Summary
Under the proposed Cloud and AI Development Act (CADA), there is no single, centralized EU-level enforcement board or supranational authority with direct supervisory powers over cloud providers. Instead, the proposal establishes a decentralised enforcement model where each Member State designates one or more national competent authorities responsible for enforcing the cloud sovereignty framework. These authorities operate through robust mutual assistance and cross-border cooperation mechanisms defined in Article 27, ensuring EU-wide consistency without a new EU agency. The European Commission does not act as a direct enforcer but maintains a public register of these authorities and resolves disputes between them.
Detail
The enforcement architecture of the proposed CADA is explicitly designed to operate through existing national administrative structures rather than creating a new EU agency or a centralised "CADA Board." This approach aligns with the proposal's reliance on Member State administrative capacities while ensuring EU-wide consistency through harmonised rules and mandatory cooperation protocols.
Decentralised Enforcement Model: No Single EU Enforcer
CADA does not create a new "CADA Board" or an EU-wide enforcement body with direct investigative powers. Instead, Article 25 mandates that Member States designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework (Title IV of the regulation). No later than one year after the regulation's entry into force, Member States must notify the Commission of the names, tasks, and powers of these authorities. The Commission is then required to maintain a public register of these designated authorities, providing a clear point of contact for market participants and other regulators across the Union.
Crucially, the proposal assigns exclusive competence for enforcement to the Member State where the cloud computing service provider has its main establishment. As defined in Article 25(4), this is the location of the head office or registered office from which the principal financial functions and operational control are exercised. This "main establishment" principle prevents multiple Member States from simultaneously enforcing conflicting rules against the same provider, reducing regulatory fragmentation and legal uncertainty. It ensures that a provider faces a single primary regulator for sovereignty compliance, even if it serves customers across the entire EU.
Powers of National Competent Authorities
The national competent authorities are granted significant investigative and enforcement powers under Article 26. Investigative powers include the ability to require providers to provide information, carry out inspections of premises, and record statements from staff. Enforcement powers allow authorities to order the cessation of infringements, impose fines, and levy periodic penalty payments to ensure compliance. These measures must be effective, dissuasive and proportionate, taking into account the nature, gravity, recurrence and duration of the infringement.
Cooperation and Mutual Assistance: The Role of Article 27
To prevent the decentralised model from leading to regulatory gaps or "enforcement havens," CADA establishes robust cooperation mechanisms. Article 27 outlines the principles of mutual assistance between Member States' competent authorities and the Commission. This includes the exchange of information and the ability for one authority to request specific information from an authority located in a different Member State.
Under Article 27(2), a competent authority may request other competent authorities to provide specific information in their possession relating to a specific cloud computing service provider to exercise its investigative powers. The receiving authority is legally obliged to comply with such requests and inform the requesting authority of the actions taken, no later than two months after receipt of the request, unless duly justified. This mechanism ensures that authorities can access evidence located in other jurisdictions without needing to establish their own physical presence there.
Furthermore, Article 28 sets out principles for cross-border cooperation in enforcement actions. If a competent authority in a destination Member State suspects that a provider no longer fulfils the requirements of the sovereignty framework, it can request the competent authority of the provider's establishment to assess the matter and take necessary investigatory or enforcement measures. The Commission can also initiate such requests. This ensures that a provider cannot evade oversight simply by operating across borders or by having its main establishment in a Member State with lax enforcement.
Role of the Commission: Coordinator, Not Enforcer
While the Commission does not act as a direct enforcer against providers, it plays a critical coordinating and supervisory role. Beyond maintaining the public register of authorities under Article 25(2), the Commission can intervene in cases of disagreement between national authorities. For instance, if a reasoned objection to a recognition decision is submitted by one Member State and cannot be resolved between the evaluating authority and the objecting authority, the matter can be referred to the Commission. Under Article 17(10), the Commission may adopt a binding decision determining whether the evaluating national competent authority may adopt the recognition decision.
Additionally, the Commission monitors the overall application of the regulation and will report to the European Parliament and Council five years after entry into force. It also has the power to request information from national competent authorities to carry out its tasks, ensuring that the decentralised system functions cohesively.
What this means for you
For in-house counsel, compliance officers, and cloud service providers, understanding this decentralised model is critical for managing regulatory risk and resource allocation.
- Identify Your Lead Authority: Determine the Member State where your main establishment is located. This national competent authority will have exclusive competence for enforcing CADA's sovereignty framework against your organization. You must ensure your compliance programs are aligned with the specific procedural rules and enforcement priorities of that jurisdiction, while adhering to the uniform EU-wide criteria.
- Prepare for Cross-Border Scrutiny: Even if your lead authority is in one Member State, authorities in other Member States where you provide services to public sector bodies can request information and trigger investigations under Article 27 and Article 28. Ensure your internal governance supports rapid information retrieval and cooperation with multiple national regulators. Be prepared to respond to information requests from authorities in other Member States within the two-month statutory window.
- Monitor the Commission Register: Keep abreast of the Commission's public register of competent authorities. This register will be your primary source for identifying the correct points of contact for regulatory inquiries, notifications, and cooperation requests. It ensures transparency and allows providers to verify the legitimacy of any authority claiming enforcement powers.
- Resource Allocation: Since there is no single EU enforcement board, you must budget for compliance activities that account for the "main establishment" rule. However, the need to cooperate with authorities in other Member States under mutual assistance provisions means your legal and compliance teams must be prepared for cross-border interactions, even if the primary enforcement relationship remains with one national authority.
Common misconceptions
- "There is a new EU Cloud Enforcement Agency." Incorrect. CADA relies on existing national structures. There is no new supranational agency with direct supervisory powers over cloud providers.
- "Any Member State can enforce CADA against any provider." Incorrect. Enforcement competence is exclusive to the Member State of the provider's main establishment. Other Member States can only request assistance or trigger investigations through the cooperation mechanisms in Article 27 and Article 28.
- "The Commission directly investigates cloud providers." Incorrect. The Commission does not have direct investigative powers over providers under CADA. Its role is coordinative: maintaining the register of authorities, resolving disputes between national authorities, and monitoring overall implementation.
- "Mutual assistance is optional." Incorrect. Under Article 27, competent authorities are legally obliged to comply with information requests from other Member States within two months, unless duly justified. This is a mandatory mechanism to ensure the effectiveness of the decentralised model.
This is general information about a draft EU regulation, not legal advice.