Summary
As proposed, the Cloud and AI Development Act (CADA) ensures consistent enforcement across the EU by establishing a "single market" approach to sovereignty compliance. The national competent authority of the cloud provider's main establishment holds exclusive competence for enforcement, preventing fragmented investigations. This centralization is supported by mandatory mutual assistance obligations for information sharing (Article 27) and structured cross-border cooperation mechanisms for handling suspected infringements (Article 28), with the Commission acting as a final coordinator to resolve disputes and ensure uniform application.
Detail
The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, proposes a harmonized regulatory framework to strengthen Europe's cloud and AI ecosystem. A critical component of this framework is the enforcement mechanism, designed specifically to avoid the regulatory fragmentation that often plagues cross-border digital services. Unlike general market surveillance where multiple authorities might intervene, CADA adopts a "home country control" model for the sovereignty framework, supported by rigorous cooperation protocols.
Exclusive Competence: The "One Authority" Principle
The cornerstone of CADA's enforcement consistency is the principle of exclusive competence. Under Article 25(4) of the proposal, the Member State in which the cloud computing service provider has its main establishment holds exclusive competence for enforcing the sovereignty framework chapter.
The proposal defines the "main establishment" strictly as the location where the provider has its head office or registered office from which the principal financial functions and operational control are exercised. This definition is crucial; it prevents providers from artificially shifting their regulatory burden to a Member State with a lighter regulatory touch.
This centralization ensures that a cloud provider operating across all 27 Member States is supervised by a single national authority. Consequently, the interpretation of complex sovereignty criteria, such as the requirements for Union Assurance Levels 1 through 4, remains uniform. It eliminates the risk of a provider facing conflicting investigations, divergent penalty regimes, or contradictory remedial orders from every Member State where it has customers.
Mutual Assistance: Mandatory Information Sharing
While enforcement competence is centralized, the risks associated with cloud services are inherently cross-border. Data may be processed in one Member State, while infrastructure is located in another, and the provider's customers may be spread across the Union. To address this, Article 27 establishes a robust framework for mutual assistance.
Article 27(1) explicitly mandates that competent authorities and the Commission shall cooperate closely and provide each other with mutual assistance to apply the chapter in a consistent and efficient manner. This provision is vital for authorities to verify claims made by cloud providers regarding their infrastructure locations, data residency, and third-country control structures.
Under Article 27(2), a competent authority may request other competent authorities to provide specific information in their possession relating to a specific cloud service provider. This allows the authority of establishment to access evidence located in other Member States, such as server logs, subcontractor contracts, or local operational records held by entities within their jurisdiction.
Crucially, Article 27(3) imposes a binding time limit on this cooperation. The competent authority receiving the request must comply and inform the requesting authority of the action taken as soon as possible, and no later than two months after receipt, unless duly justified. This time-bound obligation prevents authorities from stalling investigations by withholding critical data or engaging in bureaucratic delays, ensuring that the "single market" enforcement model functions in practice.
Cross-Border Cooperation and Escalation
Mutual assistance handles the flow of information, but Article 28 addresses active enforcement actions and suspected infringements across borders. This article outlines the principles of cross-border cooperation to ensure that a suspicion raised in one Member State is handled by the authority with the proper jurisdiction.
If a "competent authority of destination" (a Member State where the service is used or where a suspected infringement is observed) suspects that a cloud service provider no longer fulfills the requirements of the sovereignty framework, for example if data is being processed outside the Union contrary to the assurance level, it cannot unilaterally penalize the provider. Instead, Article 28(1) requires it to request the "competent authority of establishment" to assess the matter and take the necessary investigatory and enforcement measures.
This process ensures that the authority with the deepest knowledge of the provider's overall structure and the exclusive competence to enforce the rules handles the case. The authority of establishment must communicate its assessment of the suspected infringement and an explanation of any investigatory or enforcement measures taken or envisaged to the requesting authority and the Commission within two months (Article 28(4)).
Furthermore, Article 28(2) grants the European Commission a direct coordination role. The Commission may request the competent authority of establishment to assess a matter and take necessary measures. This provides a central oversight mechanism, ensuring that if national authorities fail to act on serious sovereignty risks, or if there is a risk of inconsistent application across the Union, the Commission can trigger an investigation. This backstop is essential for maintaining the integrity of the single market.
The Role of National Competent Authorities and Penalties
To support this framework, Member States must designate one or more national competent authorities by one year after the Regulation's entry into force (Article 25(1)). These authorities are granted significant investigative and enforcement powers under Article 26, including the power to require information, inspect premises, order the cessation of infringements, and impose fines or periodic penalty payments.
Article 24 sets out the framework for penalties, requiring Member States to lay down rules on penalties that are effective, proportionate and dissuasive. While the exact fine amounts are left to national law, the criteria for imposition include the nature, gravity, scale, and duration of the infringement, as well as the provider's annual turnover in the Union. This harmonization of penalty criteria, combined with the centralized enforcement structure, aims to create a level playing field where non-compliance carries a predictable cost regardless of where the provider is established.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud computing service providers, CADA's enforcement structure brings both clarity and heightened responsibility.
- Identify Your Authority of Establishment: You must clearly determine which Member State hosts your main establishment. This authority will be your sole regulator for sovereignty compliance. Ensure your legal entity structure, registered office details, and documentation of where "principal financial functions and operational control" are exercised are robust and defensible. Any ambiguity here could lead to disputes over jurisdiction.
- Prepare for Cross-Border Data Requests: Under Article 27, your local entities in other Member States may be asked to provide information to the authority of establishment, or vice versa. Internal data governance policies must allow for the secure and timely transfer of audit evidence, infrastructure logs, and contractual documents across borders. You must be ready to facilitate these exchanges within the two-month statutory window.
- Monitor Destination Market Feedback: Even if you are regulated by one authority, you must monitor compliance in all destination markets. Under Article 28, a complaint or suspicion from a user in Germany could trigger an investigation by your authority of establishment in Ireland. Proactive monitoring of local market concerns and rapid response to local authorities are essential to prevent escalation.
- Engage with the Commission: If you believe a national authority is not acting consistently or is misinterpreting the sovereignty criteria, the Commission's role in coordination (Article 28(2)) provides a potential avenue for resolution. The Commission can intervene if it identifies systemic risks or if national authorities fail to act. Maintain open lines of communication with both national authorities and the Commission.
Common misconceptions
- "Every Member State can fine me for sovereignty violations." Incorrect. As proposed, Article 25(4) grants exclusive enforcement competence to the Member State of the provider's main establishment. Other Member States cannot directly impose penalties for infringements of the sovereignty chapter; they must refer concerns to the authority of establishment.
- "Mutual assistance is optional or slow." Incorrect. Article 27(3) creates a binding obligation for competent authorities to comply with information requests within a two-month timeframe, unless duly justified. Failure to cooperate is a breach of the Regulation's cooperation framework and can hinder the entire enforcement ecosystem.
- "The Commission directly investigates all providers." Incorrect. The Commission does not act as the primary investigator for every case. It relies on national competent authorities to conduct investigations. However, it can trigger investigations under Article 28(2) if it identifies systemic risks or if national authorities fail to act, ensuring a backstop for consistent enforcement.
- "The authority of destination can block my service immediately." Incorrect. While the authority of destination can raise suspicions, it cannot unilaterally order the cessation of an infringement or impose penalties. It must request the authority of establishment to take action under Article 28(1).
This is general information about a draft EU regulation, not legal advice.