Summary As proposed in the Cloud and AI Development Act (CADA), national competent authorities possess the explicit power to question staff or representatives of cloud computing service providers regarding suspected infringements of the Union sovereignty framework. Under Article 26(1)(c), authorities may ask any member of staff or representative to give explanations concerning information relating to a suspected infringement. However, a critical safeguard exists: authorities may only record these answers by technical means with the consent of the person being questioned. This power is strictly limited to investigations into potential violations of the Union assurance levels and is subject to procedural safeguards, including the right to be heard and access to an effective judicial remedy.
Detail
The Cloud and AI Development Act (CADA), as set out in Commission Proposal COM(2026) 502 final, establishes a robust enforcement mechanism to ensure that cloud computing service providers comply with the Union's sovereignty framework. Central to this enforcement is the role of the national competent authorities designated by each Member State. These authorities are granted specific investigative and enforcement powers to monitor compliance with the Union assurance levels (1 through 4) and to investigate potential breaches of the Regulation.
One of the most direct investigative tools available to these authorities is the power to interview individuals associated with the provider. This is explicitly laid out in Article 26(1)(c) of the CADA proposal. The provision states that competent authorities of establishment shall have the power:
"to ask any member of staff or representative of those providers or those persons acting for purposes related to their trade, business, craft or profession, to give explanations in respect of any information relating to a suspected infringement and, with their consent, to record their answers by any technical means."
This provision creates a formal obligation for staff and representatives to cooperate with authorities by providing explanations when a suspected infringement is under investigation. However, the text carefully balances this investigative need with the fundamental rights of the individuals being questioned. The requirement to provide explanations is mandatory; the authority has the power to "ask... to give explanations." In contrast, the ability of the authority to record those explanations is strictly conditional. The authority must obtain the consent of the staff member or representative before using any technical means (such as audio or video recording) to capture their answers. If consent is not given, the authority cannot record the answers, though it may still take written notes or rely on the verbal explanation provided during the investigation.
It is important to note the scope of this power. The questioning is not a general fishing expedition; it is strictly tied to "any information relating to a suspected infringement" of the Regulation. This means the authority must have a basis for suspecting that the cloud computing service provider has failed to meet the criteria for its recognized Union assurance level, or has otherwise violated the transparency, audit, or recognition obligations set out in Title IV of the proposal. The power does not extend to general market inquiries or unrelated regulatory matters.
The powers under Article 26 are exercised by the competent authority of the Member State where the cloud computing service provider has its main establishment. As defined in Article 25(4), this is the location where the provider has its head office or registered office from which the principal financial functions and operational control are exercised. This ensures a single point of regulatory contact for providers operating across the Union, preventing fragmented investigations by multiple national bodies.
Furthermore, these investigative powers are not absolute. Article 26(4) mandates that Member States must set out specific rules and procedures for the exercise of these powers. Crucially, these measures must be subject to "adequate safeguards under applicable national law in compliance with the general principles of Union law." This includes respecting the right to respect for private life, the rights of defence, the right to be heard, and the right of access to the file. All affected parties must have access to an effective judicial remedy. This legal framing ensures that while authorities have robust tools to enforce the sovereignty framework, they must do so within the bounds of due process and fundamental rights.
The context of this power is further reinforced by Article 26(1)(a) and (b), which grant authorities the power to require information and to carry out inspections. The power to question staff under (c) is part of this broader investigative toolkit, designed to uncover facts that may not be evident from documents alone. However, unlike the power to demand documents (which is mandatory), the recording of verbal answers is the only element in this specific clause that is explicitly conditional on the individual's consent.
What this means for you
For cloud computing service providers and data centre operators seeking recognition under the CADA sovereignty framework, understanding Article 26(1)(c) is critical for internal compliance, risk management, and crisis preparedness.
- Prepare for Regulatory Interviews: Your staff, particularly those in technical, compliance, legal, and senior management roles, may be called upon to provide verbal explanations to national competent authorities if an infringement is suspected. Ensure that your employees are aware of their obligation to cooperate and provide accurate information regarding the provider's compliance with the Union assurance levels. Refusal to provide explanations could be viewed as non-cooperation.
- Manage Consent for Recording: Be prepared for the possibility that authorities will request to record interviews. While you cannot refuse to answer the questions, you have the right to refuse the recording. If you choose not to consent to recording, ensure that accurate contemporaneous notes are taken by your own legal or compliance representatives to maintain a clear record of what was communicated. This protects against potential misinterpretations of verbal statements later in the proceedings.
- Internal Training: Train your staff on the distinction between general inquiries and formal investigative questioning. If an authority invokes Article 26, it indicates a formal investigation into a suspected infringement. Staff should be instructed to involve legal counsel immediately and to provide only factual, verified information relevant to the suspected breach. They should not speculate or provide information outside their knowledge.
- Document Everything: Maintain rigorous internal documentation of all interactions with competent authorities. If staff are questioned, document the date, time, attendees, the general scope of the questions asked, and whether consent was given for recording. This aligns with the broader transparency and record-keeping obligations under CADA and supports your defense if penalties are considered under Article 24.
- Legal Representation: Given the potential for penalties under Article 24, ensure that legal representation is available during any formal investigative questioning. The right to be heard and the right of access to the file, as mandated by Article 26(4), are fundamental protections that your legal team can help you exercise effectively.
Common misconceptions
Misconception 1: Authorities can record staff answers without permission. Some providers assume that regulatory authorities have broad surveillance powers during investigations. This is incorrect under CADA. Article 26(1)(c) explicitly states that answers can be recorded by technical means only with the consent of the staff member or representative. Without consent, the authority must rely on other methods of documentation, such as written minutes.
Misconception 2: Staff can refuse to answer questions entirely. While staff can refuse to allow their answers to be recorded, they cannot refuse to provide explanations when asked by the competent authority in the context of a suspected infringement. The power to "ask... to give explanations" is a mandatory investigative tool. Refusing to cooperate could itself be considered an obstruction of the investigation and may lead to further enforcement actions, including fines or periodic penalty payments under Article 26(2).
Misconception 3: Any authority can question staff at any time. The power to question staff is not a general right for any public body. It is limited to the designated national competent authority of the Member State where the provider has its main establishment. Furthermore, it can only be exercised in the context of a suspected infringement of the CADA provisions, not for general market research or unrelated regulatory matters.
Misconception 4: This applies to all employees regardless of role. While the text says "any member of staff or representative," the practical application is limited to those who "may reasonably be expected to be aware of information relating to a suspected infringement" (a standard applied to information requests in Article 26(1)(a) and relevant to the broader context of Article 26). Authorities will target individuals with relevant knowledge, not random employees.
Related
- Can CADA authorities seize a cloud provider's data?
- Can CADA authorities require information from a provider's suppliers?
- Can CADA authorities order a provider to stop an infringement?
- Can CADA authorities inspect a cloud provider's premises?
- Can CADA authorities demand information from a cloud provider?
This is general information about a draft EU regulation, not legal advice.