Summary

Under the proposed Cloud and AI Development Act (CADA), a competent authority of establishment must respond to a cross-border cooperation request as soon as possible and in any event not later than two months after receipt. This deadline, set out in Article 28(4), requires the authority to communicate its assessment of the suspected infringement and explain any investigatory or enforcement measures taken or envisaged. Crucially, the two-month clock is suspended if the authority requests additional information under Article 28(3), pausing the deadline until that information is received. This framework ensures consistent enforcement of the Union cloud sovereignty framework while preventing indefinite delays.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised framework for cloud computing sovereignty, relying heavily on cross-border cooperation between national competent authorities to ensure consistent supervision across the single market. Because the authority of establishment holds exclusive competence for enforcing the sovereignty framework chapter (as defined in Article 25(4)), the Regulation creates a specific procedural mechanism for other Member States to trigger enforcement actions when they suspect a provider is non-compliant.

The Trigger: Suspected Non-Compliance

The cross-border cooperation mechanism is activated when a competent authority of destination (the Member State where the cloud service is used or where the infringement is suspected to affect public order) has reason to suspect that a cloud computing service provider no longer fulfils the requirements set out in Annex II of the Regulation. These requirements cover the four Union assurance levels, including criteria for data localisation, personnel citizenship, and the absence of third-country control.

Instead of launching unilateral enforcement actions that could fragment the single market or conflict with the exclusive competence of the establishment authority, the authority of destination must formally request the competent authority of establishment to assess the matter. The request must be duly reasoned, providing the necessary context for the suspected infringement.

The Statutory Deadline: Two Months Maximum

Article 28(4) establishes a definitive timeline for this process to ensure timely resolution of cross-border disputes. Once the competent authority of establishment receives a duly reasoned request, it is legally bound to:

  1. Assess the suspected infringement.
  2. Determine and implement necessary investigatory or enforcement measures to ensure compliance with the Regulation.
  3. Communicate this assessment and the measures taken or envisaged to both the requesting authority (the authority of destination) and the European Commission.

The Regulation mandates that this communication be made "as soon as possible and in any event not later than two months after receipt of the request." This dual phrasing serves two purposes: it encourages authorities to act with urgency ("as soon as possible") while providing a hard statutory cap ("not later than two months") to prevent administrative inertia.

Suspension of the Clock: Article 28(3)

The drafters recognised that complex sovereignty assessments—particularly those involving deep technical audits of software supply chains or third-country control structures—may require more information than is initially provided in a cross-border request. To address this, Article 28(3) introduces a suspension mechanism.

If the competent authority of establishment considers the information provided in the initial request insufficient to conduct a proper assessment, it may request additional information from the requesting authority. The Regulation explicitly states that the two-month period is suspended from the date the authority of establishment issues the request for additional information until the date that information is received.

This suspension ensures that the authority of establishment is not penalised for delays caused by incomplete initial requests. However, it also places a burden on the requesting authority to provide comprehensive evidence upfront. If the initial request is vague or lacks necessary details, the clock stops, potentially prolonging the investigation. Once the additional information is received, the two-month countdown resumes from where it left off.

Content of the Mandatory Response

The response required under Article 28(4) is substantive, not merely procedural. The authority of establishment cannot simply acknowledge receipt; it must provide a detailed communication that includes:

  • An assessment of the suspected infringement: The authority must state whether it agrees that the provider no longer fulfils the requirements of Annex II, or if the suspicion is unfounded.
  • An explanation of measures taken or envisaged: The authority must detail any investigatory steps already taken (e.g., requesting information from the provider under Article 26) or enforcement measures planned (e.g., ordering the cessation of infringements or imposing fines).

This transparency allows the authority of destination to monitor the progress of the case and ensures the Commission remains informed of cross-border enforcement activities. If the authority of establishment fails to act, or if its measures are deemed insufficient, Article 28(2) empowers the Commission to intervene directly, requesting the authority to assess the matter and take necessary measures.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, understanding this timeline is critical for managing regulatory risk and preparing internal response protocols.

1. Anticipate the "Duly Reasoned" Request

The process begins with a formal request from a foreign authority. While the provider may not be immediately notified, the clock starts ticking the moment the authority of establishment receives this request. If the request is "duly reasoned" but lacks specific technical details, the authority may pause the clock under Article 28(3) to ask for more. Providers should be prepared to respond swiftly to any subsequent information requests from the authority of establishment, as delays in providing data can extend the suspension period and prolong the investigation.

2. Monitor the Two-Month Window

Once a cross-border request is lodged, the authority of establishment has a strict two-month window (excluding any suspension periods) to communicate its assessment. If you are the subject of such a request, you should anticipate that the authority of establishment will exercise its own investigative powers under Article 26 within this timeframe. These powers include:

  • Requiring information from your staff, subcontractors, or auditing organisations.
  • Conducting inspections of your premises to examine data or seize copies of information.
  • Ordering the cessation of infringements or imposing fines.

3. Coordinate with Authorities in All Relevant Member States

Because the authority of establishment must communicate with both the requesting authority and the Commission, your legal team must maintain clear lines of communication with all relevant national competent authorities. Misunderstandings about the status of an investigation can lead to inconsistent enforcement actions. If the authority of destination believes the response is inadequate, it may escalate the matter to the Commission under Article 28(2), potentially triggering a higher-level intervention.

4. Document Your Compliance Posture

The assessment under Article 28 will determine whether you fulfil the Union assurance levels. Maintaining up-to-date documentation of your compliance with Annex II criteria is essential. This includes evidence of data localisation, personnel citizenship (where required), and software supply chain transparency. If an authority suspects non-compliance, your ability to demonstrate compliance quickly can influence the outcome of the assessment and the measures envisaged, potentially avoiding enforcement actions.

Common misconceptions

Misconception 1: The two-month clock starts when the provider is notified. The clock starts when the competent authority of establishment receives the request from the authority of destination (Article 28(4)). The provider may not be formally notified until the authority of establishment initiates its own investigative measures, which could happen weeks after the initial request.

Misconception 2: Authorities can take as long as they need if the case is complex. While the clock can be suspended for additional information under Article 28(3), there is no open-ended extension. Once the additional information is provided, the two-month period resumes. Authorities cannot indefinitely delay their assessment without violating the Regulation's procedural requirements.

Misconception 3: The authority of destination can enforce penalties directly. No. Under Article 25(4), the authority of establishment has exclusive competence for enforcing the sovereignty framework chapter. The authority of destination can only request an assessment and enforcement measures. It cannot impose fines or order the cessation of services directly unless the authority of establishment fails to act and the Commission intervenes.

Misconception 4: The response is just a "we are looking into it" email. The response must be substantive. Article 28(4) requires the authority to communicate its assessment of the infringement and an explanation of any measures taken or envisaged. A generic acknowledgment without these details would not satisfy the Regulation.

This is general information about a draft EU regulation, not legal advice.