Summary

Under the proposed Cloud and AI Development Act (CADA), sovereignty recognition is not a one-time certification but a dynamic status subject to continuous supervision. Once recognised, providers must immediately report any "material change" affecting their assurance level to both their auditing organisation and the national competent authority (NCA) under Article 23. Failure to comply triggers a reassessment cascade that can lead to the revocation of recognition. Furthermore, Article 24 empowers Member States to impose "effective, proportionate and dissuasive" penalties for infringements, while granting service recipients the right to seek compensation for damages. As clarified in Recital 53, enforcement powers are centralised in the NCA of the provider's main establishment, ensuring a single point of oversight across the Union.

Detail

The CADA proposal establishes a rigorous post-recognition framework designed to prevent "sovereignty drift": the situation where a service initially compliant with Union assurance levels gradually deviates due to operational changes, corporate restructuring, or supply-chain shifts. The enforcement mechanism relies on a triad of continuous transparency, independent audit verification, and active NCA oversight.

Centralised Supervision by National Competent Authorities (NCAs)

The proposal explicitly centralises enforcement responsibility to ensure consistency and avoid regulatory fragmentation. Recital 53 states that "the powers to supervise and enforce the obligations relating to the cloud sovereignty framework should be conferred to the competent authorities in the Member State where the main establishment of the cloud computing service provider is located."

This means the NCA of the provider's main establishment holds exclusive competence for enforcing the sovereignty chapter. While other Member States may raise objections during the initial recognition process, ongoing supervision, investigation, and enforcement actions are the sole responsibility of this single authority. This NCA is granted broad investigative powers under Article 26, including the ability to:

  • Require information from the provider, auditors, and subcontractors.
  • Conduct inspections of premises and seize information.
  • Order the cessation of infringements.
  • Impose fines or periodic penalty payments.

This structure ensures that a provider is not subject to conflicting enforcement actions from multiple Member States, streamlining compliance while maintaining strict oversight.

Transparency and Material-Change Reporting (Article 23)

The cornerstone of ongoing enforcement is the transparency obligation set out in Article 23. Providers cannot remain passive after achieving recognition; they must actively monitor their operations and report any developments that could undermine their sovereignty status.

Article 23(1) imposes a strict duty on recognised providers to notify both the auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect:

  • The audit report and the 'positive' audit opinion under Article 20; or
  • The recognition under Article 17.

This obligation is critical because the criteria for Union assurance levels (detailed in Annex II) are cumulative and sensitive to operational changes. For example, a change in the location of data centres, a shift in the nationality of key personnel, a new subcontractor arrangement outside the Union, or a change in corporate control could instantly invalidate a provider's assurance level. The "material change" trigger ensures that the NCA and auditor are alerted immediately, rather than waiting for the next scheduled annual audit.

The Reassessment Cascade and Revocation

The reporting trigger in Article 23 initiates a mandatory reassessment cascade designed to maintain the integrity of the central repository of recognised services:

  1. Auditor Assessment: Upon receiving notification, the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked (Article 23(2)). If the auditor determines the provider no longer complies, it must amend or revoke the opinion and notify the NCA.
  2. NCA Assessment: The NCA then assesses whether its recognition of the service needs to be amended or revoked (Article 23(3)).
  3. Union-Wide Notification: If the NCA amends or revokes the recognition, it must immediately notify the competent authorities of other Member States and the Commission. This ensures that the service is removed from the central repository and that public sector bodies across the Union are aware of the loss of status.

Additionally, Article 17(11) provides a specific ground for revocation: the evaluating NCA may revoke recognition if it finds that the provider "intentionally or negligently supplied incorrect or misleading information." This links the integrity of the initial application to the ongoing honesty of the provider's reporting, creating a continuous liability for misrepresentation.

Penalties and Compensation (Article 24)

To ensure these transparency and compliance obligations are taken seriously, CADA introduces a robust penalty regime in Article 24. Member States are required to lay down rules on penalties applicable to infringements of Title IV (Autonomy) by cloud computing service providers. The proposal mandates that these penalties be "effective, proportionate and dissuasive."

When determining the severity of penalties, Member States must consider the non-exhaustive criteria listed in Article 24(2), which include:

  • The nature, gravity, scale and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Crucially, Article 24(3) establishes a civil liability component: "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter." This creates a direct financial risk for providers who fail to maintain their recognised status or misrepresent their compliance, as public sector bodies (the primary customers) could sue for damages resulting from a loss of sovereignty or service disruption.

What this means for you

For cloud service providers seeking or holding a Union assurance level, the post-recognition phase requires embedding sovereignty compliance into your continuous operational governance. The "set and forget" approach is legally impossible under CADA.

  1. Establish Internal Monitoring Triggers: You must have internal processes to detect "material changes" before they become public or regulatory issues. This includes monitoring changes in subcontractor locations, shifts in ultimate beneficial ownership, modifications to data residency protocols, or changes in the nationality of personnel handling critical infrastructure.
  2. Maintain Audit Readiness: Your relationship with your auditing organisation must be continuous, not just annual. Ensure your audit contracts explicitly allow for immediate reassessment upon notification of material changes, as required by Article 23(2).
  3. Prepare for NCA Scrutiny: As the entity with main establishment in the EU, you will be the primary target for NCA enforcement. Ensure your legal and compliance teams are prepared to respond to information requests and inspections under Article 26, which grants NCAs the power to enter premises and seize data.
  4. Review Contractual Liabilities: Be aware that your customers (particularly public sector bodies) may have recourse for compensation under Article 24(3) if a loss of recognition causes them operational or legal harm. Your contracts should reflect the risks associated with potential revocation.
  5. Implement a "Stop-Work" Protocol: If a material change occurs that might breach your assurance level criteria, you must be prepared to suspend the service or migrate data immediately while the NCA and auditor assess the situation, to avoid further infringement.

Common misconceptions

"Once I pass the audit, I am sovereign for the life of the contract."

  • Reality: Recognition is contingent on ongoing compliance. A single unreported material change can lead to immediate revocation by the NCA or the auditor. The status is dynamic, not static.

"Only the auditor cares about changes."

  • Reality: You have a direct legal obligation to notify the NCA under Article 23(1). Failure to notify the NCA directly is itself an infringement subject to penalties under Article 24, regardless of whether the auditor was informed.

"Penalties are only for fake audits or fraud."

  • Reality: Penalties apply to any infringement of the autonomy chapter, including failing to report material changes, supplying misleading information, or failing to maintain the technical criteria of your assurance level. The criteria for penalties in Article 24(2) explicitly consider the "financial benefits gained" from non-compliance.

"The NCA in the customer's country can fine me."

  • Reality: As per Recital 53, enforcement powers are centralised. Only the NCA of the provider's main establishment has exclusive competence for enforcement. Other Member States must refer suspected infringements to the NCA of establishment under Article 28.

This is general information about a draft EU regulation, not legal advice.