Summary Under the proposed Cloud and AI Development Act (CADA), mutual assistance (Article 27) and cross-border cooperation (Article 28) are distinct enforcement mechanisms serving different regulatory functions. Mutual assistance is a horizontal tool for information exchange and investigative support between national competent authorities, triggered when specific data is needed to exercise investigative powers. Cross-border cooperation is a vertical mechanism where a destination authority or the European Commission triggers the competent authority of establishment to assess suspected non-compliance and enforce remedies. Both mechanisms impose a strict two-month deadline for the receiving authority to communicate its actions or assessment, ensuring timely resolution of sovereignty risks across the Union.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a "one-stop-shop" enforcement model, vesting exclusive competence for enforcement in the national competent authority of the cloud computing service provider's main establishment (Article 25(4)). However, recognizing that cloud services operate across borders, the proposal creates two specific procedural channels to facilitate interaction between the establishment authority and other stakeholders: mutual assistance and cross-border cooperation. While both mechanisms aim to ensure consistent application of the Union cloud computing sovereignty framework, they differ fundamentally in their triggers, the actors involved, and their intended outcomes.
Mutual Assistance: Horizontal Information Exchange (Article 27)
Article 27 establishes the framework for mutual assistance, which functions primarily as a collaborative tool for information exchange and investigative support. This mechanism is designed to assist the competent authority of establishment in exercising its investigative powers under Article 26 when relevant information is located in another Member State.
Triggers and Scope Under Article 27(2), a competent authority may request other competent authorities to provide specific information in their possession relating to a specific cloud computing service provider. This request is not a general inquiry but a targeted measure to support the exercise of investigative powers, such as inspecting premises or obtaining explanations from staff. The provision explicitly states that the requesting authority may involve other public authorities of the Member State in question if appropriate.
Obligations and Timelines The receiving competent authority is under a strict obligation to comply with such requests. Article 27(3) mandates that the authority must comply and inform the competent authority of establishment about the action taken "as soon as possible and no later than two months after receipt of the request, unless duly justified." This two-month timeline is critical for maintaining the efficiency of cross-border investigations, preventing administrative delays from stalling enforcement actions in the establishment state.
Nature of the Mechanism Mutual assistance is essentially a horizontal cooperation mechanism. It operates between national competent authorities to facilitate the gathering of evidence. It does not, in itself, trigger a new enforcement action or a reassessment of a provider's recognition status; rather, it supports an existing or planned investigation led by the authority of establishment.
Cross-Border Cooperation: Triggering Assessment and Enforcement (Article 28)
In contrast, Article 28 governs cross-border cooperation, a more reactive and enforcement-oriented mechanism. This article addresses scenarios where a competent authority in a Member State where the service is used (the "destination" authority) or the European Commission itself has reason to suspect that a cloud computing service provider no longer fulfills the requirements of the Union assurance levels set out in Annex II.
Triggers and Actors Article 28(1) states that where a competent authority of destination has reason to suspect non-compliance, it may request the competent authority of establishment to assess the matter and take the necessary investigatory and enforcement measures. Crucially, Article 28(2) extends this trigger to the European Commission, which may also request the competent authority of establishment to assess the matter and take necessary measures. This inclusion of the Commission underscores the Union-wide interest in maintaining the integrity of the sovereignty framework, allowing the Commission to step in directly if systemic risks are identified or if national authorities fail to act.
The Assessment Obligation The core function of Article 28 is to compel the authority of establishment to act. Since this authority holds the exclusive power to impose fines, order the cessation of infringements, or revoke recognition (Article 26), a destination authority cannot directly penalize a provider established elsewhere. Cross-border cooperation serves as the procedural bridge, allowing a destination authority to flag a risk and formally require the establishment authority to investigate and enforce.
Timelines and Suspension The process under Article 28 is strictly timed. Article 28(4) mandates that the competent authority of establishment must communicate its assessment of the suspected infringement and an explanation of any investigatory or enforcement measures taken or envisaged to the requesting authority and the Commission "as soon as possible and in any event not later than two months after receipt of the request."
However, Article 28(3) introduces a specific suspension mechanism. If the competent authority of establishment considers the information provided in the request insufficient, it may request additional information. In such cases, "the period set out in paragraph 4 shall be suspended until that additional information is provided." This ensures that the establishment authority is not penalized for delays caused by incomplete initial requests, while still maintaining pressure to resolve the matter once the necessary facts are available.
Key Differences in Trigger, Actors, and Outcome
The distinction between these two mechanisms is vital for understanding the enforcement architecture of the proposed CADA:
| Feature | Mutual Assistance (Article 27) | Cross-Border Cooperation (Article 28) |
|---|---|---|
| Primary Purpose | Information exchange to support investigations. | Triggering assessment and enforcement of suspected non-compliance. |
| Trigger | Need for specific information located in another Member State. | Reason to suspect non-compliance with Union assurance levels. |
| Initiating Actor | Any competent authority (typically establishment or destination). | Destination authority or the European Commission. |
| Target Actor | Competent authority of another Member State. | Competent authority of establishment. |
| Outcome | Provision of data/evidence to support an investigation. | Formal assessment and potential enforcement measures (fines, revocation). |
| Timeline | 2 months to inform of action taken. | 2 months to communicate assessment (suspended if info requested). |
| Commission Role | Not explicitly mentioned as a direct trigger. | Explicitly empowered to trigger the process (Art 28(2)). |
What this means for you
For in-house counsel, compliance officers, and cloud service providers, understanding the operational differences between Article 27 and Article 28 is essential for managing regulatory risk and preparing for potential enforcement actions.
- Prepare for Multi-Jurisdictional Scrutiny: Even though enforcement is centralized at the establishment state, your organization may face inquiries from destination authorities. Under Article 28, a destination authority can trigger a formal assessment by your establishment authority. This means you must be prepared to defend your compliance posture not just to your home regulator, but to any authority in the EU where your services are used.
- Monitor the Two-Month Clock: Both Article 27 and Article 28 impose a strict two-month deadline on authorities to respond or communicate assessments. As a provider, you should anticipate that if a destination authority raises a concern, your establishment authority will likely need to engage with you quickly to gather the necessary information to meet this deadline. Delays in your response could hinder the authority's ability to comply with CADA's procedural timelines, potentially leading to adverse inferences or escalated enforcement.
- Maintain Robust Audit Trails: Mutual assistance requests under Article 27 may seek specific information located in other Member States. Ensure that your data governance and audit trails are robust enough to provide this information quickly and accurately. The ability to demonstrate compliance across borders will be essential when authorities are exchanging information to support investigations.
- Engage Proactively with the Establishment Authority: Since the establishment authority holds the exclusive enforcement power, maintaining a strong relationship with this regulator is crucial. If a destination authority raises a concern under Article 28, your establishment authority will rely on your cooperation to assess the matter. Proactive engagement can help mitigate risks and ensure that any concerns are addressed efficiently before they escalate to formal enforcement measures.
- Understand the Commission's Role: Be aware that the European Commission can directly trigger cross-border cooperation under Article 28(2). This means that even if no national destination authority has raised a concern, the Commission can initiate an assessment if it identifies systemic risks or inconsistencies in the application of the sovereignty framework.
Common misconceptions
"Destination authorities can fine providers directly."
- Reality: Under CADA, only the competent authority of the provider's main establishment has exclusive competence for enforcement (Article 25). Destination authorities can only trigger an assessment via cross-border cooperation (Article 28). They cannot impose fines or revoke recognition directly.
"Mutual assistance and cross-border cooperation are the same."
- Reality: Mutual assistance (Article 27) is for information exchange to support investigations. Cross-border cooperation (Article 28) is for triggering assessments and enforcement actions based on suspected non-compliance. They serve different purposes and have different triggers.
"The two-month deadline is flexible."
- Reality: Both Article 27 and Article 28 set a strict two-month deadline for authorities to respond or communicate assessments. While Article 28 allows for suspension if additional information is requested, the clock resumes once that information is provided. Providers should not assume these deadlines can be extended without cause.
"Only national authorities are involved."
- Reality: The European Commission plays a direct role in cross-border cooperation under Article 28(2). The Commission can request the establishment authority to assess a matter and take enforcement measures, highlighting the Union-wide nature of the sovereignty framework.
Related
- CADA enforcement deadlines: Mutual assistance and cross-border cooperation timelines
- CADA Enforcement: Explanatory Memorandum view on NCAs, penalties & cross-border cooperation
- CADA Cross-Border Cooperation: How Article 28 Works
- CADA Cross-Border Requests: What the Establishment Authority Must Report
- CADA Mutual Assistance: How Authorities Cooperate Across Borders
This is general information about a draft EU regulation, not legal advice.