Summary

Under the proposed Cloud and AI Development Act (CADA), enforcement of the cloud sovereignty framework is the exclusive responsibility of the national competent authority in the Member State where the cloud computing service provider has its main establishment (Article 25(4)). While the NIS2 Directive establishes cybersecurity obligations for essential and important entities, CADA introduces a distinct sovereignty regime. Member States may reuse existing authorities designated under NIS2 or other legislation to enforce CADA, provided those authorities are given the necessary powers and resources (Article 25(1) and (3)). The two regimes intersect operationally in public procurement and risk assessments: public sector bodies must assess which Union assurance level their cloud services require, taking into account the sectors listed in Annex I or II of NIS2 (Article 29), and private entities in NIS2 Annex I sectors may carry out similar assessments (Article 31), so that cybersecurity and sovereignty risks are managed together.

Detail

The interaction between CADA enforcement and the NIS2 Directive is defined by a clear division of labor between cybersecurity compliance and sovereignty assurance, coordinated through overlapping public sector obligations and shared supervisory structures. CADA is a proposal (COM(2026) 502 final) and is not yet in force; the following analysis reflects its provisions as proposed.

Designation of Competent Authorities and Reuse of Existing Structures

CADA establishes a specific enforcement mechanism for the Union cloud computing sovereignty framework. Under Article 25(1), Member States must designate one or more national competent authorities responsible for enforcing Chapter I of Title IV. Crucially, to avoid administrative duplication, the proposal explicitly permits reuse of existing bodies: "Member States may designate an existing authority or existing authorities ('competent authorities')."

This provision enables Member States to reuse authorities already designated under other Union legislation, such as those supervising cybersecurity under NIS2 or data protection under the GDPR. However, the designation is not automatic; the authority must be granted the specific powers and resources required by CADA. Article 25(3) mandates that Member States ensure their competent authorities have "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence."

Exclusive Competence and Territorial Jurisdiction

While authorities may be reused, jurisdiction is strictly territorial and centralized. Article 25(4) mandates that the Member State where the cloud computing service provider has its main establishment (defined as the head office or registered office from which principal financial functions and operational control are exercised) has "exclusive competence for enforcing this Chapter."

This single-point-of-entry model prevents fragmented enforcement across the EU. It parallels NIS2, which likewise places cloud computing service providers under the jurisdiction of the Member State of their main establishment (Article 26(1)(b) of Directive (EU) 2022/2555), so the same Member State will often supervise a provider under both regimes; what differs is the subject matter of supervision. Note, however, that the two instruments define main establishment differently (NIS2 looks to where cybersecurity risk-management decisions are predominantly taken, Article 26(2)), so the supervising Member State will not always coincide. Under CADA, a provider established in France but serving clients in Germany, Italy, and Spain is supervised exclusively by the French competent authority regarding its sovereignty compliance. This ensures a unified standard for the provider's recognition status across the Union.

Investigative and Enforcement Powers

The powers granted to these national competent authorities under Article 26 are robust and mirror those found in other significant EU digital regulations. To carry out their tasks under Article 17 (recognition of cloud services), competent authorities have investigative powers, including:

  • The power to require cloud providers and auditing organisations to provide information (Article 26(1)(a)).
  • The power to carry out inspections of premises and seize or copy information (Article 26(1)(b)).
  • The power to ask staff or representatives to give explanations (Article 26(1)(c)).

For enforcement, authorities can order the cessation of infringements, impose fines, or impose periodic penalty payments (Article 26(2)). These measures must be "effective, dissuasive and proportionate" (Article 26(3)). While NIS2 focuses on cybersecurity risk management and incident reporting, CADA's enforcement targets compliance with the sovereignty criteria in Annex II, such as data localization, personnel citizenship, and the absence of third-country control.

Cross-Border Cooperation and Mutual Assistance

Because cloud providers often operate across borders, CADA includes mechanisms for cross-border cooperation that may interact with NIS2's cross-border enforcement structures. Article 27 outlines mutual assistance, allowing competent authorities to exchange information and request specific data from other Member States to exercise investigative powers.

Article 28 establishes cross-border cooperation for enforcement. If a competent authority in a destination Member State (where the service is used) suspects a provider no longer fulfills the requirements in Annex II, it may request the competent authority of establishment to assess the matter and take the necessary investigatory and enforcement measures (Article 28(1)). The authority of establishment must communicate its assessment and any measures taken within two months (Article 28(4)). This mechanism ensures that while enforcement is exclusive to the country of establishment, the concerns of the destination country are formally addressed.

Intersection with NIS2 Entities and Risk Assessments

The most direct operational interaction between CADA and NIS2 occurs in the procurement and risk assessment phases for entities in critical sectors. Article 29 requires Member States and Union entities to conduct risk assessments to determine which Union assurance level (2, 3, or 4) is appropriate for public sector activities. These assessments must consider sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2).

Furthermore, Article 31 explicitly addresses private sector entities. Entities in the sectors listed in Annex I of NIS2 (sectors of high criticality) that are not public sector bodies "may carry out similar assessments as those set out in Article 29." The Commission may also issue guidance or adopt delegated acts requiring impact assessments and risk mitigation measures for private companies operating in sectors of high criticality (Article 31(2)-(3)). The Article 31 assessment is therefore voluntary unless and until the Commission makes it mandatory by delegated act, but NIS2-regulated entities that rely on cloud services have a clear incentive to align their cybersecurity risk management with CADA's sovereignty risk assessments, so that the services they procure meet the assurance level their sector warrants.

Penalties and Compensation

CADA introduces its own penalty regime for infringements of the sovereignty framework, distinct from NIS2 penalties. Article 24 requires Member States to lay down rules on penalties for infringements by cloud computing service providers. These penalties must be effective, proportionate, and dissuasive. Factors to consider include the nature, gravity, and duration of the infringement, as well as the infringer's annual turnover in the Union (Article 24(2)). Additionally, recipients of cloud services have the right to seek compensation from providers for damage suffered due to infringements of their obligations under the sovereignty chapter (Article 24(3)). This compensation right provides a private enforcement mechanism that complements the public enforcement by national competent authorities.

What this means for you

For in-house counsel and compliance officers at entities subject to NIS2, particularly those in the public sector or critical infrastructure, the interaction with CADA requires a two-track compliance strategy:

  1. Authority Identification: Identify which national competent authority is designated for CADA enforcement in your provider's Member State of establishment. If your organization is a cloud provider, you must engage with the authority in your main establishment country, not necessarily where your clients are located. If your organization is a public body, verify if your national NIS2 authority has also been designated as the CADA authority.
  2. Integrated Risk Assessments: Conduct the CADA-mandated risk assessments (Article 29) in parallel with your NIS2 cybersecurity risk management. For public sector bodies, this determines the mandatory Union assurance level for procurement. For NIS2 Annex I private entities, you should voluntarily conduct similar impact assessments (Article 31) to mitigate sovereignty risks alongside cybersecurity risks.
  3. Contractual Review: Ensure contracts with cloud providers include clauses that allow for the verification of Union assurance levels and provide for compensation in case of sovereignty framework infringements (Article 24(3)).
  4. Audit Preparedness: Prepare for independent third-party audits if you are a cloud provider seeking Union assurance levels 2, 3, or 4. Ensure your documentation meets the criteria in Annex II and that you can cooperate with auditing organisations and competent authorities as required by Articles 20 and 26.

Common misconceptions

  • "NIS2 compliance automatically satisfies CADA sovereignty requirements." This is incorrect. NIS2 focuses on cybersecurity risk management, while CADA focuses on sovereignty, data localization, and operational autonomy. A provider may be NIS2-compliant but fail to meet Union assurance level 3 criteria regarding third-country control or personnel citizenship.
  • "Local NIS2 supervisors enforce CADA rules for foreign providers." No. Under Article 25(4), enforcement is exclusive to the Member State of the provider's main establishment. Local supervisors may request assistance via cross-border cooperation (Article 28), but they do not have direct enforcement jurisdiction over the provider's sovereignty compliance.
  • "Private companies are exempt from CADA assessments." While mandatory risk assessments under Article 29 apply to public sector bodies, NIS2 Annex I entities are explicitly allowed to conduct similar assessments under Article 31, and the Commission may mandate them for high-criticality sectors. Ignoring this overlap may leave critical infrastructure vulnerable to sovereignty risks not covered by NIS2 alone.

This is general information about a draft EU regulation, not legal advice.