Summary
Under the proposed Cloud and AI Development Act (CADA), recipients of cloud computing services have a statutory right to seek compensation from providers for damages caused by infringements of the sovereignty framework. As explicitly stated in Article 24(3), these claims are not processed by EU regulators or a central fund; they must be routed through national courts and governed by applicable Union and national law. This civil remedy operates cumulatively alongside administrative penalties, meaning a provider can face both state-imposed fines and civil liability to affected customers for the same infringement.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous "Union cloud computing sovereignty framework" (Title IV, Chapter I). This framework categorizes cloud services into four "Union assurance levels" based on criteria such as establishment in the Union, data localization, personnel citizenship, and the absence of third-country control. To ensure these standards are met, the proposal imposes strict obligations on cloud computing service providers, including mandatory independent audits for higher assurance levels, transparency regarding material changes, and adherence to specific cybersecurity certification standards.
When a provider fails to meet these obligations, the Regulation provides for two distinct and parallel consequences:
- Administrative Penalties: Imposed by national competent authorities on the provider, payable to the state.
- Civil Compensation: Paid by the provider to the customer (recipient) for damages suffered.
While the administrative enforcement mechanism is detailed in Articles 24(1) and 24(2), the right to civil redress is anchored in Article 24(3). This provision is the primary legal hook for any entity seeking financial recovery from a non-compliant cloud provider under the proposed Act.
The Statutory Right to Compensation (Article 24(3))
Article 24(3) of the CADA proposal is the definitive source for the right to compensation. It states verbatim:
"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This text establishes three critical legal principles for in-house counsel and compliance teams:
- The Right is Substantive: The Regulation creates a direct right to compensation for "any damage or loss." It does not merely suggest that national laws might allow for such claims; it affirms the right exists.
- The Scope is Limited to "This Chapter": The right applies specifically to infringements of obligations under Title IV, Chapter I (Articles 16–24). This covers the sovereignty framework, including recognition procedures, conformity assessments, audit requirements, and transparency obligations. It does not automatically cover general service outages or data breaches unless those events stem directly from a breach of these specific sovereignty obligations (e.g., a breach caused by a provider failing to maintain the required "substantial" cybersecurity certification for Level 2).
- The Mechanism is Delegated: Crucially, the phrase "in accordance with Union and national law" indicates that CADA does not create a harmonized EU civil liability regime. It does not define the statute of limitations, the standard of proof (e.g., strict liability vs. fault-based), or the procedural rules for filing. These elements remain entirely dependent on the national law of the Member State where the claim is brought, potentially supplemented by relevant Union private international law rules (such as the Rome I and Rome II Regulations).
How the Claim Process Works in Practice
Because CADA defers to national legal systems, there is no single "CADA court" or EU-wide compensation fund. The process for a recipient seeking compensation involves navigating the domestic legal landscape of the relevant Member State.
1. Jurisdiction and Venue
Claims would typically be brought in the national courts of the Member State where:
- The damage occurred (e.g., where the recipient's operations were disrupted).
- The defendant (the cloud provider) is domiciled.
- The contract was performed.
If the provider is established in a different Member State than the recipient, the claimant must determine the correct forum under the Brussels I bis Regulation (Regulation (EU) No 1215/2012). The "establishment" of the provider is a key factor in CADA (Article 25), which may influence jurisdictional arguments.
2. Legal Basis: Contract vs. Tort
The claim will likely be framed under one of two national legal theories, depending on the jurisdiction:
- Contract Law: If the provider's infringement constitutes a breach of the service agreement (e.g., a warranty that the service meets Union Assurance Level 3), the claim is a breach of contract. The infringement of CADA obligations serves as the factual basis proving the breach.
- Tort/Delict Law: If there is no direct contract, or if the claim is based on negligence or strict liability for the harm caused by the regulatory breach, the claim proceeds under national tort law. The infringement of CADA obligations establishes the "wrongful act."
3. Elements of Proof
To succeed, the recipient must prove three elements, consistent with general principles of civil liability in the EU:
- Infringement: Evidence that the provider violated an obligation under Title IV, Chapter I. This could be a revoked recognition status (Article 22), a failure to undergo a required audit (Article 20), or a failure to report material changes (Article 23).
- Damage or Loss: Actual financial loss. This could include:
  - Costs of migrating data to a compliant provider.
  - Operational downtime and lost productivity.
  - Fines or penalties the recipient faced because they relied on a non-compliant provider (e.g., a public body forced to procure a non-compliant service).
  - Reputational damage or legal costs.
- Causation: A direct causal link between the provider's infringement and the loss suffered. The recipient must demonstrate that the loss would not have occurred "but for" the provider's failure to comply with CADA.
Relationship to Administrative Penalties
A common point of confusion is the relationship between the fines imposed by the state and the compensation paid to the customer. Article 24 makes it clear that these are cumulative mechanisms.
- Administrative Penalties (Article 24(1)-(2)): Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." These are imposed by national competent authorities (designated under Article 25) and are paid to the state treasury. The criteria for these fines include the nature, gravity, and duration of the infringement, as well as the provider's annual turnover.
- Civil Compensation (Article 24(3)): This is a private right of action. The compensation is paid directly to the recipient.
The existence of an administrative fine does not extinguish the right to civil compensation. Conversely, a civil settlement between the provider and the recipient does not prevent the competent authority from imposing an administrative penalty. The state's interest in enforcing the sovereignty framework (public order) is distinct from the private interest of the recipient in recovering losses.
Scope of "Infringement" Under This Chapter
The right to compensation is triggered by infringements of obligations under Title IV, Chapter I. This includes, but is not limited to:
- Article 16: The establishment of the sovereignty framework itself.
- Article 17: The recognition procedures for Union assurance levels.
- Article 19: The conformity self-assessment for Level 1.
- Article 20: The requirement for independent third-party audits for Levels 2, 3, and 4.
- Article 21: The content and quality of audit evidence.
- Article 22: The maintenance of the central repository of recognized services.
- Article 23: The transparency obligations to report material changes.
Example Scenario: A cloud provider claims to offer Union Assurance Level 3. A public sector body relies on this claim to procure the service, as required by Article 30(3). However, the provider has not undergone the required independent audit (breach of Article 20) and has failed to report that a third-country entity now controls its infrastructure (breach of Article 23).
- Administrative Consequence: The national competent authority investigates, finds the infringement, and imposes a fine under Article 24(1).
- Civil Consequence: The public sector body, having been forced to migrate its critical data to a compliant provider at significant cost, sues the original provider under Article 24(3) for the migration costs and operational disruption.
What this means for you
For in-house counsel, procurement officers, and compliance teams, understanding the mechanics of Article 24(3) is essential for risk management, contract drafting, and incident response.
1. Contractual Safeguards and Indemnities
While Article 24(3) provides a statutory right to compensation, relying solely on litigation can be costly and uncertain due to varying national procedural rules.
- Action: When procuring cloud services, especially those requiring Union Assurance Levels 2, 3, or 4, ensure your Master Service Agreements (MSA) and Service Level Agreements (SLA) explicitly reference CADA compliance.
- Clause Strategy: Include specific indemnification clauses that cover all losses resulting from the provider's failure to maintain their recognized assurance level or their breach of transparency obligations (Article 23). Define "infringement" broadly to include any breach of Title IV, Chapter I. This creates a contractual pathway for recovery that may be faster and more predictable than a tort claim.
2. Evidence Preservation
To successfully claim compensation, the burden of proof lies with the recipient. You must be able to demonstrate the infringement and the resulting damage.
- Action: Maintain rigorous records of:
  - The provider's stated assurance level and the evidence provided (e.g., the EU statement of conformity for Level 1, or the audit report for Level 2+).
  - Any notifications from the provider regarding material changes (as required by Article 23).
  - Documentation of any losses incurred due to service disruption, data migration, or regulatory non-compliance stemming from the provider's actions.
  - Records of the provider's status in the central repository (Article 22) at the time of procurement.
3. Monitoring the Central Repository
Article 22 requires the Commission to maintain a central repository of recognized services. National competent authorities must register services here, and revocations must be published.
- Action: Implement a monitoring process to check the repository regularly. If a provider's recognition is revoked or amended, and they fail to notify you promptly (a breach of Article 23), this delay could form the basis of a compensation claim if you suffer loss as a result of continuing to use a non-compliant service.
4. Distinction from General Liability
Article 24(3) is specific to infringements of the sovereignty framework.
- Clarification: General data breaches (e.g., a hack due to poor password hygiene) or general service outages not linked to a CADA sovereignty obligation (e.g., a server failure in a compliant data center) may still be claimable under general contract law or the GDPR. However, the specific statutory hook provided by CADA applies only to sovereignty-related failures (e.g., data leaving the Union, lack of EU citizenship for personnel, or lack of required certification).
5. Cross-Border Complexity
If your provider is established in a different Member State than you are, or if the data processing occurs across borders, determining the applicable national law for the compensation claim can be complex.
- Action: The Rome I Regulation (contractual obligations) and Rome II Regulation (non-contractual obligations) will likely apply to determine the governing law. Early legal advice is recommended to navigate these jurisdictional issues, as the standard of proof and available damages can vary significantly between Member States.
Common misconceptions
Misconception 1: CADA creates a new EU-wide liability regime.
Reality: CADA does not harmonize civil liability rules across the EU. Article 24(3) explicitly states that compensation is sought "in accordance with Union and national law." This means the procedural rules, statutes of limitations, standards of proof, and caps on damages will vary significantly depending on the Member State where the claim is brought.
Misconception 2: You can claim compensation directly from the European Commission.
Reality: The Commission plays a role in maintaining the central repository and adopting delegated acts, but it does not adjudicate private compensation claims. Claims are strictly between the recipient and the provider, enforced through national courts. The Commission has no role in awarding damages.
Misconception 3: Administrative fines replace civil compensation.
Reality: The two mechanisms are cumulative. A fine paid to the state does not compensate the victim for their losses. Conversely, a civil settlement does not prevent the state from imposing administrative penalties. Both can occur simultaneously for the same infringement.
Misconception 4: Only public sector bodies can claim compensation.
Reality: Article 24(3) refers to "Recipients of the cloud computing services." While the procurement obligations in Articles 29-30 focus on the public sector, the recognition and transparency obligations in Chapter I apply to providers offering services to both public and private sectors. Any recipient (including private enterprises) who suffers loss due to a provider's infringement of Chapter I obligations could potentially have a claim, provided they can establish damage under national law.
Misconception 5: Compensation is automatic upon finding an infringement.
Reality: As with any civil claim, the recipient must actively seek compensation. They must file a claim in the appropriate court, prove the infringement, prove the damage, and prove the causal link. The existence of a right to seek compensation does not mean damages are awarded automatically or without litigation. The burden of proof remains on the claimant.
This is general information about a draft EU regulation, not legal advice.