Summary

Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking or holding Union assurance levels must be prepared for rigorous investigations by the national competent authority of their establishment. Article 26 grants these authorities extensive powers, including the right to demand information, inspect premises, seize data, and record staff explanations. To prepare, providers must designate a dedicated point of contact, maintain organized records of audit evidence (including SBOMs and subcontractor lists), and ensure internal protocols respect the rights of defense and judicial remedies. Crucially, while providers must cooperate, they retain rights to appeal decisions and seek compensation if authorities act improperly.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised sovereignty framework for cloud computing services. A critical pillar of this framework is the enforcement mechanism, which relies on the investigative and enforcement powers of national competent authorities. For cloud providers, understanding the scope of Article 26 is not merely a compliance exercise but a strategic necessity to protect their market access and recognized status.

The Investigative Powers Under Article 26

Article 26 is the primary legal instrument empowering national competent authorities to enforce CADA. It distinguishes between investigative powers (gathering evidence) and enforcement powers (imposing sanctions).

Article 26(1) outlines the investigative toolkit available to the competent authority of the provider's main establishment. These powers include:

  • Information Requests: The authority can require the provider, and any other persons acting for purposes related to their trade (including auditing organisations), to provide information "as soon as possible."
  • Premises Inspections: Authorities can carry out inspections of any premises used for the provider's trade. If necessary, they can request a judicial authority to order these inspections.
  • Data Seizure: Authorities have the power to examine, seize, take, or obtain copies of information relating to a suspected infringement. This applies to information "in any form, irrespective of the storage medium," covering physical servers, cloud logs, and digital backups.
  • Staff Explanations: Authorities may ask members of staff or representatives to give explanations regarding suspected infringements. With the staff member's consent, these answers can be recorded by any technical means.

Article 26(2) details the enforcement powers that may follow an investigation. If an infringement is confirmed, the authority can:

  • Order the cessation of the infringement and impose proportionate remedies.
  • Impose fines for failure to comply with the Regulation, including failure to comply with investigative orders.
  • Impose periodic penalty payments to ensure an infringement is terminated or to enforce compliance with investigative orders.

Preparing for the Investigation: Practical Readiness

To effectively manage an investigation under Article 26, providers should implement robust preparatory measures well before any suspicion of infringement arises. The goal is to demonstrate "effective, dissuasive and proportionate" compliance while protecting the provider's rights.

1. Designate a Single Point of Contact

While Article 26 does not explicitly mandate a single point of contact, operational efficiency and legal consistency demand one. Providers should designate a specific legal or compliance officer responsible for liaising with the competent authority. This ensures that requests for information are handled consistently, preventing the inadvertent provision of conflicting data. This contact person must be trained on the scope of the authority's powers under Article 26 and the provider's rights under Article 26(4).

2. Document Retention and Organization

An investigation will likely focus on the provider's compliance with the criteria for their recognized Union assurance level (Levels 1–4). Providers must maintain organized, retrievable records of:

  • Audit Reports and Opinions: For Levels 2–4, the audit report and the 'positive' audit opinion from the auditing organisation are central to recognition (Article 20). These documents, along with all evidence provided to the auditor, must be readily accessible.
  • EU Statement of Conformity: For Level 1, the self-assessment and the EU statement of conformity must be available (Article 19).
  • Subcontractor Transparency: CADA requires full transparency regarding subcontractors (Annex II). Providers must maintain up-to-date lists of subcontractors, their locations, and the legal, technical, and organisational measures in place to ensure they meet Union assurance criteria.
  • Software Bill of Materials (SBOM): For higher assurance levels, a complete and up-to-date SBOM is mandatory (Annex II). This should be maintained in a format that can be quickly provided to auditors or authorities.
  • Retention Periods: Be aware that revoked recognitions and related audit reports must remain available in the central repository for five years (Article 22(3)). Internal retention policies should align with this to ensure historical data is available if a past recognition is scrutinized.

3. Legal Review of Inspection Rights

While Article 26 grants broad powers, it is not absolute. Article 26(4) explicitly states that measures taken by competent authorities must be "effective, dissuasive and proportionate." Furthermore, the exercise of these powers is subject to adequate safeguards under applicable national law. These safeguards include:

  • The right to respect for private life.
  • The rights of defense, including the right to be heard and to have access to the file.
  • The right to an effective judicial remedy.

Providers should have legal counsel review their inspection protocols to ensure that any seizure of data or premises respects these rights. It is vital to understand that while the authority can request a judicial order for inspections, the provider retains the right to challenge the proportionality of the measure in court.

4. Cooperation with Auditing Organisations

Investigations may involve auditing organisations, as they are often the source of the evidence used for recognition. Article 20(2) requires audited providers to cooperate with auditing organisations and provide them with access to all relevant data and premises. If an investigation reveals issues that led to a 'negative' audit opinion or the revocation of a recognition, the provider must be prepared to explain how they addressed these issues. Failure to cooperate with the auditor can be construed as a failure to cooperate with the authority.

Transparency and Notification Obligations

Preparation is not just about responding to investigations; it is also about proactive compliance to avoid triggering them. Article 23 imposes strict transparency obligations on recognized providers. They must notify the auditing organisation and the national competent authority of any "material change in circumstances" that may affect their audit report or recognition.

Failure to notify can itself be an infringement. Providers should have internal monitoring systems in place to detect such changes immediately. Examples include:

  • A change in subcontractor status or location.
  • A shift in data storage location.
  • A change in corporate control or ownership structure.
  • Any material change in the software supply chain.

Triggering the notification process immediately upon detecting such changes can mitigate the risk of an investigation for non-compliance.

Compensation and Appeal Rights

If an investigation leads to penalties or the revocation of recognition, providers have specific rights to compensation and appeal.

Compensation: Article 24(3) states that recipients of cloud computing services have the right to seek compensation from providers for damage suffered due to infringements. While this primarily protects customers, it also highlights the financial liability providers face. Conversely, if a provider suffers damage due to an authority's improper conduct (e.g., an unlawful seizure of data), they may have grounds for compensation under national law, guided by the safeguards in Article 26(4).

Appeal Rights: If a provider believes the competent authority has acted disproportionately, incorrectly, or in violation of the rights of defense, they can challenge the decision. Article 26(4) mandates that measures are subject to the right to an effective judicial remedy. The specific procedures for appeal are governed by the national law of the Member State where the authority is established. Providers should document all interactions with the authority during the investigation to support any potential appeal or claim for damages if the investigation was conducted improperly.

What this means for you

As a cloud service provider subject to CADA, you cannot treat compliance as a one-time certification. The regulatory environment is dynamic, and the threat of investigation is real.

  • Audit Your Readiness: Conduct internal mock inspections to test your ability to produce audit evidence, SBOMs, and subcontractor records within the timeframes demanded by Article 26.
  • Train Your Staff: Ensure that IT and legal teams understand what constitutes a 'suspected infringement' and how to respond to requests for information without waiving legal privileges. Staff must know they have the right to consent before their explanations are recorded.
  • Update Your Policies: Review your data retention policies to ensure they align with the five-year retention period for revoked recognitions mentioned in Article 22(3). Ensure your contracts with subcontractors include clauses that allow you to provide necessary information to authorities if required.
  • Engage Legal Counsel: Have a legal review of your inspection rights and defense mechanisms in place before an investigation begins. This is particularly important for cross-border providers, as the competent authority is the one in the Member State of your main establishment (Article 25(4)).

Common misconceptions

"Only major breaches trigger investigations." Incorrect. Article 26 allows investigations based on a 'suspected infringement.' This can include minor administrative failures, such as late notification of material changes under Article 23, or incomplete audit evidence.

"I can refuse to provide source code." Partially correct. While Article 26 allows the seizure of information, the extent to which you must provide source code depends on the specific assurance level criteria and the nature of the suspicion. However, for Levels 2–4, you must provide a Software Bill of Materials and evidence of source code audits for third-country components (Annex II). Refusing to provide this can be seen as non-cooperation.

"The Commission conducts all investigations." Incorrect. The primary investigative power lies with the national competent authority of your establishment (Article 25). The Commission plays a role in coordinating cross-border cooperation and resolving disputes between Member States (Article 28), but the initial investigation is national.

"Once recognized, I am safe." Incorrect. Recognition is ongoing. Article 23 requires you to report material changes, and Article 20(8) requires annual reviews of your audit report. Failure to maintain compliance can lead to the revocation of recognition at any time.

This is general information about a draft EU regulation, not legal advice.