Summary

Under the proposed Cloud and AI Development Act (CADA), Member States must designate one or more national competent authorities to enforce the Union cloud computing sovereignty framework within one year of the Regulation's entry into force. These authorities, which may be existing bodies, are granted exclusive competence based on the main establishment of the cloud computing service provider and must operate with impartiality, transparency, and sufficient technical and financial resources. Member States are required to notify the Commission of the designated authorities, their tasks, and their powers, enabling the Commission to maintain a public register.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous governance structure to ensure the sovereignty, security, and resilience of cloud computing services used by the public sector. Central to this framework is the role of the national competent authority, which acts as the primary regulator for cloud computing service providers seeking recognition under the Union assurance levels. The designation, powers, and operational requirements for these authorities are codified in Article 25 of the CADA proposal.

Designation Timeline and Scope

Member States are required to designate one or more national competent authorities responsible for enforcing Title IV of the Regulation (Autonomy) within a strict timeframe. According to Article 25(1), this designation must occur no later than one year after the Regulation's entry into force. This deadline ensures that the regulatory infrastructure is in place before the substantive obligations for cloud providers and public procurers become fully active.

The designation is flexible regarding the institutional structure. Article 25(1) explicitly states that Member States may designate an existing authority or existing authorities, referred to as 'competent authorities'. This provision allows Member States to leverage existing regulatory bodies, such as data protection authorities, cybersecurity agencies, or telecommunications regulators, rather than creating new administrative entities from scratch. However, the designation must be clear and formalized to ensure legal certainty for market participants.

Exclusive Competence and Territorial Application

A critical aspect of the CADA framework is the principle of exclusive competence to avoid regulatory fragmentation and conflicting national rulings. Article 25(4) establishes that the Member State in which the cloud computing service provider has its main establishment holds exclusive competence for enforcing the sovereignty framework chapter.

The 'main establishment' is defined as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised. This single-point-of-contact approach simplifies compliance for providers operating across the EU, as they deal primarily with the competent authority in their home Member State, while that authority cooperates with counterparts in other Member States through mutual assistance mechanisms outlined in later articles.

Notification and Public Transparency

Once designated, Member States must formally communicate this information to the European Commission. Article 25(2) requires Member States to notify the Commission of the names of the competent authorities, along with a detailed description of their tasks and powers.

Following this notification, the Commission is mandated to maintain a public register of these authorities. This transparency measure serves multiple purposes: it provides legal certainty for cloud computing service providers seeking recognition, allows public sector procurers to verify the legitimacy of the supervising body, and facilitates cross-border cooperation by clearly identifying the points of contact in each Member State.

Impartiality, Transparency, and Resource Requirements

The effectiveness of the sovereignty framework hinges on the capability and independence of the national competent authorities. Article 25(3) imposes strict obligations on Member States to ensure that their designated authorities perform their tasks in an impartial, transparent, and timely manner.

Crucially, Member States must ensure that their competent authorities possess all necessary resources to carry out their tasks effectively. This includes:

  • Technical resources: The ability to audit complex cloud architectures, understand cybersecurity standards, and assess software supply chain risks.
  • Financial resources: Sufficient budget to conduct investigations, maintain registers, and engage in cross-border cooperation.
  • Human resources: Adequate staffing with the specific expertise required to supervise all cloud computing service providers within their competence.

This resourcing requirement is vital given the technical complexity of the Union assurance levels (Levels 1–4), which involve detailed audits of infrastructure location, personnel citizenship, software bills of materials, and data residency. Without adequate resourcing, authorities may struggle to verify compliance, undermining the integrity of the entire sovereignty framework.

Integration with Enforcement Powers

While Article 25 focuses on designation and resources, it operates in tandem with Article 26, which details the investigative and enforcement powers granted to these authorities. The designated authorities will have the power to require information from providers, carry out inspections, and impose fines or periodic penalty payments for non-compliance. The designation process under Article 25 is therefore the foundational step that enables the exercise of these significant regulatory powers.

What this means for you

For public-sector procurement officers, IT leaders, and cloud service providers, understanding the designation of national competent authorities is essential for navigating the new cloud procurement landscape.

1. Verify the Authority's Legitimacy. When engaging with cloud computing service providers who claim to offer a specific Union assurance level (e.g., Level 2 or 3), you should verify that the recognition was granted by a legitimate national competent authority. Use the public register maintained by the European Commission to confirm the identity and powers of the authority in the provider's Member State of establishment. This due diligence helps prevent fraud or misrepresentation of sovereignty credentials.

2. Anticipate Regulatory Maturity. The one-year deadline for designation means that in the initial phase of CADA's application, some Member States may still be finalizing their institutional arrangements. Procurement officers should monitor the Commission's notifications to ensure that the authority overseeing a preferred provider is fully operational and resourced. If an authority is under-resourced or newly established, it may impact the speed and rigor of the recognition process for providers, potentially affecting supply chain timelines.

3. Leverage Cross-Border Cooperation. If you are part of a cross-border procurement initiative or the EuroCloud Federation, understanding which authority has exclusive competence over a provider is crucial. In case of disputes or compliance issues, you will need to engage with the competent authority in the provider's home Member State. Knowing that these authorities are mandated to cooperate and provide mutual assistance (under Article 27) can streamline resolution processes.

4. Focus on Resource Adequacy. As a public procurer, you have an interest in the robustness of the audit and recognition process. The requirement for authorities to have sufficient technical and financial resources (Article 25(3)) is a safeguard for you. It implies that the providers you are procuring from have been vetted by a body with the capability to perform deep-dive audits. If you encounter a provider whose recognition seems superficial, you may have grounds to question whether the competent authority has met its resourcing obligations.

5. Understand the "Main Establishment" Rule. For cloud providers, the designation rule means you will primarily interact with the regulator in the country where your head office or registered office is located, provided that is where your principal financial functions and operational control are exercised. This centralizes your compliance burden but requires you to ensure that your home Member State has designated a competent authority with the necessary expertise.

Common misconceptions

Misconception 1: Every Member State must create a new agency. Reality: CADA does not require the creation of new agencies. Article 25(1) explicitly allows Member States to designate existing authorities. Many Member States will likely assign these tasks to existing bodies such as data protection supervisory authorities, cybersecurity agencies, or national cloud governance bodies, depending on their national administrative structures.

Misconception 2: The authority in the Member State where the public sector body is located enforces the rules. Reality: Enforcement is based on the provider's location, not the customer's. Article 25(4) grants exclusive competence to the Member State where the cloud computing service provider has its main establishment. A public sector body in Germany procuring from a provider established in France will be subject to the oversight of the French competent authority, not the German one, although the German authority may request cooperation or information.

Misconception 3: Designation is optional or flexible in timing. Reality: The deadline is strict. Member States must designate their authorities within one year of the Regulation's entry into force. Failure to do so would leave a gap in the regulatory framework, potentially hindering the recognition of providers and the ability of public sector bodies to procure sovereign cloud services.

Misconception 4: Competent authorities only handle administrative paperwork. Reality: These authorities have significant investigative and enforcement powers. Beyond designation, they are tasked with ensuring impartiality and transparency (Article 25(3)) and have the power to impose fines, order cessation of infringements, and conduct inspections (Article 26). They are active regulators, not just passive registrars.

Misconception 5: The designation applies to all aspects of CADA. Reality: The designation under Article 25 specifically relates to enforcing Title IV (Autonomy), which covers the cloud computing sovereignty framework. Other parts of CADA, such as data centre acceleration zones or the Cloud and AI Leadership Initiatives, may involve different national bodies or coordination mechanisms, though the competent authority remains central to the sovereignty recognition process.

This is general information about a draft EU regulation, not legal advice.