Summary
The proposed Cloud and AI Development Act (CADA) does not contain a dedicated, standalone whistleblower protection scheme within its core enforcement chapters (Articles 24 to 28). Instead, the proposal relies on general Union legal safeguards and requires Member States to establish penalties for infringements under Article 24. While CADA explicitly empowers national competent authorities to investigate based on information from "any other persons... who may reasonably be expected to be aware of information relating to a suspected infringement" under Article 26(1)(a), it does not explicitly define procedural protections, anonymity guarantees, or anti-retaliation measures for those reporters within the text of the regulation itself. Consequently, whistleblower protections for cloud-provider breaches under CADA would likely depend on the interplay between CADA's reporting triggers and existing EU frameworks, primarily the Whistleblower Directive (Directive (EU) 2019/1937).
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to strengthen the EU's cloud and AI ecosystem by establishing a sovereignty framework, accelerating data centre deployment, and harmonising public procurement rules. A critical component of this framework is the enforcement mechanism overseen by national competent authorities. However, a meticulous review of the proposal's text reveals a specific legislative choice regarding how breaches are reported and how reporters are protected: CADA creates the substantive rules for sovereignty but leaves the procedural protection of informants to the general EU acquis.
The Enforcement Framework: Articles 24 to 28
The core enforcement provisions of CADA are located in Title IV, Chapter I, specifically Articles 24 through 28. These articles outline the obligations of cloud computing service providers, the powers of national competent authorities, and the mechanisms for mutual assistance.
Article 24: Penalties and Compensation
Article 24 mandates that Member States lay down rules on penalties applicable to infringements of the sovereignty chapter. It specifies that these penalties must be "effective, proportionate and dissuasive." Crucially, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for damage or loss suffered due to infringements. However, Article 24 does not mention whistleblowers, internal reporting channels, or protections for individuals who report these infringements. The article focuses on the consequences for the provider and the remedy for the customer, not the safety of the insider.
Article 25: National Competent Authorities
Article 25 requires Member States to designate one or more national competent authorities responsible for enforcing the chapter. These authorities must have the necessary resources, including technical, financial, and human resources, to supervise cloud computing service providers. While this establishes the enforcer, it does not establish the protector of the informer within the text of CADA itself. The article focuses on the capacity of the authority, not the rights of the source.
Article 26: Powers of National Competent Authorities
Article 26 details the investigative and enforcement powers of the competent authorities of establishment. Article 26(1)(a) grants the authority the power to require any cloud computing service provider, as well as "any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement," to provide that information.
This phrasing is legally significant. It acknowledges that individuals other than the provider itself (potentially employees, subcontractors, partners, or even competitors) may possess critical information about infringements. By empowering authorities to demand information from "persons... aware of information," CADA implicitly creates a pathway for internal or external reporting. However, the article focuses on the authority's power to compel information, not the individual's right to report safely. There is no provision in Article 26 that mandates confidentiality for the source of the information, prohibits retaliation against the reporter, or establishes a secure channel for such reports. The power is coercive (requiring information) rather than protective (shielding the reporter).
Articles 27 and 28: Mutual Assistance and Cross-Border Cooperation
Articles 27 and 28 focus on cooperation between Member States' authorities. Article 27 allows authorities to request specific information from other Member States to exercise investigative powers. Article 28 allows a competent authority in a destination Member State to request an assessment from the authority of establishment if it suspects a provider no longer fulfils the requirements. Neither article addresses the protection of the individual who initially raised the concern; they are purely inter-authority mechanisms.
The Absence of a Dedicated Whistleblower Provision
A careful reading of Articles 24 through 28 confirms that CADA does not contain a dedicated whistleblower provision. Unlike the GDPR, which includes specific provisions for data subject rights, or the NIS2 Directive, which has detailed incident reporting and security obligations, CADA's sovereignty framework relies on the existing EU acquis for procedural safeguards.
This legislative gap means that CADA does not create a new, self-contained legal shield for employees or contractors who report cloud-provider non-compliance with sovereignty criteria (such as data localisation or third-country control). Instead, the protection of such individuals will fall under the general EU legal framework, primarily the Whistleblower Directive (Directive (EU) 2019/1937).
Interaction with General Union Safeguards
The Whistleblower Directive requires Member States to establish secure reporting channels and protect whistleblowers from retaliation. Since CADA regulates cloud computing services, which often involve the processing of personal data and critical infrastructure, breaches of CADA's sovereignty criteria (e.g., unauthorized data transfers or lack of operational autonomy) may constitute infringements of Union law.
If a cloud provider breaches CADA's requirements under Annex II (the Union Assurance Levels), and an employee reports this to the national competent authority, that employee's protection would likely be governed by national laws transposing the Whistleblower Directive. CADA itself does not add an extra layer of protection; it simply creates the substantive rules that, when broken, may trigger the reporting mechanisms established by other laws.
Furthermore, Article 24(3) allows customers to seek compensation. A whistleblower might act in the interest of a customer or the public order, but CADA does not provide a quid pro quo reward or specific legal immunity for whistleblowers, beyond what is already available under national implementation of the Whistleblower Directive. The regulation remains silent on the specific status of the reporter, leaving that to the general principles of Union law and national implementation.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud computing service providers, the absence of a dedicated CADA whistleblower provision requires a nuanced compliance strategy:
- Integrate Existing Whistleblower Channels: Do not assume CADA creates a new reporting mechanism. Ensure that your existing internal reporting channels, mandated by the Whistleblower Directive, are clearly capable of handling reports related to CADA-specific infringements (e.g., violations of Union Assurance Levels 1 to 4). Map CADA criteria to your existing "infringements of Union law" definitions.
- Train Staff on CADA Infringements: Employees need to know what constitutes a CADA breach to report it effectively. Train staff on the specific criteria in Annex II, such as data localisation requirements, subcontractor due diligence, and third-country control restrictions. Clarify that reporting these issues falls under the protection of the Whistleblower Directive, not a specific CADA clause.
- Prepare for Authority Requests: Under Article 26(1)(a), authorities can demand information from any person aware of a suspected infringement. Ensure your internal policies guide employees on how to respond to such requests while maintaining legal privilege and confidentiality where applicable. Be aware that the authority has the power to compel testimony, regardless of whether the reporter initiated the contact.
- Monitor National Transpositions: Since CADA relies on general Union safeguards, the effectiveness of whistleblower protection will vary by Member State depending on how they have transposed the Whistleblower Directive. Review national laws in each jurisdiction where you operate to understand the specific protections available to reporters, as CADA does not harmonise these procedural rights.
- Document Compliance Rigorously: With no dedicated whistleblower shield in CADA, the burden of proof in any subsequent litigation or investigation may fall heavily on the provider's compliance records. Maintain robust audit trails and documentation of conformity self-assessments (Level 1) and third-party audits (Levels 2 to 4) to demonstrate good faith and compliance, reducing the likelihood of an investigation triggered by internal reports.
Common misconceptions
Misconception 1: CADA has its own whistleblower protection scheme. Reality: CADA does not contain any article that explicitly protects whistleblowers, mandates confidentiality for reporters, or prohibits retaliation. It relies on the broader EU legal framework, primarily the Whistleblower Directive, for these protections.
Misconception 2: Reporting a CADA breach is optional for employees. Reality: While CADA does not impose a direct obligation on individual employees to report, Article 26(1)(a) empowers authorities to compel information from anyone aware of an infringement. In practice, this means employees may be legally required to cooperate with investigations once contacted, and their failure to do so could have implications under national law.
Misconception 3: Customers are the only ones who can report breaches. Reality: Article 24(3) gives customers the right to seek compensation, but Article 26(1)(a) explicitly includes "any other persons... who may reasonably be expected to be aware of information relating to a suspected infringement." This broad category includes employees, subcontractors, and potentially competitors.
Misconception 4: Whistleblowers are anonymous by default under CADA. Reality: CADA does not guarantee anonymity. Anonymity protections would depend on national laws implementing the Whistleblower Directive and the specific procedures of the national competent authority. CADA itself is silent on this issue, focusing instead on the authority's power to gather evidence.
This is general information about a draft EU regulation, not legal advice.