Summary

Yes, under the proposed Cloud and AI Development Act (CADA), recipients of cloud computing services can simultaneously pursue compensation for damages and report a regulatory breach. Article 24(3) establishes an independent private right to seek compensation for losses caused by a provider's infringement, which operates separately from public enforcement. Concurrently, Article 28 facilitates cross-border cooperation between national competent authorities to investigate and penalize non-compliance. These parallel tracks mean a customer can initiate civil redress while authorities handle administrative sanctions, with neither process barring the other.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a dual-track enforcement mechanism for breaches of the Union cloud computing sovereignty framework. For legal counsel and compliance officers, it is critical to understand that the right to private compensation and the mechanism for public reporting are distinct legal pathways designed to be activated in parallel.

The Private Right to Compensation (Article 24)

Article 24 of the CADA proposal governs penalties and compensation. While paragraphs 1 and 2 mandate that Member States establish effective, proportionate, and dissuasive administrative penalties for infringements, Article 24(3) explicitly safeguards the rights of private parties. It states:

"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This provision confirms that the right to compensation is a civil matter governed by Union and national private law. Crucially, this right is independent of public enforcement. It is not contingent upon a prior administrative finding of guilt by a regulator, nor does it require the exhaustion of administrative remedies. A customer who suffers financial loss or operational disruption due to a provider's failure to meet the required Union assurance levels (e.g., failure to maintain data residency, unauthorized third-country control, or security breaches) can initiate civil proceedings for damages immediately, regardless of whether a regulatory investigation is pending or concluded.

The Public Reporting and Enforcement Mechanism (Article 28)

Simultaneously, the CADA establishes a robust public enforcement regime to ensure consistent application of the sovereignty framework across the Union. Article 28, titled "Cross-border cooperation," provides the mechanism for reporting and investigating breaches that span Member States.

Under Article 28(1), if a competent authority in a Member State where the service is used (the "destination") suspects that a cloud computing service provider no longer fulfills the requirements set out in Annex II (the Union assurance levels), it may request the competent authority of the provider's establishment (the "origin") to assess the matter. The authority of establishment is then obligated to take the necessary investigatory and enforcement measures.

Furthermore, Article 28(2) allows the European Commission to directly request the competent authority of establishment to assess suspected non-compliance and take enforcement action. Article 28(4) mandates that the authority of establishment communicate its assessment and any measures taken to the requesting authority and the Commission within two months.

This mechanism ensures that a breach reported by a customer or detected by a national authority triggers a coordinated public investigation. The authority of establishment possesses the power to order the cessation of infringements, impose fines, or apply periodic penalty payments, as outlined in Article 26.

Parallel Proceedings: No Conflict of Interest

The structure of the CADA proposal implies that private compensation claims and public regulatory enforcement are complementary, not mutually exclusive.

  1. Independence of Claims: Article 24(3) grants a standalone right to compensation. A customer does not need to wait for the conclusion of an Article 28 investigation to file a civil claim for damages. The civil court's assessment of liability and damages is separate from the administrative authority's assessment of regulatory compliance and penalties.
  2. Evidence Sharing: While the proceedings are separate, evidence gathered during the public investigation under Article 28 (such as audit reports, findings of non-compliance, or revocation of recognition) may be relevant in civil litigation, subject to applicable data protection and confidentiality rules. Conversely, a civil judgment finding a provider liable for damages may inform the regulator's view on the severity of the infringement, though it does not automatically dictate the administrative penalty.
  3. Strategic Advantage for Customers: For public sector bodies or private entities in high-criticality sectors (as referenced in Article 31), the ability to report a breach under Article 28 while simultaneously seeking compensation under Article 24 provides a powerful lever. It allows the customer to mitigate immediate financial losses through civil action while ensuring the provider is held accountable and corrected through regulatory oversight.

What this means for you

For in-house counsel and compliance officers, the dual-track nature of CADA enforcement requires a proactive strategy for incident response and contract management.

1. Contractual Alignment and Liability Clauses: Review existing and future cloud service agreements to ensure they align with Article 24(3). While the CADA grants a statutory right to compensation, contractual clauses can streamline the process by defining what constitutes "damage or loss," specifying notification periods, and agreeing on methodologies for calculating damages. Ensure that liability caps in contracts do not inadvertently exclude liability for breaches of the CADA's sovereignty obligations, as such exclusions may be deemed unenforceable if they contravene the mandatory nature of the Regulation.

2. Incident Response Protocols: Update your incident response playbooks to include parallel tracks for regulatory reporting and civil claims. When a potential breach of the Union assurance levels is identified (e.g., unauthorized data transfer to a third country or loss of Union citizenship for key personnel):

  • Regulatory Track: Notify the relevant national competent authority as required by transparency obligations (Article 23) and trigger the cross-border cooperation mechanism if necessary (Article 28). Document all communications with the provider and authorities.
  • Civil Track: Preserve all evidence of the breach and resulting damages (e.g., logs, financial losses, reputational harm). Consult with litigation counsel to assess the viability of a compensation claim under Article 24(3). Do not delay this assessment waiting for regulatory outcomes.

3. Evidence Preservation: Because public investigations under Article 28 and private claims under Article 24 may rely on similar factual bases, maintain a rigorous chain of custody for all relevant data. This includes audit reports, service level agreement (SLA) performance records, and correspondence with the provider. Ensure that data sharing between your legal team and regulatory authorities complies with data protection laws (GDPR) and the confidentiality obligations of the CADA.

4. Monitoring Provider Compliance: Regularly monitor your provider's status in the central repository of recognized services (Article 22). If a provider's recognition is revoked or amended due to non-compliance, this may serve as immediate evidence of an infringement, strengthening both your regulatory report under Article 28 and your compensation claim under Article 24.

Common misconceptions

Misconception 1: You must wait for a regulatory penalty before suing for damages. This is incorrect. Article 24(3) grants an independent right to seek compensation. Civil proceedings can commence as soon as damage is suffered and causation is established, regardless of whether a competent authority has imposed a fine under Article 26.

Misconception 2: Reporting a breach to authorities waives your right to private compensation. No. Reporting a breach under the transparency obligations (Article 23) or triggering cross-border cooperation (Article 28) is a regulatory duty or right that does not prejudice your civil claims. In fact, timely reporting may help establish the timeline of events and the provider's awareness of the breach, which can be relevant in civil litigation.

Misconception 3: Administrative fines paid by the provider cover your damages. Administrative fines imposed under Article 26 are paid to the state and are intended to be dissuasive and punitive. They do not compensate the victim. Article 24(3) ensures that victims can still seek full compensation for their actual losses from the provider, separate from any fines paid to the regulator.

Misconception 4: Only public sector bodies can claim compensation. While Article 30 mandates public procurement of sovereign services, Article 24(3) refers to "recipients of the cloud computing services" broadly. This includes both public sector bodies and private sector entities, particularly those in high-criticality sectors as referenced in Article 31, who may suffer losses from non-compliant services.

This is general information about a draft EU regulation, not legal advice.