Summary
Yes, taking prompt and effective remedial action can significantly reduce a penalty under the proposed Cloud and AI Development Act (CADA). Article 24(2)(b) explicitly mandates that Member States consider "any action taken by the infringing party to mitigate or remedy the damage caused by the infringement" when determining the penalty. This mitigation is not automatic; it is weighed against the gravity of the breach, the provider's turnover, and any previous infringements. Crucially, voluntary remedial action aligns with the enforcement powers in Article 26, potentially reducing the need for coercive orders and demonstrating a commitment to compliance that authorities must factor into their final decision.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a rigorous enforcement regime to ensure the integrity of the Union's cloud sovereignty framework. While the Act empowers national competent authorities to impose "effective, proportionate and dissuasive" penalties, it also recognises that the behaviour of a provider after an infringement occurs is a critical variable in the sanctioning process. For cloud service providers, understanding the interplay between Article 24 (Penalties and compensation) and Article 26 (Powers of the national competent authorities) is essential for risk mitigation.
The Legal Basis for Mitigation: Article 24(2)(b)
The cornerstone of penalty mitigation in CADA is Article 24. Paragraph 1 of this Article requires Member States to lay down rules on penalties for infringements by cloud computing service providers, ensuring these penalties are "effective, proportionate and dissuasive."
However, the calculation of the specific penalty is not left to arbitrary discretion. Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account. Among these, Article 24(2)(b) is the specific provision governing remedial conduct:
"any action taken by the infringing party to mitigate or remedy the damage caused by the infringement;"
This clause creates a statutory obligation for authorities to evaluate the provider's post-infringement conduct. It acknowledges that a provider who actively works to fix a compliance failure, limit the scope of harm, and restore the status quo has acted differently than one who ignores the issue, conceals it, or obstructs the investigation. The text does not specify a fixed reduction percentage; rather, it requires the authority to weigh this action alongside other factors, such as the nature, gravity, scale, and duration of the infringement (Article 24(2)(a)), any previous infringements (Article 24(2)(c)), and the financial benefits gained or losses avoided (Article 24(2)(d)).
Consequently, while remedial action does not guarantee the elimination of a penalty (especially in cases of severe, intentional, or systemic breaches), it serves as a powerful lever to prevent the penalty from reaching the maximum possible level. It shifts the narrative from "punishment for non-compliance" to "correction of a deviation," which can significantly influence the "proportionality" requirement of Article 24(1).
The Enforcement Context: Article 26 and Remedial Action
Remedial action is not merely a passive factor in a penalty calculation; it is dynamically linked to the active enforcement powers granted to national competent authorities under Article 26. These powers are designed to stop infringements and ensure future compliance.
Article 26(2) grants authorities the power to:
- Order the cessation of infringements and, where appropriate, "impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end" (Article 26(2)(a)).
- Impose fines for failure to comply with the Regulation (Article 26(2)(b)).
- Impose periodic penalty payments to ensure an infringement is terminated (Article 26(2)(c)).
The relationship between Article 24(2)(b) and Article 26(2) is symbiotic. When a provider voluntarily takes remedial steps before or during an investigation, it is effectively pre-empting the coercive measures in Article 26(2)(a). By demonstrating that it is already "bringing the infringement effectively to an end," the provider reduces the necessity for the authority to issue a formal cessation order or impose a periodic penalty payment.
Furthermore, the "remedies proportionate to the infringement" mentioned in Article 26(2)(a) often mirror the "mitigate or remedy the damage" required by Article 24(2)(b). If a provider has already implemented the necessary technical or organisational measures to remedy the damage, the authority may view the imposition of additional coercive remedies as redundant or disproportionate. This alignment allows the provider to argue that the penalty should be reduced because the primary enforcement objective, restoring compliance, has already been achieved voluntarily.
Practical Steps for Providers to Leverage Mitigation
To effectively invoke Article 24(2)(b) and align with Article 26, providers should adopt a structured approach to remediation. The following steps are derived from the obligations and powers outlined in the proposal:
- Immediate Self-Reporting and Notification: Under Article 23, providers are already obligated to notify the auditing organisation and the national competent authority of any material changes that may affect their recognition. In the event of an infringement, extending this duty to immediate self-reporting demonstrates transparency. Voluntary disclosure often precedes and enhances the weight of remedial action, showing the authority that the provider is not attempting to conceal the breach.
- Swift Technical and Operational Correction: The core of "remedying damage" involves fixing the root cause. For example, if a provider inadvertently processed customer data outside the Union contrary to Annex II criteria for a specific assurance level, the immediate migration of that data back to the Union and the implementation of technical controls (e.g., geofencing, access restrictions) to prevent recurrence constitutes direct remedial action. This aligns with the authority's power under Article 26(2)(a) to order remedies, but doing it voluntarily is far more persuasive.
- Comprehensive Documentation of Actions: To prove that action was taken to "mitigate or remedy" the damage, providers must maintain a detailed audit trail. This should include internal memos detailing the decision to remediate, technical logs showing data migration or system patches, communication records with affected customers, and updated policies preventing future breaches. This documentation serves as the evidentiary basis for the authority to apply the mitigation factor under Article 24(2)(b).
- Full Cooperation with Investigations: Article 26(1) grants authorities extensive investigative powers, including the right to require information, carry out inspections, and ask for explanations. Full cooperation, including providing access to premises and data without obstruction, is a critical component of remedial conduct. Obstruction could be viewed as an aggravating factor, while cooperation reinforces the claim of good faith remediation.
- Engagement with Auditing Organisations: If the infringement affects the provider's Union assurance level recognition, Article 23 requires the provider to notify the auditing organisation. Working closely with the auditor to amend or revoke audit reports, or to conduct a new assessment, demonstrates a commitment to restoring the integrity of the sovereignty framework. This proactive engagement supports the argument that the damage to the regulatory framework has been remedied.
What this means for you
For cloud service providers operating under the proposed CADA framework, "remedial action" is a strategic operational imperative, not just a legal afterthought.
- Risk Management: Do not wait for an authority to discover a breach. If you identify a failure in your sovereignty criteria (e.g., a lapse in personnel screening or data localisation), initiate a remediation plan immediately. The speed of your response is a key indicator of your commitment to mitigating damage.
- Evidence is Key: The mitigation under Article 24(2)(b) is not self-executing. You must be able to prove that you took action. Ensure your internal compliance teams document every step of the remediation process, from the initial discovery to the final verification of the fix.
- Alignment with Enforcement: Understand that your remedial actions are effectively performing the work of Article 26(2)(a). By voluntarily bringing the infringement to an end, you reduce the scope for the authority to impose heavy-handed coercive measures, which in turn lowers the overall penalty risk.
- Holistic View: Remember that remedial action is one of several factors. Even with perfect remediation, a penalty may still be imposed if the infringement was severe, intentional, or resulted in significant financial gain for the provider (Article 24(2)(d)). The goal is to ensure the penalty remains "proportionate" rather than to guarantee immunity.
Common misconceptions
"Remedial action eliminates the penalty entirely." This is incorrect. Article 24(1) mandates that penalties must be "dissuasive." If an infringement was severe, intentional, or caused significant harm to public order, a penalty must still be imposed to deter future violations. Remedial action under Article 24(2)(b) serves to reduce the penalty, not necessarily to erase it.
"Only financial compensation counts as remedial action." No. While Article 24(3) grants recipients the right to seek compensation for damage, the mitigation factor in Article 24(2)(b) is broader. It includes technical fixes, process improvements, operational changes, and any other measures that prevent further harm or restore compliance. Correcting the underlying compliance failure is often more significant for regulatory authorities than financial restitution alone.
"I can wait for the authority to find the issue, then fix it." Delayed remediation is far less effective. Proactive, immediate action demonstrates a genuine commitment to compliance. Waiting for an investigation to begin may be viewed as obstructive or negligent, potentially aggravating the penalty under other criteria like the "nature, gravity, scale and duration" of the infringement (Article 24(2)(a)).
Related
- Can a CADA fine and a periodic penalty be combined?
- Who sets the penalty rules under CADA? Article 24 explained
- Who can claim compensation under CADA? Recipients, damages and the right to seek redress
- Which CADA obligations can lead to penalties?
- What remedies can CADA authorities impose on providers?
This is general information about a draft EU regulation, not legal advice.