Summary Under the proposed Cloud and AI Development Act (CADA), national competent authorities (NCAs) rely on a strict mutual assistance framework to enforce the Union cloud computing sovereignty framework across borders. Article 27 mandates that an NCA requesting specific information to exercise its investigative powers must receive a response from the receiving authority within two months, unless duly justified. This information exchange underpins the cross-border recognition process detailed in Article 17, where an "evaluating" NCA may request collaboration from other Member States' authorities to verify a provider's compliance. Crucially, Article 17(2) imposes a much tighter 15-day deadline for those authorities to confirm or refuse their collaboration. This dual-speed mechanism ensures that while market access (recognition) moves quickly, ongoing enforcement and information gathering remain robust and timely.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework comprising four assurance levels. Because cloud services are inherently cross-border, the regulation relies heavily on cooperation between national competent authorities (NCAs) to ensure that a service recognised in one Member State is reliably supervised across the Union. The regulation creates a tiered system of cooperation: a rapid-response mechanism for the initial recognition of services and a standard investigative mechanism for ongoing enforcement.

The Mutual Assistance Framework: Article 27

Article 27 (Mutual assistance) establishes the general obligation for NCAs and the Commission to cooperate closely to apply the sovereignty framework (Title IV, Chapter I) in a consistent and efficient manner. This cooperation is not merely voluntary; it is a statutory requirement to ensure the single market functions without regulatory fragmentation.

The mechanism operates through a formal request process designed to overcome jurisdictional barriers:

  1. The Request: A competent authority (the "requesting authority") may ask another competent authority (the "receiving authority") to provide specific information in its possession relating to a specific cloud computing service provider. This request is specifically made to enable the requesting authority to exercise its investigative powers under Article 26, particularly regarding information located within the receiving authority's Member State.
  2. Scope of Assistance: The receiving authority is not limited to simply forwarding documents. It may involve other competent authorities or public authorities within its own Member State to facilitate the request, ensuring that all relevant data is gathered.
  3. The Deadline: The receiving authority must comply with the request and inform the requesting authority of the action taken "as soon as possible and no later than two months after receipt of the request, unless duly justified."

This two-month deadline is a critical procedural safeguard. It prevents administrative inertia from stalling cross-border investigations. If an NCA in Member State A suspects an infringement by a provider established in Member State B, but the relevant data or evidence is held in Member State C, the process relies entirely on this mutual assistance channel. The phrase "unless duly justified" provides a narrow exception, implying that delays must be substantiated by exceptional circumstances (e.g., complex legal disputes or force majeure), not mere administrative backlog.

Collaboration in the Recognition Process: Article 17(2)

While Article 27 governs general investigative assistance, Article 17 (Recognition of cloud computing service providers) introduces a more time-sensitive form of collaboration specifically for the initial recognition of cloud computing services under the Union assurance levels.

When a cloud computing service provider applies for recognition (e.g., for Union assurance level 2, 3, or 4), the application is submitted to the NCA of the provider's establishment, which becomes the "evaluating national competent authority." However, the evaluating NCA is not always the sole evaluator. The regulation acknowledges that a provider's operations, infrastructure, or personnel may span multiple Member States, requiring input from other jurisdictions.

Article 17(2) states:

"An evaluating national competent authority that has received an application for a candidate recognition, may, where necessary, request one or more competent authorities of the other Member States to collaborate in the procedure for a candidate recognition under this Article. Within 15 days of receiving such a request, the national authority that has received a request for collaboration shall either provide confirmation that it agrees to collaborate with the evaluating national competent authority or refuse the request."

This 15-day window is significantly shorter than the two-month period in Article 27. It reflects the legislative intent to avoid bottlenecks in market access. The recognition process is designed to be efficient; if an NCA refuses to collaborate, it must do so within this short timeframe. A refusal or failure to respond within 15 days could trigger procedural complications later in the review process, potentially affecting the validity of the recognition decision.

Cross-Border Cooperation and Enforcement: Article 28

Beyond information sharing and initial recognition, Article 28 (Cross-border cooperation) outlines the enforcement loop. If an NCA in a "destination" Member State (where the service is used) suspects that a provider no longer fulfils the requirements of Annex II (the criteria for Union assurance levels), it can request the NCA of establishment (the "origin" authority) to assess the matter and take necessary investigatory or enforcement measures.

The NCA of establishment must communicate its assessment and any measures taken to the requesting authority and the Commission "as soon as possible and in any event not later than two months after receipt of the request." This creates a closed loop of accountability: the authority of establishment retains primary enforcement power (as per Article 25(4)), but is obligated to act on credible suspicions raised by other Member States.

The Interplay: How Cooperation Underpins Recognition

The mutual assistance mechanisms are not isolated; they are the backbone of the cross-border recognition process. The efficiency of the 60-day review period described in Article 17(5) depends entirely on the prior collaboration facilitated by Article 17(2) and the information gathered via Article 27.

When an evaluating NCA prepares a draft recognition decision, it notifies other NCAs for a 60-day review. During this period, other NCAs can submit reasoned objections or requests for clarification. If an objection is raised, the evaluating NCA must assess it and maintain or revoke its draft decision. If the evaluating NCA intends to maintain its decision despite the objection, the matter can be referred to the Commission, which may adopt a binding decision.

Without the rapid 15-day collaboration confirmation under Article 17(2), the evaluating NCA might lack the necessary cross-border data to make an informed draft decision. Similarly, without the two-month information exchange under Article 27, the 60-day review period could be rendered ineffective if authorities cannot access the evidence needed to validate or challenge the recognition.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, these provisions mean that your interaction with a single "home" NCA is not the end of the regulatory journey. Your provider's compliance posture will be scrutinised by a network of authorities operating under strict timelines.

  1. Prepare for Multi-Jurisdictional Scrutiny: When applying for recognition under Article 17, anticipate that your home NCA will request collaboration from other Member States. Ensure your documentation is robust enough to withstand review by authorities who may have different interpretations of the criteria in Annex II. The 15-day deadline for NCAs to agree to collaborate means the process moves quickly; delays in your response to information requests can stall the entire recognition procedure.
  2. Monitor Information Requests: Under Article 27, NCAs can request specific information from each other. While the request is formally between authorities, the data often originates from your systems. Ensure your internal compliance teams can rapidly retrieve and provide evidence of compliance (e.g., audit reports, technical documentation, personnel records) to your home NCA, who may then share it or use it to respond to mutual assistance requests.
  3. Understand the Enforcement Trigger: If a complaint is lodged in a Member State where you provide services (but are not established), that NCA can trigger an investigation via Article 28. Your home NCA then has two months to assess and act. Maintain continuous compliance, not just at the point of application. A lapse in compliance detected in one Member State can lead to revocation of recognition across the entire Union.
  4. Document Justifications for Delays: If your provider is subject to an investigation and faces requests for information, understand that NCAs have strict deadlines (15 days for collaboration consent, 2 months for information exchange). If your organization cannot meet the implied timelines for evidence provision, document the reasons clearly. While the "duly justified" exception in Article 27 applies to the NCA's response time, protracted delays in providing evidence to your home NCA can indirectly cause them to miss their own deadlines, potentially harming your relationship with the regulator and jeopardising your recognition status.

Common misconceptions

Misconception 1: Mutual assistance is only for criminal investigations. Reality: Under CADA, mutual assistance (Article 27) is a regulatory and administrative tool. It is used to gather evidence for compliance assessments and enforcement actions related to the sovereignty framework, not just criminal offences. It covers administrative data, technical documentation, and audit evidence required to verify Union assurance levels.

Misconception 2: The "home" NCA has sole discretion in recognition. Reality: While the NCA of establishment leads the process, Article 17(2) explicitly allows them to request collaboration from other NCAs. Furthermore, the 60-day review period allows other NCAs to raise objections. The home NCA cannot unilaterally ignore valid concerns raised by other Member States without risking referral to the Commission.

Misconception 3: The 15-day and 2-month deadlines are rigid and unchangeable. Reality: Article 27 allows for extensions if "duly justified." However, this is not a blanket waiver. NCAs are expected to act efficiently. For in-house counsel, this means that while there is some flexibility, relying on it is risky. Proactive engagement with your home NCA is essential to ensure they can meet their obligations to other Member States.

Misconception 4: Providers can choose which NCA collaborates. Reality: The provider submits the application to the NCA of establishment (Article 17(1)). That NCA decides whether to request collaboration from other NCAs (Article 17(2)). The provider does not select the collaborating authorities, though they may be able to provide input on which jurisdictions are relevant to their service deployment.

Related

This is general information about a draft EU regulation, not legal advice.