Can CADA authorities inspect a cloud provider's premises?

Summary Yes — under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final, a proposal not yet in force), national competent authorities would be able to inspect the premises of cloud computing service providers and related parties when investigating a suspected infringement of the Union sovereignty framework. As proposed in Article 26(1)(b), they could carry out the inspection themselves, request a judicial authority to order it, or request other public authorities to do so, and could examine, seize, take or copy information "in any form, irrespective of the storage medium." The power is bounded: Member States must subject it to adequate national safeguards, including defence rights and an effective judicial remedy (Article 26(4)), and every measure must be proportionate (Article 26(3)).

Detail

CADA's Chapter I of Title IV ("Autonomy") establishes a Union cloud computing sovereignty framework with four graded assurance levels. National competent authorities are designated by Member States to supervise and enforce that Chapter, and inspection of premises is one of their core investigative powers.

The power to inspect (Article 26(1)(b))

Article 26 sets out the investigative and enforcement powers of the competent authority of establishment — the authority in the Member State where the provider has its main establishment, defined as the head office or registered office from which principal financial functions and operational control are exercised (Article 25(4)). Under Article 26(1)(b), that authority has the power:

"to carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium;"

The reach is broad in two senses. The target is "any premises" used for trade or business — not just the registered head office, but data centres, server rooms, administrative offices and, because the power extends to other persons acting in their trade or business, the premises of subcontractors and auditing organisations. And the purpose is tied to a suspected infringement: this is targeted investigation, not a general or routine audit.

Note one limit that the proposal places on the power itself: under Article 26(1), these powers are available "where needed to carry out their tasks under Article 17" — the recognition of Union assurance levels. An inspection is a tool for verifying or enforcing recognition, not an open-ended licence.

What can be examined or seized

The phrase "in any form, irrespective of the storage medium" means the format of the evidence does not constrain the power. Authorities could examine, seize, take or copy:

• physical documents and records;
• digital data on servers, drives or cloud instances;
• electronic communications and logs;
• any other material evidence relevant to the suspected infringement.

For the cloud sector — where evidence of non-compliance (misconfigured data-residency settings, undisclosed subcontracting, third-country control arrangements) is typically digital and distributed — this breadth is what makes inspection effective.

Judicial authorities and other public bodies

Article 26(1)(b) builds in flexibility and a route to judicial oversight. The authority may inspect directly, or request a judicial authority in its Member State to order the inspection, or request other public authorities to carry it out. As proposed, which route applies in a given case turns on the rules and safeguards each Member State sets under Article 26(4) — so whether a provider faces a direct inspection or one ordered by a court depends on national implementation and the intrusiveness of the measure. The reference to "other public authorities" supports cooperation — for example, drawing in police or specialised technical bodies where needed.

Safeguards and proportionality (Article 26(3)–(4))

The power is not unchecked. Article 26(4) requires Member States to set out specific rules and procedures, subject to adequate safeguards under national law in compliance with the general principles of Union law. Measures may be taken only in accordance with:

• the right to respect for private life;
• the rights of defence, including the rights to be heard and to access the file; and
• the right of all affected parties to an effective judicial remedy.

Article 26(3) adds that any inspection must be effective, dissuasive and proportionate, having regard in particular to the nature, gravity, recurrence and duration of the (suspected) infringement and, where relevant, the economic, technical and operational capacity of the provider.

What this means for you

For cloud service providers and data centre operators, on-site investigation by a national competent authority is a real prospect under CADA as proposed. Prepare on three fronts.

Operational preparedness.

• Documentation readiness: Keep records on your Union assurance-level claims, subcontractor agreements and data-residency configurations organised and accessible. Because authorities can seize or copy information "irrespective of the storage medium," your digital and physical records should be consistent.
• Premises protocols: Establish a clear procedure for handling official inspection requests and designate a regulatory point of contact to manage logistics and limit disruption.
• Know your national route: Check whether your competent authority can inspect directly or needs a judicial order in your Member State. That distinction shapes your immediate response and any grounds to challenge an inspection conducted without proper procedure.

Strategic implications.

• Sovereignty assurance is the trigger: Inspections target suspected infringement of the sovereignty framework. If you claim assurance levels 2, 3 or 4, expect stricter scrutiny — ensure your independent audit reports and evidence align with the Annex II criteria.
• Cross-border reach: Your authority of establishment has exclusive enforcement competence (Article 25(4)) but cooperates with other authorities through mutual assistance (Article 27) and cross-border cooperation (Article 28). An inspection at home may form part of a broader investigation triggered by a destination authority.

Risk mitigation.

• Internal audits: Find compliance gaps before an authority does; proactive remediation can reduce the severity of any measure.
• Counsel on site: Have legal counsel available during an inspection to confirm the authority stays within scope and to protect your Article 26(4) rights — to be heard, to access the file and to seek an effective judicial remedy.

Common misconceptions

Misconception 1: Authorities can inspect any location at will. While Article 26(1)(b) covers "any premises" used for business, the power must relate to a suspected infringement, is tied to the authority's Article 17 tasks, and is subject to the national safeguards in Article 26(4). It is not a licence for fishing expeditions.

Misconception 2: Only the main headquarters can be inspected. The text covers "any premises that those providers... use for purposes related to their trade, business, craft or profession" — data centres, edge sites and administrative offices included, not just the registered office.

Misconception 3: Authorities can only seize physical documents. "Irrespective of the storage medium" means digital data — logs, database records and the like — is fully in scope alongside paper.

Misconception 4: There is no way to challenge an inspection. Article 26(4) guarantees an effective judicial remedy. A provider can challenge the legality of an inspection, the scope of a seizure or the proportionality of the measures before the national courts, and can invoke the rights to be heard and to access the file. Where national law requires a judicial authority to order an inspection in the first place, that requirement is itself a safeguard against disproportionate or unfounded action.

Related

• Can CADA authorities seize a cloud provider's data?
• Can CADA authorities require information from a provider's suppliers?
• Can CADA authorities question a provider's staff?
• Can CADA authorities order a provider to stop an infringement?
• Can CADA authorities demand information from a cloud provider?

This is general information about a draft EU regulation, not legal advice.