Summary

Yes, under the proposed Cloud and AI Development Act (CADA), national competent authorities would have the power to impose fines on cloud computing service providers that fail to comply with the Regulation's sovereignty framework obligations. Article 26(2)(b) explicitly grants authorities the power to "impose fines, or to request a judicial authority in their Member State to do so" for failures to comply with the Regulation, including investigative orders. While the proposal does not set fixed maximum fine amounts (unlike the AI Act), Article 24 mandates that penalties must be "effective, proportionate and dissuasive" and requires Member States to consider specific criteria, including the provider's annual turnover in the Union, when calculating sanctions.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous enforcement regime to ensure cloud computing service providers adhere to the Union's new sovereignty and assurance standards. Unlike some previous digital regulations that centralise enforcement at the EU level, CADA relies on a decentralised model where Member States designate national competent authorities to supervise and enforce the rules. The financial consequences of non-compliance are significant, designed to deter providers from bypassing the sovereignty framework.

The Power to Impose Fines (Article 26)

The primary legal basis for financial penalties is found in Article 26, titled "Powers of the national competent authorities." These authorities are designated by Member States under Article 25 to enforce the provisions of Title IV (Autonomy), specifically the Union cloud computing sovereignty framework.

Under Article 26(2), competent authorities are granted a suite of enforcement powers. Crucially, Article 26(2)(b) states that authorities have:

"the power to impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with this Regulation, including with any of the investigative orders issued pursuant to paragraph 1;"

This provision establishes two critical mechanisms for cloud providers:

  1. Dual Enforcement Pathways: Depending on the national legal framework of the Member State where the provider is established, the competent authority may possess the direct administrative power to levy a fine, or it may be required to request a judicial authority to impose the fine. This reflects the diversity of administrative law across the EU, ensuring that enforcement powers are exercised in a manner consistent with national constitutional principles while maintaining the effectiveness of the Regulation.
  2. Broad Scope of Non-Compliance: The power to fine is not limited to substantive breaches of the sovereignty criteria (such as failing to maintain the required Union assurance level). It explicitly extends to procedural failures. Article 26(2)(b) includes "failure to comply... including with any of the investigative orders issued pursuant to paragraph 1." This means that refusing to provide information, obstructing inspections of premises, or failing to cooperate with staff interviews during an investigation can independently trigger financial penalties, regardless of whether the underlying service is ultimately found to be compliant.

Article 26(3) further mandates that any measures taken by national competent authorities, including fines, must be "effective, dissuasive and proportionate." When determining the appropriate sanction, authorities must consider the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider concerned. This ensures that penalties are tailored to the specific circumstances of the case and the size of the provider.

Criteria for Determining Penalties (Article 24)

While Article 26 grants the power to fine, Article 24, titled "Penalties and compensation," sets out the rules for how those penalties are determined and the criteria Member States must follow.

Article 24(1) mandates that Member States shall lay down the rules on penalties applicable to infringements of Title IV by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." To guide national legislators and authorities, Article 24(2) provides a non-exhaustive list of criteria that must be taken into account when imposing penalties:

  • Nature, Gravity, Scale and Duration: The severity and longevity of the infringement.
  • Mitigation Efforts: Any action taken by the infringing party to mitigate or remedy the damage caused by the infringement.
  • Recidivism: Any previous infringements by the infringing party.
  • Financial Benefit: The financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established.
  • Aggravating/Mitigating Factors: Any other circumstances applicable to the case.
  • Turnover: The infringing party's annual turnover in the preceding financial year in the Union.

It is a common misconception that CADA sets fixed fine percentages (e.g., "up to 7% of global turnover") directly in the text. The proposal does not specify maximum fine amounts or percentages. Instead, it delegates the specific quantification to Member States, provided they adhere to the criteria in Article 24. This contrasts with the EU AI Act, which defines specific maximum ceilings in Article 99. Under CADA, the "dissuasive" nature of the fine is left to national implementation, though the explicit inclusion of "annual turnover in the preceding financial year in the Union" in Article 24(2)(f) strongly suggests that fines will be scaled to the financial size of the provider to ensure they are effective.

Right to Compensation

Beyond administrative fines, Article 24(3) introduces a civil liability dimension. It states that recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement of the obligations under Title IV. This creates a dual risk for non-compliant providers: they face regulatory fines from national authorities and potential civil claims from affected customers.

Periodic Penalty Payments

In addition to one-off fines, Article 26(2)(c) grants authorities the power to impose a "periodic penalty payment" to ensure that an infringement is terminated in compliance with an order, or for failure to comply with investigative orders. This is a recurring financial sanction designed to compel immediate corrective action, distinct from the punitive nature of a standard fine.

What this means for you

For cloud service providers seeking recognition under the Union assurance levels (1–4), the enforcement powers in CADA represent a significant compliance risk that must be managed proactively.

  1. Cooperation is Mandatory and Enforceable: The power to fine for failure to comply with investigative orders (Article 26(1) and 26(2)(b)) means that cooperation with audits and authority inquiries is not optional. Providers must have robust internal processes to promptly provide information, allow access to premises, and answer questions from competent authorities. Failure to do so can trigger fines independently of whether the underlying service is compliant.
  2. National Variations in Enforcement: Since CADA allows authorities to either impose fines directly or request a judicial authority to do so, the enforcement experience may vary across Member States. Providers operating in multiple jurisdictions should monitor the specific procedural rules and penalty ceilings adopted by each national competent authority.
  3. Turnover-Based Calculations: With annual turnover explicitly listed as a criterion for penalties (Article 24(2)(f)), larger providers should expect fines to be scaled to their financial size. Compliance costs should be weighed against the potential financial impact of non-compliance, which could include both regulatory fines and customer compensation claims.
  4. Documentation and Audit Trails: To mitigate the risk of fines, providers should maintain rigorous documentation of their conformity self-assessments (Level 1) or audit reports (Levels 2–4). In the event of an investigation, demonstrating that you have taken actions to mitigate issues (Article 24(2)(b)) can be a crucial mitigating factor in penalty determination.
  5. Civil Liability Exposure: Beyond regulatory fines, providers must consider the risk of civil claims from customers under Article 24(3). A breach of sovereignty obligations could lead to significant damages if a customer suffers loss due to service disruption or data access issues.

Common misconceptions

  • "CADA sets fixed fine percentages like the GDPR or AI Act." This is incorrect. The CADA proposal does not specify maximum fine amounts or percentages of global turnover in the text itself. Instead, it requires Member States to establish penalties that are effective, proportionate, and dissuasive, using criteria that include turnover. The specific monetary values will depend on national implementation.

  • "Only substantive breaches lead to fines." Incorrect. Article 26(2)(b) explicitly includes "failure to comply... including with any of the investigative orders." This means that procedural non-cooperation, such as delaying access to data, refusing to answer questions during an inspection, or obstructing an audit, can itself trigger fines.

  • "Only the EU Commission can impose fines." Incorrect. Enforcement is primarily the responsibility of national competent authorities designated by Member States (Article 25). The Commission plays a role in coordination and can request assessments, but the power to impose fines lies with the national authorities of the provider's main establishment.

  • "Fines are the only financial consequence." Incorrect. Providers also face the risk of periodic penalty payments to force compliance (Article 26(2)(c)) and civil liability for damages suffered by customers (Article 24(3)).

This is general information about a draft EU regulation, not legal advice.