Summary

As proposed, the Cloud and AI Development Act (CADA) explicitly mandates a coordinated enforcement approach that integrates national competent authorities (NCAs) with other public bodies. Under Article 26(1)(b), an NCA may request "other public authorities" to conduct inspections on its behalf, while Article 27(2) allows a receiving authority to involve "other public authorities of the Member State in question" when processing mutual assistance requests. This framework ensures that cloud sovereignty investigations can leverage the technical expertise and jurisdictional reach of cybersecurity, data protection, and energy regulators, preventing providers from evading scrutiny through regulatory fragmentation.

Detail

The Cloud and AI Development Act (CADA) is designed to address complex, cross-sectoral risks inherent in cloud infrastructure, such as data sovereignty, supply chain security, and operational continuity. Recognizing that these risks often overlap with existing regulatory domains, the proposal establishes a robust legal framework for inter-agency cooperation. This framework ensures that the enforcement of Union assurance levels is not conducted in isolation but is supported by the broader ecosystem of EU and national regulators.

The Power to Request Inspections from Other Public Authorities (Article 26)

The primary investigative engine for CADA lies with the national competent authority of establishment. However, the proposal acknowledges that these authorities may lack specific technical mandates or statutory powers to inspect certain types of infrastructure, such as energy grids, telecommunications networks, or specialized cybersecurity facilities. To bridge this gap, Article 26 grants NCAs the power to delegate or request assistance from other public bodies.

Specifically, Article 26(1)(b) empowers a competent authority to:

"carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium;"

This provision is critical for cross-regulator coordination. It explicitly authorizes the NCA to bypass its own operational limitations by requesting "other public authorities" to perform the physical or technical inspection. For example, if a suspected infringement involves the integrity of a data centre's cooling system (potentially an energy authority matter) or the security of a network backbone (a cybersecurity authority matter), the CADA NCA can formally request the relevant specialized body to conduct the inspection and gather the necessary evidence. This ensures that the investigation into sovereignty criteria, such as the location of infrastructure or the control of third-country entities, is technically robust and legally sound.

Mutual Assistance and the Involvement of Other Public Authorities (Article 27)

While Article 26 addresses intra-Member State cooperation, Article 27 governs the mutual assistance required for cross-border enforcement. Under CADA, the "competent authority of establishment" holds exclusive competence for enforcement. However, when evidence or infrastructure is located in a different Member State, the establishment authority must rely on the cooperation of the destination authority.

Article 27(2) creates a flexible mechanism for this cooperation, explicitly allowing for the involvement of additional public bodies beyond the NCA itself:

"A competent authority may request other competent authorities to provide specific information in their possession relating to a specific cloud computing service provider to exercise its investigative powers under Article 26 regarding specific information located in their Member State. Where appropriate, the competent authority receiving the request may involve other competent authorities or other public authorities of the Member State in question."

This clause is pivotal for holistic enforcement. It recognizes that a cloud provider's operations in a destination Member State may be subject to multiple regulatory regimes. If the requesting NCA (from the establishment state) needs information located in the destination state, the receiving NCA is not limited to acting alone. It may "involve other public authorities of the Member State in question." This could include national cybersecurity agencies, data protection authorities, or sector-specific regulators who already hold relevant data or possess the technical capacity to verify specific sovereignty claims.

This mechanism supports a unified regulatory front. It prevents cloud providers from exploiting jurisdictional gaps where a specific piece of evidence might be held by a non-NCA body. By allowing the receiving authority to tap into the broader public authority network, CADA ensures that mutual assistance requests are comprehensive and that evidence gathering is not bottlenecked by the specific competencies of a single NCA.

Synergy with Existing EU Frameworks

The cooperation provisions in Articles 26 and 27 are designed to complement, not replace, existing EU legislation such as the NIS2 Directive, the GDPR, and the Cybersecurity Act. The CADA proposal explicitly notes that it supplements the Cybersecurity Act's focus on technical cybersecurity with sovereignty considerations.

By enabling NCAs to request inspections from other public authorities (Article 26) and to involve them in mutual assistance (Article 27), CADA creates a "whole-of-government" approach to cloud sovereignty. This ensures that:

  1. Technical Expertise is Leveraged: Investigations into complex infrastructure can draw on the specialized knowledge of energy, telecom, and cybersecurity regulators.
  2. Procedural Efficiency is Enhanced: Evidence already held by other public authorities can be accessed without duplicating inspection efforts.
  3. Regulatory Consistency is Maintained: The involvement of multiple public bodies under the CADA framework ensures that sovereignty requirements are interpreted and enforced consistently with other critical infrastructure regulations.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the cooperation mechanisms in Articles 26 and 27 of CADA have significant operational implications. The era of dealing with a single regulator for cloud compliance is over; CADA as proposed envisions a multi-agency enforcement environment.

  • Prepare for Multi-Agency Inspections: Do not assume that only the designated CADA NCA will conduct on-site inspections. Under Article 26(1)(b), the NCA may request "other public authorities" to carry out inspections. Your legal and technical teams must be prepared to engage with a diverse range of regulators, including cybersecurity agencies, energy regulators, or data protection authorities, who may be acting on behalf of the CADA NCA. Ensure your incident response plans account for simultaneous engagement with multiple public bodies.
  • Anticipate Cross-Border Evidence Sharing: If you operate across the EU, be aware that an investigation initiated by your establishment state's NCA can trigger a chain of assistance under Article 27. The receiving authority in another Member State may involve its own domestic regulators to gather evidence. This means that data governance and audit trails must be consistent across all jurisdictions, as evidence gathered by a national cybersecurity authority in one country could be used to enforce sovereignty rules in another.
  • Leverage Existing Regulatory Interactions: Since CADA encourages the involvement of other public authorities, interactions you already have with regulators under NIS2 or GDPR may become relevant to CADA compliance. Documenting your cooperation with these bodies and demonstrating compliance with their standards could streamline the CADA verification process. However, ensure that the scope of your existing compliance aligns with CADA's specific sovereignty criteria, as the two regimes are distinct.
  • Monitor Response Timelines: Be aware of the procedural deadlines in Article 27(3), which requires the receiving authority to inform the requesting authority of actions taken "as soon as possible and no later than two months after receipt of the request, unless duly justified." In cross-border investigations involving multiple public authorities, this timeline may be tight. Ensure your internal processes can respond rapidly to information requests that may originate from a coordinated effort between several regulators.

Common misconceptions

  • Misconception: CADA enforcement is siloed and conducted exclusively by the designated cloud sovereignty authority.
    • Reality: Article 26(1)(b) and Article 27(2) explicitly empower NCAs to request and involve "other public authorities." This includes cybersecurity, energy, and data protection bodies, ensuring a coordinated, multi-agency approach to enforcement.
  • Misconception: Cloud providers can limit their exposure to a single regulator by operating in a specific sector.
    • Reality: The broad scope of inspections under Article 26(1)(b) covers "any premises" used for business purposes. If a cloud provider's infrastructure intersects with other regulated sectors, the CADA NCA can request the relevant sectoral authority to inspect those premises.
  • Misconception: Mutual assistance under CADA is limited to direct communication between two NCAs.
    • Reality: Article 27(2) allows the receiving authority to "involve other competent authorities or other public authorities of the Member State in question." This creates a networked enforcement model where evidence gathering can span multiple regulatory domains within a single Member State.

This is general information about a draft EU regulation, not legal advice.