Can the Commission request information during CADA recognition?

Summary Yes, under the proposed Cloud and AI Development Act (CADA), the European Commission holds specific authority to request information from national competent authorities during the recognition process for sovereign cloud services. As proposed in Article 17(13) and (14), the Commission may require national competent authorities to provide "any relevant information relating to the concerned cloud computing service provider and the application for recognition" as soon as possible and within a reasonable period. Crucially, the Commission must explicitly state the purpose of the request, specify the exact information required, and set a clear deadline for provision. This power is triggered specifically when a dispute arises between Member States regarding a draft recognition decision.

Detail

The Cloud and AI Development Act (CADA) establishes a harmonised framework for recognising cloud computing services that meet specific Union assurance levels (Levels 1–4). While the primary responsibility for evaluating applications and granting recognition lies with the national competent authority of establishment, the Regulation includes a robust dispute-resolution mechanism to ensure uniform application across the single market. The Commission's power to request information is a critical component of this mechanism, activated when national authorities cannot reach an agreement on a recognition decision.

The Trigger: Disagreement Between Member States

The recognition process for cloud services offering Union assurance levels 2, 3, or 4 involves a multi-stage evaluation. Once a national competent authority prepares a draft recognition decision, it must notify other Member States for a 60-day review period. During this period, another Member State's competent authority may submit a "reasoned objection" if it believes the draft decision does not comply with the applicable Union assurance level criteria set out in Annex II.

If the evaluating national competent authority assesses the objection and intends to maintain its original draft decision despite the objection, the concerned national competent authority (the one that raised the objection) may refer the matter to the Commission (Article 17(10)).

Once a referral is made, the Commission assumes a decisive role. It is empowered to assess the referral and may request information from the national competent authorities concerned to facilitate its assessment. This ensures the Commission has access to all necessary facts before adopting a binding decision determining whether the evaluating authority may proceed with the recognition.

Scope and Procedural Requirements of Information Requests

Article 17(13) explicitly empowers the Commission to require national competent authorities of establishment to provide "any relevant information relating to the concerned cloud computing service provider and the application for recognition." The provision mandates that this information be provided "as soon as possible and within a reasonable period."

To ensure legal certainty, proportionality, and the protection of sensitive data, Article 17(14) imposes strict procedural safeguards on the Commission when issuing such a request. The Commission is legally required to:

1. State the purpose of the request: The Commission must clearly articulate why the information is being sought in the context of the specific referral. This prevents arbitrary data gathering and ensures the request is directly linked to resolving the dispute.
2. Specify what information is required: The request must be precise. The Commission cannot issue vague or overly broad demands; it must define the specific data, documents, or evidence needed. This precision helps protect trade secrets and operational data that are not relevant to the specific dispute.
3. Set the period within which the information is to be provided: The Commission must establish a clear deadline for the provision of information. This ensures the timely resolution of the dispute, preventing prolonged uncertainty for the cloud service provider and the public sector bodies seeking to procure the service.

Context within the Sovereignty Framework

This information-gathering power is integral to the broader system of mutual assistance and cross-border cooperation designed to prevent fragmentation of the single market. The Commission's ability to compel information from national authorities underscores the EU-wide nature of the sovereignty framework. A cloud service recognised in one Member State must be recognised across the Union, provided it meets the cumulative criteria of the relevant Union assurance level.

Disputes over these criteria can have significant market implications, potentially blocking a provider from accessing the entire EU market. Therefore, the Commission's active role in resolving these disputes by gathering comprehensive information is justified. The information requested may include audit reports, evidence of compliance with cybersecurity standards, details on subcontractors, and data regarding the location of infrastructure and personnel. National competent authorities are obliged to cooperate closely with the Commission to ensure the consistent and efficient application of Title IV (Autonomy) of the Regulation.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, understanding the Commission's information powers is critical for managing the recognition process effectively, particularly when facing cross-border objections.

• Prepare for Escalation: If your organisation faces a reasoned objection from another Member State's competent authority, be prepared for the matter to be referred to the Commission. Ensure your internal documentation is robust, as the Commission's request for information will likely be comprehensive and focused on the specific points of contention.
• Cooperate with National Authorities: Your primary point of contact remains the national competent authority of establishment. However, that authority may be compelled to share your information with the Commission under Article 17(13). Ensure your submissions to the national authority are accurate, complete, and well-organized to facilitate this potential transfer and to support the authority's defence of your application.
• Monitor Deadlines: The Commission's request will include a strict deadline set under Article 17(14). Work closely with your legal team and the national competent authority to ensure that any additional information requested by the Commission is provided within the specified timeframe. Delays in providing information could negatively impact the finality of the recognition decision or the Commission's ability to reach a binding conclusion.
• Protect Sensitive Information: While the Commission has broad powers to request information, Article 17(14) requires it to specify the scope. If a request appears overly broad or risks exposing sensitive trade secrets unrelated to the dispute, engage with your legal counsel to discuss potential safeguards or clarifications with the national authority, though the obligation to provide "relevant information" remains strong.

Common misconceptions

• Misconception: The Commission conducts its own independent audit.
  • Reality: The Commission does not replace the national competent authority's audit or evaluation, nor does it act as a primary auditor. It relies on the evidence, audit reports, and findings generated by the national authorities and the independent auditing organisations. Its role is to resolve disputes between Member States regarding the application of the criteria, not to re-audit the cloud service from scratch.
• Misconception: The Commission can request information from the cloud provider directly at this stage.
  • Reality: Under Article 17(13), the Commission's power to require information is directed specifically at the national competent authorities. While the Commission has other investigative powers under Article 26 for enforcement, the specific context of the recognition dispute referral involves requesting information from the authorities involved in the evaluation process. The provider interacts with the Commission indirectly through its national authority.
• Misconception: Information requests are optional or informal.
  • Reality: The language "shall provide" in Article 17(13) indicates a mandatory obligation for the national competent authorities to comply with the Commission's request, provided the request adheres to the procedural requirements of Article 17(14). Failure to comply could hinder the Commission's ability to adopt a binding decision, potentially stalling the recognition process.

Related

• Can the Commission overrule a CADA recognition dispute?
• CADA Recognition Revocation: What Happens if a Provider Supplies False Information?
• CADA Recognition Disputes: How Objections and Commission Decisions Work
• CADA Recognition Clock: How Long Can the Assessment Be Suspended?
• Can the Commission change the CADA assurance levels by delegated act?

This is general information about a draft EU regulation, not legal advice.