Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) adopts a one-stop-shop enforcement model for its sovereignty framework, centered on the competent authority of establishment. Article 25(4) grants this authority exclusive competence to enforce the Regulation for cloud computing service providers, mirroring the GDPR's lead-authority approach. This ensures a single supervisory regime for EU-wide activities, while mutual assistance (Article 27) and cross-border cooperation (Article 28) mechanisms fill gaps, allowing destination authorities to trigger investigations when sovereignty risks arise in their jurisdiction.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised framework for cloud sovereignty, addressing the fragmentation of national approaches to third-country control and operational autonomy. A cornerstone of this framework is its enforcement architecture, designed to provide legal certainty for providers while ensuring robust oversight. This architecture relies on a one-stop-shop mechanism, where a single national authority bears the primary responsibility for supervision and enforcement across the Union.

Exclusive Competence of the Authority of Establishment

The legal basis for this model is explicitly set out in Article 25(4) of the proposal. It states that the Member State in which the cloud computing service provider has its main establishment (defined as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised) shall have exclusive competence for enforcing Title IV (the chapter on autonomy and sovereignty).

This provision creates a clear hierarchy of responsibility. If a cloud provider is established in Ireland but delivers services to public sector bodies in Germany, France, and Italy, the Irish competent authority is the sole enforcer regarding the provider's compliance with Union assurance levels. The provider does not face parallel enforcement actions or divergent regulatory interpretations from multiple national authorities. This centralisation is intended to prevent regulatory arbitrage and reduce the administrative burden on providers who would otherwise need to navigate a patchwork of national sovereignty regimes.

The definition of "main establishment" is critical. It is not merely a registered office used for tax purposes; it is the locus of principal financial functions and operational control. This ensures that the authority with the most direct insight into the provider's governance and decision-making processes retains oversight.

Comparison to the GDPR Lead Authority Model

The CADA enforcement model is structurally analogous to the lead supervisory authority mechanism under the General Data Protection Regulation (GDPR). Under the GDPR, the authority in the Member State of the data controller's main establishment acts as the lead authority for cross-border processing, coordinating with other concerned authorities. Similarly, CADA designates the competent authority of establishment as the exclusive enforcer for cloud sovereignty compliance.

However, the scope and objectives differ significantly:

  • Subject Matter: The GDPR's one-stop-shop addresses data protection, fundamental rights, and data subject rights. CADA's model addresses technological sovereignty, operational autonomy, and public order. It focuses on mitigating risks related to third-country control, extraterritorial access, and service disruption.
  • Exclusivity vs. Coordination: While the GDPR lead authority coordinates with "concerned authorities" through a consistency mechanism, CADA Article 25(4) uses the stronger term "exclusive competence". This suggests a more rigid centralisation of enforcement power, where the authority of establishment has the final say on recognition and penalties, subject only to the specific cross-border triggers in Articles 27 and 28.
  • Risk Focus: The GDPR focuses on the impact on individuals' rights. CADA focuses on the integrity of the Union's digital infrastructure and the ability of public bodies to preserve public order against external interference.

Mutual Assistance and Cross-Border Cooperation

While the authority of establishment holds exclusive competence, the proposal recognises that sovereignty risks often manifest across borders. A provider established in one Member State may serve a critical public function in another, creating a risk that the home authority might not fully appreciate the local public order implications. To address this, CADA introduces robust mechanisms for mutual assistance and cross-border cooperation.

Article 27: Mutual Assistance

This article mandates close cooperation between competent authorities and the Commission. It ensures that the authority of establishment is not hindered by the location of evidence or assets.

  • Information Exchange: If the authority of establishment needs information located in another Member State to exercise its investigative powers under Article 26, it may request that information from the competent authority of that other Member State.
  • Obligation to Act: The receiving authority is obliged to comply with such requests and must inform the requesting authority of the action taken.
  • Timeframe: The receiving authority must act as soon as possible and, unless duly justified, no later than two months after receipt of the request.

This mechanism ensures that the "one-stop-shop" authority has the necessary tools to investigate effectively, even if the technical evidence or personnel involved are physically located in a different Member State.

Article 28: Cross-Border Cooperation

This article addresses the scenario where a "destination" authority (where the service is used) suspects non-compliance.

  • Trigger: If a competent authority in a Member State where the service is used has reason to suspect that a provider no longer fulfils the requirements of the sovereignty framework (e.g., failing to meet Union assurance level criteria), it may request the competent authority of establishment to assess the matter.
  • Action: The authority of establishment must then take the necessary investigatory and enforcement measures to ensure compliance.
  • Reporting: The authority of establishment must communicate its assessment and any measures taken to the requesting authority and the Commission within two months.

This prevents "regulatory gaps" where a provider might technically comply with its home authority's standards but fail to meet the specific risk requirements of a host Member State. It ensures that while enforcement is centralised, oversight remains responsive to local public order concerns.

Penalties and Enforcement Powers

The competent authority of establishment is equipped with significant powers under Article 26 to enforce the Regulation. These include:

  • Investigative Powers: The power to require information from providers and subcontractors, inspect premises, and record explanations from staff.
  • Enforcement Powers: The power to order the cessation of infringements, impose remedies, and impose fines or periodic penalty payments.

Article 24 mandates that Member States lay down rules on penalties that are effective, proportionate and dissuasive. Unlike the AI Act, which sets specific maximum fines (e.g., €35 million or 7% of turnover), CADA does not fix a maximum fine amount in the text. Instead, it requires Member States to consider criteria such as the nature, gravity, and duration of the infringement, any financial benefits gained, and the provider's annual turnover. This flexibility allows penalties to be tailored to the specific sovereignty risk, while the "exclusive competence" ensures a consistent application of these penalties across the EU.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the one-stop-shop model offers clarity but demands rigorous internal governance.

  1. Pinpoint Your Competent Authority: You must definitively identify your main establishment. This is the location of your head office or registered office where principal financial functions and operational control are exercised. This is the authority you will interact with for recognition under Article 17 and for any enforcement actions. Do not rely on a "letterbox" entity; the authority looks at where real control is exercised.
  2. Centralise Your Compliance Data: Since the authority of establishment has exclusive competence, it will be the single point of contact for all EU-wide sovereignty compliance. Maintain comprehensive documentation of your conformity self-assessments (Level 1) or audit reports (Levels 2–4) in a format accessible to this authority.
  3. Prepare for Cross-Border Triggers: While you deal primarily with one authority, be prepared for Article 28 requests. If a public body in a host Member State identifies a risk to public order, that Member State's authority can trigger an investigation by your home authority. Ensure your internal processes allow for the timely provision of evidence to your home authority, which may then share it with others under Article 27.
  4. Monitor Risk Assessments: Member States and Union entities must conduct risk assessments under Article 29 to determine the required assurance level for their activities. If a host Member State believes your service does not meet the required level, it will trigger a cross-border cooperation request. Stay proactive in communicating changes in your service architecture or control measures to your authority of establishment to preempt such requests.
  5. Deadline Awareness: Member States must designate their competent authorities by the date of entry into force plus one year (Article 25(1)). Ensure you are registered with the correct authority as soon as it is designated to avoid gaps in recognition.

Common misconceptions

  • "The one-stop-shop means I only answer to one country, period."
    • Correction: While the authority of establishment has exclusive enforcement competence, it does not operate in isolation. It must cooperate with other authorities. If a host Member State identifies a risk to public order, it can trigger an investigation by your home authority under Article 28. You cannot ignore concerns raised by other Member States.
  • "CADA's one-stop-shop is identical to the GDPR's."
    • Correction: The mechanisms are similar, but the subject matter and legal consequences differ. CADA focuses on sovereignty, third-country control, and public order, not just data protection. The criteria for compliance (Union assurance levels) are distinct from GDPR adequacy decisions, and the "exclusive competence" language in Article 25(4) is stronger than the GDPR's coordination model.
  • "I can choose which Member State's authority regulates me."
    • Correction: No. The competent authority is determined by your main establishment (head office/registered office with principal control). You cannot "shop" for a more favourable regulator by changing your operational control without changing your main establishment.
  • "Mutual assistance is optional for other Member States."
    • Correction: Article 27 imposes a duty on competent authorities to provide mutual assistance. If your home authority requests information located in another Member State, that authority is obliged to comply and respond within a set timeframe (typically two months).

This is general information about a draft EU regulation, not legal advice.