Summary Yes, as proposed, national competent authorities under the Cloud and AI Development Act (CADA) possess the explicit power to order a cloud computing service provider to cease an infringement immediately. Under Article 26(2)(a), these authorities can mandate "proportionate remedies" that are "necessary to bring the infringement effectively to an end." If administrative action is insufficient or requires coercive enforcement, the authority may request a judicial authority in their Member State to issue the order. This power is a cornerstone of the enforcement toolkit designed to safeguard the Union's cloud sovereignty framework and public order.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a rigorous enforcement mechanism to protect the Union's public order and ensure the integrity of its cloud computing sovereignty framework. A central component of this framework is the empowerment of national competent authorities to act decisively against non-compliance by cloud computing service providers. Unlike regimes that rely solely on post-hoc financial penalties, CADA prioritizes the immediate cessation of harmful practices that threaten data sovereignty or operational continuity.

The Power to Order Cessation: Article 26(2)(a)

Article 26 of the CADA proposal outlines the specific investigative and enforcement powers granted to the national competent authority of establishment. This authority is located in the Member State where the cloud computing service provider has its main establishment, defined as the location of its head office or registered office from which principal financial functions and operational control are exercised. Article 25(4) confirms that this Member State holds exclusive competence for enforcing Chapter IV (Autonomy) of the Regulation.

The enforcement powers are detailed in Article 26(2). Specifically, Article 26(2)(a) grants the competent authority the power to:

"order the cessation of infringements and, where appropriate, to impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end, or to request a judicial authority in their Member State to do so;"

This provision provides authorities with two primary avenues for action to halt non-compliance:

  1. Direct Administrative Order: The authority can directly order the provider to stop the infringing activity. This is crucial for immediate risk mitigation, particularly where an infringement threatens the Union's public order, such as unauthorized data transfers outside the EU or the use of non-compliant infrastructure.
  2. Judicial Request: If the administrative order is insufficient, contested, or requires stronger coercive measures to be effective, the authority can request a judicial authority within their Member State to issue the cessation order or impose the necessary remedies. This ensures that enforcement actions have the backing of the national legal system when administrative measures face resistance.

Proportionate and Necessary Remedies

The power to order cessation is not absolute; it is strictly coupled with the requirement for proportionality. The remedies imposed must be "proportionate to the infringement" and "necessary to bring the infringement effectively to an end." This legal standard ensures that enforcement actions are tailored to the specific severity and nature of the violation.

For instance, a minor documentation error in a conformity self-assessment might require a simple corrective submission or a temporary suspension of specific reporting functions. In contrast, a systemic failure to maintain data within the Union (violating the criteria for Union assurance levels) or allowing unauthorized third-country access to sensitive data might require the immediate suspension of service provision to public sector bodies until compliance is restored.

Article 26(3) further reinforces this balance, stating that measures taken by national competent authorities must be "effective, dissuasive and proportionate." When determining the appropriate measure, authorities must consider:

  • The nature, gravity, recurrence, and duration of the infringement or suspected infringement.
  • The economic, technical, and operational capacity of the service provider concerned.

This ensures that the remedy does not disproportionately harm the provider's ability to operate while still effectively ending the breach.

Context within the Sovereignty Framework

These enforcement powers are specifically tied to the Union cloud computing sovereignty framework established in Chapter IV of CADA. This framework defines four Union assurance levels (1 through 4) for cloud computing services. Providers must undergo conformity self-assessments (for Level 1) or independent third-party audits (for Levels 2–4) to be recognized.

If a provider is found to be misrepresenting their assurance level, failing to maintain required cybersecurity standards, or allowing unauthorized third-country access to data, the competent authority can invoke Article 26(2)(a) to halt these practices. The goal is to preserve the integrity of the central repository of recognized services (Article 22) and ensure that public sector bodies are not procuring services that do not meet the mandated sovereignty criteria. A cessation order effectively removes a non-compliant service from the market for public sector use until the breach is rectified.

Investigative Powers Supporting Enforcement

To effectively use the power of cessation, authorities must first identify the infringement. Article 26(1) grants extensive investigative powers to support this. These include the power to require providers to provide information, carry out inspections of premises, and request explanations from staff. These investigative tools allow authorities to gather the evidence necessary to justify a cessation order under Article 26(2)(a). Without these powers, the authority would lack the factual basis to determine that an infringement exists and that a cessation order is necessary.

Cross-Border Cooperation and Exclusive Competence

While the authority of establishment has exclusive competence, CADA facilitates cross-border cooperation to ensure that enforcement is not hindered by the cross-border nature of cloud services. Article 28 allows a competent authority in a destination Member State (where the service is used) to suspect non-compliance and request the authority of establishment to assess the matter. If the establishment authority fails to act or its actions are deemed insufficient, the destination authority can escalate the matter. This ensures that a provider cannot evade cessation orders by operating across multiple Member States.

What this means for you

For cloud service providers and data centre operators seeking recognition under the CADA sovereignty framework, the power of cessation under Article 26(2)(a) represents a significant operational risk that requires proactive management.

  1. Immediate Compliance is Critical: Because authorities can order an immediate cessation of infringements, any deviation from the assurance level criteria (e.g., data leaving the Union, failure to maintain audit trails, or unauthorized third-country control) could result in a sudden halt of your ability to serve public sector contracts. This could have severe financial and reputational consequences, potentially removing you from the central repository of recognized services.
  2. Remediation Plans: When facing an enforcement action, your response must focus on demonstrating that your proposed remedies are both proportionate and sufficient to "effectively bring the infringement to an end." Vague promises of future improvement may not suffice; authorities may require immediate technical or organizational changes, such as migrating data back to the Union or terminating specific third-country contracts.
  3. Judicial Escalation: Be aware that if you contest an administrative cessation order, the authority can bypass administrative delays by requesting a judicial authority to enforce the measure. This means legal challenges must be prepared swiftly, as the operational impact of a cessation order can be immediate and enforced by the courts.
  4. Documentation: Maintain robust records of your conformity assessments, audit reports, and operational logs. Under Article 26(1), authorities have the power to inspect premises and request information. Having clear, accessible documentation is the best defense against unjustified cessation orders and can help demonstrate that any infringement was minor or unintentional, potentially mitigating the severity of the remedy.

Common misconceptions

Misconception: Authorities can only fine providers.

  • Reality: While Article 24 and Article 26(2)(b) allow for fines and periodic penalty payments, the power to order cessation under Article 26(2)(a) is distinct and often more impactful. A fine does not stop a sovereignty breach; a cessation order does. Authorities will prioritize cessation to protect public order and data integrity, as the primary goal is to end the infringement, not just penalize it.

Misconception: Only the provider's home country can enforce rules.

  • Reality: While the authority of establishment has exclusive competence (Article 25(4)), Article 28 allows other Member States to trigger investigations. If a provider is non-compliant in one Member State, the authority of establishment is obligated to assess and act, potentially leading to cessation orders even if the provider is headquartered elsewhere in the EU. The cross-border cooperation mechanism ensures that enforcement is not fragmented.

Misconception: Cessation orders are permanent.

  • Reality: The order is to bring the infringement to an end. Once the provider implements the necessary proportionate remedies and demonstrates compliance, the cessation order can be lifted. However, the burden of proof for remediation lies with the provider, and the authority must verify that the infringement has effectively ended before restoring the provider's status.

Related

This is general information about a draft EU regulation, not legal advice.