Summary

Under the proposed Cloud and AI Development Act (CADA), your regulatory oversight is determined by your "main establishment." The Member State where your cloud computing service provider has its head office or registered office, where principal financial functions and operational control are exercised, holds exclusive competence for enforcing the sovereignty framework (Article 25(4)). To identify the specific body responsible for your jurisdiction, you must consult the public register that the European Commission is mandated to maintain under Article 25(2). This register will list the names of designated authorities and their specific tasks and powers, serving as the single source of truth for providers across the EU.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonised "single-point-of-entry" model for supervising cloud computing sovereignty. Unlike fragmented national regimes, CADA centralises enforcement responsibility to ensure legal certainty and avoid conflicting oversight for cross-border providers. For any cloud service provider seeking recognition of a Union assurance level, identifying the correct national competent authority is the foundational step in the compliance journey.

The Principle of Main Establishment: Exclusive Competence

The cornerstone of CADA's enforcement architecture is the concept of the "main establishment." Article 25(4) explicitly states that the Member State in which the cloud computing service provider has its main establishment shall have exclusive competence for enforcing Title IV, Chapter I (the Cloud computing sovereignty framework).

The proposal provides a precise definition for this term. The main establishment is defined as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised.

This definition is critical for providers with complex operational footprints. Even if a provider operates data centres, employs staff, or serves customers in multiple Member States, the regulatory "home" is strictly tied to the location of the head office or registered office where strategic and financial control resides. Consequently, the competent authority in that specific Member State is the sole authority empowered to:

  • Assess applications for recognition of Union assurance levels (Article 17).
  • Conduct investigations into suspected infringements.
  • Impose penalties and enforce corrective measures.

Other Member States where the provider operates do not hold primary enforcement competence. Instead, they must rely on mechanisms of mutual assistance and cross-border cooperation (Articles 27 and 28) if they suspect a provider under the jurisdiction of another Member State is non-compliant.

The Public Register of Authorities

To ensure transparency and facilitate access for providers, auditing organisations, and public sector bodies, CADA mandates the creation of a centralised, publicly accessible directory. Article 25(2) establishes the obligation for Member States to notify the Commission of the names of their designated competent authorities, along with a description of their tasks and powers.

Upon receipt of these notifications, the Commission is required to maintain a public register of those authorities. This register is not merely a list of names; it is a functional tool designed to clarify the regulatory landscape. According to the text of Article 25(2), the register will hold the following specific details for each designated authority:

  1. The Name: The official designation of the competent authority within the Member State.
  2. The Tasks: A description of the specific responsibilities assigned to that authority under CADA (e.g., recognition of assurance levels, supervision of audits).
  3. The Powers: A detailed outline of the investigative and enforcement powers granted to the authority (e.g., power to order cessation of infringements, impose fines, or conduct inspections).

By consolidating this information, the Commission ensures that providers can quickly verify the identity and scope of their regulator, reducing administrative friction and preventing confusion regarding jurisdictional boundaries.

Designation and Notification Timeline

The operationalisation of this framework follows a strict timeline. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the sovereignty chapter by a date set at one year after the entry into force of the Regulation.

Member States have flexibility in their choice of authority. They may designate an existing body (such as a national cybersecurity agency, a data protection authority, or a telecommunications regulator) or they may establish a new dedicated body to handle these specific responsibilities. Once designated, the Member State must formally notify the Commission. The Commission then updates the public register to reflect these appointments. This process ensures that the information available to the market is current and accurate, reflecting any shifts in national administrative structures.

Powers and Resource Obligations

The competent authorities designated under CADA are not passive observers; they are equipped with robust powers to ensure compliance. Article 26 details the investigative and enforcement powers granted to these authorities, including:

  • The power to require information from providers and auditing organisations.
  • The power to carry out inspections of premises and seize information.
  • The power to order the cessation of infringements and impose remedies.
  • The power to impose fines or periodic penalty payments.

To ensure these authorities can effectively wield these powers, Article 25(3) imposes a positive obligation on Member States. They must ensure that their competent authorities have all necessary resources, including sufficient technical, financial, and human resources, to adequately supervise all cloud computing service providers within their competence. This provision aims to prevent under-resourcing from becoming a bottleneck in the enforcement of the sovereignty framework.

What this means for you

For cloud computing service providers, data centre operators, and their legal counsel, the path to compliance begins with a precise identification of your regulator. The following steps outline the practical application of Article 25:

  1. Determine Your Main Establishment: Conduct an internal audit of your corporate structure. Identify the Member State where your head office or registered office is located and where the principal financial functions and operational control are exercised. This is your "Member State of establishment." Do not confuse this with the location of your data centres or sales offices; the regulatory hook is strictly the location of control.
  2. Access the Commission's Public Register: Once CADA enters into force and Member States have completed their designations, access the public register maintained by the European Commission under Article 25(2). This will be the definitive source for identifying your regulator.
  3. Verify Tasks and Powers: Use the register to confirm the specific tasks and powers of your designated authority. Understanding the scope of their authority (e.g., whether they handle recognition applications directly or delegate certain audit oversight) is vital for planning your compliance strategy.
  4. Initiate Engagement: Your designated authority is your primary point of contact for:
    • Submitting applications for recognition of Union assurance levels (Article 17).
    • Reporting material changes that may affect your assurance status (Article 23).
    • Responding to any investigations or enforcement actions (Article 26).
  5. Monitor for Changes: As the legislative process evolves and Member States finalize their designations, regularly check the Commission's register for updates. Ensure your internal compliance teams are aligned with the specific procedures of your designated authority.

For providers operating across the EU with a single main establishment, remember that you primarily answer to the authority in your home Member State. While other Member States may request cooperation under Article 27 if issues arise locally, they cannot bypass your main establishment authority for primary enforcement actions.

Common misconceptions

  • Misconception: Every data centre location has its own competent authority.
    • Reality: CADA assigns exclusive competence to the authority in the Member State of the provider's main establishment (Article 25(4)). While data centres may be physically located in other Member States, the primary regulatory oversight remains with the authority of the main establishment. Other Member States may cooperate via mutual assistance, but they do not have primary enforcement competence over the provider.
  • Misconception: The competent authority is always the Data Protection Authority (DPA).
    • Reality: Member States have the flexibility to designate any existing authority or create a new one (Article 25(1)). While a DPA could be designated, it could equally be a national cybersecurity agency, a telecommunications regulator, or a newly created body. You must verify the specific designation in your Member State via the Commission's register.
  • Misconception: The register is maintained by each Member State individually.
    • Reality: While Member States notify their authorities, the Commission maintains the central public register (Article 25(2)). This ensures a single, EU-wide source of truth, preventing confusion for cross-border providers who might otherwise struggle to navigate disparate national websites.
  • Misconception: Competent authorities have limited or advisory powers.
    • Reality: Competent authorities possess robust investigative and enforcement powers, including the ability to impose fines, order the cessation of infringements, and conduct on-site inspections (Article 26). Furthermore, Member States are legally required to ensure these authorities have sufficient resources to perform these tasks effectively (Article 25(3)).

This is general information about a draft EU regulation, not legal advice.