect for private life and the rights of defence.

Furthermore, Article 20(3) explicitly requires auditing organisations to ensure an adequate level of confidentiality and professional secrecy regarding information obtained during audits. However, this obligation is not absolute in the face of an investigation. The proposal clarifies that the requirement for confidentiality "shall not adversely affect the performance of the audits and other provisions of this Regulation." In practice, this means that while auditors must protect client data generally, they must cooperate with competent authorities when legally compelled under Article 26. The authority receiving the information is then bound to handle it confidentially, but they retain the right to use it to determine if an infringement has occurred.

Enforcement and Penalties for Non-Compliance

Failure to comply with an information request under Article 26(1)(a) is a serious matter. Article 26(2) outlines the enforcement powers available to authorities, including:

  • The power to order the cessation of infringements.
  • The power to impose fines for failure to comply with this Regulation, including with any of the investigative orders issued pursuant to paragraph 1.
  • The power to impose a periodic penalty payment to ensure that an infringement is terminated or to enforce compliance with investigative orders.

Additionally, Article 24 requires Member States to lay down rules on penalties applicable to infringements of the sovereignty chapter. These penalties must be "effective, proportionate and dissuasive." While CADA does not set a specific maximum fine amount (unlike the AI Act's Article 99), it empowers Member States to determine the specific penalty regimes, ensuring that non-cooperation with investigations carries significant financial risk.

What this means for you

If you are a cloud service provider, a data-centre operator, or an auditing organisation subject to CADA, you must prepare for direct and urgent engagement with national competent authorities.

  1. Prepare Your Data Governance: You must maintain clear, accessible, and up-to-date records of your compliance with Union assurance levels. If you claim Level 1, your EU statement of conformity must be ready for immediate review. If you claim Levels 2–4, your audit reports, evidence logs, and software bills of materials (SBOMs) must be readily retrievable.
  2. Train Your Staff and Auditors: Employees and external auditors should understand that they may be asked to provide information "as soon as possible" during an investigation. They should know who the designated contact for such requests is and how to escalate queries without delaying compliance. Auditors must ensure their internal protocols allow for the rapid sharing of necessary evidence with authorities if legally compelled.
  3. Coordinate with Third Parties: If you use third-party auditing organisations or subcontractors, ensure your contracts and operational workflows allow for the sharing of necessary evidence with authorities if legally compelled. Misalignment between your internal records and your auditor's findings can trigger immediate scrutiny and complicate the investigation.
  4. Understand the "Reasonably Expected" Standard: Do not assume you are exempt because you are a subcontractor, a technical partner, or a software vendor. If you are "acting for purposes related to your trade" and are "reasonably expected to be aware" of information relating to a suspected infringement, you are in scope. The power extends to anyone holding relevant data, not just the primary provider.

Common misconceptions

Misconception 1: Only the main cloud provider can be questioned.

Reality: Article 26(1)(a) explicitly extends to "any other persons acting for purposes related to their trade... including auditing organisations." Subcontractors, technical support firms, and auditors can all be compelled to provide information if they hold relevant data. The scope is defined by the possession of information, not just the contractual relationship with the end-user.

Misconception 2: Authorities need a court order to request information.

Reality: The proposal grants administrative investigative powers to the national competent authority. While specific severe measures (like sealing premises or seizing physical assets) might require judicial involvement depending on national law, the power to require information is an administrative power exercisable by the authority itself under Article 26. No prior court order is needed to issue the demand.

Misconception 3: Trade secrets protect you from all disclosure.

Reality: While Article 26(4) and Article 20(3) mandate confidentiality and the protection of trade secrets, they do not grant an absolute right to withhold information from competent authorities during an investigation. The authority can demand the information; they are then bound to handle it confidentially, but they can still use it to determine if an infringement has occurred. The protection is against public disclosure, not against the authority's internal use.

Misconception 4: "As soon as possible" allows for a reasonable delay.

Reality: In the context of digital evidence and suspected infringements, "as soon as possible" is interpreted as immediate cooperation. Delays can be viewed as non-compliance, potentially triggering periodic penalty payments under Article 26(2)(c) or fines for obstructing the investigation.

This is general information about a draft EU regulation, not legal advice.