Summary
No, as proposed, the Cloud and AI Development Act (CADA) does not explicitly mandate Member States to establish criminal penalties for infringements. Article 24(1) requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive," but it leaves the specific nature of those penalties, whether administrative, civil, or criminal, to national discretion. While the proposal harmonizes the criteria for determining penalty severity, it does not harmonize the type of sanction, nor does it impose a criminal law obligation on Member States.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework for cloud sovereignty, including a tiered system of "Union assurance levels" and strict obligations for providers serving public sector bodies. To ensure compliance with this framework, the proposal assigns significant enforcement powers to national competent authorities. However, unlike some other EU digital regulations that prescribe specific sanction types, CADA adopts a flexible approach regarding the nature of penalties, focusing instead on the effectiveness of the enforcement regime.
The Legal Basis: Article 24(1) and National Discretion
The core provision governing sanctions is Article 24 of the CADA proposal. The text of Article 24(1) states:
"Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive."
This formulation is a standard "minimum harmonization" clause in EU law. It creates a binding obligation for Member States to establish a penalty regime, but it deliberately avoids specifying the legal classification of those penalties. The phrase "effective, proportionate and dissuasive" is a well-established principle in EU jurisprudence (often associated with the principle of effectiveness) that allows national legislatures to choose the most appropriate enforcement mechanism under their domestic legal systems.
Consequently, a Member State could choose to enforce CADA infringements through:
- Administrative penalties: Such as fines, warnings, or suspension of recognition status.
- Civil penalties: Such as damages or contract termination.
- Criminal penalties: Such as imprisonment or criminal fines, particularly for intentional or grossly negligent violations.
The proposal contains no explicit mandate requiring Member States to criminalize infringements of the sovereignty framework. The choice remains entirely within the competence of the Member State, provided the resulting regime meets the "effective, proportionate and dissuasive" threshold.
Harmonized Criteria for Severity
While CADA leaves the type of penalty to national discretion, it provides a detailed, non-exhaustive list of criteria that Member States must take into account when determining the severity of any sanction. Article 24(2) requires authorities to consider the following factors:
- The nature, gravity, scale and duration of the infringement;
- Any action taken by the infringing party to mitigate or remedy the damage caused by the infringement;
- Any previous infringements by the infringing party;
- The financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established;
- Any other aggravating or mitigating factor applicable to the circumstances of the case;
- The infringing party's annual turnover in the preceding financial year in the Union.
By including "annual turnover" as a specific criterion, the proposal signals that penalties should be scaled to the economic power of the provider, ensuring that sanctions are truly "dissuasive" for large hyperscalers. However, this scaling mechanism applies regardless of whether the penalty is administrative or criminal.
Private Right to Compensation
In addition to public enforcement, Article 24(3) introduces a private right of action. It stipulates that:
"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This civil liability component runs parallel to the public penalty regime. It ensures that customers (including public sector bodies) can seek redress for damages resulting from a provider's failure to meet Union assurance level criteria or transparency obligations. This provision operates independently of whether the Member State has chosen to impose criminal or administrative penalties for the same infringement.
Comparison with the AI Act and GDPR
It is crucial to distinguish CADA's penalty structure from that of the EU AI Act (Regulation (EU) 2024/1689) and the GDPR.
- AI Act: The AI Act explicitly sets maximum administrative fines in Article 99, capping them at specific amounts (e.g., €35 million or 7% of total worldwide annual turnover for prohibited practices). This creates a harmonized, predictable ceiling for administrative sanctions across the Union.
- GDPR: Similarly, the GDPR sets specific percentage-based fines (up to 4% of turnover) in Article 83.
- CADA: In contrast, CADA does not set EU-wide monetary caps or specify a maximum fine amount in the primary text. This difference reflects the distinct regulatory objectives: while the AI Act focuses on product safety and fundamental rights with harmonized deterrents, CADA focuses on market sovereignty and procurement compliance, allowing Member States greater flexibility in how they enforce the sovereignty framework. The absence of a criminal mandate in CADA further underscores this flexibility, allowing Member States to align CADA enforcement with their existing national administrative or criminal codes.
The Role of National Competent Authorities
The enforcement of these penalties is the responsibility of national competent authorities, not the European Commission. Article 25 requires Member States to designate one or more national competent authorities responsible for enforcing the sovereignty chapter. Article 26 grants these authorities investigative and enforcement powers, including the power to "impose fines" or request a judicial authority to do so.
The text of Article 26(2)(b) states that authorities have "the power to impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with this Regulation." The phrasing "impose fines" typically refers to administrative fines, while the option to "request a judicial authority" leaves the door open for criminal proceedings if national law so provides. However, the proposal does not compel the judicial authority to treat the infringement as a criminal offense.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud computing service providers, the absence of a harmonized criminal mandate or specific fine caps in CADA creates a compliance landscape that requires granular, national-level monitoring.
- Monitor National Transposition: Since Member States have full discretion to define the penalty type, you must track the national laws implementing CADA in each jurisdiction where you operate. One Member State may impose heavy administrative fines, while another might pursue criminal prosecution for willful non-compliance with audit requirements or data localization rules. The "effective, proportionate and dissuasive" standard will be interpreted differently in each legal system.
- Risk Assessment Focus: When assessing compliance risks under the Union assurance levels (1-4), consider not just the loss of market access (e.g., removal from the central repository), but the potential for severe financial penalties based on your annual turnover in the Union. Article 24(2)(f) explicitly allows authorities to consider your turnover, meaning large providers could face substantial fines even if specific caps are not defined in the EU text.
- Civil Liability Exposure: Be aware that Article 24(3) exposes providers to civil claims from customers. If a provider falsely claims a higher Union assurance level or fails to report material changes affecting their status, customers may sue for damages. Ensure your internal governance and transparency reporting mechanisms (under Article 23) are robust to mitigate this risk.
- Mitigation Strategies: Document all actions taken to remedy infringements. Under Article 24(2)(b), mitigation efforts can reduce the severity of penalties. Maintaining a clear audit trail of corrective actions will be crucial in any enforcement proceeding, whether administrative or criminal.
- Judicial Cooperation: Be prepared for the possibility that a Member State might refer a case to its judicial authorities if the infringement is deemed severe. While CADA does not mandate this, the power to "request a judicial authority" in Article 26(2)(b) exists, and national laws may trigger criminal proceedings for certain types of fraud or obstruction.
Common misconceptions
Misconception 1: CADA imposes criminal penalties by default. This is incorrect. The text of Article 24(1) uses the neutral term "penalties" and requires them to be "effective, proportionate and dissuasive." It does not mandate criminal sanctions. Member States may choose administrative fines, which are the norm for regulatory compliance in the EU digital space. The proposal does not contain a "criminalization clause."
Misconception 2: Penalties are harmonized across the EU like GDPR fines. Unlike the GDPR, which sets specific percentage-based fines, CADA does not harmonize the maximum amount of fines. While the criteria for imposing penalties are harmonized in Article 24(2), the actual quantum of the penalty will vary by Member State. A provider could face different financial consequences for the same infringement depending on which national competent authority enforces the rule.
Misconception 3: Only the Commission can impose penalties. This is incorrect. Article 25 and Article 26 assign enforcement powers to national competent authorities. It is the Member States that lay down and impose the penalties, not the European Commission. The Commission's role is primarily oversight and coordination through mutual assistance mechanisms under Article 27 and Article 28.
Misconception 4: CADA requires criminal penalties for "high" assurance levels. There is no such requirement. The severity of the penalty is determined by the infringement's nature and the provider's turnover, not by the assurance level (1-4) involved. While infringements related to Level 4 (high sovereignty) might be considered more "grave" under Article 24(2)(a), the type of penalty remains a national choice.
This is general information about a draft EU regulation, not legal advice.