Summary
No, the proposed Cloud and AI Development Act (CADA) does not set a specific maximum fine amount or a fixed percentage cap on penalties. As proposed in Article 24, the regulation mandates that Member States establish their own national penalty regimes for infringements by cloud computing service providers. While the text requires these penalties to be "effective, proportionate and dissuasive," it deliberately leaves the specific monetary ceilings and calculation methods to national implementation. Crucially, Article 24(2)(f) requires Member States to consider the "infringing party's annual turnover in the preceding financial year in the Union" when determining penalties, but this is a factor for assessment, not a statutory cap.
Detail
The legislative architecture of the proposed Cloud and AI Development Act (CADA) regarding enforcement differs significantly from other major EU digital regulations, such as the AI Act. While the AI Act harmonizes penalty ceilings across the Union, CADA adopts a decentralized approach to financial sanctions, focusing on the principles of punishment rather than the quantum.
The Legal Framework of Article 24
Article 24 of the CADA proposal, titled "Penalties and compensation," establishes the foundational rules for enforcement within the sovereignty framework (Title IV, Chapter I). It does not function as a penalty schedule but rather as a directive to national legislators.
1. National Discretion on Amounts
Under Article 24(1), the obligation falls squarely on Member States: "Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence." The regulation explicitly states that "The penalties provided for shall be effective, proportionate and dissuasive."
This phrasing is legally significant. By using the terms "effective, proportionate and dissuasive" without attaching a specific numerical value (e.g., "€20 million" or "4% of turnover"), the proposal grants Member States the legislative freedom to design penalty structures that fit their national legal traditions and enforcement capacities. Consequently, a cloud provider operating in multiple Member States could face vastly different maximum fines for the same infringement depending on the jurisdiction.
2. Mandatory Criteria for Imposition
Although CADA does not fix the cap, it does not leave the calculation entirely to chance. Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account when imposing penalties. These criteria ensure a degree of harmonization in the logic of penalty calculation, even if the amounts differ. The criteria include:
- The nature, gravity, scale and duration of the infringement.
- Any action taken by the infringing party to mitigate or remedy the damage caused.
- Any previous infringements by the infringing party.
- The financial benefits gained or losses avoided by the infringing party due to the infringement.
- Turnover as a Criterion: Article 24(2)(f) explicitly mandates that authorities consider "the infringing party's annual turnover in the preceding financial year in the Union."
It is vital to distinguish this from the AI Act's approach. In CADA, turnover is a factor to be weighed, not a multiplier that automatically generates a fine. The regulation does not state that a fine shall be X% of turnover; it states that turnover shall be taken into account.
3. Civil Liability and Compensation
Beyond administrative penalties, Article 24(3) introduces a private right of action. It stipulates that "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter." This creates a dual layer of financial risk: public enforcement penalties set by national authorities and private compensation claims from affected customers.
Comparison with the EU AI Act
The distinction between CADA and the AI Act (Regulation (EU) 2024/1689) is a frequent source of confusion. The AI Act, under Article 99, establishes a rigid, harmonized penalty structure:
- Breaches of prohibited practices (Article 5): Up to €35 million or 7% of total worldwide annual turnover.
- Other infringements: Up to €15 million or 3% of total worldwide annual turnover.
CADA does not replicate this structure. The Commission's explanatory memorandum and the text of Article 24 confirm that the proposal focuses on the sovereignty and resilience aspects of cloud infrastructure, leaving the specific financial deterrence mechanisms to the Member States. This means that while the AI Act guarantees a known maximum liability across the EU, CADA creates a variable liability landscape where the "dissuasive" nature of the penalty is defined by national law.
What this means for you
For legal counsel, compliance officers, and cloud service providers, the absence of a fixed EU-wide cap in CADA introduces specific strategic considerations.
1. Mapping the National Landscape
Because Article 24 delegates the setting of penalty amounts to Member States, you cannot rely on a single EU-wide risk model. You must monitor the transposition of CADA into national law in every Member State where you operate or seek recognition under the Union assurance levels. A penalty deemed "dissuasive" in one jurisdiction might be significantly lower or higher in another. Early engagement with national competent authorities during the transposition phase is advisable to understand the emerging penalty frameworks.
2. Turnover as a Primary Exposure Driver
Even without a statutory cap, Article 24(2)(f) ensures that your financial exposure is tied to your economic footprint. Authorities are required to consider your "annual turnover in the preceding financial year in the Union."
- Data Hygiene: Ensure your internal reporting clearly distinguishes EU turnover from global turnover, as the regulation specifically references the Union figure.
- Risk Scaling: Be prepared for penalties that scale with your market share. A large hyperscaler will likely face a higher absolute penalty than a smaller provider for the same infringement, as the "proportionate" requirement will be applied against a larger turnover base.
3. Mitigation and Remediation
Article 24(2)(b) highlights the importance of proactive remediation. If an infringement occurs, the criteria for penalty imposition explicitly include "any action taken by the infringing party to mitigate or remedy the damage."
- Incident Response: Develop protocols that prioritize immediate remediation and cooperation with the national competent authority.
- Documentation: Maintain detailed records of mitigation efforts. Demonstrating that you actively worked to reduce the impact of a breach could be a decisive factor in lowering the final penalty amount.
4. Civil Liability Risks
Do not focus solely on administrative fines. Article 24(3) opens the door to significant civil liability. Public sector bodies and other recipients of your services can sue for damages resulting from your non-compliance with sovereignty obligations. In the context of public procurement, where contracts often involve critical infrastructure, the potential for compensation claims could far exceed administrative fines.
Common misconceptions
"CADA fines are capped at a percentage of global turnover like the AI Act." This is incorrect. CADA does not set a global turnover cap, nor does it mandate a percentage-based fine. It only requires that EU turnover be considered as a criterion for determining the penalty. The final cap is determined by national law.
"The European Commission sets the fine amounts for CADA violations." No. The Commission monitors the framework and ensures Member States implement the "effective, proportionate and dissuasive" requirement, but the power to set specific penalty amounts and rules lies exclusively with the Member States, as per Article 24(1).
"There are no financial penalties in CADA, only compliance orders." This is false. Article 24 explicitly mandates that Member States establish penalties that are "effective, proportionate and dissuasive." In EU legal practice, these terms invariably include financial sanctions (fines) as a primary tool of enforcement.
"Turnover is the only factor that matters for CADA fines." While turnover is a mandatory criterion under Article 24(2)(f), it is just one of several factors. Authorities must also weigh the nature, gravity, scale, and duration of the infringement, as well as any mitigating actions taken by the provider.
This is general information about a draft EU regulation, not legal advice.