Summary
Yes, as proposed, the Cloud and AI Development Act (CADA) grants national competent authorities the explicit power to require information not only from cloud computing service providers but also from any person acting for purposes related to their trade, business, craft, or profession who may reasonably be expected to be aware of information relating to a suspected infringement. This provision, found in Article 26(1)(a), significantly extends investigative reach to the entire supply chain, including subcontractors, technical support providers, and auditing organisations. The obligation is strictly limited to information relevant to a suspected infringement of the Regulation.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous enforcement framework to safeguard the Union cloud computing sovereignty framework. A cornerstone of this framework is Article 26, which delineates the investigative and enforcement powers of national competent authorities. Crucially, the text of Article 26(1)(a) ensures that the regulatory net is cast wide enough to capture the complex, multi-layered nature of modern cloud supply chains.
The Scope of Information Requests: Beyond the Primary Provider
Under Article 26(1)(a), the competent authority of establishment possesses the power to require:
"any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement of this Regulation, including auditing organisations, to provide that information as soon as possible."
This wording is legally significant for several reasons:
- Broad Definition of "Person": The phrase "any other persons acting for purposes related to their trade, business, craft or profession" is intentionally expansive. It moves beyond the contractual relationship between the public sector body and the primary cloud provider. It captures any entity in the value chain whose activities are integral to the provision of the service.
- Explicit Inclusion of Auditors: The text explicitly names "auditing organisations" within this category. This ensures that authorities can directly verify the integrity of the audit process, audit evidence, and the independence of the auditor if a suspected infringement arises regarding Union assurance levels 2, 3, or 4.
- The "Reasonably Expected" Threshold: The power is not arbitrary. It is conditioned on the person being someone who "may reasonably be expected to be aware of information relating to a suspected infringement." This creates a relevance and proximity test. A supplier must hold knowledge or data pertinent to the specific breach under investigation (e.g., data localization failures, personnel citizenship issues, or third-country control risks).
Who Falls Within This Scope?
The investigative reach of Article 26(1)(a) extends to various actors in the cloud ecosystem:
- Subcontractors: Entities with a direct contractual relationship to the cloud computing service provider that contribute to the provision and delivery of the service. Under Annex II, specific criteria for assurance levels 2, 3, and 4 require transparency regarding subcontractors. If a suspected infringement involves a subcontractor's failure to meet data localization or personnel criteria, the authority can demand information directly from that subcontractor.
- Technical and Operational Support Providers: Third parties providing maintenance, monitoring, incident response, or security operations. Annex II criteria for levels 2, 3, and 4 mandate that technical support be initiated and performed exclusively within the Union. If an authority suspects support is being routed through a third country, they can compel information from the support provider.
- Software and Hardware Suppliers: Entities providing critical components, such as those listed in the Software Bill of Materials (SBOM) required under Annex II. If a suspected infringement relates to the supply chain (e.g., unauthorized remote features or lack of source code auditability), suppliers of these components fall within the scope of Article 26(1)(a).
- Auditing Organisations: As noted, these are explicitly named. Authorities can request audit reports, evidence, and explanations regarding the audit opinion if there are suspicions of non-compliance or compromised independence.
The Context of Suspected Infringement
These powers are exercised "where needed to carry out their tasks under Article 17." Article 17 governs the recognition of cloud computing service providers as offering specific Union assurance levels. Consequently, information requests from suppliers are typically triggered in three scenarios:
- Initial Recognition Procedures: During the assessment of whether a provider meets the cumulative criteria for a specific assurance level. Authorities may need to verify claims made by the provider regarding their supply chain.
- Ongoing Supervision: To monitor continued compliance after recognition. If a provider's supply chain changes (e.g., a new subcontractor is engaged), authorities may seek confirmation of compliance from the new entity.
- Investigation of Suspected Non-Compliance: When a competent authority receives a complaint or detects potential breaches. For example, if there is evidence of unauthorized data transfers outside the Union, the authority can demand data flow records from the specific subcontractor handling that data transfer.
Obligations and Consequences for Suppliers
While Article 26 places the investigative power on the authority, the obligations flow down the supply chain. Cloud computing service providers are required to cooperate with competent authorities. If a supplier holds information critical to a provider's compliance (e.g., evidence of personnel location, SBOMs, or data flow diagrams), the supplier's failure to provide this information can have severe consequences:
- Direct Enforcement: Under Article 26(2), competent authorities have the power to impose fines or periodic penalty payments for failure to comply with investigative orders. While Article 24 primarily sets out penalties for infringements by cloud computing service providers, Article 26(2)(b) and (c) explicitly grant authorities the power to impose fines or periodic penalty payments on "any other persons" (including suppliers) who fail to comply with investigative orders issued under Article 26(1).
- Impact on Provider Recognition: If a supplier's refusal or inability to provide required information prevents the competent authority from verifying compliance, the authority may revoke the provider's recognition under Article 17(11). This would effectively bar the provider from serving public sector bodies requiring that assurance level.
- Audit Integrity: For assurance levels 2, 3, and 4, the audit report and opinion are central to recognition. If an auditing organisation fails to cooperate under Article 26(1)(a), the validity of the audit opinion is compromised, potentially leading to the withdrawal of recognition.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud providers and their suppliers, Article 26(1)(a) necessitates a fundamental shift in risk management and contract strategy.
- Map the Entire Supply Chain: You must maintain up-to-date, granular records of all subcontractors and suppliers involved in the provision of your service. This is not just a compliance requirement for Annex II (SBOMs, subcontractor lists) but a readiness requirement for Article 26 investigations. You need to know exactly which entity holds which piece of data or performs which function.
- Contractual Alignment and Flow-Down Clauses: Your contracts with suppliers must include robust clauses that:
  - Explicitly permit the disclosure of necessary information to competent authorities upon request.
  - Acknowledge that the supplier may be directly contacted by authorities under Article 26.
  - Oblige the supplier to cooperate with investigations and provide evidence within specified timeframes.
  - Address confidentiality and data protection, ensuring that disclosures to authorities are lawful and proportionate.
- Prepare for Direct Contact: Suppliers should be aware that they may be contacted directly by national competent authorities. Training and legal readiness are essential. A supplier's refusal to cooperate could not only result in fines for the supplier but also jeopardize the cloud provider's recognition status.
- Audit Readiness: If you are an auditing organisation or a provider using one, ensure that the auditor is prepared to cooperate with authorities. Article 26(1)(a) explicitly names them as subjects of information requests. Auditors must be ready to provide audit evidence, reports, and explanations regarding their findings and independence.
- Relevance is Key: While the power is broad, it is not unlimited. If a supplier receives a request, they should assess whether the information requested is "relating to a suspected infringement" and whether they are "reasonably expected to be aware" of it. However, the burden of proof for non-compliance is high, and refusal without valid grounds is risky.
Common misconceptions
- "Only the primary provider is liable for information requests." This is incorrect. Article 26(1)(a) explicitly extends the power to "any other persons acting for purposes related to their trade." Suppliers, subcontractors, and auditors can be directly compelled to provide information.
- "Information requests are limited to the provider's internal data." The scope is much broader. It includes data held by any entity in the supply chain that is relevant to a suspected infringement. This includes data held by third-country subsidiaries, technical support providers, and software vendors.
- "Suppliers can refuse based on commercial confidentiality." While general principles of confidentiality and data protection apply, Article 26 is designed to override commercial secrecy when necessary to investigate suspected infringements of public order and sovereignty requirements. The authority's need for information to assess compliance with Union assurance levels takes precedence, provided the request is proportionate and relevant.
- "Auditors are immune from investigation." Auditing organisations are explicitly named in Article 26(1)(a). They are not immune; in fact, their cooperation is critical for verifying the integrity of the assurance framework.
Related
- Can CADA authorities demand information from a cloud provider?
- How do CADA authorities request information from each other?
- Can CADA authorities seize a cloud provider's data?
- Can CADA authorities question a provider's staff?
- Can CADA authorities order a provider to stop an infringement?
This is general information about a draft EU regulation, not legal advice.