Summary

As proposed, the Cloud and AI Development Act (CADA) and the AI Act establish fundamentally different enforcement architectures. CADA relies on a "home country" control model where a single national competent authority in the provider's state of establishment holds exclusive competence for sovereignty compliance (Articles 25–28). In contrast, the AI Act employs a hybrid model: national market surveillance authorities enforce rules for high-risk AI systems, while the AI Office (European Commission) holds exclusive supervisory powers over general-purpose AI (GPAI) models with systemic risks. Crucially, CADA mandates that Member States define penalties that are "effective, proportionate and dissuasive" but does not set EU-wide fine ceilings, whereas the AI Act imposes strict maximum fines of up to €35 million or 7% of global turnover for the most serious breaches.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, and the AI Act (Regulation (EU) 2024/1689) address distinct layers of the digital stack, resulting in divergent enforcement mechanisms. While both frameworks utilize national competent authorities to ensure compliance, the distribution of power, the structure of penalties, and the mechanisms for cross-border resolution differ significantly.

1. Centralization vs. Hybrid Distribution of Authority

CADA: The "Home Country" Control Model

CADA is designed to prevent market fragmentation in the cloud sovereignty framework by centralizing enforcement at the national level. Article 25(4) explicitly states that the Member State where the cloud computing service provider has its "main establishment" (defined as the head office or registered office from which principal financial functions and operational control are exercised) shall have exclusive competence for enforcing the sovereignty chapter.

This means a provider operating across the EU is supervised by a single primary authority, rather than facing multiple regulators in every Member State where they offer services. Article 26 empowers these national competent authorities with broad investigative and enforcement tools, including:

  • Information Requests: The power to require any provider or person acting for them to provide information regarding suspected infringements (Article 26(1)(a)).
  • Inspections: The power to carry out, or request judicial authorities to order, inspections of premises and seize information (Article 26(1)(b)).
  • Enforcement Orders: The power to order the cessation of infringements, impose remedies, and levy fines or periodic penalty payments (Article 26(2)).

AI Act: A Hybrid Model with Centralized GPAI Oversight

The AI Act distributes enforcement differently based on the risk profile and type of AI. For high-risk AI systems, national market surveillance authorities retain primary enforcement powers, similar to traditional product safety regulations. However, for general-purpose AI (GPAI) models, particularly those posing systemic risks, the AI Office (housed within the European Commission) assumes exclusive supervisory and enforcement powers. This centralization at the EU level for foundational models contrasts sharply with CADA's delegation to national authorities, reflecting the AI Act's focus on managing borderless, systemic risks associated with large-scale models.

2. Penalty Structures: National Discretion vs. Harmonized Ceilings

CADA: Member State Discretion

Under Article 24(1) of CADA, Member States are required to lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." However, the proposal does not specify maximum fine amounts or percentages of turnover in the text itself.

Instead, Article 24(2) provides a non-exhaustive list of criteria for Member States to consider when imposing penalties, including:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided due to the infringement.
  • The infringing party's annual turnover in the preceding financial year in the Union.

This approach leaves significant discretion to national legislators, potentially leading to variation in penalty severity and calculation methods across the EU.

AI Act: Strict EU-Wide Ceilings

The AI Act establishes harmonized maximum administrative fines directly in the regulation to ensure a level playing field. Under Article 99, non-compliance with the prohibited practices (Article 5) can result in fines of up to €35 million or 7% of total worldwide annual turnover, whichever is higher. For other infringements, such as breaches of obligations for high-risk AI systems, fines can reach up to €15 million or 3% of turnover. This creates a predictable, high-stakes penalty landscape that is uniform across all Member States, unlike the variable landscape proposed under CADA.

3. Cross-Border Cooperation Mechanisms

CADA: Mutual Assistance and Objection Procedures

CADA emphasizes structured cooperation between national competent authorities to ensure consistent application of the sovereignty framework. Article 27 establishes a mutual assistance framework, requiring authorities to exchange information and support investigations. Article 28 outlines cross-border cooperation for enforcement actions.

If a competent authority in a "destination" Member State suspects a provider no longer meets sovereignty requirements, it may request the "establishment" authority to assess the matter and take necessary measures. The establishment authority must respond within two months. Furthermore, the recognition procedure for Union assurance levels (Article 17) includes a review period where other Member States can submit reasoned objections. If objections arise and cannot be resolved, the matter can be referred to the Commission for a binding decision (Article 17(10)), ensuring that sovereignty recognition remains consistent EU-wide.

AI Act: The Board and AI Office Coordination

The AI Act relies on the European Artificial Intelligence Board (AI Board) to coordinate national market surveillance authorities and ensure consistent application of the rules. For GPAI models, the AI Office can request information and conduct evaluations directly (AI Act Articles 91–92). While the AI Act also includes mutual assistance provisions, the presence of the AI Office as a central enforcer for systemic risks creates a different dynamic compared to CADA's purely inter-governmental cooperation model.

4. Scope of Enforcement: Sovereignty vs. Safety

CADA enforcement is narrowly focused on sovereignty and operational autonomy. The criteria enforced under Articles 25–28 relate to Union assurance levels, which mandate requirements such as:

  • Data remaining exclusively within the Union.
  • Personnel being Union citizens (for higher assurance levels, conditional at L2, mandatory at L3/L4).
  • Absence of third-country control over the provider.
  • Independent audits by accredited organizations (Article 20).

AI Act enforcement is focused on fundamental rights, safety, and transparency. Market surveillance authorities enforce requirements such as:

  • Risk management systems and data governance.
  • Transparency and human oversight.
  • Compliance with the prohibitions on certain practices (e.g., social scoring, real-time biometric identification).

What this means for you

For in-house counsel and compliance officers, these differences dictate distinct operational strategies:

  1. Identify Your Primary Regulator: Under CADA, you must identify your "main establishment" in the EU. The competent authority in that Member State will be your primary point of contact for sovereignty audits and enforcement. Under the AI Act, you may face multiple national market surveillance authorities depending on where your high-risk AI systems are deployed, plus the AI Office if you develop GPAI models.
  2. Prepare for Variable Penalty Landscapes: When assessing CADA compliance risks, you cannot rely on a single EU-wide fine ceiling. You must monitor national penalty laws in your establishment state and other key markets. In contrast, AI Act compliance requires budgeting for the possibility of fines up to 7% of global turnover, which is a material financial risk for large enterprises.
  3. Audit Readiness: CADA requires independent third-party audits for Union assurance levels 2–4 (Article 20). Ensure your cloud provider contracts allow auditors full access to premises, data, and code. The AI Act also requires conformity assessments, but these are often internal or conducted by notified bodies for high-risk systems, with different documentation requirements.
  4. Cross-Border Coordination: If you operate cloud services across multiple EU states, leverage CADA's mutual assistance mechanisms (Articles 27–28) to resolve disputes. If a destination authority raises concerns, your establishment authority is the primary resolver. Under the AI Act, engage early with the AI Board's coordination mechanisms to ensure consistent treatment across borders.

Common misconceptions

  • "CADA and the AI Act are enforced by the same authorities." Incorrect. While both use "national competent authorities," CADA centralizes sovereignty enforcement in the provider's state of establishment. The AI Act distributes enforcement among national market surveillance authorities for high-risk AI and centralizes it in the AI Office for GPAI models. The roles and powers differ significantly.
  • "CADA fines are as high as AI Act fines." Incorrect. The AI Act sets explicit, high maximum fines (up to 7% of turnover). CADA leaves penalty amounts to Member States, requiring them only to be "effective, proportionate, and dissuasive." This could result in lower or less predictable fines, but also requires monitoring of national law.
  • "Sovereignty compliance under CADA is just another AI Act requirement." Incorrect. CADA's sovereignty framework (Union assurance levels) is a distinct regulatory layer focused on data localization, personnel citizenship, and absence of third-country control. It is not covered by the AI Act, which focuses on safety, fundamental rights, and transparency. Compliance with one does not guarantee compliance with the other.

This is general information about a draft EU regulation, not legal advice.