Summary
Yes, under the proposed Cloud and AI Development Act (CADA), the European Commission holds a direct power to request a Member State's national competent authority to investigate a cloud computing service provider and take enforcement action. This mechanism is codified in Article 28(2), which allows the Commission to trigger assessments when there are suspicions of non-compliance with Union assurance levels. The request must be duly reasoned under Article 28(3), and the authority of establishment is legally bound to assess the matter and communicate its findings and any measures taken within two months. Crucially, while the Commission can trigger the investigation, it cannot directly impose fines; enforcement powers remain with the national authority under Article 26.
Detail
The CADA proposal establishes a rigorous framework for cloud sovereignty, requiring cloud providers to meet specific "Union assurance levels" to serve public sector bodies. To enforce these standards across the EU's single market, the regulation relies on a system of national competent authorities designated by Member States under Article 25. While these national authorities hold primary enforcement responsibility, the Commission retains specific oversight powers to ensure consistent application of the law, particularly in cross-border scenarios or systemic risk situations.
The Commission's Power to Request Investigation
The primary mechanism for Commission intervention is found in Article 28 of the CADA proposal, titled "Cross-border cooperation." While Article 28(1) allows a "competent authority of destination" (an authority in a Member State where the service is used) to request an investigation from the "authority of establishment" (the authority in the Member State where the provider is headquartered), Article 28(2) grants a parallel and independent power to the European Commission itself.
Article 28(2) states:
"The Commission may also request the competent authority referred to in Article 25 to assess the matter and take the necessary investigatory and enforcement measures to ensure compliance."
This provision is significant because it allows the Commission to act as a direct trigger for enforcement, bypassing the need for a specific Member State's authority to initiate the complaint. This is particularly relevant for issues that affect the Union's broader public order, strategic autonomy, or where multiple Member States may be affected by a single provider's non-compliance. It ensures that the Commission can intervene proactively if it identifies a risk to the integrity of the Union assurance framework, even if no single Member State has yet raised a formal objection.
Requirements for the Request: "Duly Reasoned"
The Commission cannot issue arbitrary or vague requests. Article 28(3) imposes a strict procedural requirement to ensure legal certainty and efficiency:
"Requests pursuant to paragraph 1 or 2 shall be duly reasoned and shall be duly taken into account by the competent authority of establishment."
This means the Commission must provide a substantive justification for why it believes an investigation is necessary. The request must articulate the specific grounds for suspicion, likely referencing potential violations of the criteria set out in Annex II (the criteria for Union assurance levels). These grounds could include failures in data localization, unauthorized third-country access, lack of proper cybersecurity certifications, or issues regarding the control of the provider by a third country.
The "duly reasoned" standard serves two purposes: it prevents national authorities from being burdened with frivolous requests, and it ensures that the cloud provider (once notified) understands the specific basis of the scrutiny. Furthermore, the requirement that the request "shall be duly taken into account" creates a strong legal obligation for the national authority to engage with the Commission's concerns, rather than simply ignoring them.
Obligations of the National Competent Authority
Once the Commission issues a duly reasoned request under Article 28(2), the national competent authority of establishment is obligated to act. Article 28(3) further mandates that the request "shall be duly taken into account." In practice, this creates a presumption that the authority must launch an assessment of the suspected infringement.
However, the regulation acknowledges that the initial request might lack sufficient detail. Article 28(3) provides a mechanism for this:
"Where the competent authority of establishment considers that the information provided is insufficient, it may either request additional information. The period set out in paragraph 4 shall be suspended until that additional information is provided."
This suspension mechanism ensures that the authority is not forced to make a decision based on incomplete data, but it also prevents indefinite delays. The clock on the response deadline stops only until the necessary information is supplied.
Deadlines and Reporting
Time is of the essence in cross-border enforcement to maintain market confidence and ensure rapid remediation of sovereignty risks. Article 28(4) sets a strict deadline for the authority of establishment:
"The competent authority of establishment shall, as soon as possible and in any event not later than two months after receipt of the request pursuant to paragraph 1 or 2, communicate to the competent authority that sent the request, and the Commission, its assessment of the suspected infringement and an explanation of any investigatory or enforcement measures taken or envisaged in relation to the matter to ensure compliance with this Regulation."
This two-month window is absolute unless suspended due to a request for additional information. The authority must report back to the Commission and, where another national authority originally raised the concern, to that authority as well; in a request made by the Commission alone, the Commission is the sole recipient. The report must detail the assessment of the suspected infringement and explain any measures taken or planned.
Investigatory and Enforcement Powers
When the Commission requests an assessment under Article 28(2), the national authority utilizes the powers granted to it under Article 26. These include:
- Investigative powers: Requiring information from providers and auditing organizations, and conducting inspections of premises (Article 26(1)).
- Enforcement powers: Ordering the cessation of infringements, imposing fines, or imposing periodic penalty payments (Article 26(2)).
The measures taken must be "effective, dissuasive and proportionate," considering the nature, gravity, and duration of the infringement (Article 26(3)). It is critical to note that the Commission itself does not possess the power to impose fines directly under CADA. As stated in Article 24, Member States are responsible for laying down the rules on penalties, and Article 26 vests the power to impose fines in the national competent authorities. The Commission's role is to trigger the process and ensure the authority acts, not to act as the adjudicator or fining body itself.
Furthermore, Article 26(4) ensures that any exercise of these powers is subject to adequate safeguards under applicable national law, including the right to respect for private life, the rights of defence (including the right to be heard and to have access to the file), and the right to an effective judicial remedy.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the Commission's power under Article 28(2) adds a significant layer of EU-level scrutiny to national enforcement.
- Prepare for Commission-Led Scrutiny: Do not assume that compliance with one national authority guarantees safety from others. The Commission can independently trigger investigations across borders. Ensure your compliance documentation (e.g., EU statements of conformity, audit reports, and evidence of Union establishment) is robust, up-to-date, and readily accessible for immediate review.
- Monitor for "Duly Reasoned" Requests: If you receive a request for information or an investigation notice from a national authority, check if it was triggered by a Commission request under Article 28(2). This may indicate a broader, EU-wide concern about your service's sovereignty credentials, potentially affecting your ability to serve public sector bodies across the Union.
- Adhere to the Two-Month Timeline: Authorities are under pressure to respond within two months. Be prepared to provide comprehensive evidence quickly. Delays in your response could hinder the authority's ability to meet its deadline, potentially escalating the situation or leading to a presumption of non-compliance.
- Leverage the Right to Be Heard: While Article 28 focuses on the authority's obligations, Article 26(4) ensures that any enforcement measures are subject to adequate safeguards, including the right to be heard and access to the file. Engage proactively with the authority during the investigation phase to present your case before any final measures are taken.
Common misconceptions
- Misconception: "Only other Member States can trigger cross-border investigations."
- Correction: Article 28(2) explicitly grants the Commission the power to request assessments and enforcement actions directly from national authorities, independent of other Member States' requests.
- Misconception: "The Commission can directly fine providers for sovereignty violations."
- Correction: The Commission does not directly impose fines for CADA sovereignty infringements. It requests the national competent authority to take "necessary investigatory and enforcement measures," which includes the authority's power to impose fines under Article 26(2)(b).
- Misconception: "National authorities can ignore Commission requests if they disagree."
- Correction: Article 28(3) states that requests "shall be duly taken into account." While authorities have discretion in how they investigate, they cannot simply dismiss a duly reasoned Commission request. They must assess the matter and report back within two months.
This is general information about a draft EU regulation, not legal advice.