Summary

Under the proposed Cloud and AI Development Act (CADA), national competent authorities supervise cloud providers through a centralized "exclusive competence" model. The authority in the Member State where the provider has its main establishment holds sole enforcement power, preventing fragmented oversight. Day-to-day supervision is not continuous manual monitoring but is triggered by the provider's mandatory transparency obligations under Article 23, which require immediate notification of any material changes affecting their Union assurance level. Authorities exercise robust investigative and enforcement powers under Article 26 only when necessary to verify compliance or investigate suspected infringements, relying heavily on independent audit reports for levels 2–4.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous yet streamlined supervisory framework for cloud computing service providers seeking recognition under the Union assurance levels (1–4). The system is designed to balance the need for strict sovereignty compliance with the operational reality of cross-border cloud services, avoiding the inefficiencies of multiple national regulators inspecting the same provider.

Exclusive Competence and the "Single Point of Contact"

The cornerstone of CADA's supervisory architecture is the principle of exclusive competence. Article 25(4) explicitly states that the Member State in which the cloud computing service provider has its "main establishment", defined as the location of its head office or registered office from which principal financial functions and operational control are exercised, shall have exclusive competence for enforcing the sovereignty framework.

This provision ensures that a provider operating across the EU is not subject to conflicting supervisory orders or duplicate inspections from multiple Member States. Instead, all enforcement actions, recognition decisions, and investigations are centralized in the authority of the establishment state. This "single point of contact" approach is critical for legal certainty and administrative efficiency.

To ensure this exclusive authority can function effectively, Article 25(3) imposes a strict obligation on Member States. It mandates that competent authorities must have "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence." This clause acknowledges that supervising complex cloud architectures, verifying data localization, and assessing third-country control risks requires specialized expertise and funding, which Member States must guarantee as a condition of the regulation.

Investigative and Enforcement Powers (Article 26)

While the model relies on centralized competence, the powers available to these authorities are extensive. Article 26 outlines the specific investigative and enforcement powers that competent authorities may exercise "where needed to carry out their tasks under Article 17" (the recognition of assurance levels). These powers are not intended for continuous, daily monitoring but are triggered by specific needs, such as verifying evidence submitted for recognition, investigating suspected non-compliance, or responding to material change notifications.

Investigative powers under Article 26(1) include:

  • Information Requests: The power to require any cloud computing service provider, subcontractors, or auditing organizations to provide information relating to a suspected infringement.
  • Inspections: The power to carry out, or request a judicial authority to order, inspections of any premises used for trade, business, or profession. This includes the right to examine, seize, take, or obtain copies of information in any form, irrespective of the storage medium.
  • Questioning: The power to ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with consent, to record their answers.

Enforcement powers under Article 26(2) include:

  • Cessation Orders: The power to order the cessation of infringements and impose proportionate remedies necessary to bring the infringement to an end.
  • Fines: The power to impose fines for failure to comply with the Regulation or with investigative orders.
  • Periodic Penalty Payments: The power to impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order.

Crucially, Article 26(3) requires that all measures taken be "effective, dissuasive and proportionate." Authorities must consider the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider. This ensures that enforcement is tailored to the specific risk and the provider's ability to comply.

The Role of Transparency and Audits in Daily Supervision

Day-to-day supervision under CADA is largely event-driven rather than continuous. Providers do not face daily regulatory audits or constant manual monitoring of their infrastructure. Instead, the supervisory loop is fed by the provider's own transparency obligations and the independent audit process.

Transparency Obligations (Article 23): Article 23 creates a critical feedback mechanism for supervision. It requires recognized cloud computing service providers to notify the auditing organization and the national competent authority "as soon as possible" of any information or material change in circumstances that may affect their audit report, audit opinion, or recognition.

This obligation transforms the provider into an active participant in its own supervision. The process typically follows this flow:

  1. Detection: The provider identifies a material change (e.g., a change in subcontractor location, a shift in ownership structure, or a modification of data residency).
  2. Notification: The provider notifies the competent authority immediately.
  3. Assessment: The auditing organization assesses whether the audit report or opinion needs amendment or revocation.
  4. Regulatory Action: The competent authority assesses whether the recognition needs amendment or revocation.

If the authority amends or revokes recognition, it must notify other Member States and the Commission (Article 23(3)). This mechanism ensures that supervision is responsive to real-world changes without requiring constant regulator intervention.

Audit-Driven Supervision: For Union assurance levels 2, 3, and 4, providers must undergo independent third-party audits (Article 20). The competent authority relies heavily on these audit reports and opinions to maintain recognition. The authority's role is to verify the auditor's work and the provider's compliance with the recognition procedure (Article 17), rather than to re-audit the technical infrastructure itself. This leverages private-sector expertise while maintaining public oversight.

Cross-Border Cooperation and Mutual Assistance

Supervision is not entirely siloed within the state of establishment. Article 27 establishes principles of mutual assistance between competent authorities. If an authority in a Member State where the service is used (the "destination" authority) suspects non-compliance, it can request the "establishment" authority to investigate. Article 28 further details cross-border cooperation, allowing destination authorities to request the establishment authority to assess suspected infringements and take necessary investigatory or enforcement measures. This ensures that issues detected in one Member State can be addressed by the authority with exclusive competence, maintaining consistency across the Union.

What this means for you

For in-house counsel and compliance officers, the CADA supervisory model implies a shift from reactive defense to proactive documentation and transparency.

  1. Identify Your Competent Authority: Determine your main establishment in the EU. This single authority will be your primary regulatory counterpart for sovereignty recognition. Ensure your compliance team knows their contact details and procedures.
  2. Implement Material Change Monitoring: Your internal systems must be able to detect "material changes" in circumstances (e.g., changes in subcontractor locations, data residency, or corporate control) that could affect your assurance level. Under Article 23, you must notify the competent authority immediately upon detection. Delayed notification is a compliance risk.
  3. Prepare for Investigative Requests: While daily oversight is light, the powers under Article 26 are significant. Ensure your legal and technical teams are prepared to provide information, grant access to premises, and answer questions from regulators if an investigation is triggered. Document your internal controls to demonstrate compliance efficiently.
  4. Engage with Auditors: Since supervision is audit-driven for levels 2–4, your relationship with your auditing organization is critical. Ensure they have the access and cooperation needed to perform thorough audits, as their reports directly feed the regulator's supervision.
  5. Budget for Compliance: Article 25(3) implies regulators will have resources to supervise effectively. Do not assume oversight will be lax. Invest in robust documentation, audit readiness, and legal support to handle potential enforcement actions, including fines under Article 24.

Common misconceptions

  • "Each Member State can inspect my EU-wide service." Incorrect. Article 25(4) grants exclusive competence to the authority in the Member State of establishment. Other Member States can request assistance, but they cannot directly enforce against the provider.
  • "Regulators will continuously monitor my infrastructure." Incorrect. Supervision is primarily based on self-declaration (Level 1), independent audits (Levels 2–4), and provider notifications of material changes (Article 23). Regulators intervene when audits fail, notifications indicate risk, or complaints arise.
  • "Only technical cybersecurity matters for supervision." Incorrect. CADA supervision covers sovereignty criteria, including data localization, personnel citizenship, absence of third-country control, and software supply chain transparency (Annex II). Compliance with these non-technical sovereignty aspects is as critical as cybersecurity.
  • "I can ignore changes if they don't affect my audit opinion immediately." Incorrect. Article 23 requires notification of any material change that may affect the audit report or recognition. Waiting for an audit to fail is a compliance violation. Proactive notification is mandatory.

This is general information about a draft EU regulation, not legal advice.