Summary
Under the proposed Cloud and AI Development Act (CADA), financial benefit gained or losses avoided due to an infringement is a mandatory criterion Member States must consider when imposing penalties on cloud computing service providers, as explicitly set out in Article 24(2)(d). However, this factor applies strictly "insofar as such benefits or losses can be reliably established." This creates a high evidentiary bar: authorities cannot impose fines based on speculative, hypothetical, or unproven economic gains. The provision ensures that penalties reflect the actual economic advantage derived from non-compliance with the Union cloud computing sovereignty framework, preventing arbitrary calculations while ensuring that non-compliance does not yield a net economic profit.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework for cloud sovereignty, requiring providers to meet specific Union assurance levels to serve public sector bodies. To enforce these obligations, Title IV, Chapter I of the proposal establishes a penalty regime. Article 24 outlines the rules on penalties and compensation, mandating that Member States lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."
Crucially, Article 24(2) provides a non-exhaustive list of criteria that Member States "shall take into account" when imposing penalties. Among these is point (d), which explicitly requires authorities to consider:
"the financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established."
This clause serves as a dual-purpose mechanism: it acts as an aggravating factor for providers who profit from non-compliance, while simultaneously acting as a safeguard against arbitrary enforcement by requiring concrete proof.
The "Reliably Established" Threshold
The qualifying phrase "insofar as such benefits or losses can be reliably established" is a critical legal safeguard for providers. It implies that authorities cannot impose fines based on hypothetical, projected, or speculative financial gains. There must be concrete, verifiable evidence linking the infringement directly to a specific financial benefit or cost saving.
For in-house counsel, this creates a significant evidentiary burden for regulators. To quantify "financial benefits gained" under Article 24(2)(d), authorities would likely need to demonstrate a direct causal link between the infringement and the economic outcome. This typically involves two primary quantification pathways:
- Direct Revenue Linkage: Authorities must demonstrate how the infringement directly enabled the provider to secure a contract or retain a client they otherwise would have lost. For example, if a provider failed to obtain the required Union assurance level 2 for a public order-relevant activity (as mandated by Article 30(3)) but still secured the contract by misrepresenting their status, the revenue generated from that specific contract could be considered a "financial benefit gained." The "reliable establishment" would require proof that the contract would not have been awarded had the provider been compliant.
- Cost Avoidance Calculation: Authorities may calculate "losses avoided" by quantifying the costs the provider saved by engaging in the infringing conduct. This could include costs avoided for:
  - Independent Audits: Under Article 20, providers seeking levels 2, 3, or 4 must undergo independent third-party audits. A provider who skips this step to serve a client illegally avoids these audit fees.
  - Infrastructure Restructuring: To meet data localisation requirements in Annex II (e.g., keeping data exclusively within the Union), a provider might need to build or lease new EU-based infrastructure. Avoiding these capital expenditures constitutes a "loss avoided."
  - Personnel Compliance: Meeting the Union citizenship requirements for personnel under Annex II (levels 2, 3, and 4) may require hiring specific staff or reorganising teams. Avoiding these personnel costs is a quantifiable loss avoided.
If the causal link between the infringement and the financial benefit cannot be proven with reasonable certainty, this factor should not inflate the penalty. This prevents double-counting where the financial benefit is already captured by other metrics, such as the provider's overall turnover, which is also a criterion under Article 24(2)(f).
Interaction with Other Penalty Criteria
Article 24(2) lists several other factors that interact with the financial benefit criterion, creating a holistic view of the infringement's severity:
- Nature, Gravity, Scale, and Duration (Article 24(2)(a)): A long-term infringement that generates substantial, reliably established financial benefits will likely result in a higher penalty than a short-term, minor breach with negligible financial impact. The duration of the benefit directly correlates to the gravity of the infringement.
- Previous Infringements (Article 24(2)(c)): If a provider has a history of gaining financial benefits from non-compliance, this may aggravate the penalty, suggesting a systematic strategy to bypass sovereignty requirements for economic gain.
- Annual Turnover (Article 24(2)(f)): The provider's annual turnover in the Union provides a baseline for the penalty's scale. The financial benefit criterion acts as an adjuster on top of this, ensuring that the fine is not just proportional to the company's size, but also punitive of the specific illicit gain.
Quantification Challenges and Methodologies
Quantifying "losses avoided" can be particularly complex and requires a counterfactual analysis: what would the provider have spent had they complied?
For instance, if a provider fails to implement the necessary technical and organisational measures to ensure data remains exclusively within the Union (a requirement for Union assurance levels 2, 3, and 4 under Annex II), the "loss avoided" might be the cost of building or leasing additional EU-based infrastructure. Authorities would need to assess the market rate for such infrastructure and prove that the provider would have incurred these costs had they complied.
Similarly, "financial benefits gained" might include the premium a provider charges for services that are falsely represented as sovereign. If a provider claims to offer Union assurance level 3 without the required independent audit (Article 20) and charges a premium for this "sovereign" status, the difference between the actual cost of providing a non-sovereign service and the price charged for the falsely labelled service could be considered a financial benefit.
However, the "reliably established" constraint means authorities cannot simply apply a generic industry margin. They must rely on the provider's own financial records, audited accounts, or specific contract terms to establish the figure. If the provider's internal accounting does not segregate these costs or revenues, the authority may struggle to meet the "reliable" threshold, potentially limiting the use of this criterion.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the inclusion of financial benefit as a penalty criterion under Article 24(2)(d) necessitates rigorous internal financial tracking and compliance documentation.
- Document Compliance Costs: Maintain detailed, segregated records of the costs associated with achieving and maintaining Union assurance levels. This includes audit fees under Article 20, infrastructure adjustments for data localisation, and personnel costs for Union citizenship requirements. In the event of an investigation, this documentation defines the baseline of "compliant costs," making it harder for authorities to claim speculative losses were avoided.
- Audit Pricing Models: Ensure that any price premiums charged for "sovereign" or "Union-assured" services are accurately reflected in your service level agreements (SLAs) and marketing materials. If you are found to have misrepresented your assurance level, the financial benefit will be easier to establish if you can show a direct price differential. Transparency here is key to mitigating the risk of inflated penalties.
- Prepare for Evidentiary Challenges: Be prepared to challenge authorities on the "reliably established" threshold. If regulators propose a fine based on estimated savings or projected revenues, demand concrete evidence linking the infringement to the specific financial figure. The burden of proof lies with the authority to establish the benefit reliably.
- Integrate Financial Risk into Compliance Programs: Treat financial benefit not just as a legal metric, but as a business risk. Non-compliance with CADA's sovereignty framework is not just a regulatory violation; it is an economic activity that can be quantified and penalised. Ensure that your compliance team works closely with finance to monitor the economic impact of your cloud service offerings.
Common misconceptions
Misconception 1: Financial benefit is automatically added to the fine. Reality: Article 24(2) lists criteria to be taken into account, not a formulaic addition. The financial benefit is one factor among many, including the nature of the infringement and the provider's turnover. It does not mean the fine equals the financial benefit plus a multiplier, but rather that the benefit informs the proportionality and dissuasiveness of the penalty.
Misconception 2: Authorities can estimate financial benefits using industry averages. Reality: The text specifies "insofar as such benefits or losses can be reliably established." This suggests a need for provider-specific evidence. Industry averages or speculative models may not meet the threshold of "reliable establishment," giving providers grounds to contest fines based on estimated rather than actual financial gains.
Misconception 3: Only direct revenue counts as financial benefit. Reality: "Losses avoided" is explicitly included. This means cost savings from non-compliance (e.g., avoiding the expense of third-party audits or data localisation) are treated similarly to direct revenue gains. Providers cannot argue that they only "saved money" rather than "gained money" to escape this criterion.
This is general information about a draft EU regulation, not legal advice.