Summary
If a national competent authority (NCA) initiates an investigation into your cloud computing service under the proposed Cloud and AI Development Act (CADA), you are legally obligated to cooperate fully. Under Article 26(1) of the proposal, NCAs possess three core investigative powers: the authority to require information from providers and related parties, the power to inspect premises and seize data copies, and the right to request explanations from staff (with consent for recording). While these powers are extensive, Article 26(4) mandates strict procedural safeguards, including the right to be heard, access to the file, respect for private life, and the right to an effective judicial remedy. As CADA is a proposal, these obligations would apply only upon adoption and entry into force.
Detail
The Cloud and AI Development Act (CADA), currently in the proposal stage as COM(2026) 502 final, establishes a comprehensive sovereignty framework for cloud computing services within the EU. A critical component of this framework is the enforcement mechanism vested in national competent authorities (NCAs). For cloud service providers seeking or maintaining recognition at Union assurance levels (1 through 4), understanding the scope of NCA investigations and the correct response protocol is essential for regulatory compliance and market access.
The Legal Basis and Scope of Investigation
The enforcement architecture of CADA is centralized around the Member State where the cloud computing service provider has its "main establishment." Article 25(4) of the proposal establishes that the Member State in which the provider has its head office or registered office, from which principal financial functions and operational control are exercised, holds "exclusive competence for enforcing this Chapter." This means that regardless of where your data centers or customers are located across the EU, your primary regulatory interlocutor for investigations is the NCA of your country of establishment.
When an NCA suspects an infringement of the sovereignty framework, or when it needs to verify compliance for the purpose of recognition under Article 17, it may exercise specific investigative powers. These powers are detailed in Article 26(1) and are designed to be robust, ensuring that authorities can effectively verify the complex technical and organizational measures required for Union assurance levels.
The Three Core Investigative Powers under Article 26(1)
Article 26(1) grants NCAs three distinct but complementary powers to gather evidence and assess compliance. As proposed, these powers are not limited to the cloud provider alone; they extend to any person acting for purposes related to their trade, business, craft, or profession who may reasonably be expected to be aware of information relating to a suspected infringement. This explicitly includes auditing organisations and subcontractors involved in the provision of the service.
1. Power to Require Information
Under Article 26(1)(a), the NCA has the power to "require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession... to provide that information as soon as possible."
- Scope: This covers not only the provider's internal data but also information held by third parties, such as auditing organisations, if they possess relevant details about a suspected infringement.
- Urgency: The requirement is to provide information "as soon as possible," implying a duty of prompt cooperation. Failure to do so can trigger enforcement measures.
- Content: The information requested must relate to a suspected infringement of the Regulation. This could include documentation on data flows, personnel citizenship records, software bills of materials (SBOMs), or evidence of third-country control.
2. Power to Inspect Premises and Seize Data
Under Article 26(1)(b), the NCA has the power to "carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use for purposes related to their trade, business, craft or profession."
- Physical and Digital Access: The inspection covers any premises used for the relevant business activities. This includes data centers, corporate offices, and remote operational sites.
- Seizure and Copying: During these inspections, the authority is empowered to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium." This ensures that authorities can secure evidence regardless of whether it is stored on physical servers, cloud storage, or portable devices.
- Judicial Oversight: While the NCA can carry out inspections directly, it may also request a judicial authority to order the inspection, adding a layer of judicial oversight for certain intrusive measures.
3. Power to Take Explanations
Under Article 26(1)(c), the NCA has the power to "ask any member of staff or representative of those providers or those persons acting for purposes related to their trade, business, craft or profession, to give explanations in respect of any information relating to a suspected infringement."
- Consent for Recording: The proposal specifies that the authority may "with their consent, to record their answers by any technical means." This highlights that while staff can be asked to explain, the recording of those explanations requires the individual's consent.
- Scope of Questions: Explanations must relate to the suspected infringement. This allows the NCA to clarify ambiguities in documents or understand the operational context of specific technical decisions.
Procedural Safeguards and Rights of Defence
While Article 26(1) grants broad powers, Article 26(4) ensures that these powers are exercised within a framework of fundamental rights and procedural justice. The proposal mandates that Member States set out specific rules and procedures for the exercise of these powers, ensuring they are subject to "adequate safeguards under applicable national law in compliance with the general principles of Union law."
The key safeguards outlined in Article 26(4) include:
- Right to Respect for Private Life: Measures taken by the NCA must be taken only in accordance with the right to respect for private life. This is particularly relevant when inspecting premises or interviewing staff, ensuring that personal data unrelated to the investigation is not unnecessarily exposed.
- Rights of Defence: The investigation must respect the rights of defence. This explicitly includes:
  - The Right to be Heard: The provider and affected persons must have the opportunity to present their case and respond to allegations before final decisions are made.
  - Right to Access the File: Parties have the right to access the file, allowing them to review the evidence collected by the NCA and prepare an effective defense.
- Effective Judicial Remedy: Perhaps most critically, Article 26(4) guarantees that "all affected parties [have] the right to an effective judicial remedy." This means that any measure taken by the NCA, whether it is an information request, an inspection order, or a penalty, can be challenged before a court. This judicial review ensures that the NCA acts within its legal mandate and respects procedural safeguards.
Cross-Border Cooperation and Mutual Assistance
Cloud services often operate across borders, necessitating cooperation between NCAs. Article 27 establishes principles of mutual assistance, allowing an NCA to request specific information from another Member State's competent authority. The receiving authority must comply and inform the requesting authority within two months, unless duly justified.
Furthermore, Article 28 outlines cross-border cooperation for enforcement. If an NCA in a destination Member State suspects a provider no longer meets the requirements of Annex II, it can request the NCA of establishment to assess the matter. The NCA of establishment must communicate its assessment and any measures taken within two months. This framework ensures that a provider cannot evade investigation by operating in multiple jurisdictions, while still respecting the "exclusive competence" of the NCA of establishment for enforcement actions.
Strategic Response for Providers
When facing an investigation under Article 26, providers should adopt a structured, compliant, and rights-aware approach:
- Immediate Acknowledgement and Compliance: Upon receiving a request for information under Article 26(1)(a), acknowledge receipt immediately. Designate a cross-functional team (legal, technical, and compliance) to gather the requested data. Delays can be interpreted as non-cooperation and may lead to periodic penalty payments under Article 26(2)(c).
- Prepare for Premises Inspections: Ensure that physical and digital premises are organized for auditability. Maintain up-to-date records of infrastructure locations, personnel, and data flows as required by Annex III. If the NCA requests a judicial order for inspection, cooperate with the legal process while verifying that the scope of the inspection aligns with the suspected infringement.
- Manage Staff Interviews: When staff are asked to give explanations under Article 26(1)(c), ensure they are briefed on the facts of the investigation. Remind them that recording requires their consent. Consider having legal counsel present to ensure statements are accurate and within the scope of the investigation, protecting the provider's rights of defence.
- Document the Process: Keep a detailed log of all interactions with the NCA, including requests made, information provided, and any objections raised. This documentation is crucial if you need to exercise your right to an effective judicial remedy under Article 26(4).
- Coordinate with Auditors: If the investigation involves an audit for Union assurance levels 2, 3, or 4, coordinate closely with your auditing organisation. Since Article 26(1) extends information requests to auditors, ensure they are prepared to provide audit evidence and reports as needed.
What this means for you
For cloud service providers and data centre operators, the investigative powers under CADA represent a significant compliance obligation but also a clear mechanism for verifying sovereignty claims. If you are aiming for Union assurance levels, especially levels 3 and 4 which are required for public sector activities contributing to public order, you must be prepared for rigorous scrutiny.
- Audit Readiness: Your operations must be "audit-ready" at all times. The NCA's power to inspect premises and seize information means that disorganized records can lead to negative findings and potential loss of recognition.
- Legal Preparedness: Ensure you have legal counsel familiar with CADA's procedural safeguards. While cooperation is mandatory under Article 26(1), your rights to privacy and defence under Article 26(4) are protected. Understanding the balance between these obligations is key to navigating an investigation successfully.
- Cross-Border Coordination: If you operate in multiple Member States, coordinate with your local NCAs. While the NCA of establishment has exclusive competence, other NCAs can trigger investigations via mutual assistance. Proactive communication can prevent misunderstandings.
- Penalty Awareness: Non-compliance with investigative orders can lead to fines and periodic penalty payments under Article 26(2). The cost of non-cooperation is high, so it is in your best interest to engage constructively with the NCA while asserting your rights.
Common misconceptions
"The NCA can only investigate after a formal penalty is issued." No. The investigative powers under Article 26(1) are triggered by the need to carry out tasks under Article 17 (recognition) or to investigate suspected infringements. They are not limited to post-penalty scenarios. The NCA can investigate proactively to verify compliance for recognition or upon suspicion of non-compliance.
"You can refuse to provide information if it is commercially sensitive." While confidentiality is protected under general data protection and trade secret laws, the NCA has the power to require information under Article 26(1). Refusal can lead to enforcement actions. However, the NCA must respect confidentiality obligations under Article 26(4) and general Union law. You should negotiate the scope and handling of sensitive information rather than refusing outright.
"Only the cloud provider is subject to investigation." No. Article 26(1) explicitly includes "any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement, including auditing organisations." Subcontractors and auditors are also in scope.
"Investigations are purely administrative with no legal recourse." No. Article 26(4) guarantees the right to an effective judicial remedy. You can challenge measures taken by the NCA if they violate procedural safeguards or your rights of defence.
This is general information about a draft EU regulation, not legal advice.