Summary

As proposed, the Cloud and AI Development Act (CADA) does not establish a direct reporting portal for cloud customers to contact the European Commission. Instead, the enforcement mechanism is anchored in the competent authority of establishment (Article 25(4)). If a cloud customer, particularly a public-sector body, suspects a breach, they must notify the provider, triggering the provider's obligation to inform their auditing organisation and the national competent authority of establishment under Article 23. If the customer is in a different Member State than the provider, their national authority can escalate the matter by requesting an assessment from the provider's home authority under Article 28(1). Crucially, for financial losses, customers retain an explicit right to seek compensation from the provider under Article 24(3), exercisable in accordance with Union and national law.

Detail

The proposed Cloud and AI Development Act (CADA) creates a sophisticated, multi-layered enforcement framework designed to protect the Union's public order and strategic autonomy. Unlike consumer protection regulations that often feature direct complaint hotlines, CADA relies on a structured chain of accountability involving cloud providers, independent auditors, and national competent authorities. For a cloud customer, especially a public-sector body mandated to procure specific Union assurance levels, understanding the precise reporting route is essential to trigger the correct regulatory response.

The Central Role of the Competent Authority of Establishment

The cornerstone of CADA's enforcement architecture is the principle of exclusive competence held by the competent authority of establishment. According to Article 25(4), the Member State in which the cloud computing service provider has its main establishment (defined as the location of its head office or registered office where principal financial functions and operational control are exercised) holds exclusive competence for enforcing the sovereignty framework.

This means that regulatory oversight, including the power to investigate suspected infringements, order the cessation of non-compliance, and impose fines, resides solely with the national authority where the provider is legally established. A customer in France cannot report a breach of a German-based provider directly to the French authority for enforcement action. Instead, the regulatory "home" of the provider is the only entity empowered to take direct enforcement measures against that provider.

The Reporting Trigger: Provider Transparency Obligations

For a customer, the reporting process begins not with a government form, but with a contractual and legal notification to the provider. Article 23 imposes strict transparency obligations on recognised cloud computing service providers. If a provider becomes aware of any information or any material change in circumstances that may affect their audit report, their "positive" audit opinion, or their recognition status, they must notify their auditing organisation and the national competent authority of establishment "as soon as possible."

Therefore, the most effective initial step for a customer suspecting a breach (e.g., unauthorized data transfer outside the Union, a change in third-country control, or a failure in cybersecurity standards) is to formally notify the provider. This notification serves as a trigger. Once notified, the provider is legally compelled to assess the situation and, if the change is material, report it to their home authority. The competent authority of establishment then assesses whether the recognition needs to be amended or revoked.

Cross-Border Escalation: The Article 28 Mechanism

A critical complexity arises when the cloud customer is located in a Member State different from the provider's establishment. In such cases, the customer's local authority (the "competent authority of destination") plays a vital role as a watchdog, even though it lacks direct enforcement power over the foreign provider.

Article 28(1) establishes a specific cross-border cooperation mechanism. If a competent authority of destination has reason to suspect that a cloud computing service provider no longer fulfils the requirements set out in Annex II (the criteria for Union assurance levels), it may request the competent authority of establishment to assess the matter.

This request is not merely a suggestion; it initiates a formal obligation. The competent authority of establishment must take the necessary investigatory and enforcement measures to ensure compliance. Furthermore, under Article 28(4), the home authority must communicate its assessment and any measures taken to the requesting authority and the Commission within two months. This ensures that while enforcement remains centralized at the provider's home, destination authorities can effectively flag risks to public order and demand action.

The Right to Compensation

While the regulatory framework focuses on compliance and public order, CADA explicitly acknowledges the private financial impact of breaches on customers. Article 24(3) grants a distinct right to recipients of cloud computing services. It states that recipients shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under the sovereignty chapter.

This provision is significant because it decouples the regulatory penalty (paid to the state) from the civil remedy (paid to the customer). A public-sector body that suffers operational disruption or data loss due to a provider's failure to meet Union assurance levels can pursue civil litigation for damages, independent of the administrative fines imposed by the competent authority.

Penalties and Enforcement Powers

The backbone of this system is the robust set of powers granted to competent authorities under Article 26. These include the power to require information, carry out inspections of premises, and order the cessation of infringements. Authorities can also impose fines or periodic penalty payments. While these powers are exercised by the authority of establishment, the existence of such severe sanctions underscores the gravity of CADA obligations. Public-sector bodies should be aware that their reports can catalyse these formal investigations, potentially leading to the revocation of a provider's recognition status across the entire Union.

What this means for you

For public-sector procurement officers and IT directors, navigating the CADA enforcement landscape requires a proactive approach to risk management and contractual governance. Your organization is legally required to procure services meeting specific Union assurance levels based on risk assessments (Article 29 and Article 30). If you suspect a breach, you must act swiftly to protect public order and data integrity.

  1. Strengthen Contractual Notification Clauses: Ensure your procurement contracts explicitly require the provider to notify you immediately of any security incidents or material changes affecting their assurance status. Conversely, establish a clear, documented process for notifying the provider of your own suspicions of non-compliance. This creates the necessary trigger for the provider's Article 23 obligations.
  2. Engage Your National Competent Authority: If a provider fails to address your concerns, or if the breach involves cross-border implications, contact your national competent authority. They are empowered to initiate the cross-border cooperation process under Article 28(1), formally requesting an investigation by the provider's home authority. Do not attempt to enforce the rules yourself; rely on the authority's statutory powers.
  3. Document for Compensation: Maintain meticulous records of any incidents, including the nature of the breach, the timeline of events, and the specific damages incurred. Under Article 24(3), you have a statutory right to seek compensation. Detailed documentation is vital for any legal proceedings to recover losses under national law.
  4. Monitor the Central Repository: The Commission maintains a central repository of recognised services (Article 22). Regularly verify your provider's status in this repository. A revocation of recognition will be published here, serving as an official alert that the provider no longer meets the required assurance levels.

By following these steps, you ensure that your organization fulfills its role in the CADA ecosystem, maintaining the security, sovereignty, and compliance of public-sector cloud usage.

Common misconceptions

  • Misconception: "I can report a breach directly to the European Commission."
    • Reality: The Commission does not handle individual breach reports or investigations. Enforcement is decentralized to national competent authorities, specifically the authority of the provider's establishment (Article 25(4)). The Commission's role is limited to coordination, maintaining the central repository, and resolving disputes between authorities.
  • Misconception: "The destination Member State's authority can directly fine a non-compliant provider."
    • Reality: Only the competent authority of the provider's establishment has the exclusive power to enforce the sovereignty framework and impose penalties (Article 25(4)). The destination authority can only request an assessment and enforcement action from the home authority under Article 28(1).
  • Misconception: "CADA provides a specific EU-wide compensation fund for breaches."
    • Reality: CADA recognizes the right to seek compensation under Article 24(3), but it does not create a new EU-wide compensation fund or scheme. Compensation is sought through existing national legal systems in accordance with Union and national law.
  • Misconception: "Only severe security breaches need to be reported."
    • Reality: Article 23 requires providers to report any material change in circumstances that may affect their audit report or recognition status. This includes changes in subcontractors, data localization practices, or governance structures, not just active security incidents.

This is general information about a draft EU regulation, not legal advice.