Summary

Under the proposed Cloud and AI Development Act (CADA), national competent authorities are strictly bound by the principle of proportionality when exercising enforcement powers. Article 26(3) mandates that any measure taken—whether a fine, an order to cease infringement, or a periodic penalty payment—must be "effective, dissuasive and proportionate." Crucially, authorities must weigh the nature, gravity, recurrence, and duration of the infringement against the "economic, technical and operational capacity" of the service provider. This prevents excessive penalties that could disproportionately harm smaller providers or disrupt critical cloud services, ensuring enforcement is calibrated to the specific context of the violation rather than applied as a rigid maximum.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous framework for the sovereignty of cloud computing services, yet it embeds a critical safeguard to prevent regulatory overreach. For legal counsel and compliance officers, the interplay between the broad investigative powers granted to authorities and the strict proportionality limits is the defining feature of the enforcement regime.

The Legal Mandate: Article 26(3)

The core constraint on enforcement is explicitly codified in Article 26(3) of the CADA proposal. This provision acts as a binding instruction to national competent authorities, stating:

"Measures taken by national competent authorities of establishment in exercising their powers listed in paragraphs 1 and 2 shall be effective, dissuasive and proportionate, having regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement to which those measures relate, and, where relevant, the economic, technical and operational capacity of the service provider concerned."

This text transforms proportionality from a general administrative law principle into a specific statutory requirement for every enforcement action. It applies to the full spectrum of powers listed in Article 26(1) (investigative powers, such as requesting information and inspecting premises) and Article 26(2) (enforcement powers, such as ordering the cessation of infringements, imposing fines, and levying periodic penalty payments).

The Multi-Factor Proportionality Test

To ensure measures are proportionate, authorities must conduct a multi-factor assessment before finalizing any sanction. The proposal identifies five distinct variables that must be considered:

  1. Nature of the Infringement: This distinguishes the type of violation. A procedural oversight, such as a delay in notifying a material change under Article 23, is qualitatively different from a substantive breach of sovereignty, such as failing to prevent unauthorized third-country access to data. The nature of the breach dictates the baseline severity of the response.
  2. Gravity of the Infringement: This assesses the severity of the harm or risk. An infringement that compromises the integrity of the Union assurance framework or exposes sensitive public order data carries significantly higher gravity than a minor administrative error in documentation.
  3. Recurrence: Authorities must determine if the violation is an isolated incident or part of a pattern. A provider that repeatedly fails to meet the criteria for Union assurance levels (as defined in Annex II) demonstrates a systemic failure, warranting stricter measures than a one-off lapse.
  4. Duration: The length of time the infringement persisted is a critical factor. A long-standing failure to maintain a valid software bill of materials (SBOM) as required by Annex III is treated more severely than a temporary, quickly rectified gap.
  5. Provider Capacity: Perhaps the most distinct feature of CADA's enforcement regime is the explicit requirement to consider the "economic, technical and operational capacity of the service provider concerned." This ensures that a penalty calculated to be "dissuasive" for a global hyperscaler does not become economically destructive for a small and medium-sized enterprise (SME). The measure must be calibrated to the provider's ability to pay and operate without being crippled.

Procedural Safeguards and Limits on Excessive Enforcement

While Article 26(2) grants authorities potent tools—including the power to order the immediate cessation of infringements and impose fines—these powers are not absolute. They are circumscribed by the procedural guarantees in Article 26(4). This article mandates that any exercise of these powers must be subject to adequate safeguards under national law, specifically respecting:

  • The right to respect for private life.
  • The rights of defence, including the right to be heard and to have access to the file.
  • The right of all affected parties to an effective judicial remedy.

These safeguards, combined with the proportionality test in Article 26(3), create a robust defense against excessive enforcement. Authorities cannot simply apply the maximum statutory fine for every breach. For example, if a provider unintentionally fails to update its EU statement of conformity for Union assurance level 1 (under Article 19) but immediately corrects the error upon discovery, a heavy fine would likely fail the proportionality test. In such a case, a warning or a nominal penalty would be the legally required response.

Alignment with Penalty Criteria in Article 24

The proportionality framework in Article 26 is not isolated; it operates in tandem with Article 24, which sets out the general rules for penalties. Article 24(1) requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." Furthermore, Article 24(2) lists non-exhaustive criteria for imposing penalties that mirror and reinforce the factors in Article 26(3):

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken to mitigate or remedy the damage.
  • Any previous infringements.
  • The financial benefits gained or losses avoided.
  • The infringing party's annual turnover in the Union.

This alignment ensures a coherent legal standard. The "economic capacity" factor in Article 26(3) directly informs the "annual turnover" consideration in Article 24(2)(f). Unlike the EU AI Act, which sets specific EU-wide fine caps (e.g., €35 million or 7% of turnover under Article 99), CADA delegates the specific calculation of fines to Member States, provided they adhere to these proportionality principles. This flexibility allows national authorities to tailor penalties to the specific market context while maintaining the EU-wide requirement that measures remain effective and dissuasive.

Practical Implications for Compliance Strategy

For compliance officers, the proportionality principle is a strategic lever. It means that the response to an infringement is as important as the prevention.

  • Mitigation Matters: Demonstrating that a provider took immediate steps to mitigate damage can significantly reduce the "gravity" factor in the authority's assessment.
  • Documentation is Defense: Detailed records of internal audits, self-assessments, and cooperation with auditing organizations are essential to prove that an infringement was not "recurrent" and was of short "duration."
  • Capacity Evidence: SMEs should be prepared to present evidence of their economic and operational capacity if facing enforcement, ensuring that penalties are not set at a level that threatens their viability.

What this means for you

For in-house counsel and compliance teams, the proportionality limits in CADA offer a structured framework for risk management and defense.

  • Document the Timeline: If an infringement occurs, meticulously record the timeline: when it was detected, how it was assessed, and the exact steps taken to rectify it. This evidence directly addresses the "duration" and "recurrence" factors in Article 26(3).
  • Quantify Your Capacity: Be prepared to demonstrate your economic and operational capacity. For smaller providers, this is a critical defense against disproportionate fines. Ensure financial records and operational reports are readily available to support this argument.
  • Prioritize Cooperation: Article 26(1) grants authorities the power to request information. Prompt, transparent, and full cooperation can be viewed favorably in the proportionality assessment, potentially mitigating the severity of the final penalty.
  • Audit Assurance Levels Regularly: Proactively audit compliance with the criteria in Annex II for your specific Union assurance level. A proactive approach reduces the risk of "recurrent" infringements, which carry heavier weight in enforcement decisions.
  • Prepare for Judicial Review: Since Article 26(4) guarantees the right to an effective judicial remedy, ensure your legal team is ready to challenge any enforcement action that appears disproportionate based on the specific factors listed in Article 26(3).

Common misconceptions

"Proportionality means no penalties for small providers." Incorrect. Proportionality means the penalty must fit the crime and the provider's capacity. SMEs are still subject to "dissuasive" measures, but these should not be economically crippling relative to their size. The goal is to deter non-compliance without destroying the provider.

"Only fines are subject to proportionality." Incorrect. Article 26(3) applies to all measures, including orders to cease infringements and periodic penalty payments. An order to stop providing a service must also be proportionate to the infringement; a minor documentation error should not trigger a total service shutdown.

"Proportionality is a blanket defense against any penalty." Incorrect. It is a guiding principle for the level and type of enforcement, not an exemption. Serious infringements, especially those involving intentional misinformation, repeated failures, or threats to public order, will still face significant penalties regardless of provider size.

This is general information about a draft EU regulation, not legal advice.