Summary
As proposed, the Cloud and AI Development Act (CADA) establishes a "one-stop-shop" enforcement model where the national competent authority of the provider's main establishment holds exclusive power to enforce the sovereignty framework. While penalties are calibrated using the infringing party's annual turnover in the Union, the regulation relies on robust cross-border cooperation (Articles 27–28) to ensure that local risks in any Member State trigger action by the lead authority. This structure prevents regulatory fragmentation for global hyperscalers while maintaining strict oversight.
Detail
The proposed Cloud and AI Development Act (CADA) addresses the unique challenge of regulating multinational cloud providers by centralizing enforcement competence while mandating EU-wide cooperation. For hyperscalers operating across the single market, the regulation defines a clear hierarchy of authority, specific investigative powers, and a penalty framework designed to be effective against entities with significant economic capacity.
Exclusive Competence via Main Establishment
The cornerstone of CADA's enforcement architecture is the principle of exclusive competence. Under Article 25(4), the Member State in which the cloud computing service provider has its main establishment shall have exclusive competence for enforcing the sovereignty framework (Title IV, Chapter I).
The proposal defines "main establishment" within Article 25(4) itself as the location where the provider has its "head office or registered office from which the principal financial functions and operational control are exercised." This definition is critical for hyperscalers with multiple EU subsidiaries. It ensures that a provider with operations in ten Member States is not subjected to ten parallel investigations for the same systemic compliance issue. Instead, the authority in the jurisdiction of the main establishment acts as the sole lead evaluator and enforcer for recognition, audits, and penalties.
This exclusivity prevents "forum shopping" by providers and ensures regulatory consistency. However, it places a significant burden on the lead authority to monitor activities that may have cross-border impacts.
Investigative and Enforcement Powers
Once jurisdiction is established, the competent authority of the main establishment is granted robust powers under Article 26 to verify compliance with the Union assurance levels.
Article 26(1) outlines broad investigative powers, including:
- The power to require any cloud computing service provider, as well as "any other persons acting for purposes related to their trade, business, craft or profession" (which explicitly includes auditing organisations), to provide information relating to a suspected infringement.
- The power to carry out inspections of any premises used for trade or business, including the right to seize or copy information in any form.
- The power to ask any member of staff or representative to give explanations and, with consent, record their answers.
Article 26(2) details enforcement powers, allowing authorities to:
- Order the cessation of infringements and impose proportionate remedies.
- Impose fines, or request a judicial authority to do so.
- Impose periodic penalty payments to ensure the termination of an infringement.
Crucially, Article 26(3) mandates that any measures taken must be "effective, dissuasive and proportionate," having regard to the nature, gravity, recurrence, and duration of the infringement, as well as the "economic, technical and operational capacity of the service provider concerned." This ensures that enforcement actions are tailored to the scale of the provider, preventing trivial penalties for massive hyperscalers.
Penalty Calibration: Turnover and Capacity
CADA explicitly ties financial penalties to the economic scale of the infringing party to ensure dissuasiveness. Article 24(2) lists non-exhaustive criteria that Member States must consider when imposing penalties, including:
- The nature, gravity, scale, and duration of the infringement.
- Any financial benefits gained or losses avoided by the infringing party (Article 24(2)(d)).
- The infringing party's annual turnover in the preceding financial year in the Union (Article 24(2)(f)).
By incorporating Union turnover as a specific criterion, the proposal ensures that penalties for global providers reflect their actual market presence and financial resilience within the EU. This aligns with the broader EU regulatory trend of using turnover-based metrics to maintain a level playing field. While CADA does not set a fixed maximum fine (leaving the specific amounts to Member States), the requirement to consider Union turnover ensures that fines can reach significant levels for hyperscalers.
Cross-Border Cooperation and Mutual Assistance
While the authority of establishment holds exclusive competence, CADA recognizes that hyperscalers operate across borders and that risks may manifest locally. To prevent regulatory gaps, Articles 27 and 28 establish mandatory frameworks for mutual assistance and cross-border cooperation.
Article 27 (Mutual Assistance) mandates that competent authorities cooperate closely and provide each other with mutual assistance, including the exchange of information. If an authority in Member State A needs information located in Member State B regarding a provider established in Member State C, it can request assistance. The receiving authority must comply with the request and inform the authority of establishment of the action taken, no later than two months after receipt of the request, unless duly justified.
Article 28 (Cross-border cooperation) addresses enforcement triggers. If a competent authority in a destination Member State suspects that a provider no longer fulfills the requirements of the sovereignty framework, it may request the authority of establishment to assess the matter and take necessary investigatory or enforcement measures. The authority of establishment must communicate its assessment and any measures taken no later than two months after receipt of the request.
Furthermore, Article 28(2) empowers the Commission to request the authority of establishment to assess a matter and take necessary measures, ensuring a Union-level safety net. This mechanism ensures that local concerns in one Member State can trigger enforcement action by the lead authority, maintaining EU-wide consistency without fragmenting enforcement power.
What this means for you
For cloud service providers, particularly hyperscalers, CADA introduces a "single point of contact" model for sovereignty compliance, but with heightened scrutiny and financial exposure.
- Identify Your Lead Authority: Determine your "main establishment" under Article 25(4). This jurisdiction will be your primary interface for enforcement, recognition procedures, and penalty negotiations. Ensure your local legal and compliance teams are prepared to engage with this specific authority as the sole enforcer.
- Prepare for Financial Scrutiny: Since penalties are linked to annual turnover in the Union (Article 24(2)(f)) and the provider's operational capacity (Article 26(3)), maintain accurate records of your EU financial performance. Non-compliance could result in significant financial exposure proportional to your market size.
- Facilitate Cross-Border Requests: Establish internal protocols to respond swiftly to information requests from both your lead authority and other Member States under Articles 27 and 28. Delays in providing data or access to premises can exacerbate penalties and trigger periodic penalty payments.
- Audit Readiness: Given the investigative powers in Article 26, ensure your technical documentation, audit trails, and agreements with auditing organisations are readily accessible. Authorities can inspect premises and seize information, so operational continuity plans should account for potential regulatory interventions.
Common misconceptions
- "Every Member State can enforce against me." False. Article 25(4) grants exclusive competence to the Member State of the main establishment. Other Member States can flag issues and request assistance, but enforcement actions (fines, cessation orders) originate from the lead authority.
- "Fines are fixed amounts." False. CADA uses a criteria-based approach (Article 24), with Union turnover being a key factor. Fines are not static; they scale with your financial footprint and the severity of the breach.
- "Cross-border requests are optional." False. Article 27 imposes a duty to provide mutual assistance. Refusing to share information with another Member State's authority can lead to separate enforcement actions and damage your standing with the lead regulator.
- "Only the provider is liable." Incorrect. Article 26(1) allows authorities to require information from "any other persons acting for purposes related to their trade," explicitly including auditing organisations. Your supply chain partners and auditors may also face direct regulatory scrutiny.
This is general information about a draft EU regulation, not legal advice.