Summary

No, as proposed, the Cloud and AI Development Act (CADA) does not introduce a "one-stop shop" mechanism that consolidates supervision with other EU digital authorities, such as those under the AI Act, NIS2, or DORA. Instead, CADA establishes a distinct, decentralized governance structure where Member States must designate specific national competent authorities (NCAs) under Article 25 to enforce the cloud sovereignty framework. While CADA mandates robust mutual assistance and cross-border cooperation between these NCAs under Articles 27 and 28, it explicitly avoids merging enforcement powers or creating a single point of contact for all digital regulatory obligations. Consequently, entities must manage distinct compliance channels for CADA alongside existing regimes, engaging with separate authorities for sovereignty assurance versus cybersecurity or AI system safety.

Detail

Separate Governance Structures, Not a Consolidated One-Stop Shop

A critical question for legal and compliance teams is whether CADA simplifies the regulatory landscape by creating a unified enforcement body or a "one-stop shop" similar to mechanisms found in other EU digital legislation. The text of the CADA proposal (COM(2026) 502 final) makes clear that it establishes a distinct enforcement architecture that operates parallel to, rather than integrated with, other major EU digital laws.

CADA's National Competent Authorities (NCAs)

Under CADA, enforcement of the cloud computing sovereignty framework is decentralized at the Member State level. Article 25(1) requires Member States to designate one or more national competent authorities (NCAs) responsible for enforcing Title IV (Autonomy) of the Regulation no later than one year after the date of entry into force. Article 25(4) clarifies that the Member State where the cloud computing service provider has its main establishment (i.e., where the principal financial functions and operational control are exercised) holds exclusive competence for enforcing this chapter.

These NCAs are granted specific investigative and enforcement powers under Article 26, including the power to require information, inspect premises, seize data, and impose fines or periodic penalty payments. Crucially, the proposal does not designate a single EU-wide authority or a designated "lead" authority that would act as a one-stop shop for all digital regulatory matters. Instead, it relies on a network of national authorities that must cooperate but remain legally and operationally distinct from the authorities enforcing the AI Act, NIS2, or DORA.

No Merger with AI Act, NIS2, or DORA Regulators

While CADA intersects with several existing EU instruments, it does not consolidate their enforcement bodies. The proposal maintains a "stacking" of regulatory obligations where different authorities oversee different layers of the technology stack:

  • AI Act: The AI Act (Regulation (EU) 2024/1689) establishes national competent authorities and market surveillance authorities for AI systems. CADA does not merge these bodies. A provider may face separate investigations by an NCA under CADA for cloud sovereignty violations (e.g., failure to maintain Union assurance levels) and a market surveillance authority under the AI Act for AI system compliance issues (e.g., high-risk system obligations). While Article 7(6) of CADA references the European Artificial Intelligence Board (established by the AI Act) to advise on coordinating national strategies, this is a coordination role for strategy, not an enforcement merger. The AI Act's penalties (up to €35 million or 7% of turnover under Article 99) remain separate from CADA's penalty regime.
  • NIS2: The NIS2 Directive (Directive (EU) 2022/2555) imposes cybersecurity risk management obligations on cloud computing service providers. CADA acknowledges NIS2 in its recitals and Annex I but does not transfer NIS2 enforcement powers to CADA's NCAs. Entities remain subject to NIS2's national competent authorities for cybersecurity risk management, while CADA's NCAs focus specifically on sovereignty assurance levels, data location, and third-country control risks. The cybersecurity certification requirements in Annex II (e.g., "substantial" assurance for Levels 2 and 3, "high" for Level 4) complement but do not replace NIS2 compliance.
  • DORA: The Digital Operational Resilience Act (DORA) applies to financial entities and their critical ICT third-party service providers. CADA does not replace DORA's supervisory framework. Financial entities must still comply with DORA's ICT risk management requirements, overseen by sectoral supervisors (e.g., EBA, ECB, or national central banks), while also adhering to CADA's procurement and assurance level requirements if they are public sector bodies or if their activities are deemed to affect public order.

Mutual Assistance and Cross-Border Cooperation Instead of a One-Stop Shop

Rather than a one-stop shop, CADA relies on specific cooperation mechanisms to ensure consistent application across the EU. Article 27 establishes a framework for mutual assistance between NCAs, requiring them to provide each other with specific information and support investigations. Article 28 sets out principles for cross-border cooperation, allowing a competent authority in one Member State (the authority of destination) to request another (the authority of establishment) to assess suspected infringements.

If an NCA suspects a provider no longer meets the criteria for a Union assurance level, it can request the NCA of the provider's establishment to take investigatory and enforcement measures. The authority of establishment must communicate its assessment and any measures taken within two months. This structure ensures that while there is coordination, there is no single authority that handles all aspects of a provider's EU-wide compliance. A provider established in Germany, for example, would deal primarily with the German NCA for CADA enforcement, but that German NCA must cooperate with other NCAs if the provider operates across borders. This is fundamentally different from a one-stop shop model where a single authority issues binding decisions for the entire Union across multiple regulatory domains.

Implications for Penalties and Enforcement

Article 24 outlines penalties and compensation rules for infringements of the sovereignty framework. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." Because enforcement is national, penalty regimes may vary between Member States, further complicating the compliance landscape compared to a harmonized one-stop shop. Article 24(2) lists non-exhaustive criteria for imposing penalties, including the nature, gravity, and duration of the infringement, and the provider's annual turnover in the Union.

Recipients of cloud services also have the right to seek compensation from providers for damages caused by infringements under Article 24(3). This adds a layer of private enforcement that operates alongside public regulatory action, distinct from the liability regimes under the AI Act or NIS2.

What this means for you

For in-house counsel and compliance officers, the absence of a one-stop shop in CADA has several practical implications:

  • Distinct Compliance Teams or Channels: You cannot assume that your existing liaison with the AI Act market surveillance authority or NIS2 competent authority will handle CADA compliance. You must identify and engage with the specific national competent authority designated under Article 25 in your Member State of establishment. This may require establishing a new reporting line or contact point within your organization.
  • Parallel Reporting Obligations: Prepare for separate reporting and registration processes. CADA requires providers to submit applications for recognition of Union assurance levels to the NCA of establishment (Article 17) and to report material changes under Article 23. These are distinct from AI Act registrations (e.g., for high-risk systems or GPAI models) or NIS2 incident reporting. You must maintain separate evidence files for sovereignty criteria (e.g., data location, personnel citizenship) versus cybersecurity or AI safety criteria.
  • Coordinated Defense Strategies: In the event of an investigation, you may face simultaneous or sequential inquiries from different authorities. For example, a cybersecurity incident could trigger NIS2 reporting, an AI Act investigation if AI systems are involved, and a CADA inquiry if the incident affects the provider's Union assurance level (e.g., loss of operational autonomy). Ensure your legal and compliance teams can coordinate responses across these distinct regulatory tracks to avoid conflicting statements or evidence.
  • Penalty Risk Management: Since penalty frameworks are set by Member States under Article 24, review the national implementation laws in your establishment country and other key markets. The criteria for fines, including turnover-based calculations and aggravating factors, may differ from those in the AI Act (which has fixed maximums) or NIS2. Be prepared for varying fine structures across the EU.
  • Cross-Border Cooperation Awareness: If you operate in multiple Member States, be aware that an NCA in one country can request information from or initiate investigations with the NCA in your establishment country under Articles 27 and 28. Ensure your internal data governance allows for efficient provision of information to the relevant NCA while respecting confidentiality and data protection laws. The "exclusive competence" rule in Article 25(4) means the establishment NCA leads, but the destination NCA can trigger the process.

Common misconceptions

  • Misconception: CADA creates a single EU-wide regulator for all cloud and AI services.
    • Reality: CADA designates national competent authorities in each Member State. There is no single EU regulator; enforcement is national, with cooperation mechanisms between NCAs under Articles 27 and 28.
  • Misconception: The AI Act's enforcement structure will cover CADA.
    • Reality: The AI Act and CADA are separate legislative acts with separate enforcement structures. The AI Act focuses on AI systems, while CADA focuses on cloud infrastructure sovereignty. They do not merge.
  • Misconception: NIS2 authorities will enforce CADA's sovereignty requirements.
    • Reality: NIS2 focuses on cybersecurity risk management. CADA's NCAs focus on sovereignty assurance levels, data location, and third-country control risks. These are distinct mandates, though the same provider may be subject to both.
  • Misconception: One-stop shop means one penalty regime for all digital laws.
    • Reality: Even if a one-stop shop existed, penalty regimes are often defined nationally. CADA explicitly leaves penalty details to Member States under Article 24, leading to potential variation across the EU, unlike the AI Act's harmonized maximums.
  • Misconception: CADA replaces DORA for financial entities.
    • Reality: CADA does not replace DORA. Financial entities must comply with DORA's sector-specific supervision while also adhering to CADA's procurement and assurance level requirements if applicable.

This is general information about a draft EU regulation, not legal advice.