Summary Under the proposed Cloud and AI Development Act (CADA), there is no single, EU-wide administrative tribunal to appeal enforcement decisions. Instead, the right to challenge fines, investigative orders, or cessation mandates is exercised exclusively through the national courts of the Member State where the cloud provider has its "main establishment." Article 26(4) of the proposal mandates that national procedures must guarantee the right to an effective judicial remedy, the rights of defence (including the right to be heard and access to the file), and respect for private life. While the substantive rules of CADA are uniform, the procedural mechanics of the appealβ€”timelines, filing requirements, and court structuresβ€”are governed by the national law of that Member State, provided they meet these minimum EU safeguards.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a robust framework for cloud sovereignty and data-centre resilience. A critical component of this framework is the enforcement regime, which grants national competent authorities significant powers to investigate and penalize non-compliance. For cloud service providers, understanding the mechanism to contest these actions is vital. Unlike regulations that centralize enforcement at the EU level (such as certain aspects of the Digital Markets Act), CADA relies on the national judicial systems of Member States to provide remedies, ensuring that enforcement actions respect the procedural guarantees inherent in the rule of law.

The Legal Basis for Appeals: Article 26(4)

The cornerstone of the appeal process under CADA is Article 26(4). This provision explicitly addresses the procedural safeguards required when national competent authorities exercise their investigative and enforcement powers. It states that measures taken by these authorities "shall be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file, and shall be subject to the right of all affected parties to an effective judicial remedy."

This clause creates a dual obligation:

  1. Procedural Guarantees: Before a final decision is rendered, or during the administrative phase, the provider must be afforded the right to be heard (the opportunity to present their case and evidence) and the right to have access to the file (the ability to review the evidence held by the authority).
  2. Judicial Remedy: The final decision is not the end of the road. The provider has a guaranteed right to challenge the decision in court.

Crucially, Article 26(4) specifies that these rights are exercised "under applicable national law in compliance with the general principles of Union law." This means that while the existence of the right to appeal is an EU mandate, the process of appealing is national. You must file your appeal in the courts of the Member State where the competent authority is established, following that country's specific administrative or judicial procedural codes.

Scope of Appealable Decisions

To effectively appeal, a provider must understand which actions are subject to challenge. Article 26(1) and Article 26(2) grant national competent authorities broad powers that can be contested:

  • Investigative Measures: Under Article 26(1), authorities can require information, conduct inspections of premises, seize or copy data, and ask staff for explanations. If a provider believes an inspection was conducted without proper legal basis, exceeded its scope, or violated privacy rights, these actions can be challenged.
  • Enforcement Orders: Under Article 26(2), authorities can order the cessation of infringements, impose fines for non-compliance, or levy periodic penalty payments to force compliance.
  • Proportionality Arguments: Article 26(3) requires that any measure taken be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the provider. A provider can appeal a fine or order by arguing that it fails this proportionality test.

The "Main Establishment" Principle and Jurisdiction

Determining where to appeal is governed by Article 25(4). This article establishes the principle of exclusive competence: the Member State where the cloud service provider has its "main establishment" (defined as the place where the principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter of CADA.

This creates a "single point of contact" for enforcement. Consequently, the appeal path is singular:

  • If your main establishment is in Germany, you appeal to German courts.
  • If your main establishment is in Ireland, you appeal to Irish courts.

This principle applies even in cross-border scenarios. Under Article 28, if a competent authority in a "destination" Member State suspects non-compliance by a provider established elsewhere, it must request the "authority of establishment" to take action. If that authority of establishment issues a fine or order, the appeal is still lodged in the Member State of establishment, not the destination state.

Procedural Safeguards: Access to the File and Right to Be Heard

While the appeal is a national judicial matter, CADA embeds specific procedural rights that providers can invoke to strengthen their defence:

  1. Access to the File: Article 26(4) guarantees the right to access the file. In the context of an appeal, this is critical. It allows the provider to review the evidence the competent authority relied upon to justify the enforcement decision. This includes audit reports, technical assessments, and witness statements. Without access to the file, a provider cannot effectively challenge the factual basis of a fine or order.
  2. Right to Be Heard: Before a final decision is adopted, the provider must be given the opportunity to present their observations. This aligns with the EU principle of audi alteram partem. If an authority fails to hear the provider before issuing a decision, that procedural flaw can be a ground for annulment in national court.
  3. Confidentiality and Trade Secrets: While not explicitly detailed in Article 26, the general principles of Union law and the context of CADA (which deals with sensitive technical data) imply a duty to protect trade secrets. During the appeal process, providers can request that sensitive technical information or audit evidence be treated confidentially, preventing its disclosure to competitors or the public.

Interaction with Other EU Laws

It is important to distinguish CADA's enforcement from other regulatory regimes. For example, the GDPR has its own supervisory authorities and specific appeal mechanisms. CADA's sovereignty framework is distinct. If a provider is penalized for failing to meet Union Assurance Level criteria (e.g., data localization or personnel citizenship requirements under Annex II), the appeal is strictly under CADA's Article 26 framework in national courts.

Furthermore, Article 24 requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." When appealing, a provider can challenge whether the national penalty regime itself complies with these EU standards, though this is a higher bar of review than challenging a specific fine amount.

What this means for you

As a cloud service provider or data centre operator, your compliance strategy must include a robust legal contingency plan for enforcement actions.

  1. Identify Your Jurisdiction Early: Determine your "main establishment" as defined in Article 25(4). This is the Member State whose courts will hear your appeals. Ensure your legal team has specific expertise in the administrative and judicial procedures of that country, as they will govern the appeal process.
  2. Assert Your Rights of Defence Proactively: During any investigation or inspection under Article 26(1), explicitly invoke your right to access the file and your right to be heard. Do not wait for the final decision. Document all interactions with authorities to ensure these rights were respected.
  3. Prepare for Proportionality Challenges: If a fine is imposed, gather evidence of your economic capacity, the steps taken to mitigate the infringement, and the technical complexity of the issue. Article 26(3) allows for consideration of your economic, technical, and operational capacity. A disproportionate fine is a strong ground for appeal in national court.
  4. Protect Sensitive Data: If an enforcement decision relies on sensitive technical data or audit evidence, ensure you have requested confidentiality protections under national law, leveraging the safeguards implied by Article 26(4) and general EU principles.
  5. Monitor National Transposition: Since CADA is a proposal, the final text may change. Once adopted, Member States will have a transition period to designate competent authorities and establish penalty regimes. Stay updated on which national authority is designated in your Member State of establishment and how they have transposed the procedural safeguards.

Common misconceptions

Misconception 1: There is an EU-wide appeal tribunal for CADA. Reality: No. CADA does not create a centralized EU agency with appellate jurisdiction over enforcement decisions. All appeals are handled by national courts in the Member State of the provider's main establishment.

Misconception 2: You can appeal to the European Commission directly. Reality: The Commission plays a coordinating and oversight role, particularly in cross-border disputes (e.g., Article 17(10) for recognition disputes), but it does not act as an appellate court for standard enforcement fines or investigative orders issued by national competent authorities.

Misconception 3: The appeal process automatically pauses all enforcement actions. Reality: While national laws vary, enforcement measures like periodic penalty payments or orders to cease infringements may remain in force during an appeal unless the national court grants a stay of execution. You must actively seek such a stay if necessary.

Misconception 4: CADA penalties are separate from GDPR penalties. Reality: While CADA has its own penalty regime (Article 24), a single action might trigger breaches of multiple laws (e.g., CADA and GDPR). However, the ne bis in idem principle (not being punished twice for the same offense) may apply. Your legal counsel must navigate the interaction between these regimes during an appeal.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.