Summary The proposed Cloud and AI Development Act (CADA) grants national competent authorities robust investigative and enforcement powers to ensure compliance with the Union cloud computing sovereignty framework. However, as proposed in Article 26(4), these powers are strictly conditioned on compliance with the general principles of Union law and the Charter of Fundamental Rights. Specifically, any enforcement measure must be taken in accordance with the right to respect for private life, the rights of defence (including the right to be heard and access to the file), and the right to an effective judicial remedy. This ensures that while authorities can inspect premises and demand information to verify sovereignty levels, they cannot do so in a manner that disproportionately infringes on fundamental rights.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a new regulatory layer focused on cloud sovereignty, data-centre capacity, and supply-chain resilience. To enforce this framework, Title IV, Chapter I (Autonomy) designates national competent authorities with significant powers. However, the proposal explicitly embeds these powers within a robust fundamental rights framework to prevent arbitrary enforcement and ensure legal certainty.

The Scope of Enforcement Powers

Under Article 26, national competent authorities are equipped with two distinct categories of powers to enforce the sovereignty framework:

  1. Investigative Powers (Article 26(1)): Authorities may require cloud computing service providers, auditing organisations, and other relevant persons to provide information. They have the power to carry out, or request judicial authorities to order, inspections of any premises used for the provision of services. This includes the right to examine, seize, or obtain copies of information in any form, regardless of the storage medium. Additionally, authorities may ask staff or representatives to give explanations regarding suspected infringements and, with consent, record their answers.
  2. Enforcement Powers (Article 26(2)): Authorities can order the cessation of infringements and impose proportionate remedies. They possess the power to impose fines or request judicial authorities to do so for failure to comply with the Regulation or investigative orders. Furthermore, they may impose periodic penalty payments to ensure the termination of infringements or compliance with investigative orders.

The Fundamental Rights Safeguard: Article 26(4)

The critical balancing mechanism is found in Article 26(4). This provision acts as a constitutional constraint on the powers described above. It mandates that Member States must set out specific rules and procedures for exercising these powers, ensuring that any exercise is subject to "adequate safeguards under applicable national law in compliance with the general principles of Union law."

Crucially, Article 26(4) explicitly lists the fundamental rights that must be respected during enforcement:

  • The right to respect for private life: Enforcement actions, particularly those involving inspections of premises or the seizure of information, must not violate the privacy of individuals or the private life of the provider's personnel.
  • The rights of defence: This includes the right to be heard and the right to have access to the file. Before a final decision is taken (such as imposing a fine), the provider must be given the opportunity to present their case and review the evidence against them.
  • The right to an effective judicial remedy: All affected parties must have the right to challenge enforcement measures in court.

These safeguards ensure that the "teeth" of the Regulation do not override the procedural protections guaranteed by the EU legal order. The proposal requires that measures be taken only in accordance with these rights, meaning that any national implementing legislation must explicitly codify these protections.

Proportionality and Context

The exercise of these powers is further tempered by the principle of proportionality. Article 26(3) states that measures taken by national competent authorities must be "effective, dissuasive and proportionate." When determining the appropriate measure, authorities must consider:

  • The nature, gravity, recurrence, and duration of the infringement or suspected infringement.
  • The economic, technical, and operational capacity of the service provider concerned.

This ensures that enforcement is tailored to the specific context. For instance, a minor procedural error by a small provider would not warrant the same severity of measure as a systemic breach by a major hyperscaler.

The Charter of Fundamental Rights Context

The fundamental rights safeguards in Article 26(4) are not merely procedural formalities; they are grounded in the Charter of Fundamental Rights of the European Union. The explanatory memorandum to the proposal highlights that the legislation has been subject to a comprehensive assessment of its implications for fundamental rights, with particular emphasis on the protection of personal data under Article 8 of the Charter.

The proposal aims to strengthen the protection of personal data by ensuring that data remains under the effective supervision of EU authorities. By mandating that enforcement respects the right to private life, CADA ensures that the sovereignty framework does not become a vehicle for unchecked surveillance. The distinction drawn in the proposal between technical cybersecurity (addressed by the Cybersecurity Act) and sovereignty considerations further reinforces this: while sovereignty checks may involve reviewing ownership structures and control mechanisms, they must still adhere to data protection standards and privacy rights.

Furthermore, the proposal aligns with the general principles of Union law, which include the principle of legal certainty and the principle of proportionality. The requirement for "adequate safeguards" ensures that providers are not subject to arbitrary or unpredictable enforcement actions. The right to an effective judicial remedy, in particular, serves as a final check, allowing courts to review whether the national authority has acted within the bounds of the Regulation and the Charter.

Interaction with Other Rights

While Article 26(4) focuses on private life, defence, and judicial remedy, these rights interact with other fundamental rights protected under the Charter. For example, the right to conduct a business (Article 16) is relevant when authorities impose fines or order the cessation of operations; such measures must not be so severe as to destroy the business unless strictly necessary. The right to protection of personal data (Article 8) is directly engaged when authorities inspect premises or seize data; any data processing during an investigation must be lawful, necessary, and proportionate.

The proposal also acknowledges the role of national law. By requiring Member States to set out specific rules and procedures, CADA allows for the integration of these EU-level safeguards into the existing national legal frameworks, ensuring that the rights of defence and privacy are enforced through familiar and robust national judicial systems.

What this means for you

For legal counsel, compliance officers, and cloud service providers, understanding the interplay between CADA's enforcement powers and fundamental rights is essential for risk management and strategic planning.

1. Procedural Rights in Investigations

If your organisation is subject to an investigation by a national competent authority under CADA, you have specific procedural rights that must be respected:

  • Right to be Heard: You must be given the opportunity to present your arguments and evidence before a final decision is made. Do not assume that an initial finding is final; actively engage in the defence process.
  • Access to the File: You have the right to access the evidence held by the authority that forms the basis of the suspected infringement. This is critical for preparing an effective defence. Ensure your legal team requests full access to the file.
  • Private Life: If an inspection involves personal data or private communications of employees, ensure that the authority respects the right to private life. Any data collection must be strictly limited to what is necessary for the investigation.

2. Challenging Enforcement Actions

The right to an effective judicial remedy is your ultimate safeguard. If you believe that an enforcement action (such as a fine, an order to cease operations, or an inspection) is disproportionate, violates your rights of defence, or infringes on your private life, you can challenge it in court.

  • Document Everything: Maintain detailed records of all interactions with the authority. If you feel your rights were not respected (e.g., denied access to the file), document this immediately as it may be grounds for a legal challenge.
  • Assess Proportionality: When facing a penalty, assess whether the authority considered the nature, gravity, and duration of the infringement, as well as your economic capacity, as required by Article 26(3). If these factors were ignored, the measure may be challenged as disproportionate.

3. Compliance Strategy

To mitigate the risk of enforcement actions:

  • Internal Audits: Conduct regular internal audits to ensure compliance with Union assurance levels. This proactive approach can prevent the need for external investigations.
  • Data Protection Alignment: Ensure that your data handling practices during any potential investigation comply with the GDPR and the Charter. Limit data access to what is strictly necessary.
  • Legal Preparedness: Have a legal team ready to exercise your rights of defence immediately upon notification of an investigation. Early engagement can prevent procedural errors that might later be used against you.

Common misconceptions

"CADA enforcement powers are unlimited and can override privacy rights."

  • Reality: This is incorrect. Article 26(4) explicitly mandates that enforcement measures must respect the right to respect for private life. Authorities cannot conduct inspections or seize data in a manner that violates fundamental privacy rights.

"Providers have no right to challenge enforcement actions."

  • Reality: Providers have a guaranteed right to an effective judicial remedy under Article 26(4). If an authority acts disproportionately or violates procedural rights, providers can challenge the action in court.

"The right to defence only applies after a fine is imposed."

  • Reality: The rights of defence, including the right to be heard and access to the file, apply during the investigation and before a final decision is taken. Authorities must allow providers to present their case before imposing penalties.

"CADA enforcement bypasses national procedural laws."

  • Reality: CADA requires Member States to set out specific rules and procedures for exercising enforcement powers. These national rules must comply with the general principles of Union law and the fundamental rights safeguards listed in Article 26(4).

"All providers are treated the same regardless of size or capacity."

  • Reality: Article 26(3) requires authorities to consider the economic, technical, and operational capacity of the service provider. Enforcement measures must be proportionate to the provider's capacity and the severity of the infringement.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.