Summary Under the proposed Cloud and AI Development Act (CADA), a competent authority receiving a mutual assistance request must comply with the request and inform the requesting authority of the action taken "as soon as possible and no later than two months after receipt of the request, unless duly justified" (Article 27(3)). This strict timeline is designed to ensure efficient cross-border supervision of cloud computing sovereignty. While the proposal does not define specific "duly justified" exceptions, it implies that delays must be exceptional and documented. Failure to adhere to these procedural obligations undermines the single market framework, though direct financial penalties under Article 24 primarily target cloud service providers rather than the authorities themselves.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty across the European Union. A critical component of this framework is the cooperation between national competent authorities to ensure consistent supervision and enforcement of the Union assurance levels. Article 27 of the proposal specifically governs "Mutual assistance" between these authorities, creating a binding procedural obligation to exchange information and support investigations.

The Legal Basis for Mutual Assistance

Article 27(1) establishes the foundational principle that "Competent authorities and the Commission shall cooperate closely and provide each other with mutual assistance to apply this Chapter in a consistent and efficient manner." This cooperation explicitly includes the "exchange of information."

When a competent authority needs specific information held by another authority to exercise its investigative powers under Article 26, it may make a formal request under Article 27(2). The requesting authority may ask the other competent authority to provide specific information in their possession relating to a specific cloud computing service provider. If necessary, the receiving authority may involve other relevant public authorities within its Member State to gather this information. This mechanism ensures that the "authority of establishment" (the authority in the Member State where the provider has its main establishment, per Article 25(4)) can effectively enforce the Regulation even when evidence or operational data is located in other Member States.

The Two-Month Deadline: Article 27(3)

The core of the procedural obligation is found in Article 27(3), which sets out a precise and binding timeline for the receiving authority. The text states:

"The competent authority receiving the request pursuant to paragraph 2 shall comply with such request and inform the competent authority of establishment about the action taken, as soon as possible and no later than two months after receipt of the request, unless duly justified."

This provision creates two distinct, cumulative obligations for the receiving authority:

  1. Substantive Compliance: The authority must actually comply with the request for information or assistance.
  2. Procedural Notification: The authority must inform the requesting authority (specifically identified here as the "competent authority of establishment") about the action taken.

The phrase "as soon as possible" indicates an expectation of promptness, establishing a duty of diligence that precedes the hard deadline. The phrase "no later than two months after receipt of the request" sets a definitive outer limit. The only exception to this timeline is if the delay is "duly justified."

Interpreting "Duly Justified"

The proposal does not explicitly define what constitutes a "duly justified" delay within Article 27(3). This leaves room for interpretation based on general principles of EU administrative law and the specific context of the investigation. In practice, "duly justified" would likely require the receiving authority to demonstrate that the delay was caused by exceptional circumstances beyond its control. Examples could include:

  • Complex Legal Hurdles: Situations where the request conflicts with national laws or requires a complex judicial authorisation that cannot be obtained within the standard timeframe.
  • Volume and Complexity: Requests involving massive datasets or highly technical information that requires significant time to aggregate and verify, provided the authority has acted diligently.
  • Force Majeure: Unforeseen events such as natural disasters or severe infrastructure failures.

Crucially, the burden of proof for a "duly justified" delay lies with the receiving authority. They must communicate this justification to the requesting authority, effectively pausing the two-month clock or providing a new, justified timeline. Mere administrative backlog or resource constraints would likely not suffice as a "duly justified" reason under the principle of "consistent and efficient" application required by Article 27(1).

The Role of the Authority of Establishment

Understanding the flow of information is essential. Article 25(4) establishes that the Member State where the cloud computing service provider has its "main establishment" (head office or registered office where principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter. This is the "authority of establishment."

When the authority of establishment needs to investigate a provider that operates across borders, it may need information located in another Member State. Article 27 facilitates this by allowing the authority of establishment to request information from the competent authority in the Member State where the information is located. The two-month deadline in Article 27(3) applies to the authority receiving this request. The text explicitly requires the receiving authority to "inform the competent authority of establishment about the action taken," confirming that the authority of establishment is the primary recipient of the response.

Penalties and Enforcement Context

While Article 27 itself does not list specific fines for missing the two-month deadline, the broader enforcement framework in Title IV, Chapter I (Sovereignty Framework) applies. Article 24 sets out the general penalty rules for infringements of this chapter.

Article 24(1) requires Member States to lay down rules on penalties applicable to infringements of this chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." Article 24(2) lists criteria for imposing penalties, including the nature, gravity, scale, and duration of the infringement.

It is important to note that Article 24 primarily targets cloud computing service providers, not the competent authorities themselves. However, Article 26 grants competent authorities the power to impose fines or request judicial authorities to do so for failure to comply with the Regulation, including investigative orders. While the Regulation does not explicitly prescribe a financial penalty for an authority missing a mutual assistance deadline, persistent failure to comply with mutual assistance obligations could lead to:

  • Infringement Proceedings: The European Commission could initiate infringement proceedings against the Member State for failing to correctly implement or apply the Regulation.
  • Internal Administrative Consequences: National laws may impose administrative sanctions on authorities that fail to meet EU-mandated deadlines.
  • Erosion of Trust: In a framework reliant on "consistent and efficient" cooperation, failure to meet deadlines undermines the integrity of the single market supervision, potentially leading to stricter scrutiny of that Member State's enforcement actions.

Interaction with Cross-Border Cooperation (Article 28)

Article 27 (Mutual Assistance) works in tandem with Article 28 (Cross-border cooperation). Article 28 deals with situations where a competent authority of destination suspects a provider no longer fulfills sovereignty requirements. In such cases, the authority of destination may request the authority of establishment to assess the matter. Article 28(4) sets a similar two-month deadline for the authority of establishment to communicate its assessment and any measures taken. This parallel structure reinforces the importance of the two-month timeframe as a standard for all cross-border supervisory actions under CADA.

What this means for you

For in-house counsel, compliance officers, and legal teams representing cloud computing service providers, understanding Article 27(3) is crucial for managing expectations during cross-border investigations.

  1. Anticipate a Maximum Two-Month Lag: If your provider is under investigation by the authority of establishment, and that authority needs to request information from a host authority in another Member State, you should anticipate a potential delay of up to two months for that specific leg of the investigation. This is a statutory maximum for the administrative process, not necessarily a sign of inefficiency, but a built-in buffer for cross-border coordination.
  2. Prepare for Comprehensive Requests: The "information" requested under Article 27(2) can be broad, relating to the exercise of investigative powers under Article 26. This includes the power to require providers to provide information, inspect premises, and record answers from staff. Ensure your data governance and document retention policies are robust, as authorities will expect quick access to this data once the mutual assistance process is triggered.
  3. Monitor "Duly Justified" Extensions: If an authority informs you that a request is delayed beyond two months, ask for the justification. While the proposal is silent on the specifics, consistent unjustified delays could indicate systemic issues with the supervisory framework in that Member State, which might be worth flagging to your legal team as a risk factor for regulatory arbitrage or inconsistent enforcement.
  4. Cross-Border Consistency: The goal of Article 27 is consistent application. As compliance officers, you should ensure that your provider's response to information requests is consistent across all Member States. The mutual assistance mechanism is designed to prevent regulatory arbitrage, where a provider might receive different levels of scrutiny in different jurisdictions.

Common misconceptions

Misconception 1: The two-month deadline starts when the provider is notified. No. Article 27(3) explicitly states the deadline is "no later than two months after receipt of the request" by the competent authority. The clock starts ticking for the authority, not the company. The provider's own response times are governed by the specific investigative powers in Article 26, which may have different timelines or immediate obligations.

Misconception 2: Only the authority of establishment can make requests. While the authority of establishment has exclusive competence for enforcement (Article 25(4)), Article 27(1) states that "competent authorities and the Commission shall cooperate closely." This implies that any competent authority may request assistance from another if it is necessary for the consistent application of the framework. However, in practice, most requests will likely originate from the authority of establishment or the Commission to ensure centralised enforcement.

Misconception 3: Missing the deadline results in automatic fines for the authority. CADA does not impose automatic financial penalties on authorities for missing deadlines. Penalties under Article 24 are directed at cloud computing service providers. However, authorities are public bodies bound by EU law. Persistent failure to comply with mutual assistance obligations could lead to infringement procedures by the European Commission against the Member State, but this is a state-level issue, not a direct fine on the individual official or authority.

Misconception 4: The request must be complied with in full within two months. Article 27(3) says the authority shall "comply with such request and inform... about the action taken." It does not explicitly state that the entirety of the information must be provided within two months, only that the authority must act and report on the action taken. However, the spirit of "as soon as possible" suggests that partial compliance or significant delays in providing the actual data should be avoided unless duly justified. If the information is complex, the authority should communicate progress and a justified timeline.

Related

This is general information about a draft EU regulation, not legal advice.