Can CADA penalties be imposed without a court?

Summary As proposed, the Cloud and AI Development Act (CADA) does not mandate that penalties be imposed exclusively by courts. Instead, Article 26(2) grants national competent authorities a dual option: they may impose fines directly or request a judicial authority to do so, depending on the procedural traditions of the Member State. While the initial imposition may be administrative, Article 26(4) guarantees that all measures are subject to adequate safeguards and the right of all affected parties to an effective judicial remedy. Therefore, a court is not always the imposing body, but judicial oversight is always available.

Detail

The enforcement architecture of the proposed Cloud and AI Development Act (CADA) is designed to balance the need for swift, effective regulatory action with the fundamental rights of cloud computing service providers. Unlike some EU regulations that strictly reserve the power to impose financial penalties for judicial bodies, CADA adopts a flexible approach that respects the diverse procedural landscapes of the Member States while ensuring substantive harmonization.

The Dual Enforcement Model under Article 26

The core mechanism for imposing penalties is found in Article 26, which outlines the powers of national competent authorities. Specifically, Article 26(2) establishes a bifurcated system for financial sanctions. It explicitly empowers competent authorities of establishment to:

• Impose fines, or
• Request a judicial authority in their Member State to impose fines.

This "or" structure is deliberate. It acknowledges that in some Member States, administrative bodies possess the inherent power to levy fines for regulatory breaches, while in others, the imposition of financial penalties is constitutionally or procedurally reserved for the judiciary. CADA does not force a harmonization of this procedural choice. Instead, it allows Member States to determine, within their national legal frameworks, whether the competent authority acts as the final decision-maker on fines or acts as a prosecutor requesting a court order.

The same dual option applies to periodic penalty payments. Under Article 26(2)(c), authorities may impose these payments to ensure the termination of an infringement or compliance with investigative orders, or they may request a judicial authority to impose them. This ensures that the enforcement tool (the penalty) is available regardless of the national procedural path, preventing regulatory gaps where a provider might otherwise evade sanctions due to jurisdictional technicalities.

Procedural Safeguards and Judicial Remedy

While the imposition of a fine may occur without a judge in certain jurisdictions, the review of that decision is never optional. Article 26(4) serves as the critical safeguard for this flexibility. It mandates that Member States must set out specific rules and procedures for the exercise of these powers, ensuring that any exercise is subject to "adequate safeguards under applicable national law."

Crucially, Article 26(4) explicitly states that measures taken by competent authorities must comply with the general principles of Union law, including:

• The right to respect for private life.
• The rights of defence.
• The right to be heard.
• The right of access to the file.

Most importantly for the question of court involvement, Article 26(4) guarantees that these measures are "subject to the right of all affected parties to an effective judicial remedy." This means that even if a national competent authority imposes a fine directly (without a prior court order), the provider has an automatic right to challenge that decision before a court. The court then reviews the legality, proportionality, and procedural fairness of the administrative decision.

The Role of Article 24 in Penalty Determination

While Article 26 governs who imposes the penalty, Article 24 governs how the penalty is calculated. Article 24(1) requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." To ensure consistency across the Union, Article 24(2) provides a non-exhaustive list of criteria that authorities (or courts, where applicable) must consider when determining the severity of a fine. These criteria include:

• The nature, gravity, scale, and duration of the infringement.
• Any action taken by the infringing party to mitigate or remedy the damage.
• Any previous infringements by the infringing party.
• The financial benefits gained or losses avoided due to the infringement.
• The infringing party's annual turnover in the preceding financial year in the Union.

This harmonized criteria list ensures that while the procedure for imposing the fine may vary (administrative vs. judicial), the substance of the penalty calculation remains consistent across the EU.

Exclusive Competence and Centralized Enforcement

To prevent conflicting penalties and legal uncertainty for multinational providers, CADA centralizes enforcement competence. Article 25(4) establishes that the Member State where the cloud computing service provider has its "main establishment" (defined as the head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty framework.

This "main establishment" rule means that a provider cannot be fined simultaneously by authorities in multiple Member States for the same infringement. The authority in the Member State of the main establishment is the sole body empowered to impose penalties or request judicial intervention under Article 26. This centralization simplifies the defense strategy for providers, as they only need to engage with one competent authority regarding the imposition of fines, even if their services are used across the entire Union.

Civil Liability and Compensation

Beyond administrative or judicial fines, Article 24(3) introduces a civil liability dimension. It grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of the sovereignty framework. This right exists independently of the penalties imposed by authorities. A provider could face a fine from a competent authority (under Article 26) and simultaneously face a civil lawsuit for damages from affected customers (under Article 24(3)).

What this means for you

For in-house counsel, compliance officers, and legal teams, the procedural nuances of CADA's enforcement mechanism have significant strategic implications.

1. Map the National Procedural Landscape

Because CADA allows Member States to choose between administrative and judicial imposition of fines, you cannot assume a uniform process across the EU. You must analyze the national implementing legislation in each Member State where you have a presence or where your main establishment is located.

• In Administrative Jurisdictions: Be prepared for the competent authority to issue a fine directly. Your immediate focus should be on the administrative appeal process and the right to be heard during the investigation.
• In Judicial Jurisdictions: The competent authority will likely act as a prosecutor, filing a case in court. Your defense strategy must be court-centric from the outset, focusing on litigation tactics rather than administrative negotiation.

2. Prioritize the "Main Establishment" Defense

Given the exclusive competence rule in Article 25(4), your primary legal engagement should be with the competent authority in the Member State of your main establishment. Do not fragment your defense by responding separately to authorities in other Member States regarding the same infringement. Centralize your legal response to ensure consistency and to leverage the exclusive competence provision to prevent parallel proceedings.

3. Leverage Mitigation and Procedural Rights

Regardless of whether the fine is imposed by an authority or a court, Article 24(2) mandates that mitigating factors be considered.

• Document Mitigation: Maintain rigorous records of any steps taken to remedy an infringement or mitigate damage (e.g., immediate system patches, customer notifications, voluntary audits). This evidence is critical for reducing the fine amount.
• Assert Procedural Rights: Under Article 26(4), you have the right to be heard and access the file. In administrative proceedings, exercise these rights aggressively to challenge the factual basis of the infringement before the fine is finalized.

4. Prepare for Judicial Review

Even if a fine is imposed administratively, Article 26(4) guarantees an effective judicial remedy. Ensure your legal budget and resources are allocated for potential litigation. The "effective judicial remedy" is not merely a formality; it is the mechanism by which you can challenge the proportionality of the fine, the application of the criteria in Article 24, or any procedural errors in the investigation.

5. Monitor Civil Liability Risks

Do not focus solely on regulatory fines. Article 24(3) creates a direct right of action for customers. A finding of infringement by a competent authority could trigger a wave of civil claims for damages. Ensure your insurance coverage and risk management strategies account for this dual exposure (regulatory fines + civil damages).

Common misconceptions

"CADA fines must always be imposed by a judge."

• Reality: This is incorrect. Article 26(2) explicitly allows national competent authorities to impose fines directly. The requirement for a court depends on the national procedural law of the Member State.

"If an authority imposes a fine, there is no court involvement."

• Reality: While the authority may impose the fine initially, Article 26(4) guarantees the right to an effective judicial remedy. The affected party can always challenge the decision in court, ensuring judicial oversight is never absent.

"Penalties are identical in every Member State."

• Reality: While the criteria for calculating penalties are harmonized under Article 24, the procedure for imposing them (administrative vs. judicial) and the specific rules of procedure are determined by national law under Article 26(4).

"Only cloud providers face penalties."

• Reality: While the primary target is cloud computing service providers, Article 26(1) grants authorities the power to require information from "any other persons acting for purposes related to their trade," including auditing organisations and subcontractors. These entities can be subject to investigative measures and, potentially, penalties if they infringe specific obligations.

Related

• Which CADA obligations can lead to penalties?
• Can a CADA fine be challenged in court? Judicial remedies explained
• Who can claim compensation under CADA? Recipients, damages and the right to seek redress
• What should a startup cloud provider know about CADA penalties?
• What remedies can CADA authorities impose on providers?

This is general information about a draft EU regulation, not legal advice.