Summary

CADA is a proposal (COM(2026) 502 final) and is not yet in force. As proposed, it would not calculate penalties through a single EU-wide formula or cap. Article 24(1) would leave Member States to lay down penalty rules that are "effective, proportionate and dissuasive", and Article 24(2) would require them to take into account a non-exhaustive list of six criteria — the nature, gravity, scale and duration of the infringement; mitigation; prior infringements; financial benefits gained or losses avoided; any other aggravating or mitigating factor; and the infringing party's annual Union turnover in the preceding financial year. There is no fixed percentage of turnover in the text. The arithmetic would be set by national law and applied by the national competent authority of the provider's main establishment.

Detail

CADA's penalty provision is Article 24 ("Penalties and compensation"), within Title IV ("Autonomy"), Chapter I ("Cloud computing sovereignty framework"). Understanding how penalties would be "calculated" therefore means understanding two things the proposal does not do, and one thing it does.

What it does not do: it does not fix a maximum fine, and it does not set a percentage of turnover. This contrasts with the EU AI Act, which provides for fines up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher, for its most serious infringements (AI Act Article 99). CADA, as drafted, contains no equivalent ceiling.

What it does do: it delegates the level of penalties to Member States (Article 24(1)) and then channels that discretion through a list of factors (Article 24(2)). The result, as proposed, is harmonised inputs to the calculation but national outputs.

The legal basis (Article 24(1))

As proposed, Article 24(1) would require Member States to "lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence" and to ensure they are implemented; the penalties "shall be effective, proportionate and dissuasive." The reference to "this Chapter" ties the penalties to Title IV, Chapter I — the sovereignty framework — and not to CADA as a whole. The "effective, proportionate and dissuasive" formula echoes the GDPR and the AI Act, signalling that the penalties are meant to bite even though no figure is named. Member States would notify the Commission of their rules and of any later amendment.

The criteria that drive the calculation (Article 24(2))

To keep some consistency across the Union, Article 24(2) would require Member States to "take into account the following non-exhaustive criteria for the imposition of penalties for infringements of this Regulation":

  1. Nature, gravity, scale and duration of the infringement (point (a)) — how serious it was, how far it reached, and how long it lasted.
  2. Mitigation or remedy — any action the infringing party took to mitigate or remedy the damage caused (point (b)).
  3. Prior infringements by the same party (point (c)).
  4. Financial benefits gained or losses avoided because of the infringement, "insofar as such benefits or losses can be reliably established" (point (d)).
  5. Any other aggravating or mitigating factor applicable to the circumstances of the case (point (e)).
  6. Annual turnover in the preceding financial year in the Union (point (f)) — a reference base limited to Union turnover, not worldwide turnover.

Because the list is expressly non-exhaustive, a national authority could weigh additional factors. In practice, the same nominal breach could attract very different penalties depending on these inputs: a large provider with substantial Union turnover that negligently fails to report a material change under Article 23 might be assessed differently from a small provider that knowingly supplied misleading evidence during the Article 17 recognition procedure.

It is worth reading the criteria as a structured framework rather than a checklist. Points (a) and (c)-(d) speak to the seriousness and culpability of the conduct (how grave, how repeated, how profitable the breach was); point (b) and the mitigating limb of point (e) pull in the opposite direction, rewarding remediation and cooperation; and point (f) anchors the result to the provider's capacity to pay and to distort the market, by reference to Union turnover. Point (e) — "any other aggravating or mitigating factor" — is the open texture that lets an authority tailor the figure to the facts, but it also means a provider cannot reliably predict the outcome from the listed factors alone. Because the criteria are common across the Union but the resulting amounts are not, two Member States could lawfully reach materially different penalties on identical facts, constrained only by the shared "effective, proportionate and dissuasive" standard.

A second, separate track: compensation (Article 24(3))

Administrative penalties are not the only financial consequence. Article 24(3) would give recipients of the service the right to seek, in accordance with Union and national law, compensation from providers for any damage or loss suffered due to an infringement of the chapter. This is civil liability owed to the customer, separate from any fine owed to the state, and it is not "calculated" under Article 24(2) at all — its measure is governed by the applicable national law of damages.

How authorities apply the calculus (Articles 25-26)

The calculation would be performed by the national competent authority of the provider's main establishment (Article 25(4)), exercising the powers in Article 26. Article 26(3) would add its own proportionality test: measures must be "effective, dissuasive and proportionate", having regard in particular to the nature, gravity, recurrence and duration of the infringement and, where relevant, "the economic, technical and operational capacity of the service provider concerned." Article 26(2) would let the authority impose fines and periodic penalty payments, or ask a judicial authority to do so.

What this means for you

For in-house counsel and compliance officers, the absence of a fixed ceiling means you cannot compute a single worst-case exposure. Exposure would turn on the national rules of your main establishment and on the Article 24(2) factors as applied to the facts.

  • Map your governing regime. Article 25(4) would give exclusive enforcement competence to the Member State of your main establishment — "where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised." Identify that Member State and track its transposition of Article 24; that regime, and its cap (if any), would be the primary one for your organisation.
  • Build the mitigation record. Article 24(2)(b) makes remediation a live factor. Maintain incident-response and remediation protocols, and document corrective action and notifications (for example, reporting a material change under Article 23) so you can evidence mitigation if a penalty is assessed.
  • Be able to isolate financial benefit. Article 24(2)(d) lets authorities count benefits gained or losses avoided "insofar as such benefits or losses can be reliably established." If cutting a sovereignty corner saved cost, that saving could be treated as a benefit gained. Ensure your finance function can produce or rebut such figures.
  • Keep Union-turnover data ready. Because Article 24(2)(f) keys to Union turnover, accurate, current Union-wide turnover data will matter for both your own risk assessment and any dialogue with an authority.
  • Plan for multi-track exposure. A single infringement could generate an administrative penalty under Article 24(1)-(2), a periodic penalty payment if you fail to comply with a cessation order or an investigative order (Article 26(2)(c)), and a separate compensation claim from an affected recipient under Article 24(3). Model these as cumulative, not alternative, outcomes.

Common misconceptions

"CADA fines are capped at a percentage of global turnover." As proposed, Article 24 names no percentage and no ceiling. Unlike the AI Act (EUR 35 million or 7% of worldwide turnover for its gravest breaches, Article 99), CADA only lists Union turnover as one of several non-binding factors. The final figure would depend on national law, which may or may not impose its own cap.

"The Article 24(2) criteria are exhaustive." The text expressly calls them "non-exhaustive." Authorities may consider other relevant factors, so addressing only the six listed points would not guarantee a favourable assessment.

"Only the Commission imposes penalties." Enforcement is decentralised. The Commission does not fine providers directly; Article 25 designates national competent authorities, and the authority of the main establishment has exclusive competence (Article 25(4)). You would deal with a national regulator, not the Commission.

"Penalties only follow technical failures." Article 24 would reach any infringement of the sovereignty framework, including transparency breaches and recognition-process failures. Failing to report a material change under Article 23, or supplying incorrect information during recognition under Article 17, could trigger a penalty even where the underlying technical controls were met.

This is general information about a draft EU regulation, not legal advice.