Summary

Under the proposed Cloud and AI Development Act (CADA), the enforcement of cloud sovereignty relies on a mandatory mutual assistance framework. When a national competent authority of establishment needs specific information located in another Member State to investigate a cloud computing service provider, it may formally request that information from the competent authority of the other Member State, as explicitly outlined in Article 27(2). This request must be targeted to enable the exercise of investigative powers under Article 26. Crucially, the receiving authority is obligated to comply and may involve other public authorities within its jurisdiction to fulfill the request. The receiving authority must inform the requesting authority of the action taken "as soon as possible and no later than two months after receipt of the request, unless duly justified." This mechanism ensures that investigations into cloud sovereignty compliance are not hindered by national borders, allowing for consistent enforcement across the EU.

Detail

The Cloud and AI Development Act (CADA) establishes a harmonized framework for cloud computing sovereignty, recognizing that cloud services are inherently cross-border. To ensure effective supervision, CADA designates a "national competent authority of establishment" in the Member State where a cloud computing service provider has its main establishment (Article 25(4)). This authority holds exclusive competence for enforcing the sovereignty framework (Title IV) for that provider. However, because infrastructure, data, personnel, and subcontractors may be distributed across multiple Member States, the authority of establishment cannot always access the evidence it needs directly.

To bridge this gap, CADA introduces a mutual assistance mechanism in Article 27. This provision mandates that competent authorities and the Commission cooperate closely to apply the sovereignty framework consistently. The core operational mechanism for information exchange is found in Article 27(2), which defines the specific procedural steps for requesting data across borders.

The Request Mechanism under Article 27(2)

Article 27(2) specifies the precise conditions under which one competent authority can request information from another. A competent authority may request other competent authorities to provide "specific information in their possession relating to a specific cloud computing service provider." This request is not a general fishing expedition; it must be targeted to allow the requesting authority to exercise its investigative powers under Article 26 regarding specific information located in the other Member State.

The scope of these investigative powers, detailed in Article 26(1), includes the power to require any cloud computing service provider (or persons acting for their trade) to provide information, the power to carry out inspections of premises, and the power to ask staff for explanations. If the relevant data, documents, or personnel are physically located in a different Member State than the provider's main establishment, the authority of establishment cannot unilaterally compel access under its national law. Instead, it must trigger the mutual assistance process defined in Article 27(2).

Crucially, Article 27(2) allows for broader cooperation beyond just the competent authority. It states that "where appropriate, the competent authority receiving the request may involve other competent authorities or other public authorities of the Member State in question." This flexibility acknowledges that information relevant to cloud sovereignty might be held by data protection authorities, cybersecurity agencies, or other regulatory bodies within the destination Member State. The receiving competent authority acts as the coordinator, ensuring that all relevant domestic entities contribute to fulfilling the request. This ensures that the investigation is comprehensive and not limited by the siloed nature of national regulatory bodies.

Deadlines and Compliance Obligations

The proposal places a strict timeline on the receiving authority to ensure enforcement efficiency. Under Article 27(3), the competent authority receiving the request "shall comply with such request and inform the competent authority of establishment about the action taken." This communication must occur "as soon as possible and no later than two months after receipt of the request, unless duly justified."

This two-month deadline is critical for compliance officers and in-house counsel. It suggests that investigations into sovereignty compliance (such as audits for Union assurance levels or enforcement of recognition decisions) are expected to move with urgency. Delays in providing information could stall the recognition process or enforcement actions. The "unless duly justified" clause provides a safety valve for complex cases, such as those requiring coordination with multiple public authorities or involving sensitive data, but the burden would likely be on the receiving authority to justify any extension beyond the two-month window.

Cross-Border Cooperation and Enforcement Synergy

While Article 27 focuses on mutual assistance and information sharing to support investigations, Article 28 addresses cross-border cooperation in the context of enforcement triggers. If a competent authority of destination suspects that a provider no longer fulfills the requirements under Annex II (the criteria for Union assurance levels), it can request the authority of establishment to assess the matter and take necessary investigatory and enforcement measures.

This creates a two-way street for regulatory oversight:

  1. Article 27: The authority of establishment pulls information from other states to conduct its own investigation using powers under Article 26.
  2. Article 28: An authority of destination pushes a suspicion to the authority of establishment to trigger an investigation.

In both scenarios, the underlying goal is to prevent regulatory arbitrage and ensure that a cloud provider recognized in one Member State meets the sovereignty criteria uniformly across the Union. The central repository of recognized services (Article 22) serves as the public-facing record of these outcomes, but the behind-the-scenes verification relies heavily on the cooperation mechanisms in Articles 27 and 28.

Role of the Commission

The Commission also plays a pivotal role in this ecosystem. Article 27(1) states that competent authorities and the Commission shall cooperate closely. Furthermore, Article 28(2) allows the Commission to directly request the competent authority of establishment to assess a matter and take enforcement measures. This central oversight ensures that systemic risks are addressed even if national authorities are slow to act or lack the resources to investigate complex, multi-jurisdictional cloud providers.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, understanding Article 27 is essential for managing regulatory risk and preparing for audits.

1. Prepare for Cross-Border Data Requests
Your provider's "main establishment" determines which national competent authority has primary jurisdiction. However, do not assume that only that authority will contact you. If your infrastructure, support staff, or subcontractors are located in other Member States, those local authorities may be asked to provide information to the authority of establishment under Article 27(2). Ensure that your internal compliance teams are aware of this dynamic. You may receive inquiries from multiple national bodies, all stemming from a single coordinated investigation.

2. Maintain Organized Records for Rapid Access
The two-month deadline for authorities to respond to assistance requests implies that investigations are time-sensitive. While this deadline applies to the authorities, not directly to you, the pressure will trickle down. If an authority of establishment requests information from an authority of destination, and that information resides with your local entity, your local entity must be able to produce it quickly. Maintain centralized, accessible records of your sovereignty compliance evidence (e.g., audit reports, SBOMs, data flow diagrams, personnel records) to facilitate rapid response.

3. Clarify Roles with Subcontractors and Public Bodies
Article 27(2) allows receiving authorities to involve other public authorities. This could mean that data protection authorities, cybersecurity agencies, or even law enforcement in other Member States may become involved in your sovereignty audit. Ensure that your contracts with subcontractors include clauses that allow for the sharing of necessary information with competent authorities, respecting confidentiality and data protection laws. You need to know who holds what data and whether they can legally disclose it to foreign regulators upon request.

4. Monitor for "Duly Justified" Delays
If you are involved in a recognition process for a Union assurance level and experience delays, it may be due to the mutual assistance process. While the two-month deadline is strict, authorities can request extensions if "duly justified." Be patient but proactive. If you suspect that a delay is hindering your business operations, you may need to engage with the authority of establishment to understand the status of the cross-border information exchange.

Common misconceptions

Misconception 1: Only the authority of establishment can investigate. It is true that the authority of establishment has exclusive competence for enforcement (Article 25(4)). However, this does not mean other authorities are passive. Article 27 allows them to actively gather and transmit information. Furthermore, Article 28 allows an authority of destination to trigger an investigation if it suspects non-compliance. Therefore, any national competent authority in the EU can play a role in your oversight.

Misconception 2: Mutual assistance is limited to the competent authority. Article 27(2) explicitly states that the receiving authority "may involve other competent authorities or other public authorities of the Member State in question." This means that the investigation is not siloed within the cloud sovereignty regulator. Data protection authorities, cybersecurity agencies, or other relevant bodies could be involved in providing information.

Misconception 3: The two-month deadline is for the provider to respond. The two-month deadline in Article 27(3) applies to the competent authority receiving the request, not to the cloud provider. The authority must inform the requesting authority of the action taken within two months. However, this creates an implicit pressure on providers to respond to local authority inquiries quickly, as delays on the provider's part will cause the authority to miss its own deadline.

Misconception 4: Information sharing is optional. The language in Article 27(3) is mandatory: "The competent authority receiving the request pursuant to paragraph 2 shall comply with such request." This is not a discretionary courtesy between states; it is a legal obligation under the proposed Regulation. Authorities cannot refuse to share information simply because it is inconvenient or because they interpret national laws differently.

This is general information about a draft EU regulation, not legal advice.