Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers face a strict obligation to cooperate with national competent authorities. When an authority suspects an infringement of the Union cloud sovereignty framework, Article 26(1)(a) empowers them to require the provider (and related third parties) to provide relevant information "as soon as possible." This is not a passive right; it is a mandatory duty. Failure to comply with such investigative orders exposes the provider to significant enforcement actions, including fines and periodic penalty payments under Article 26(2). Providers must balance the urgency of this "as soon as possible" requirement with a rigorous legal review to ensure the request falls within the authority's exclusive jurisdiction and respects rights of defence and trade secrets.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a robust enforcement regime to ensure that cloud services recognised at Union assurance levels (1–4) genuinely meet the sovereignty criteria set out in Annex II. To verify this compliance, the Regulation grants national competent authorities extensive investigative powers. For cloud service providers, the mechanism for triggering these powers is the information request, a critical tool that can be deployed at the earliest stages of a suspected infringement.
The Legal Basis: Article 26(1)(a)
The primary authority for demanding information is found in Article 26(1)(a) of the CADA proposal. This provision explicitly grants the "competent authority of establishment" the power:
"the power to require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement of this Regulation, including auditing organisations, to provide that information as soon as possible;"
This clause is broad in scope. It is not limited to the cloud provider itself. The authority can compel any person acting in a trade or professional capacity who might possess relevant information. This explicitly includes auditing organisations and subcontractors involved in the service provision. The phrase "as soon as possible" creates a high standard of urgency. Unlike standard administrative requests that might allow for weeks of preparation, this wording implies that providers must act immediately upon receipt, providing a preliminary response or the requested data without unreasonable delay.
Scope of the Request and Investigative Powers
Information requests under Article 26(1)(a) are typically triggered when a competent authority has reason to suspect that a provider no longer meets the criteria for its recognised Union assurance level. The scope of information requested can be comprehensive, covering the technical, legal, and operational aspects of the service. Based on the criteria in Annex II and the evidence requirements in Annex III, requests may include:
- Ownership and Control Structures: Detailed evidence regarding shareholders, voting rights, and ultimate beneficial owners to verify the absence of third-country control (critical for Levels 2–4).
- Infrastructure and Asset Location: Proof that data centres, servers, and operational assets are physically located within the Union.
- Data Flow and Localisation: Technical diagrams, logs, and contractual agreements demonstrating that customer data remains exclusively within the Union.
- Audit Evidence: Access to the full audit reports, audit opinions, and the underlying evidence used by third-party auditors to assess compliance.
- Subcontractor Details: Information on all subcontractors, including their locations, control structures, and the nature of their involvement.
Beyond document production, Article 26(1)(c) grants authorities the power to ask any member of staff or representative to give explanations regarding the suspected infringement. With the consent of the individual, these answers may be recorded by technical means. This creates a direct line of inquiry into the operational knowledge of the provider's employees.
Procedural Requirements and Legal Review
While the duty to respond is urgent, the exercise of these powers is not arbitrary. Article 26(4) mandates that measures taken by competent authorities must be subject to adequate safeguards under applicable national law, complying with the general principles of Union law. Providers must conduct an immediate legal review of any request to ensure:
- Exclusive Jurisdiction: The request must come from the competent authority of establishment. Article 25(4) establishes that the Member State where the provider has its main establishment (head office or registered office where principal financial functions and operational control are exercised) has exclusive competence for enforcing this Chapter. A request from a "destination" authority (where the service is used) must be routed through the authority of establishment via mutual assistance mechanisms (Article 27).
- Relevance and Proportionality: The information requested must be relevant to the suspected infringement. Authorities must respect the principle of proportionality, ensuring that the burden on the provider is not excessive relative to the investigative goal.
- Rights of Defence: Providers retain the right to be heard and to have access to the file. Article 26(4) explicitly states that measures must be taken in accordance with the right to respect for private life and the rights of defence.
If a provider believes a request is overly broad, irrelevant, or infringes on legally protected confidentiality (such as trade secrets), the correct course of action is to engage in dialogue with the authority to narrow the scope or propose alternative evidence. A blanket refusal or ignoring the request is not a valid legal strategy and carries severe consequences.
Consequences of Non-Compliance
The CADA proposal treats non-cooperation with investigative orders as a serious infringement. Article 26(2) outlines the enforcement powers available to authorities if a provider fails to comply:
- Fines: Under Article 26(2)(b), authorities have "the power to impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with this Regulation, including with any of the investigative orders issued pursuant to paragraph 1." While CADA does not set a fixed maximum fine amount in the text (leaving this to Member States under Article 24), the penalties must be "effective, proportionate and dissuasive."
- Periodic Penalty Payments: Under Article 26(2)(c), authorities can impose periodic penalty payments to ensure that an infringement is terminated or to enforce compliance with investigative orders. This means a provider could face accumulating daily or weekly fines until they provide the requested information.
- Revocation of Recognition: Beyond financial penalties, persistent non-compliance can lead to the revocation of the provider's recognition for a specific Union assurance level. Under Article 17(11), a competent authority may revoke recognition if a provider "intentionally or negligently, supplied incorrect or misleading information." Failure to provide information at all can be interpreted as a failure to demonstrate compliance, leading to the loss of the right to serve public sector bodies.
What this means for you
For cloud service providers, the CADA information request regime requires a proactive and structured internal response protocol. The "as soon as possible" standard leaves little room for bureaucratic delay.
- Establish a Dedicated Response Team: Designate a specific legal or compliance officer to receive and triage all communications from national competent authorities. This ensures that requests are logged, deadlines are tracked, and the "as soon as possible" clock is managed effectively.
- Maintain Audit-Ready Documentation: Because requests often relate to sovereignty criteria (ownership, data location, supply chain), providers should maintain up-to-date technical and legal documentation. This includes Software Bills of Materials (SBOMs), data flow diagrams, ownership charts, and subcontractor registers, as detailed in Annex III of CADA. Having this data readily available is the only way to meet the "as soon as possible" requirement.
- Legal Privilege and Trade Secrets: When responding, clearly mark any information that constitutes trade secrets or legally privileged material. While Article 26 grants broad investigative powers, it also requires authorities to respect confidentiality. Proactively identifying sensitive data allows for negotiated handling (e.g., redacted versions or sealed submissions) rather than a blanket refusal, which would trigger fines.
- Verify Jurisdiction Immediately: Before responding, confirm that the request originates from the competent authority of your main establishment as defined in Article 25(4). If the request comes from another Member State, verify that it has been properly routed through the mutual assistance channels of Article 27.
- Do Not Ignore the Clock: The requirement to provide information "as soon as possible" means that immediate acknowledgment and a preliminary timeline for full response are expected. Delays without justification can be interpreted as obstruction, triggering the penalty mechanisms in Article 26(2).
Common misconceptions
"I only need to respond if I am already under a formal investigation." Incorrect. The power in Article 26(1)(a) applies to "suspected infringements." An authority may issue an information request at the earliest stage of their inquiry, even before a formal case file is opened or a penalty is proposed. The request itself is the start of the enforcement process.
"I can refuse to provide information if it is commercially sensitive." Misleading. While trade secrets are protected under Union law and Article 26(4), a blanket refusal is not a valid defence. Providers must engage with the authority to demonstrate why specific data is sensitive and propose alternative ways to provide the necessary evidence (e.g., aggregated data, redacted documents, or on-site inspection). Refusal without justification leads to fines under Article 26(2)(b).
"Only my main EU office needs to respond." Partially correct, but nuanced. While the competent authority of the main establishment has exclusive enforcement competence (Article 25(4)), the information request can be directed at any person "acting for purposes related to their trade... who may reasonably be expected to be aware of information." This explicitly includes subcontractors and auditing organisations. If you are a subcontractor or auditor, you are directly liable to provide information "as soon as possible" if requested.
"The authority can ask for anything they want." No. The request must be relevant to a "suspected infringement" of the Regulation. The authority must respect the principles of proportionality and the rights of defence. If a request is manifestly irrelevant or overly broad, the provider has the right to seek clarification or challenge the request through national judicial remedies, but this must be done while maintaining cooperation where possible.
This is general information about a draft EU regulation, not legal advice.