Summary
Yes, under the proposed Cloud and AI Development Act (CADA), enforcement authorities can penalise cloud service providers for failing to meet transparency reporting obligations. Specifically, Article 23 requires providers to notify auditing organisations and national competent authorities of any material changes that could affect their recognised Union assurance level. Failure to report these changes constitutes an infringement of Chapter I of Title IV (the sovereignty framework), making it subject to the "effective, proportionate and dissuasive" penalties outlined in Article 24(1). National competent authorities possess broad investigative powers under Article 26 to detect such failures, including the right to demand information, inspect premises, and impose fines or periodic penalty payments.
Detail
The CADA proposal establishes a rigorous sovereignty framework for cloud computing services, categorised into four Union assurance levels. To maintain trust and ensure the integrity of this framework, the Regulation imposes strict transparency and monitoring obligations on providers who have been recognised as offering specific assurance levels. Unlike static compliance regimes, CADA requires continuous vigilance.
The Transparency Obligation: Article 23
Article 23 of the CADA proposal mandates continuous transparency from cloud computing service providers. Once a provider is recognised as offering a Union assurance level, they must actively monitor their operational and legal circumstances to ensure ongoing compliance with the criteria set out in Annex II.
According to Article 23(1), if a provider becomes aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion" or their recognition, they must notify the auditing organisation and the national competent authority of establishment "as soon as possible."
This obligation is not passive. It requires providers to proactively identify changes that could undermine the criteria they previously met. For example, if a provider's infrastructure moves outside the Union, if new subcontractors are introduced without due diligence, or if the provider comes under the control of a third-country entity in a way that conflicts with the sovereignty criteria, these are material changes. Because the trigger is the provider becoming aware of such a change, the clock for notification starts at that moment, not at the next scheduled audit, creating a strict timeline for action.
Upon receiving this notification, the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked (Article 23(2)). Similarly, the national competent authority must assess whether the recognition itself needs to be amended or revoked (Article 23(3)). If the authority amends or revokes the recognition, it must notify other Member States and the Commission to ensure the central repository is updated.
Enforcement and Penalties: Article 24 and Article 26
The consequences of failing to comply with Article 23 are enforced through the powers granted to national competent authorities and the penalty regime established in Article 24.
Investigation and Enforcement Powers
National competent authorities have significant investigative powers under Article 26 to detect non-compliance, including transparency failures. Under Article 26(1), authorities can:
- Require providers to supply information as soon as possible (Article 26(1)(a)).
- Carry out inspections of premises and seize information (Article 26(1)(b)).
- Ask staff or representatives for explanations and record their answers (Article 26(1)(c)).
If an authority suspects a provider has failed to report a material change, it can use these powers to investigate. Furthermore, under Article 26(2), authorities have the power to order the cessation of infringements and impose fines or periodic penalty payments to ensure compliance. These powers are essential for verifying whether a provider has stayed silent about changes that should have triggered a notification.
Penalties for Infringements
Article 24(1) explicitly states that Member States must lay down rules on penalties applicable to "infringements of this Chapter" by cloud computing service providers. "This Chapter" refers to Chapter I of Title IV, which encompasses the sovereignty framework, including the transparency obligations in Article 23.
The penalties must be "effective, proportionate and dissuasive." While CADA does not set a specific fixed fine amount for transparency failures (unlike the GDPR or the AI Act), Article 24(2) provides criteria for Member States to determine the severity of the penalty, including:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken by the infringing party to mitigate the damage.
- Previous infringements by the same party.
- Financial benefits gained or losses avoided due to the infringement.
- The infringing party's annual turnover in the Union.
Additionally, Article 24(3) grants recipients of the cloud services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under this Chapter. This means that a failure to report a material change that subsequently leads to a security breach or data exposure could result in civil liability for the provider, in addition to administrative penalties.
What this means for you
For cloud service providers and data centre operators seeking or holding a Union assurance level, the transparency obligation under Article 23 is a continuous compliance requirement, not a one-time audit hurdle.
- Establish Internal Monitoring Mechanisms: You must have robust internal processes to detect "material changes" before an auditor or authority does. At a minimum, monitor changes of ownership or control, subcontractor relationships, the physical location of infrastructure and data, and cybersecurity incidents, and route each flagged change to whoever decides whether it must be notified under Article 23.
- Define "Material Change" Clearly: Work with your legal and compliance teams to define what constitutes a material change in your specific context. If a change may affect your audit report, you must report it. When in doubt, report it.
- Prepare for Rapid Notification: Article 23 requires notification "as soon as possible." Delaying notification until an auditor asks or an authority investigates increases the risk of being deemed non-compliant.
- Engage with Auditing Organisations: Maintain open lines of communication with your auditing organisation. They are the first point of contact for these notifications. Ensure your contracts allow for the timely sharing of sensitive operational data.
- Document Everything: Keep detailed records of any material changes and the subsequent notifications sent to authorities and auditors. This documentation is crucial if you face an investigation under Article 26.
Common misconceptions
Misconception 1: Transparency reporting is only required during the initial audit. Reality: Article 23 applies continuously. The obligation to report material changes persists for as long as the service is recognised under a Union assurance level.
Misconception 2: Minor operational changes do not need to be reported. Reality: The threshold is whether the change may affect the audit report or recognition. Even seemingly minor changes in subcontractor chains or data residency configurations can be material if they impact sovereignty criteria.
Misconception 3: Penalties are fixed amounts. Reality: CADA leaves the specific penalty amounts to Member States, guided by the criteria in Article 24(2). This means penalties can vary significantly across the EU and will be tailored to the severity of the failure and the size of the provider.
Misconception 4: Only the auditing organisation needs to be notified. Reality: Article 23(1) requires notification to both the auditing organisation and the national competent authority of establishment. Failing to notify either party constitutes a breach.
Misconception 5: CADA penalties are identical to the AI Act. Reality: While the AI Act sets specific maximum fines (e.g., €35 million or 7% of turnover under Article 99), CADA Article 24 does not set a fixed maximum. Instead, it mandates that penalties be "effective, proportionate and dissuasive" and leaves the specific quantification to Member States, subject to the criteria in Article 24(2).
Official sources
Related
- CADA Enforcement: The Commission's Coordinating Role vs. National Powers
- What records should a provider keep for CADA enforcement?
- CADA Enforcement Timeline: Designating Authorities and Notifying Penalties
- CADA Enforcement: How National Law Shapes Penalties and Procedures
- What is the role of judicial authorities in CADA enforcement?
This is general information about a draft EU regulation, not legal advice.