Summary

The proposed Cloud and AI Development Act (CADA) does not establish fixed EU-wide maximum fines for cloud computing service providers, unlike the General Data Protection Regulation (GDPR), which sets strict caps of €20 million or 4% of global turnover. Instead, Article 24 of the CADA proposal requires Member States to define their own penalty regimes. While GDPR fines are harmonised and capped, CADA penalties are nationally determined but must be "effective, proportionate and dissuasive." Crucially, CADA lists "annual turnover in the Union" as a specific criterion for calculation, contrasting with the GDPR's "total worldwide annual turnover." Both regimes require penalties to be effective, proportionate, and dissuasive, but CADA leaves the specific quantum to national discretion.

Detail

The enforcement architecture of the proposed Cloud and AI Development Act (CADA) represents a significant departure from the harmonised, high-stakes penalty model of the GDPR. To understand the financial risk landscape for cloud providers, one must distinguish between the fixed, EU-wide caps of the GDPR and the flexible, Member State-centric approach of CADA.

The GDPR Model: Harmonised Caps and Global Turnover

The GDPR (Regulation (EU) 2016/679) is designed to ensure a consistent level of data protection across the Single Market. To achieve this, Article 83 of the GDPR establishes a uniform framework for administrative fines with explicit maximum ceilings. This structure provides legal certainty: an undertaking knows the absolute maximum liability regardless of the Member State where the violation occurs.

The GDPR operates on two primary tiers:

  1. Lower Tier: Up to €10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. This applies to infringements of procedural obligations, such as record-keeping, security measures, or breach notification.
  2. Higher Tier: Up to €20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. This applies to core principles violations, including lawful basis for processing, consent requirements, and data subject rights.

The phrase "total worldwide annual turnover" is critical. It ensures that fines scale with the size of the offender on a global basis, preventing large multinational corporations from treating fines as a mere cost of doing business. The "whichever is higher" clause guarantees that the penalty is always significant relative to the entity's scale.

The CADA Model: Member State Discretion with EU Criteria

In contrast, the CADA proposal (COM(2026) 502 final) adopts a decentralised approach to penalties. Article 24 of the proposal outlines the framework for penalties applicable to infringements of the sovereignty chapter (Title IV, Chapter I) by cloud computing service providers.

Article 24(1) mandates:

"Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive."

This provision places the burden on individual Member States to define the severity of financial sanctions within their national laws. CADA does not set a fixed maximum fine in euros or as a percentage of turnover at the EU level. Instead, it sets a qualitative standard: penalties must be "effective, proportionate and dissuasive."

However, the EU framework is not entirely silent on how these penalties should be calculated. Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account when imposing penalties. These criteria include:

  • The nature, gravity, scale and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage caused by the infringement.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party due to the infringement.
  • The infringing party's annual turnover in the preceding financial year in the Union.

The specific phrasing of the turnover criterion is a key differentiator. CADA explicitly references "annual turnover... in the Union." This contrasts sharply with the GDPR's reference to "total worldwide annual turnover." This geographic limitation suggests that for multinational corporations with significant non-EU revenue, the penalty base under CADA could be lower than under the GDPR, unless a Member State interprets the requirement for "dissuasive" penalties to necessitate a broader financial assessment.

Why the Legislative Divergence?

The difference in penalty architecture stems from the distinct policy objectives and legal bases of the two instruments.

The GDPR is a fundamental rights regulation with a direct effect on the internal market regarding personal data. Its harmonised caps prevent "forum shopping," where companies might choose to operate in Member States with historically lower enforcement cultures. The uniform "stick" is necessary to deter global tech giants from mishandling personal data across borders.

CADA, as proposed, focuses on technological sovereignty, operational resilience, and reducing dependency on third-country providers. The penalties under Article 24 target failures in the sovereignty framework, such as:

  • Providing false information in a conformity self-assessment (Union Assurance Level 1).
  • Failing to undergo independent audits (Levels 2-4).
  • Breaching transparency obligations regarding material changes.
  • Non-compliance with the recognition procedures for Union assurance levels.

The EU legislator appears to have chosen flexibility to allow Member States to align CADA penalties with existing national regulatory traditions for critical infrastructure, cybersecurity, and public procurement. This approach acknowledges that sovereignty risks may manifest differently across Member States and that national authorities are best positioned to calibrate the "dissuasive" nature of fines within their specific legal and economic contexts.

Compensation Rights: A Dual Liability Landscape

A distinct feature of CADA Article 24 is the explicit inclusion of private compensation rights, which operate alongside the regulatory fines. Article 24(3) states:

"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

While the GDPR also allows for compensation under Article 82, CADA explicitly ties this right to infringements of the sovereignty and assurance level obligations. This creates a dual liability landscape for cloud providers:

  1. Regulatory Fines: Imposed by national competent authorities under Article 24(1) and (2).
  2. Civil Liability: Claims for damages from public or private sector clients who suffer losses due to a provider's failure to maintain its declared assurance level.

For example, if a public body relies on a Level 3 cloud service for law enforcement activities and the provider fails to meet the personnel citizenship requirements (Annex II 3.1(d)), the public body could face operational risks. Under Article 24(3), the public body could seek compensation for the resulting damages, in addition to the provider facing a national fine.

What this means for you

For in-house counsel, compliance officers, and risk managers, the lack of fixed caps in CADA introduces a layer of jurisdictional complexity that does not exist under the GDPR.

1. Map National Penalties, Not EU Caps

You cannot assume a single EU-wide fine cap for CADA violations. Unlike the GDPR, where the ceiling is known (€20m/4%), CADA requires you to monitor the transposition of Article 24 in each Member State where your cloud services are recognised or where you have your main establishment. The maximum fine in France may differ significantly from that in Germany or Spain, even for the same infringement. You must review national implementing laws to determine the specific quantum of liability.

2. Audit Trails for Mitigation are Legal Defences

Because Article 24(2)(b) explicitly lists "any action taken by the infringing party to mitigate or remedy the damage" as a mandatory criterion for penalty imposition, robust incident response and remediation protocols are not just operational best practices—they are direct legal defences. If a sovereignty criterion is breached (e.g., accidental data transfer outside the Union), documenting swift corrective actions will be critical in arguing for a reduced penalty.

3. Turnover Calculations: Union vs. Global

Be aware that the turnover criterion in CADA is limited to "in the Union." If your company has minimal EU turnover but significant global revenue, the "dissuasive" threshold set by a Member State might be lower than what you would face under the GDPR. Conversely, if your EU turnover is high, penalties could still be substantial. Financial modelling for CADA risk should focus on EU-specific revenue streams rather than global consolidated figures.

4. Contractual Risk Allocation

With Article 24(3) granting recipients the right to seek compensation, review your cloud service agreements (CSAs) and public procurement contracts. Ensure that liability clauses account for potential breaches of sovereignty assurance levels. Clients may seek damages not just for service downtime, but for the loss of their own compliance status if your service fails to meet the Union Assurance Level they relied upon. Consider whether your current liability caps are sufficient to cover potential CADA-related damages.

5. Dual Compliance Regimes

Remember that CADA operates alongside the GDPR. A single incident could trigger both regimes. For example, unauthorised access to data by a third-country actor could trigger:

  • GDPR fines (Article 83) for a data protection breach (potentially up to 4% of global turnover).
  • CADA penalties (Article 24) for failing to meet the technical/organisational measures of the relevant Assurance Level (e.g., failure to prevent third-country control).

Your compliance framework must address both regimes simultaneously, as the criteria for infringement and the calculation of penalties differ.

Common misconceptions

Misconception 1: "CADA fines are capped at 4% of global turnover like the GDPR." This is incorrect. Article 24 of CADA does not set a fixed percentage cap. While turnover is a criterion, the maximum amount is determined by Member States. Some Member States may set caps based on Union turnover and others may use fixed amounts, but there is no harmonised EU ceiling.

Misconception 2: "CADA penalties are only for data privacy breaches." CADA penalties under Article 24 apply to infringements of the sovereignty framework (Title IV, Chapter I). This includes failures in conformity self-assessments, independent audits, transparency obligations, and recognition procedures. While data protection is a component of sovereignty (especially at higher assurance levels), the primary focus is on operational autonomy, data localisation, and freedom from third-country control, not just GDPR compliance.

Misconception 3: "If we comply with the GDPR, we are immune to CADA fines." GDPR compliance is necessary but not sufficient for CADA compliance. You can fully comply with GDPR data transfer mechanisms (like Standard Contractual Clauses) but still fail CADA Assurance Level 2 or 3 criteria if you do not meet the stricter requirements for data localisation, personnel screening, or absence of third-country control. Infringing these CADA-specific criteria triggers Article 24 penalties, regardless of GDPR status.

Misconception 4: "CADA fines are automatic and fixed." No. Like the GDPR, CADA penalties are discretionary. Member State authorities must consider the criteria in Article 24(2), such as the gravity of the infringement, mitigation efforts, and financial benefits gained. The penalties are not automatic; they are imposed based on an assessment of the specific circumstances.

This is general information about a draft EU regulation, not legal advice.