Summary
Yes, a provider's size and financial capacity directly influence enforcement measures under the proposed Cloud and AI Development Act (CADA). As proposed, national competent authorities must consider a provider's annual turnover in the Union when imposing penalties (Article 24(2)(f)) and must ensure that investigative and enforcement measures are proportionate to the provider's "economic, technical and operational capacity" (Article 26(3)). This ensures that penalties are "effective, proportionate and dissuasive" for both small cloud providers and large hyperscalers, preventing regulatory overreach while maintaining deterrence.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a Union cloud computing sovereignty framework, introducing strict compliance requirements for cloud computing service providers. A core principle of the enforcement regime is proportionality, ensuring that regulatory actions are neither arbitrary nor disproportionately burdensome relative to the entity being regulated. The proposal explicitly links enforcement measures to the size and capacity of the provider through two primary articles: Article 24, which governs penalties and compensation, and Article 26, which defines the powers of national competent authorities.
Penalties and the Role of Turnover (Article 24)
Under Article 24(1), Member States are required to lay down rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." To guide national authorities in setting these rules and applying them, Article 24(2) provides a non-exhaustive list of criteria that must be taken into account when imposing penalties.
Crucially, Article 24(2)(f) explicitly requires authorities to consider the "infringing party's annual turnover in the preceding financial year in the Union." This criterion ensures that fines are scaled to the provider's economic footprint within the single market. For a small or medium-sized enterprise (SME) or a small mid-cap (SMC), a fixed monetary penalty might be crippling, potentially threatening the entity's survival. Conversely, the same fixed amount might be negligible for a global hyperscaler with billions in Union turnover. By mandating the consideration of turnover, CADA aims to ensure that penalties have a genuine deterrent effect regardless of the provider's size, while avoiding disproportionate financial harm to smaller entities that could stifle market competition.
Additionally, Article 24(2)(d) requires consideration of "any financial benefits gained or losses avoided by the infringing party," and Article 24(2)(e) allows for other aggravating or mitigating factors. These provisions further tie the severity of the penalty to the economic reality of the provider, ensuring that the punishment fits the economic impact of the infringement.
Proportionality of Enforcement Powers (Article 26)
While Article 24 deals with the final penalty, Article 26 governs the investigative and enforcement powers of national competent authorities. These authorities possess significant powers, including the ability to require information, inspect premises, seize data, and impose periodic penalty payments to ensure compliance.
Article 26(3) states that measures taken by national competent authorities in exercising these powers "shall be effective, dissuasive and proportionate, having regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement... and, where relevant, the economic, technical and operational capacity of the service provider concerned."
This clause is vital for providers of all sizes. It requires authorities to assess not just the legal breach, but the provider's ability to bear the regulatory burden. For example, a complex, resource-intensive investigation or a heavy periodic penalty payment might disrupt the operations of a smaller provider more severely than a large incumbent with dedicated compliance teams. By referencing "economic, technical and operational capacity," Article 26(3) ensures that enforcement actions are calibrated to the provider's specific situation. This prevents regulatory overreach that could destabilize smaller market participants or cause unintended service disruptions, while still ensuring that larger providers with greater capacity face rigorous scrutiny.
SMEs vs. Hyperscalers: A Proportional Approach
The distinction between SMEs/SMCs and large hyperscalers is further nuanced by other provisions in CADA, creating a tiered approach to compliance and enforcement. For instance, Article 17(3) provides a specific derogation for SMEs seeking Union assurance level 1, allowing their EU statements of conformity to be "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This significantly reduces the administrative burden and cost for smaller providers entering the market.
However, when it comes to the enforcement of infringements, the principles in Articles 24 and 26 cover every provider uniformly, while their application is proportional. A hyperscaler with a massive Union turnover will face penalties calculated against a much larger baseline than an SME. Conversely, an SME's limited operational capacity might lead authorities to choose enforcement measures that correct the infringement without imposing crippling financial costs, provided the infringement is not severe, intentional, or repeated. The law does not exempt SMEs from liability; rather, it ensures the consequences are calibrated to their reality.
What this means for you
For cloud service providers and data centre operators, understanding the link between size and enforcement is critical for risk management and compliance strategy.
- Document Your Capacity: Ensure that your financial records, particularly your annual turnover in the Union, are accurate and readily available. In the event of an investigation, this data will be a key factor in determining the severity of any penalties under Article 24(2)(f).
- Engage Proportionally: If you are an SME or SMC facing an investigation, you can reference Article 26(3) to argue for enforcement measures that account for your limited "economic, technical and operational capacity." This does not exempt you from compliance, but it may influence the type of remedy ordered or the scale of periodic penalty payments.
- Monitor Turnover Thresholds: As your business grows and your Union turnover increases, your exposure to higher penalty baselines increases. Compliance investments should scale with your turnover to mitigate the financial risk of potential infringements.
- Leverage SME Simplifications: If you qualify as an SME, actively use the simplified recognition procedures for Union assurance level 1 (Article 17(3)) to reduce administrative friction. However, remain vigilant, as the substantive compliance requirements of the sovereignty framework still apply, and infringements will still be subject to proportionate penalties.
Common misconceptions
Misconception 1: "SMEs are exempt from CADA penalties." No. SMEs are subject to the same substantive obligations and penalty regimes as larger providers. However, the amount and type of penalties must be proportionate to their turnover and capacity. Exemption is not the same as proportionality.
Misconception 2: "Turnover is the only factor in penalty calculation." No. While Article 24(2)(f) mandates consideration of turnover, authorities must also consider the nature, gravity, scale, and duration of the infringement (Article 24(2)(a)), any mitigating actions taken (Article 24(2)(b)), and previous infringements (Article 24(2)(c)). A small provider with a severe, intentional breach may still face significant penalties relative to their size.
Misconception 3: "Operational capacity refers only to financial resources." No. Article 26(3) explicitly mentions "economic, technical and operational capacity." This means authorities must also consider the provider's technical infrastructure and operational resilience. A penalty or enforcement action that would disrupt critical operations or cause service outages may be deemed disproportionate, even if the provider can afford the financial cost.
This is general information about a draft EU regulation, not legal advice.