Summary
Under the proposed Cloud and AI Development Act (CADA), Member States are required to establish national rules for penalties applicable to infringements by cloud computing service providers of the Union cloud computing sovereignty framework (Title IV, Chapter I). As proposed in Article 24, these penalties must be "effective, proportionate and dissuasive." Member States must notify the Commission of these rules and any subsequent amendments. When determining penalties, authorities must consider a non-exhaustive list of criteria, including the nature, gravity, scale and duration of the infringement, any financial benefits gained or losses avoided, and the infringing party's annual turnover in the Union. Additionally, recipients of cloud services would have a right to seek compensation for damages caused by such infringements.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive sovereignty framework to reduce the Union's dependence on non-European cloud providers. While the framework defines technical and operational assurance levels, its enforceability relies heavily on the penalty regime established in Article 24. This article places the primary responsibility for sanctioning non-compliance on Member States, while setting strict EU-wide principles and criteria to ensure consistency across the internal market.
The Obligation to Establish Penalties
Article 24(1) explicitly mandates that Member States "shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented." The "Chapter" referenced is Chapter I of Title IV, which covers the Union cloud computing sovereignty framework, including the four Union assurance levels, the recognition mechanisms, and the transparency obligations for providers.
The proposal does not prescribe a specific monetary cap (e.g., a fixed percentage of turnover) within the text of the Regulation itself. Instead, it imposes a qualitative standard: the penalties provided for "shall be effective, proportionate and dissuasive." This tripartite standard is a cornerstone of EU administrative law, ensuring that sanctions are not merely symbolic but are calibrated to deter non-compliance effectively while remaining fair relative to the severity of the offense.
Notification to the Commission
To prevent regulatory fragmentation and ensure the Commission can monitor the consistency of enforcement across the single market, Article 24(1) imposes a strict notification duty. Member States must "notify the Commission of those rules and of those measures and shall notify the Commission of any subsequent amendment affecting them."
This requirement ensures that the European Commission maintains a real-time overview of national penalty frameworks. It facilitates the identification of divergent approaches that could distort competition or undermine the sovereignty objectives of the Act. If a Member State fails to notify or if the rules are deemed insufficiently effective, the Commission may intervene through infringement procedures, though the primary legislative design delegates the specific quantification of fines to national law.
Non-Exhaustive Criteria for Imposing Penalties
To guide national authorities in setting and applying penalties, Article 24(2) provides a detailed, non-exhaustive list of criteria that "Member States shall take into account for the imposition of penalties for infringements of this Regulation." These criteria are designed to ensure that penalties are tailored to the specific circumstances of each case, balancing the need for deterrence with the principles of proportionality.
The specific criteria listed in the proposal are:
- Nature, gravity, scale and duration: Authorities must assess the inherent severity of the infringement, the extent of its impact (scale), and how long the non-compliance persisted.
- Mitigation actions: The list considers "any action taken by the infringing party to mitigate or remedy the damage caused by the infringement." Proactive remediation, such as voluntarily correcting a breach or implementing corrective measures before detection, can serve as a mitigating factor.
- Previous infringements: A history of non-compliance is an aggravating factor. The criteria explicitly include "any previous infringements by the infringing party," ensuring that repeat offenders face escalating consequences.
- Financial benefits or losses avoided: Crucially, the proposal requires authorities to consider "the financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established." This prevents non-compliance from becoming a profitable strategy by ensuring that any competitive advantage gained through cutting corners is disgorged.
- Aggravating or mitigating factors: The list allows for flexibility, noting "any other aggravating or mitigating factor applicable to the circumstances of the case."
- Annual turnover: Perhaps the most significant economic indicator, the criteria include "the infringing party's annual turnover in the preceding financial year in the Union." This links the penalty directly to the economic size of the provider within the EU, ensuring that fines are impactful for large entities and not merely a cost of doing business.
It is vital to note that Article 24(2) states this list is "non-exhaustive." This grants national authorities the flexibility to consider other relevant factors under their domestic legal frameworks, provided they respect the overarching EU principles of effectiveness, proportionality, and dissuasiveness.
Right to Compensation
Beyond administrative penalties imposed by public authorities, Article 24(3) establishes a civil remedy for affected parties. It states that "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision empowers public sector bodies, Union entities, and potentially private sector entities (where they fall under the scope of the Regulation) to seek redress for damages resulting from a provider's failure to comply with sovereignty framework obligations. Examples of such damages could include costs incurred due to service disruption, data breaches resulting from inadequate security measures, or the costs of migrating to a compliant provider after a recognition is revoked.
Interaction with National Competent Authorities and Enforcement Powers
The enforcement of these penalties falls under the purview of the national competent authorities designated by Member States. Article 25 requires each Member State to designate one or more national competent authorities responsible for enforcing Chapter I of Title IV. Article 26 grants these authorities specific investigative and enforcement powers.
Under Article 26(2), competent authorities have the power to "impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with this Regulation." Furthermore, Article 26(3) reiterates that measures taken must be "effective, dissuasive and proportionate," having regard to the nature, gravity, recurrence and duration of the infringement, as well as the economic, technical and operational capacity of the service provider concerned. This mirrors the criteria in Article 24 but applies them specifically to the exercise of enforcement powers.
Procedural Safeguards
While Article 24 focuses on the substantive criteria for penalties, Article 26(4) ensures that the exercise of these powers is subject to adequate safeguards under applicable national law, in compliance with the general principles of Union law. These safeguards include the right to respect for private life, the rights of defense (including the right to be heard and to have access to the file), and the right of all affected parties to an effective judicial remedy. This ensures that the penalty regime, while stringent, adheres to fundamental rights standards.
What this means for you
For in-house counsel, compliance officers, and general counsels at cloud computing service providers, the penalty regime under the proposed CADA represents a significant operational and financial risk vector. Unlike regulations that offer a single, predictable fine cap, CADA creates a dynamic risk environment dependent on national transposition and specific case circumstances.
- Monitor National Transposition Closely: Since Member States have discretion in laying down the specific penalty rules (e.g., whether fines are administrative or criminal, specific procedural timelines, and exact calculation methods), you must monitor the transposition of CADA into national law in every Member State where you have an establishment. Pay close attention to the notification of penalty rules to the Commission, as this will provide early visibility into national approaches and potential divergence.
- Align Internal Governance with Assurance Levels: Ensure that your internal controls, documentation, and audit trails robustly demonstrate compliance with the specific Union assurance level you claim (Level 1, 2, 3, or 4). Given that penalties explicitly consider "financial benefits gained," any competitive advantage gained through non-compliant status (e.g., avoiding the cost of EU-based infrastructure) will be heavily scrutinized and could form the basis of a significant penalty.
- Prepare for Turnover-Based Fines: Unlike some regulations that cap fines at a fixed absolute amount, CADA explicitly considers "annual turnover in the Union" as a primary criterion. Ensure your financial reporting is accurate and that your risk management frameworks are scaled to the size of your EU operations. Large providers should anticipate that penalties could be substantial if the gravity and duration of an infringement are high.
- Review Contractual Indemnities and Liability: Article 24(3) allows service recipients to seek compensation for damages. Review your master service agreements (MSAs) and data processing agreements (DPAs) to ensure they include appropriate indemnification clauses and liability limitations, where permissible under applicable national law. Be aware that contractual limitations may not shield you from statutory compensation claims if the infringement is deemed severe.
- Document Mitigation Efforts: Since "any action taken by the infringing party to mitigate or remedy the damage" is a statutory criterion for reducing penalties, establish clear internal protocols for self-reporting and immediate remediation. Proactive engagement with the national competent authority and demonstration of mitigation efforts can be critical in mitigating penalty severity in the event of an infringement.
- Assess Recidivism Risks: The criteria explicitly include "any previous infringements." A history of non-compliance will likely lead to escalated penalties. Ensure that your compliance program is robust enough to prevent repeat offenses, as the "recurrence" of an infringement is a specific aggravating factor.
Common misconceptions
"CADA sets fixed fine amounts like the GDPR." Incorrect. Unlike the AI Act or GDPR, which specify maximum fines as percentages of global turnover (e.g., 7% or 4%), CADA Article 24 does not prescribe specific monetary caps or percentages in the Regulation text. Instead, it requires Member States to define penalties that are "effective, proportionate and dissuasive," considering factors such as turnover and gravity. The actual fine amounts will vary by Member State and case specifics.
"Only administrative fines apply." Incorrect. In addition to administrative penalties imposed by national competent authorities, Article 24(3) explicitly grants recipients of cloud services the right to seek compensation for damages in civil proceedings. This creates a dual layer of liability: regulatory fines and civil damages.
"The criteria for penalties are exhaustive." Incorrect. Article 24(2) lists criteria that Member States "shall take into account," but the text explicitly states the list is "non-exhaustive." National authorities may consider other relevant factors under national law, provided they do not contradict the principles of the Regulation.
"Penalties only apply to large hyperscalers." Incorrect. The Regulation applies to all cloud computing service providers seeking recognition under the sovereignty framework. While "annual turnover" is a criterion, small and medium-sized enterprises (SMEs) are not exempt. However, the principle of proportionality would likely influence the scale of penalties for smaller entities compared to large incumbents.
"The penalty regime is identical to the AI Act." Incorrect. While both acts aim for effective, proportionate, and dissuasive penalties, the AI Act (Article 99) sets specific maximum fines (up to €35 million or 7% of turnover). CADA leaves the specific quantification to Member States, creating a more decentralized penalty landscape.
This is general information about a draft EU regulation, not legal advice.