Does CADA allow daily penalties until compliance?

Summary Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly empowers national competent authorities to impose periodic penalty payments to compel cloud computing service providers to cease infringements and comply with the regulation's requirements. Under Article 26(2)(c), authorities can levy these recurring payments until the provider terminates the infringement, ensuring ongoing compliance rather than just punishing past violations. These payments operate in accordance with the general penalty rules set out in Article 24.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a robust enforcement mechanism designed to ensure that cloud computing service providers not only acknowledge regulatory breaches but actively remedy them. A central component of this enforcement framework is the power to impose periodic penalty payments, which function as a continuous financial pressure mechanism until compliance is achieved. This distinguishes CADA's approach from regulations that rely solely on one-off administrative fines.

The Legal Basis for Periodic Penalties

The authority to impose these penalties is grounded in Article 26 of the CADA proposal, which outlines the specific powers of national competent authorities. Specifically, Article 26(2) lists the enforcement powers available to the competent authority of the Member State where the cloud computing service provider has its main establishment.

Article 26(2)(c) states that competent authorities have:

"the power to impose a periodic penalty payment, or to request a judicial authority in their Member State to do so, in accordance with Article 24 to ensure that an infringement is terminated in compliance with an order issued pursuant to point (a), or for failure to comply with any of the investigative orders issued pursuant to paragraph 1;"

This provision is critical because it distinguishes between a one-off fine for a past violation and a recurring payment designed to force future behavior. Point (a) of the same article refers to the power to "order the cessation of infringements and, where appropriate, to impose remedies proportionate to the infringement." Therefore, the periodic penalty payment is directly linked to the failure to comply with an order to stop an infringement. It is a coercive tool intended to "ensure that an infringement is terminated."

Alignment with Article 24

The periodic penalty payment mechanism operates in conjunction with Article 24, which sets out the general rules on penalties and compensation applicable to infringements of the sovereignty framework (Title IV). Article 24(1) requires Member States to lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."

Article 24(2) provides non-exhaustive criteria for imposing penalties, which authorities must consider when determining the severity of both administrative fines and periodic penalty payments. These criteria include:

• The nature, gravity, scale and duration of the infringement.
• Any action taken by the infringing party to mitigate or remedy the damage.
• The financial benefits gained or losses avoided by the infringing party.
• The infringing party's annual turnover in the preceding financial year in the Union.

While Article 24 sets the general framework for calculating the severity and proportionality of penalties, Article 26(2)(c) provides the specific procedural tool for ongoing non-compliance. The periodic penalty payment is not a separate type of penalty in isolation but a method of enforcement for existing orders. If a provider ignores an order to cease an infringement (under Article 26(2)(a)), the authority can activate the periodic penalty payment to ensure that order is respected. The reference to "in accordance with Article 24" ensures that the calculation of these periodic payments remains subject to the principles of proportionality and the specific criteria listed in Article 24(2).

Scope and Application

These powers apply to cloud computing service providers that are subject to the CADA's sovereignty framework. This includes providers seeking recognition for Union assurance levels (1 through 4) or those already recognized. The competent authority with exclusive competence for enforcing these rules is the authority in the Member State where the provider has its main establishment, defined as the head office or registered office from which principal financial functions and operational control are exercised (Article 25(4)).

The periodic penalty payment serves a strictly coercive function. It is intended to "ensure that an infringement is terminated." This means the payments continue to accrue until the provider demonstrates compliance with the initial order. This mechanism prevents providers from treating regulatory fines as a mere cost of doing business if they choose to maintain non-compliant operations. Furthermore, Article 26(2)(c) explicitly covers failure to comply with investigative orders issued pursuant to Article 26(1), ensuring that providers cannot obstruct investigations without facing continuous financial consequences.

What this means for you

For cloud service providers and data centre operators, the introduction of periodic penalty payments under CADA signifies a shift towards more aggressive and continuous enforcement. Here is how this impacts your operations:

1. Compliance Orders Are Binding and Immediate: When a national competent authority issues an order to cease an infringement under Article 26(2)(a), you must act immediately. Ignoring or delaying compliance will trigger the periodic penalty payment mechanism under Article 26(2)(c). The clock starts ticking the moment the order is issued and non-compliance persists.
2. Financial Exposure Is Uncapped by Duration: Unlike a fixed administrative fine which has a maximum cap (often based on turnover), a periodic penalty payment can accumulate indefinitely until you achieve compliance. This creates significant financial risk for prolonged non-compliance. The amount will likely be calculated based on your annual turnover and the severity of the breach, as per Article 24(2), but the duration of the payment is open-ended.
3. Proactive Remediation Is Essential: If you receive an investigative order or an order to cease an infringement, your legal and compliance teams must prioritize rapid implementation of the required remedies. Documenting these steps is crucial to demonstrate that you are terminating the infringement and halting the accrual of penalties.
4. Main Establishment Jurisdiction: Ensure you know which Member State's competent authority has jurisdiction over you. As per Article 25(4), this is the state of your main establishment. You should engage proactively with this authority to understand their specific procedures for imposing and calculating periodic penalties, as Member States must lay down the specific rules for these payments under Article 24(1).
5. Judicial Involvement: Be aware that Article 26(2)(c) allows authorities to "request a judicial authority in their Member State" to impose the payment. Depending on the national implementation of CADA, the actual imposition of these daily penalties may require court approval, adding a judicial layer to the enforcement process.

Common misconceptions

Misconception 1: Periodic penalties are the same as administrative fines. While both are financial sanctions, they serve different purposes. An administrative fine punishes a past violation. A periodic penalty payment is a coercive tool to secure future compliance. You may face both: a fine for the initial breach and periodic payments for failing to stop it. The periodic payment stops only when the infringement is terminated.

Misconception 2: Only the national authority can impose these payments. Article 26(2)(c) states that the competent authority can impose the penalty "or to request a judicial authority in their Member State to do so." Depending on national implementation, the actual imposition may require court approval, adding a judicial layer to the enforcement process. The authority cannot always act unilaterally without judicial oversight in every Member State.

Misconception 3: Penalties only apply to high-assurance levels. The enforcement powers in Article 26 apply to infringements of Chapter IV, which covers the entire Union cloud computing sovereignty framework, including Union assurance levels 1 through 4. Any provider subject to these rules and found to be in breach of an enforcement order is exposed to periodic penalties.

Misconception 4: CADA sets a fixed daily rate. CADA does not set a specific daily rate (e.g., "€10,000 per day"). Instead, Article 24(2) requires Member States to consider criteria such as turnover and the gravity of the infringement when laying down the rules. The specific calculation method and daily amount will be determined by national law, provided they are "effective, proportionate and dissuasive."

Related

• CADA Enforcement: What Compliance Officers Must Know About Penalties & Powers
• Which CADA obligations can lead to penalties?
• What should a startup cloud provider know about CADA penalties?
• What penalties apply under the Cloud and AI Development Act (CADA)?
• CADA Enforcement Timeline: Designating Authorities and Notifying Penalties

This is general information about a draft EU regulation, not legal advice.