Summary
Under the proposed Cloud and AI Development Act (CADA), the right to claim compensation is explicitly granted to "recipients of the cloud computing services" who have suffered "damage or loss" due to a provider's infringement of the sovereignty framework obligations (Article 24(3)). The term "recipient" is not separately defined in CADA's definitions article (Article 2); instead, eligibility is grounded in the operational relationship with a "cloud computing service provider" (Article 2(2)). Consequently, the right extends beyond public contracting authorities to any entity or person utilizing the service, provided they can demonstrate actual harm caused by a breach of Title IV, Chapter I.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services, mandating that providers meet specific Union Assurance Levels (1–4) to serve public sector bodies and critical entities. To enforce these obligations, Article 24 establishes a dual regime: administrative penalties imposed by Member States and a direct civil right to compensation for affected parties.
While Article 24(1) and (2) task Member States with defining penalties for providers (ensuring they are "effective, proportionate and dissuasive"), Article 24(3) creates a distinct, actionable right for private and public claimants.
The Statutory Basis for Compensation
Article 24(3) states:
"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision establishes three cumulative eligibility criteria for a claimant:
- Status as a "Recipient": The claimant must be a recipient of the cloud computing service.
- Causation: The damage or loss must be directly "due to an infringement" of the obligations in Title IV, Chapter I (the Cloud Computing Sovereignty Framework).
- Harm: The claimant must have suffered actual "damage or loss."
Defining the "Recipient" in the Absence of a Specific Definition
A critical nuance in CADA is that the term "recipient" does not appear in the list of definitions in Article 2. The definitions article explicitly defines:
- "cloud computing service provider" (Article 2(2)): "a legal entity which provides a cloud computing service;"
- "cloud computing service" (Article 2(1)): referencing the definition in Article 6(30) of Directive (EU) 2022/2555 (NIS2), which covers "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources."
Because "recipient" is not defined, its scope must be interpreted contextually against the definition of the service provider and the service itself. A "recipient" is therefore any natural or legal person who accesses, utilizes, or benefits from the cloud computing service under a contractual or operational arrangement with the provider.
This interpretation implies a broad scope of eligibility:
- Public Sector Bodies: Government agencies, ministries, and public authorities procuring services under Article 30 are clearly recipients.
- Private Sector Entities: Businesses, including those in critical sectors listed in Annex I of the NIS2 Directive, that subscribe to cloud services are recipients.
- Downstream Users and Sub-contractors: The text does not limit the right to the direct contracting party. If a sub-contractor or an end-user suffers direct damage due to a provider's infringement (e.g., a data breach caused by a failure to maintain Union Assurance Level 2), they may qualify as a "recipient" depending on the interpretation of "Union and national law" referenced in Article 24(3).
Crucially, the term "recipient" is broader than "contracting authority." While Article 30 imposes specific procurement obligations on contracting authorities, Article 24(3) extends the right to compensation to any recipient. This distinction ensures that the sovereignty framework protects the entire value chain of cloud usage, not just the initial procurement decision.
The Scope of Infringements Triggering Compensation
Eligibility for compensation is strictly limited to infringements of Title IV, Chapter I ("Cloud computing sovereignty framework"). This chapter encompasses:
- Failure to obtain or maintain recognition for a Union Assurance Level (Article 17).
- Failure to undergo required independent audits (Article 20) or to provide necessary audit evidence (Article 21).
- Failure to report material changes affecting assurance status (Article 23).
- Violations of the specific criteria for Union Assurance Levels 1–4 set out in Annex II (e.g., data leaving the Union without authorization, personnel lacking required Union citizenship, or failure to prevent third-country control).
Infringements of other parts of CADA, such as data centre deployment rules in Title III or research initiative obligations in Title II, do not trigger the specific compensation right under Article 24(3). The right is tethered exclusively to the sovereignty and autonomy framework.
Interaction with National Law
Article 24(3) explicitly defers to "Union and national law" for the mechanism of seeking compensation. This means:
- Procedural Rules: The specific court jurisdiction, filing deadlines, and burden of proof will be determined by the national law of the Member State where the claim is brought.
- Quantum of Damages: CADA does not set a fixed compensation amount. The "damage or loss" is calculated according to national civil law principles (e.g., actual loss, lost profits, and potentially moral damages where applicable).
- Causation Standards: The threshold for proving that the infringement "caused" the damage will be governed by national tort or contract law.
What this means for you
For in-house counsel, compliance officers, and legal teams, understanding the scope of Article 24(3) is critical for risk management, contract negotiation, and litigation strategy.
1. Broadening the Scope of Liability
When procuring cloud services, especially for public sector or critical infrastructure roles, recognize that liability is not limited to the direct contracting authority. If your organization relies on a cloud provider that fails to meet sovereignty criteria (e.g., unauthorized data transfer to a third country), and this failure causes you direct loss, you may be a "recipient" eligible for compensation. Standard limitation of liability clauses in contracts may be challenged if they attempt to cap liability for breaches of mandatory EU law obligations under Title IV.
2. Evidence Preservation and Causation
To succeed in a compensation claim, you must prove the causal link between the infringement and the damage. Implement rigorous logging and monitoring of your cloud provider's compliance status. If a provider fails to report a material change (Article 23) that leads to a data breach or service disruption, you must demonstrate that the loss was directly caused by that specific infringement. Maintain records of all communications regarding assurance levels, audit reports, and any notifications of non-compliance.
3. Monitoring Provider Recognition
Verify that your provider is listed in the central repository of recognized services (Article 22). If a provider's recognition is revoked or they fail to maintain their assurance level, you may be exposed to compliance risks under Article 30 (procurement obligations). Documenting this failure is essential for establishing the "infringement" element of an Article 24(3) claim.
4. National Law Interaction
Since Article 24(3) defers to national law for the mechanism of compensation, legal teams must monitor national transposition measures. Procedural rules, statutes of limitations, and the burden of proof will vary by Member State. You must understand the specific procedural hurdles for filing such claims in your jurisdiction.
Common misconceptions
Misconception 1: Only public sector bodies can claim compensation. Reality: Article 24(3) uses the term "recipients of the cloud computing services," not "public authorities." Private sector entities, including SMEs and critical infrastructure operators, are eligible if they suffer loss due to a provider's infringement of the sovereignty framework.
Misconception 2: Compensation covers all CADA violations. Reality: The right to compensation under Article 24(3) is strictly limited to infringements of Title IV, Chapter I (the sovereignty framework). It does not apply to violations of data centre deployment rules (Title III) or research initiative obligations (Title II).
Misconception 3: "Recipient" requires a direct contract. Reality: While a direct contract is the most common scenario, the term "recipient" is not explicitly limited to direct contracting parties in the text. Depending on national law interpretation, downstream users or sub-recipients who suffer direct loss may also have standing, though this will depend on the specific legal framework of the Member State where the claim is filed.
Misconception 4: CADA sets a specific compensation amount. Reality: CADA does not define the quantum of damages. Article 24(3) grants the right to seek compensation, but the amount is determined by national civil law principles (e.g., actual loss, lost profits), not by a fixed penalty schedule within CADA itself.
This is general information about a draft EU regulation, not legal advice.