Summary Yes, under the proposed Cloud and AI Development Act (CADA), any cross-border cooperation request sent by a competent authority of a destination Member State to the competent authority of establishment must be "duly reasoned" (Article 28(3)). This requirement is not merely formal; it is a substantive condition that triggers the establishment authority's duty to assess the matter. If a request lacks sufficient reasoning, the establishment authority may request additional information, which suspends the statutory two-month response deadline until the deficiency is cured. This mechanism ensures that cross-border enforcement is grounded in specific evidence rather than arbitrary suspicion.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. A critical component of this framework is the enforcement mechanism, which relies on cooperation between national competent authorities. Article 28 specifically governs "Cross-border cooperation," defining the procedural obligations when a cloud computing service provider's compliance with Union assurance levels is questioned in a Member State other than where the provider is established.

The Legal Obligation: "Duly Reasoned" Requests

The core procedural safeguard in Article 28 is the requirement for specificity. Article 28(1) empowers a competent authority of a destination Member State to request the competent authority of establishment to assess a suspected infringement if it has "reason to suspect" that a provider no longer fulfils the requirements of Annex II (the criteria for Union assurance levels 1–4).

However, the power to request is constrained by Article 28(3), which mandates that such requests "shall be duly reasoned and shall be duly taken into account by the competent authority of establishment."

This "duly reasoned" standard serves three distinct legal functions within the CADA architecture:

  1. Substantive Basis for Assessment: The competent authority of establishment cannot act on a vague suspicion. The request must articulate the specific facts or evidence leading to the suspicion of non-compliance with the criteria in Annex II (e.g., specific data localisation failures, personnel citizenship issues, or third-country control risks). This ensures the establishment authority can conduct a targeted and effective assessment.
  2. Procedural Trigger for Additional Information: Article 28(3) explicitly links the quality of the reasoning to the timeline of the investigation. It states: "Where the competent authority of establishment considers that the information provided is insufficient, it may either request additional information. The period set out in paragraph 4 shall be suspended until that additional information is provided."
    • This creates a "stop-clock" mechanism. If a destination authority sends a request that is not "duly reasoned" (i.e., it lacks the necessary detail to justify the suspicion), the establishment authority is legally entitled to pause the investigation clock.
    • The suspension continues until the requesting authority provides the missing reasoning or evidence. This prevents the establishment authority from being forced to make a decision based on incomplete or speculative data.
  3. Protection Against Arbitrary Enforcement: By requiring a reasoned basis, CADA protects cloud computing service providers from "fishing expeditions" or politically motivated inquiries from Member States where they do not have their main establishment. The destination authority must demonstrate a concrete link between its suspicion and the specific assurance level criteria.

The Commission's Parallel Role

The requirement for reasoned requests extends beyond Member State interactions. Article 28(2) grants the European Commission the power to request the competent authority of establishment to assess a matter and take necessary investigatory or enforcement measures.

Crucially, Article 28(3) applies equally to Commission requests: "Requests pursuant to paragraph 1 or 2 shall be duly reasoned..." This ensures that even EU-level interventions are grounded in specific evidence regarding sovereignty risks or public order concerns, maintaining consistency in the enforcement framework.

The Establishment Authority's Duty: "Duly Taken Into Account"

The phrase "duly taken into account" in Article 28(3) imposes a mandatory duty on the competent authority of establishment. It cannot ignore a duly reasoned request. However, it does not mean the establishment authority must automatically agree with the destination authority's conclusion.

The establishment authority retains the discretion to:

  • Conduct its own independent investigation.
  • Determine whether the suspicion is well-founded based on the evidence provided.
  • Decide on the specific investigatory or enforcement measures to be taken (or to take no action if the suspicion is unfounded).

Nevertheless, the authority must formally address the request and explain its reasoning in its response.

Timelines and the Response Obligation

Once a request is duly reasoned (and any supplementary information is provided), the clock starts ticking. Article 28(4) imposes a strict deadline on the competent authority of establishment:

"The competent authority of establishment shall, as soon as possible and in any event not later than two months after receipt of the request pursuant to paragraph 1 or 2, communicate to the competent authority that sent the request, and the Commission, its assessment of the suspected infringement and an explanation of any investigatory or enforcement measures taken or envisaged in relation to the matter to ensure compliance with this Regulation."

The response must include:

  1. The Assessment: A determination of whether the provider is in breach of the Union assurance levels.
  2. The Measures: An explanation of any actions taken or planned to ensure compliance.

If the establishment authority fails to respond within two months (excluding any suspension periods for additional information), it risks undermining the consistent application of CADA across the Union.

What this means for you

For cloud computing service providers, legal counsel, and compliance officers, the "duly reasoned" requirement in Article 28(3) is a critical procedural shield and a strategic tool.

1. Verify the Validity of Cross-Border Investigations

If your provider is notified of an investigation triggered by a cross-border request, your first step should be to verify the procedural integrity of that request. Ask your establishment authority (the regulator in your home Member State) whether the request from the destination authority was "duly reasoned."

  • If the request was vague: You may have grounds to argue that the establishment authority should have suspended the timeline under Article 28(3) until the request was clarified.
  • If the timeline was not suspended: This could indicate a procedural error that might be challenged later, potentially invalidating any enforcement measures taken based on that flawed process.

2. Prepare for Targeted Evidence Requests

Because the destination authority must provide specific reasons for its suspicion, the subsequent investigation will likely focus on those specific areas.

  • If the request cites concerns about data localisation (Annex II, point 2(c) or 3(c)), ensure your data flow diagrams and logs are ready.
  • If the request cites personnel citizenship (Annex II, point 3(d)), have your HR records and security clearance documentation prepared.
  • The "duly reasoned" nature of the request means the establishment authority will likely ask for evidence specifically addressing the points raised, rather than a broad, unfocused audit.

3. Monitor the "Stop-Clock" Mechanism

Be aware that the two-month deadline for the establishment authority's response is not absolute. It is subject to suspension if the authority requests additional information from the requester.

  • Strategic Implication: If you are facing a cross-border investigation, delays in the process may be due to the destination authority failing to provide a "duly reasoned" request. This can be a tactical lever to extend the timeline for your internal remediation efforts.

4. Leverage the Commission's Oversight

If the competent authority of establishment fails to "duly take into account" a reasoned request or fails to respond within the two-month window, the Commission has the power to intervene. While Article 28 does not explicitly detail a complaint mechanism for providers, the Commission's role in ensuring consistent application (Article 28(2)) means that systemic failures in cross-border cooperation can be escalated to the EU level.

Common misconceptions

Misconception 1: A destination authority can trigger an investigation based on a hunch. Correction: No. Article 28(1) requires the authority to have "reason to suspect" non-compliance, and Article 28(3) requires the request to be "duly reasoned." A hunch without factual basis does not meet the legal threshold.

Misconception 2: The establishment authority must follow the destination authority's lead. Correction: No. The requirement is that the request be "duly taken into account," not that the establishment authority must agree with it. The establishment authority conducts its own assessment and decides on the appropriate measures.

Misconception 3: The two-month deadline is a hard deadline regardless of the request's quality. Correction: No. Article 28(3) explicitly states that the period is suspended if the establishment authority requests additional information due to insufficient reasoning. The clock only runs when the request is complete and duly reasoned.

Misconception 4: Only Member States can initiate these cross-border checks. Correction: No. Article 28(2) explicitly allows the European Commission to initiate requests, which are subject to the same "duly reasoned" requirement under Article 28(3).

Related

This is general information about a draft EU regulation, not legal advice.