Summary
Under the proposed Cloud and AI Development Act (CADA), repeat infringements are a specific statutory factor that national competent authorities must consider when determining penalties. As proposed in Article 24(2)(c), a provider's history of "any previous infringements by the infringing party" is explicitly listed as a criterion for imposing fines, meaning that repeated non-compliance would likely result in higher financial sanctions. Furthermore, the concept of "recurrence" is directly relevant to enforcement powers under Article 26(3), which requires authorities to calibrate measures based on the "nature, gravity, recurrence and duration" of the infringement. This framework ensures that sanctions are not only punitive but also dissuasive against recidivism.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a robust enforcement framework for the Union cloud computing sovereignty framework. A central pillar of this framework is the ability of national competent authorities to impose effective, proportionate, and dissuasive penalties on cloud computing service providers that fail to comply with their obligations. Unlike some regulations that rely solely on fixed maximums, CADA explicitly mandates a risk-based approach where the provider's compliance history directly influences the severity of the sanction.
Article 24: Criteria for Imposing Penalties
Article 24 of the CADA proposal mandates that Member States lay down the rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. Crucially, it provides a non-exhaustive list of criteria that Member States must take into account when imposing these penalties to ensure they are "effective, proportionate and dissuasive."
Article 24(2) lists several specific factors, including the nature, gravity, scale, and duration of the infringement, as well as any financial benefits gained or losses avoided by the infringing party. Specifically, Article 24(2)(c) requires authorities to consider "any previous infringements by the infringing party."
This provision ensures that a cloud provider's past behavior is directly relevant to current enforcement actions. The regulation does not set a fixed mathematical multiplier for repeat offenses (e.g., "double the fine for the second offense"). Instead, it places a binding obligation on Member States to factor this history into their penalty calculations. Consequently, a provider with a clean record might face a lighter sanction for a first-time, minor oversight, whereas a provider with a history of similar violations would likely face a steeper penalty. The legislative intent is clear: sanctions must be dissuasive enough to prevent recidivism, and a history of non-compliance indicates a higher risk of future violations, justifying a more severe response.
Article 26: Enforcement Powers and the Concept of Recurrence
Beyond one-off fines, CADA grants national competent authorities significant enforcement powers to ensure ongoing compliance and to address persistent non-compliance. These powers are detailed in Article 26, which outlines the investigative and enforcement capabilities of the competent authority of establishment.
Article 26(2)(c) empowers national competent authorities to "impose a periodic penalty payment... to ensure that an infringement is terminated in compliance with an order issued pursuant to point (a)." This mechanism is particularly relevant for repeat or persistent infringements. If a provider fails to remedy a violation within a specified timeframe, authorities can levy recurring financial penalties (e.g., per day) until compliance is achieved. This creates a compounding financial pressure that is distinct from the initial fine.
Furthermore, Article 26(3) states that measures taken by national competent authorities in exercising their powers shall be "effective, dissuasive and proportionate, having regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement."
The explicit inclusion of "recurrence" in Article 26(3) reinforces the principle that authorities have the discretion, and indeed the obligation, to escalate enforcement measures when a provider demonstrates a pattern of non-compliance. "Recurrence" here refers not just to the repetition of the exact same act, but to the broader pattern of failing to comply with obligations. This allows authorities to:
- Increase the rate of periodic penalty payments.
- Pursue more severe corrective actions.
- Apply stricter investigative measures.
This dual-layered approach (Article 24 for the initial fine calculation and Article 26 for ongoing enforcement measures) ensures that repeat offenders face a significantly higher regulatory burden than first-time violators.
The Role of National Competent Authorities
The CADA designates the national competent authority in the Member State where the cloud computing service provider has its main establishment as having exclusive competence for enforcing the sovereignty framework (Article 25(4)). This centralization is critical for the enforcement of repeat-infringement rules.
Because the authority of establishment has exclusive jurisdiction, it is the only body that maintains a complete, Union-wide view of a provider's compliance history. These authorities are empowered to conduct inspections (Article 26(1)), require information, and access premises. This position allows them to identify patterns of repeat infringements that might otherwise be obscured if enforcement were fragmented across multiple Member States. When a provider operates across the EU, the authority of establishment can aggregate data on past violations to apply the Article 24(2)(c) criterion accurately, ensuring that a "previous infringement" in one context is not overlooked when assessing a new violation.
What this means for you
For cloud service providers and data centre operators subject to the proposed CADA, the explicit consideration of repeat infringements has several critical practical implications:
- Compliance History is a Financial Asset: Maintaining a clean compliance record is not merely a reputational goal; it is a tangible financial asset. Under Article 24(2)(c), a history of robust compliance acts as a mitigating factor. If a minor breach occurs, a provider with no prior record can argue for a lower penalty. Conversely, a history of violations removes this mitigation and triggers the aggravating factor, likely resulting in a higher fine.
- Remediation Speed is Critical to Avoid Escalation: Given the power to impose periodic penalty payments under Article 26(2)(c), providers must act with extreme urgency to remedy any identified infringements. Delays in fixing a compliance gap do not just prolong the violation; they increase the "duration" and "recurrence" factors under Article 26(3). This can lead to escalating costs as the authority increases the daily penalty rate or imposes stricter measures to force termination of the infringement.
- Internal Auditing is Essential for Prevention: Providers should implement rigorous internal monitoring to detect and correct issues before they are identified by competent authorities. Self-identified and promptly corrected issues may be viewed more favorably than repeated violations discovered during an authority's inspection. Proactive correction can prevent a single incident from becoming a "previous infringement" that aggravates future penalties.
- Documentation of Past Infringements is Strategic: Providers should maintain detailed records of any past interactions with regulators, including any infringements and the subsequent remedial actions taken. This documentation is crucial for demonstrating that previous issues were isolated incidents and that systemic improvements have been made. In the event of a new investigation, this evidence can help argue that the "recurrence" is not indicative of a systemic failure, potentially mitigating the impact of the Article 24(2)(c) criterion.
Common misconceptions
Misconception 1: CADA sets fixed fines for repeat offenses. CADA does not prescribe specific fine amounts or fixed multipliers for repeat infringements (unlike the AI Act, which sets specific caps like €35 million or 7% of turnover). Instead, it provides a framework of criteria (Article 24) that Member States must implement in their national laws. The exact impact of a repeat offense on the final penalty amount will depend on how each Member State translates these criteria into national legislation, but the requirement to consider previous infringements is mandatory.
Misconception 2: Only the initial fine matters. Providers may focus solely on the one-time fine for an infringement. However, the ability of authorities to impose periodic penalty payments (Article 26(2)(c)) means that the financial burden of a persistent or repeated infringement can grow significantly over time if the root cause is not addressed. The "recurrence" factor in Article 26(3) ensures that the enforcement response escalates as long as the non-compliance continues.
Misconception 3: "Recurrence" only applies to identical violations. The term "recurrence" in Article 26(3) and "previous infringements" in Article 24(2)(c) are broad. While identical violations are clearly covered, a pattern of different violations that indicate a systemic failure in compliance management could also be viewed as recurrent non-compliance. For example, repeated failures in different areas of the sovereignty framework (e.g., data localization, personnel screening, and cybersecurity) could collectively be treated as a pattern of recurrence, leading to more severe enforcement actions.
This is general information about a draft EU regulation, not legal advice.