Summary Under the proposed Cloud and AI Development Act (CADA), national competent authorities do not possess an automatic, unconditional right to enter a cloud computing service provider's premises without judicial oversight. As proposed, Article 26(1)(b) grants authorities the power to "carry out, or to request a judicial authority in their Member State to order, inspections." This creates a dual pathway: authorities may inspect directly or seek a court order, depending entirely on the national procedural rules of the Member State where the inspection occurs. Crucially, Article 26(4) mandates that any exercise of these powers must be subject to "adequate safeguards under applicable national law," including the right to an effective judicial remedy. Therefore, whether a court order is physically required for entry is a matter of national law, but the framework for such inspections is strictly harmonized to protect fundamental rights.

Detail

The enforcement architecture of the proposed Cloud and AI Development Act (CADA) is designed to ensure that the Union's cloud computing sovereignty framework is not merely symbolic but effectively enforceable. Central to this architecture is the investigative power granted to national competent authorities (NCAs). These authorities are responsible for recognizing cloud computing service providers as offering specific Union assurance levels (Article 17) and supervising their ongoing compliance. To fulfill these duties, CADA empowers NCAs to investigate suspected infringements, but it carefully calibrates these powers to respect the legal traditions and constitutional protections of the Member States.

The Dual Pathway of Article 26(1)(b)

Article 26 of the CADA proposal, titled "Powers of the national competent authorities," delineates the specific tools available to NCAs. While Article 26(1)(a) grants the power to require information from providers and related persons, Article 26(1)(b) addresses the more intrusive power of physical inspection.

The text of Article 26(1)(b) states that competent authorities shall have the power:

"to carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium"

This phrasing is deliberate. It does not mandate a single EU-wide procedure for entering premises. Instead, it establishes a flexible mechanism that accommodates the diverse administrative and judicial traditions across the Union. The authority has two options:

  1. Direct Execution: The authority may carry out the inspection itself.
  2. Judicial Request: The authority may request a judicial authority in their Member State to order the inspection.

The choice between these options is not left to the discretion of the authority alone but is dictated by the "applicable national law" of the Member State. In jurisdictions where administrative bodies have broad powers to conduct unannounced inspections (often common in competition or tax law contexts), the authority may proceed directly. In jurisdictions where the constitution or procedural codes require judicial authorization for entry into business premises to protect the right to privacy and inviolability of the home/business, the authority must request a judicial order.

The Decisive Role of National Procedural Rules (Article 26(4))

The variability in whether a court order is strictly necessary is explicitly anchored in Article 26(4). This provision acts as the bridge between the EU-level grant of power and national implementation. It states:

"Member States shall set out specific rules and procedures for the exercise of the powers pursuant to paragraphs 1 and 2 and shall ensure that any exercise of those powers is subject to adequate safeguards under applicable national law in compliance with the general principles of Union law."

This clause confirms that CADA does not override national procedural codes regarding the method of execution. Instead, it requires Member States to transpose the power into their domestic legal frameworks while ensuring that the exercise of that power remains lawful. Consequently:

  • In Member State A, if national law requires a warrant for administrative inspections, the NCA must request a judicial order under Article 26(1)(b) before entering.
  • In Member State B, if national law permits administrative inspections without a warrant for certain regulatory breaches, the NCA may "carry out" the inspection directly, provided they adhere to the national procedural rules set out under Article 26(4).

This approach ensures that CADA respects the principle of subsidiarity and the diverse legal cultures of the EU, while still guaranteeing that the power to inspect exists in every Member State.

Safeguards, Fundamental Rights, and Judicial Remedies

While the procedural trigger for an inspection may vary, the safeguards surrounding the inspection are harmonized and mandatory across the Union. Article 26(4) imposes a rigorous set of conditions that apply regardless of whether a court order was obtained or if the inspection was carried out administratively.

The provision explicitly requires that the exercise of investigative powers be subject to:

  1. Adequate safeguards under applicable national law: This ensures that domestic constitutional protections, such as the inviolability of the home or business premises, are not bypassed.
  2. Compliance with general principles of Union law: This includes the principles of proportionality (the inspection must be necessary and not excessive) and legal certainty.
  3. Respect for fundamental rights: Specifically, the right to respect for private life (Article 7 of the Charter of Fundamental Rights) and the rights of defence.
  4. Rights of defence: This includes the right to be heard and the right to have access to the file.
  5. Effective judicial remedy: The text mandates that "any exercise of those powers... shall be subject to the right of all affected parties to an effective judicial remedy."

This last point is critical. Even if a national authority conducts an inspection without a prior court order (because national law allows it), the provider retains the absolute right to challenge the legality, proportionality, or scope of that inspection in court after the fact. The "effective judicial remedy" ensures that there is always a mechanism to review whether the authority acted within its powers and respected the provider's rights.

Scope and Limitations of the Inspection Power

When an inspection is lawfully conductedβ€”whether via direct administrative action or judicial orderβ€”the scope of the authority's access is broad but defined. Article 26(1)(b) authorizes authorities to:

  • Examine, seize, take, or obtain copies of information.
  • Target information relating to a suspected infringement.
  • Access information in any form, irrespective of the storage medium.

This broad scope is necessary to verify technical compliance with the Union assurance levels, which may require examining server logs, configuration files, access controls, and physical security measures. However, this power is not a "fishing expedition." It is limited to information relevant to the suspected infringement. Furthermore, the obligation to respect confidentiality and trade secrets (as reinforced by Article 23 on transparency and general EU law principles) means that authorities must handle sensitive data with care, and providers have the right to claim professional secrecy for specific documents.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, the operational reality of CADA inspections requires a strategy that accounts for both EU harmonization and national divergence.

1. Map Your National Procedural Landscape

You cannot assume a single rule applies across the EU. Your first step is to determine the specific procedural rules in the Member State where your main establishment is located (as per Article 25(4)).

  • Check for Warrant Requirements: Does your national law require a judicial warrant for administrative inspections of business premises? If yes, you have a clear procedural checkpoint: the authority must present a valid court order before entry.
  • Check Administrative Powers: If your national law allows administrative inspections without a warrant, understand the specific conditions (e.g., notice periods, time of day, scope limitations) that apply under Article 26(4).

2. Prepare for "Any Form, Any Medium"

Article 26(1)(b) explicitly covers "any form, irrespective of the storage medium." This means inspections are not limited to physical servers or paper documents.

  • Digital Readiness: Ensure your IT teams are prepared to provide access to logs, databases, and configuration files.
  • Seizure Protocols: Be aware that authorities can "seize" information. Have protocols in place to ensure that only relevant data is seized and that copies are made where appropriate to minimize business disruption.
  • Trade Secret Protection: Designate sensitive data (e.g., proprietary algorithms, customer lists) and be ready to assert confidentiality claims immediately, ensuring that any seizure or copying is handled under strict confidentiality agreements.

3. Assert Your Rights of Defence

Regardless of how the inspection is initiated, Article 26(4) guarantees your rights.

  • Right to be Heard: You have the right to present your case and provide context for any information found.
  • Right to Access the File: You are entitled to access the file regarding the investigation to prepare your defence.
  • Right to Judicial Review: If you believe the inspection was unlawful, disproportionate, or violated your rights, you have an "effective judicial remedy." Document every step of the inspection process meticulously to support any potential legal challenge.

4. Cooperate, But Verify

While Article 26(1)(b) grants significant powers, it does not grant carte blanche. If an authority attempts to inspect without the required national procedural basis (e.g., no court order where one is legally required), you have the right to refuse entry until the proper legal instrument is presented. However, always seek immediate legal counsel to avoid accusations of obstruction while verifying the authority's legal basis.

Common misconceptions

  • Misconception: CADA mandates a court order for every inspection across the EU.
    • Reality: CADA provides a dual pathway. Article 26(1)(b) allows authorities to either carry out inspections or request a judicial order. The specific requirement for a court order depends on the national procedural rules of the Member State where the inspection takes place.
  • Misconception: If no court order is required, the inspection is unchecked.
    • Reality: Even in jurisdictions where a court order is not required, Article 26(4) mandates "adequate safeguards," compliance with general principles of Union law, and respect for fundamental rights. Furthermore, the right to an effective judicial remedy ensures that any abuse of power can be challenged in court.
  • Misconception: Authorities can inspect any location, including private homes.
    • Reality: Article 26(1)(b) limits inspections to "premises that those providers... use for purposes related to their trade, business, craft or profession." Private residences are generally excluded unless they are used for business purposes, and even then, strict safeguards apply.
  • Misconception: CADA overrides national constitutional protections.
    • Reality: Article 26(4) explicitly states that the exercise of powers must be subject to "adequate safeguards under applicable national law." National constitutional protections regarding privacy and the inviolability of premises remain fully in force.

Related

This is general information about a draft EU regulation, not legal advice.