Summary
Under the proposed Cloud and AI Development Act (CADA), the burden of proof in enforcement cases rests squarely with the national competent authority of the Member State where the cloud computing service provider has its main establishment. The authority must investigate suspected infringements and gather sufficient evidence to establish a breach of the Union cloud computing sovereignty framework. However, providers are not passive subjects; Article 26 grants them specific procedural safeguards, including the right to be heard and access to the file, ensuring a fair administrative process before penalties are imposed. While CADA sets these minimum rights, the specific conduct of investigations and enforcement proceedings is governed by the national procedural rules of the relevant Member State.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous sovereignty framework for cloud computing services, particularly those procured by public sector bodies to safeguard the Union's public order. To ensure compliance with the Union assurance levels and other obligations, the proposal empowers national competent authorities to supervise and enforce these rules. A critical component of this enforcement mechanism is the allocation of the burden of proof and the procedural rights afforded to investigated entities.
Investigation Powers and the Burden of Proof
Under CADA, the primary burden of proving an infringement lies with the national competent authority. The proposal does not shift the burden of proof to the provider to demonstrate their innocence; rather, the authority must build a case based on evidence gathered through its investigative powers.
Article 26(1) explicitly grants these authorities the power to require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft, or profession, to provide information as soon as possible. This includes the power to:
- Carry out, or request a judicial authority to order, inspections of any premises used for purposes related to the trade, business, craft, or profession.
- Examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
- Ask any member of staff or representative of the provider to give explanations in respect of any information relating to a suspected infringement and, with their consent, to record their answers.
The authority must substantiate any finding of infringement with this gathered evidence. However, while the burden of proof remains with the authority, the provider has a statutory obligation to cooperate with the investigation. This cooperation includes providing access to relevant data and premises and answering oral or written questions. If a provider fails to cooperate, refuses access, or supplies incorrect or misleading information, this failure can constitute an infringement in itself, subject to penalties under Article 24. Thus, while the provider does not have to prove they are compliant from the outset, their failure to assist the authority in verifying compliance can lead to adverse consequences.
Rights of Defence and Access to the File
While the authority bears the burden of proof, CADA incorporates fundamental procedural safeguards to protect providers from arbitrary enforcement. Article 26(4) is pivotal in this regard, mandating that measures taken by national competent authorities in exercising their powers shall be subject to adequate safeguards under applicable national law in compliance with the general principles of Union law.
Specifically, Article 26(4) requires that these measures respect:
- The right to respect for private life.
- The rights of defence, including the right to be heard.
- The right to have access to the file.
- The right of all affected parties to an effective judicial remedy.
This means that before a competent authority imposes a final penalty or enforcement measure, the provider must be given a meaningful opportunity to review the evidence against them (access to the file) and present their own arguments and evidence (right to be heard). This ensures that the provider can challenge the authority's findings, correct factual errors, or provide context that might mitigate the severity of the infringement. These rights align CADA with established EU administrative law principles, ensuring that enforcement is transparent, fair, and proportionate.
Governance by National Procedural Rules
CADA sets the substantive rules for the sovereignty framework and establishes minimum standards for procedural rights, but it does not create a fully harmonised EU-wide enforcement procedure. Instead, Article 26(4) requires Member States to set out specific rules and procedures for the exercise of the investigative and enforcement powers listed in paragraphs 1 and 2.
Consequently, while the right to access the file and the right to be heard are guaranteed across the Union, the specific mechanics of how these rights are exercised will vary by jurisdiction. For example:
- Timing: The deadlines for submitting observations after receiving the file may differ between Member States.
- Scope of Access: The extent to which third-party data or confidential business information can be redacted before being shared with the provider may be governed by national laws on professional secrecy.
- Hearing Format: Whether the "right to be heard" is exercised in writing, orally, or through a formal hearing will depend on national administrative procedure codes.
In-house counsel must therefore be familiar with the specific administrative enforcement procedures in the Member State where the provider has its main establishment, as the competent authority of that Member State is the exclusive competent authority for enforcement under Article 25(4).
Penalties and the Dual Risk Landscape
If the competent authority successfully proves an infringement, Article 24 outlines the consequences. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." When determining the level of penalties, authorities must consider non-exhaustive criteria including the nature, gravity, scale, and duration of the infringement, any action taken to mitigate damage, previous infringements, and the financial benefits gained by the infringing party.
Furthermore, Article 24(3) introduces a dual risk for providers: in addition to administrative fines, recipients of the cloud computing services have the right to seek compensation for any damage or loss suffered due to the provider's infringement. This creates a potential civil liability exposure alongside the regulatory penalty.
What this means for you
For in-house counsel, compliance officers, and legal teams, understanding the interplay between the burden of proof, procedural rights, and national rules under CADA is essential for managing regulatory risk.
- Prepare for Investigations: Ensure your organization has a clear, documented protocol for responding to information requests from national competent authorities. Under Article 26(1), authorities can demand information and access to premises. Delaying or refusing cooperation can exacerbate the situation and may itself constitute an infringement.
- Leverage Procedural Rights: If your company is under investigation, actively exercise the rights granted in Article 26(4). Request full access to the file to understand the specific evidence against you. Prepare a robust defence and ensure you are formally heard before any decision is finalized. Do not assume that the authority's initial findings are final.
- Monitor National Implementations: Since CADA relies on national procedural rules for enforcement, monitor how Member States implement Article 26(4). Differences in how "access to the file" or "right to be heard" are interpreted can significantly impact your defence strategy. Engage with local legal counsel in the Member State of your main establishment to navigate these specific procedural nuances.
- Document Compliance: Maintain thorough records of your conformity assessments, audit reports, and internal controls. While the burden of proof is on the authority, having clear, accessible documentation can help demonstrate compliance, refute allegations, and potentially mitigate penalties if an infringement is found.
Common misconceptions
"The provider must prove they are compliant." No. The burden of proof rests with the national competent authority. However, providers must cooperate and provide requested information. Failure to do so can lead to penalties for non-cooperation or for supplying incorrect information, which can indirectly shift the evidentiary landscape against the provider.
"CADA provides a uniform EU-wide enforcement procedure." No. CADA sets minimum standards for rights (Article 26(4)), but the specific procedural rules for investigations, hearings, and file access are determined by national law. Procedures will vary across Member States, requiring a tailored approach for each jurisdiction.
"Only the competent authority can impose penalties." No. While authorities impose administrative fines, service recipients (e.g., public sector bodies) can also seek civil compensation for damages caused by infringements under Article 24(3). This creates a dual layer of liability.
"The right to be heard is optional." No. Under Article 26(4), the right to be heard is a mandatory safeguard. Any enforcement measure taken without affording the provider this right would be subject to judicial review and potential annulment.
This is general information about a draft EU regulation, not legal advice.