Summary
As proposed, the Cloud and AI Development Act (CADA) establishes a centralized enforcement architecture to protect the integrity of the four Union assurance levels for cloud sovereignty. National competent authorities in the provider's Member State of establishment hold exclusive competence to enforce the framework, wielding investigative and corrective powers specifically tied to the recognition tasks under Article 17 and compliance with Annex II criteria. This model, supported by cross-border cooperation mechanisms under Article 28, ensures that providers cannot maintain higher assurance levels (2 to 4) without rigorous, independent verification. Enforcement is not merely punitive; it is structural, designed to safeguard public order and operational autonomy by allowing authorities to revoke recognition if the criteria are no longer met.
Detail
The CADA proposal introduces a harmonized sovereignty framework designed to mitigate the risks of dependence on third-country cloud providers. At the heart of this framework are the four Union assurance levels, defined in Annex II, which range from Level 1 (basic establishment and data localization) to Level 4 (strict personnel citizenship requirements and absence of third-country control). Enforcement is the mechanism that ensures these technical and legal guarantees are not merely theoretical but are continuously validated.
Exclusive Competence and Investigative Powers
A cornerstone of CADA's enforcement strategy is the designation of a single point of regulatory oversight to prevent fragmentation. Under Article 25(4), the Member State where the cloud computing service provider has its main establishment, defined as the head office or registered office from which principal financial functions and operational control are exercised, has exclusive competence for enforcing Chapter I of Title IV.
The powers granted to these national competent authorities are detailed in Article 26. Crucially, these powers are explicitly linked to the authorities' tasks under Article 17, which governs the recognition of cloud computing service providers at specific assurance levels. To carry out these recognition tasks effectively, competent authorities possess significant investigative powers, including:
- Information Requests: The power to require any cloud computing service provider, subcontractors, and auditing organizations to provide information relevant to a suspected infringement (Article 26(1)(a)).
- Inspections and Seizure: The power to carry out, or request a judicial authority to order, inspections of any premises used for trade or business purposes. This includes the power to examine, seize, take, or obtain copies of information in any form, irrespective of the storage medium (Article 26(1)(b)).
- Explanations and Recording: The power to ask any member of staff or representative to give explanations regarding suspected infringements and, with their consent, to record their answers by any technical means (Article 26(1)(c)).
Furthermore, Article 26(2) grants enforcement powers to order the cessation of infringements, impose remedies, impose fines, or levy periodic penalty payments. These measures must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider.
Ensuring Compliance with Assurance Level Criteria (Annex II)
The integrity of the assurance levels relies on strict adherence to the cumulative criteria set out in Annex II. For Union assurance levels 2, 3, and 4, providers must undergo independent third-party audits. Article 28 establishes principles of cross-border cooperation to support this process and ensure that compliance is maintained even when a provider serves customers in other Member States.
If a competent authority in a "destination" Member State has reason to suspect that a cloud computing service provider no longer fulfills the requirements under Annex II, it may request the competent authority of establishment to assess the matter and take the necessary investigatory and enforcement measures. This mechanism is critical for maintaining the trustworthiness of the framework across the single market.
For example, if a provider recognized at Level 3 is found to have subcontractors subject to third-country control in violation of Annex II, Section 3.1(g), the competent authority of establishment must act. Article 17(11) explicitly allows the evaluating national competent authority to revoke its recognition where it finds that a provider "intentionally or negligently, supplied incorrect or misleading information." Similarly, auditing organizations can revoke their audit reports and opinions under Article 20(7) if they discover such misrepresentations, which triggers a mandatory reassessment by the competent authority.
Transparency and Continuous Monitoring
Enforcement is bolstered by transparency obligations under Article 23. Recognized providers must notify the auditing organization and the national competent authority of establishment "as soon as possible" upon becoming aware of any material change in circumstances that may affect their audit report or recognition status. This enables the auditing organization to assess whether the audit report or opinion needs to be amended or revoked. If the audit opinion is revoked, the competent authority must reassess its recognition of the cloud computing service.
The Commission maintains a central repository of recognized services under Article 22. Any revocation of an audit report or recognition is published in this repository and remains available for five years. This public transparency acts as a market-driven enforcement tool, allowing contracting authorities to make informed procurement decisions based on the current, verified assurance level of a provider.
Penalties and Compensation
To ensure deterrence, Article 24 requires Member States to lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." When determining penalties, Member States must consider non-exhaustive criteria such as:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken to mitigate damage.
- Any previous infringements.
- The financial benefits gained or losses avoided.
- The infringing party's annual turnover in the Union.
Additionally, recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty chapter.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the CADA enforcement framework imposes stringent governance and documentation requirements.
- Preparation for Investigation: Your organization must be prepared for on-site inspections and information requests from the competent authority in your Member State of establishment. Ensure that all documentation related to your assurance level application, audit reports, and evidence of compliance with Annex II criteria is readily accessible and verifiable.
- Subcontractor Oversight: Since the criteria for Levels 2 to 4 extend to subcontractors, you must maintain rigorous oversight of your supply chain. Any subcontractor involved in service provision must also meet the establishment, location, and control criteria. Failure to monitor subcontractor compliance can lead to a loss of recognition for the main provider.
- Material Change Reporting: Implement internal processes to detect and report material changes in circumstances promptly. Delays in notifying the auditing organization or competent authority of changes that affect your assurance level status can result in penalties and revocation of recognition.
- Audit Cooperation: Cooperate fully with auditing organizations. Any obstruction or provision of misleading information can lead to the revocation of audit opinions under Article 20 and subsequent enforcement action by national authorities.
- Cross-Border Coordination: If you operate in multiple Member States, be aware that while enforcement is centralized in your establishment state, authorities in other states can trigger investigations under Article 28. Maintain open lines of communication with all relevant national competent authorities.
Common misconceptions
- Misconception: Enforcement is handled by the Commission centrally.
- Reality: As proposed, enforcement is primarily the responsibility of the national competent authority in the provider's Member State of establishment. The Commission's role is supervisory and coordinating, including maintaining the central repository and resolving disputes if national authorities cannot agree.
- Misconception: Once recognized, an assurance level is permanent.
- Reality: Recognition is conditional and continuous. Providers must undergo annual reviews by auditing organizations (for Levels 2 to 4) and report material changes. Competent authorities can revoke recognition if compliance is no longer met or if incorrect information was provided.
- Misconception: Only the cloud provider is liable.
- Reality: The enforcement framework extends to subcontractors and auditing organizations. Auditing organizations can face sanctions for failing to maintain independence or competence, and subcontractors must meet the same sovereignty criteria as the main provider for higher assurance levels.
Related
- Can CADA enforcement lead to a provider losing its assurance-level recognition?
- CADA Enforcement: The Commission's Coordinating Role vs. National Powers
- What records should a provider keep for CADA enforcement?
- CADA Enforcement Timeline: Designating Authorities and Notifying Penalties
- CADA Enforcement: How National Law Shapes Penalties and Procedures
This is general information about a draft EU regulation, not legal advice.