Summary

Yes, as proposed in the Cloud and AI Development Act (CADA), the European Commission plays a central coordinating role in the enforcement of the cloud sovereignty framework, working in close tandem with national competent authorities. Article 27(1) mandates that the Commission and authorities "cooperate closely and provide each other with mutual assistance" to ensure consistent application of the law. Crucially, Article 28(2) empowers the Commission to directly request a national authority to assess a suspected infringement and take enforcement measures, acting as a top-down trigger for action. To facilitate this network, Article 25(2) requires Member States to notify the Commission of their designated authorities, which the Commission must then maintain in a public register.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a governance model that balances national enforcement competence with Union-level oversight. While the primary responsibility for investigating and penalizing infringements lies with the national competent authority of the Member State where the cloud computing service provider is established, the Commission acts as the hub for consistency, information exchange, and escalation. This structure is designed to prevent regulatory fragmentation and ensure that the four Union assurance levels are applied uniformly across the single market.

The Foundation: Close Cooperation and Mutual Assistance

The operational backbone of this enforcement network is Article 27, which governs mutual assistance. Article 27(1) explicitly states: "Competent authorities and the Commission shall cooperate closely and provide each other with mutual assistance to apply this Chapter in a consistent and efficient manner." The provision further clarifies that "Mutual assistance shall include the exchange of information."

This clause is not merely procedural; it is a substantive obligation. It ensures that a national authority investigating a provider is not siloed. If a competent authority in one Member State requires specific data regarding a provider's operations, control structures, or compliance status that is held by the Commission or another national authority, it can formally request that information. This mechanism is vital for the CADA framework, as cloud infrastructure often spans multiple jurisdictions, and the "control" of a provider (a key criterion for Union assurance levels) may involve complex corporate structures or third-country legal entities that require cross-border verification.

The Commission's Power to Trigger Enforcement

While national authorities hold the exclusive competence to enforce the regulation against providers established in their territory (as per Article 25(4)), the Commission retains a significant "trigger" mechanism to ensure that systemic risks or serious breaches are not ignored. This power is codified in Article 28(2).

Under Article 28(2), "The Commission may also request the competent authority referred to in Article 25 to assess the matter and take the necessary investigatory and enforcement measures to ensure compliance." This provision allows the Commission to intervene when it identifies a potential infringement or a systemic risk to the Union's cloud sovereignty. Unlike a standard information request, this is a directive to act. The Commission can formally request the national authority of establishment to launch an investigation and, if warranted, impose remedies or penalties.

The process is bound by strict timelines to ensure efficiency. Article 28(4) stipulates that the competent authority of establishment must communicate its assessment and any measures taken or envisaged to the requesting authority and the Commission "as soon as possible and in any event not later than two months after receipt of the request." This creates a binding deadline for national authorities to respond to Commission-led concerns, preventing delays in addressing critical sovereignty risks.

Transparency and the Public Register

For this cooperative framework to function effectively, the identity and powers of the enforcing bodies must be transparent. Article 25(2) establishes the registration duty: "Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers."

Following this notification, the Commission is obligated to "maintain a public register of those authorities." This register serves as the definitive source for cloud service providers, public sector bodies, and other stakeholders to identify which national authority holds jurisdiction over a specific provider. It is particularly critical for determining the "competent authority of establishment," which, under Article 25(4), has "exclusive competence for enforcing this Chapter." Without this central register, the cross-border cooperation mechanisms in Articles 27 and 28 would lack the necessary clarity regarding which authority is responsible for which provider.

Cross-Border Cooperation Dynamics

The enforcement framework also addresses scenarios where a provider is established in one Member State but used in another. Article 28(1) outlines the procedure for the "competent authority of destination" (the authority of the Member State where the service is consumed) to act if it suspects a provider no longer meets the Union assurance level criteria. In such cases, the destination authority requests the authority of establishment to assess the matter.

The Commission acts as a facilitator and, if necessary, a point of escalation in these cross-border disputes. If the authority of establishment fails to act or if there is a disagreement, the Commission can step in under Article 28(2) to ensure the matter is assessed. This ensures that the single market is not undermined by inconsistent national interpretations of sovereignty criteria, and that a provider cannot evade scrutiny simply by operating across borders.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, understanding this cooperative enforcement network is critical for risk management.

  1. Identify Your Primary Enforcer: Your first step must be to consult the Commission's public register (established under Article 25(2)) to identify your specific "national competent authority of establishment." This is the body with exclusive enforcement competence over you. All recognition applications (Article 17) and primary compliance reporting flow through this authority.
  2. Prepare for Commission-Triggered Scrutiny: Be aware that the Commission can bypass standard national prioritization and directly trigger an investigation under Article 28(2). If the Commission identifies a systemic risk or a suspected breach, your national authority is legally bound to assess the matter and report back within two months. You must be prepared to provide immediate, comprehensive evidence to your national authority to facilitate this rapid response.
  3. Ensure Information Readiness for Mutual Assistance: Since Article 27(1) mandates the exchange of information between authorities and the Commission, your internal documentation must be audit-ready at all times. This includes your EU statement of conformity, audit reports, transparency notifications (Article 23), and evidence regarding third-country control. Delays in providing information to your national authority can hinder the mutual assistance process and may be interpreted as non-cooperation, potentially aggravating enforcement outcomes.
  4. Monitor Cross-Border Risks: If you serve public sector bodies in multiple Member States, a suspicion raised by a "competent authority of destination" can trigger a formal assessment by your home authority. Ensure your compliance posture is consistent across all jurisdictions. Discrepancies in how you operate or report in different Member States could be flagged during these cross-border exchanges, leading to a Commission-triggered review.

Common misconceptions

  • Misconception: "The Commission has direct power to fine cloud providers."
    • Reality: The Commission does not have direct investigative or penalty-imposing powers over individual providers. Instead, it relies on national competent authorities to carry out investigations and impose penalties. The Commission's power lies in coordination, requesting assessments (Article 28(2)), and maintaining the register (Article 25(2)).
  • Misconception: "National authorities operate in isolation."
    • Reality: Article 27(1) explicitly mandates "close cooperation" and "mutual assistance," including the exchange of information. The Commission is an active participant in the enforcement ecosystem, ensuring that national actions are consistent with Union-wide objectives.
  • Misconception: "Only the provider's home country matters for enforcement."
    • Reality: While the authority of establishment has exclusive competence, authorities in other Member States (destinations) can trigger assessments if they suspect non-compliance (Article 28(1)). Furthermore, the Commission can intervene directly if it deems a matter requires Union-level attention (Article 28(2)). Compliance must be robust regardless of where the service is consumed.
  • Misconception: "The Commission only monitors and never acts."
    • Reality: The Commission has a proactive role. It can request assessments, demand information, and ensure that national authorities take necessary measures. It acts as a safeguard against regulatory arbitrage and inconsistent enforcement.

This is general information about a draft EU regulation, not legal advice.