Summary
Under the proposed Cloud and AI Development Act (CADA), enforcement jurisdiction is strictly anchored to the provider's main establishment within the Union. As proposed, the Member State where a cloud computing service provider has its main establishment holds exclusive competence to enforce the sovereignty framework and oversee compliance (Article 25(4)). This means that even if a provider serves EU customers from a third country, if it maintains a main EU establishment, that single Member State's authority is the sole primary enforcer. However, the proposal includes mechanisms for cross-border cooperation: if a provider established outside the EU offers services without an EU establishment, or if a Member State where the service is used (the "destination") suspects non-compliance, the competent authority of destination and the European Commission can request assessments and enforcement actions from the authority of establishment (Article 28). For providers entirely outside the EU, the proposal creates a high barrier to market access via the recognition mechanism (Article 17) and third-country derogations (Article 18), effectively limiting their ability to serve the EU public sector without engaging the EU enforcement framework.
Detail
The CADA proposal establishes a centralized enforcement model for cloud computing service providers to ensure consistent application of the Union's sovereignty framework across the single market. The regulation distinguishes between providers established within the Union and those operating from outside, though the primary enforcement mechanisms detailed in Title IV, Chapter I are structured around the concept of the "main establishment." This design aims to prevent regulatory fragmentation while ensuring that providers serving the EU public sector remain accountable.
Exclusive Competence of the Member State of Main Establishment
The cornerstone of CADA's enforcement architecture is found in Article 25(4), which states: "The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."
This provision centralizes regulatory oversight. For a multinational cloud provider with operations in multiple EU Member States, only the authority of the Member State hosting the "main establishment" has the power to enforce the sovereignty requirements, conduct investigations, and impose penalties under Title IV, Chapter I (the sovereignty framework). This prevents a fragmented regulatory landscape where a provider might face conflicting enforcement actions from multiple national authorities.
The "main establishment" is defined by two potential criteria:
- The head office; or
- The registered office from which the principal financial functions and operational control are exercised.
If a provider's main establishment is outside the Union, Article 25(4) leaves a jurisdictional gap for direct enforcement by a national authority, as there is no "Member State" of establishment. However, the proposal implies that providers seeking recognition under the Union assurance levels (Article 17) must engage with a national competent authority of establishment. If no EU establishment exists, the provider may face significant barriers to recognition, as the recognition mechanism (Article 17) requires submission to a "national competent authority of establishment." Without this anchor, the provider cannot be formally recognized as offering a Union assurance level, which is a prerequisite for public sector procurement under Article 30.
Cross-Border Cooperation and the Role of the Destination Authority
While the authority of establishment holds exclusive competence, Article 28 establishes a robust framework for cross-border cooperation to address risks that may manifest in Member States other than the one of establishment. This is critical for providers serving EU customers, as non-compliance in one Member State can threaten public order in another.
Article 28 outlines the following escalation path:
- Suspicion by Destination Authority: If a competent authority of a Member State where the service is used (the "destination") suspects that a cloud computing service provider no longer fulfills the requirements of Annex II (the Union assurance criteria), it may request the competent authority of establishment to assess the matter.
- Assessment and Enforcement: The authority of establishment must take the necessary investigatory and enforcement measures to ensure compliance.
- Commission Involvement: The European Commission may also directly request the competent authority of establishment to assess the matter and take enforcement measures.
- Timelines: The authority of establishment must communicate its assessment and any measures taken or envisaged to the requesting authority and the Commission "as soon as possible and in any event not later than two months after receipt of the request" (Article 28(4)).
This mechanism ensures that while enforcement is centralized, vigilance is distributed. A Member State hosting sensitive public sector activities (e.g., defense or justice) can trigger an investigation in the provider's home Member State if it detects a breach of sovereignty criteria. If the authority of establishment fails to act, the Commission retains the power to intervene to ensure compliance.
Reach Over Services Offered in the Union
The CADA framework applies to cloud computing service providers that wish to offer services to Union entities and public sector bodies. Article 16(1) establishes that the sovereignty framework (Union assurance levels) is a prerequisite for providing services to these entities. Article 17 mandates that providers submit an application for recognition to the national competent authority of establishment.
For providers established outside the EU, the ability to obtain recognition under Union assurance levels 1, 2, 3, or 4 is contingent on their ability to engage with the EU enforcement mechanism. While Article 18 provides a pathway for third-country providers to be audited for Union assurance level 3 (subject to strict cumulative criteria, including adequacy decisions and absence of extraterritorial access laws), this still requires interaction with the EU regulatory framework. Specifically, Article 18 allows the Commission to adopt implementing acts identifying third countries where providers subject to their control may be audited for Level 3. However, this does not grant the third country's authorities enforcement power; rather, it allows the EU framework to apply to those providers under specific safeguards.
If a non-EU provider cannot demonstrate compliance through the recognition mechanism, it may be excluded from public sector procurement under Article 30, which mandates that contracting authorities procure only recognized services. For activities identified as contributing to the preservation of public order, Article 30(3) requires procurement only of services recognized at Union assurance levels 2, 3, or 4.
Penalties and Sanctions
Article 24 empowers Member States to lay down rules on penalties for infringements of the sovereignty chapter. These penalties must be "effective, proportionate and dissuasive." While the specific fine amounts are to be determined by national implementation, Article 24(2) lists criteria for imposition, including the nature and gravity of the infringement, financial benefits gained, and the provider's annual turnover in the Union. This extraterritorial reach of penalty criteria (based on Union turnover) underscores that providers serving the EU market are subject to financial consequences, regardless of where their headquarters are located, provided they fall within the scope of the regulation's applicability.
What this means for you
For in-house counsel and compliance officers at cloud and AI providers, the CADA proposal introduces a specific jurisdictional hook that requires immediate strategic assessment:
- Identify Your "Main Establishment": If your organization has a head office or central operational control within the EU, that single Member State's authority is your primary regulator for CADA compliance. You must align your internal governance, audit processes, and reporting lines with the expectations of that specific national competent authority.
- Prepare for Cross-Border Scrutiny: Even if you are compliant with your authority of establishment, be prepared for requests from "destination" authorities. If a public sector client in Germany, for example, suspects a breach of data sovereignty, they can trigger an investigation in your home Member State. Ensure your incident response and compliance reporting channels can facilitate this cross-border information exchange within the two-month statutory window.
- Non-EU Providers Must Plan for Recognition Barriers: If you are established outside the EU, you cannot simply self-certify. To access the EU public sector market (a significant revenue stream), you must seek recognition under the Union assurance levels. For Level 3, this requires a Commission decision recognizing your third country as providing sufficient assurances (Article 18). Without this, you may be legally barred from being awarded critical public sector contracts under Article 30.
- Monitor Turnover-Based Penalties: Ensure your risk assessments account for potential fines based on your annual turnover within the Union. Even if your global headquarters is outside the EU, significant EU revenue exposes you to substantial financial liability under Article 24.
Common misconceptions
- "CADA applies only to EU-based companies." Incorrect. While enforcement is centralized on the "main establishment," the market access rules (Article 30) and recognition mechanisms (Article 17) apply to any provider wishing to serve EU public sector bodies. Non-EU providers must navigate the recognition framework or risk exclusion from the market.
- "Each EU country where I have customers can enforce CADA against me." Incorrect. Article 25(4) grants exclusive competence to the Member State of the main establishment. Other Member States can only request an assessment via Article 28; they cannot directly impose fines or conduct independent enforcement actions under this chapter.
- "The European Commission is the primary enforcer for all cloud providers." Incorrect. The Commission plays a supervisory and coordinating role, particularly in cross-border disputes (Article 28) and third-country recognition (Article 18). However, day-to-day enforcement, investigations, and penalty imposition remain the responsibility of the national competent authority of the main establishment.
- "Non-EU providers are completely outside CADA's reach." Incorrect. While they may lack a "main establishment" in the EU, they are subject to the market access rules. If they wish to serve the public sector, they must engage with the recognition framework (Article 17/18) or face exclusion. Furthermore, if they have a subsidiary or establishment in the EU, that entity becomes the anchor for enforcement.
Related
- CADA Enforcement Readiness: The Compliance Checklist for Providers
- What does CADA enforcement mean for cloud providers?
- How does CADA enforcement reach hyperscale cloud providers?
- CADA Penalties: Do They Apply to AI Model Providers?
- CADA Investigations: What safeguards protect cloud providers?
This is general information about a draft EU regulation, not legal advice.