Summary Under the proposed Cloud and AI Development Act (CADA), national competent authorities (NCAs) would cooperate through two distinct mechanisms. Mutual assistance (Article 27, as proposed) is for information sharing: an NCA may ask another NCA to provide specific information in its possession about a provider, and the receiving authority must act within two months. Cross-border cooperation (Article 28, as proposed) is for enforcement: where a "destination" NCA suspects a provider no longer meets the Annex II criteria, it asks the "establishment" NCA to assess the matter and take investigatory and enforcement measures, again within two months. Both would underpin consistent EU-wide supervision of recognised cloud services. CADA is a proposal (COM(2026) 502 final), not yet in force.
Detail
The CADA proposal would build a single market for recognised cloud computing services at defined Union assurance levels, enforced — as proposed — by the NCA of the provider's main establishment, which would hold exclusive competence for enforcing the sovereignty Chapter (Article 25(4)). To stop providers slipping between jurisdictions and to keep supervision consistent, Articles 27 and 28 would set up two cooperation channels: routine information exchange (mutual assistance) and substantive enforcement coordination (cross-border cooperation).
Mutual assistance: information sharing (Article 27)
Article 27, as proposed, would require competent authorities and the Commission to cooperate closely and provide each other mutual assistance to apply the Chapter consistently and efficiently; this assistance "shall include the exchange of information" (Article 27(1)).
- Trigger and scope: A competent authority may request another to provide specific information in its possession relating to a specific cloud computing service provider, so the requesting authority can exercise its investigative powers under Article 26 regarding information located in the requested authority's Member State (Article 27(2)).
- Obligation to comply: The receiving authority "shall comply with such request" and inform the competent authority of establishment of the action taken, as soon as possible and no later than two months after receipt, unless duly justified (Article 27(3)).
- Involving others: Where appropriate, the receiving authority may involve other competent or public authorities of its Member State to fulfil the request (Article 27(2)).
This channel is essentially investigative and administrative — gathering facts and evidence to support supervision. It does not, in itself, impose sanctions.
Cross-border cooperation: enforcement (Article 28)
Article 28, as proposed, would address the cross-border reality of cloud services, where an NCA in a Member State where the service is used (the "destination") may be first to detect a problem but lacks enforcement competence over the provider.
- Trigger: Where a destination NCA has reason to suspect that a provider no longer fulfils the requirements under Annex II, it may request the establishment NCA to assess the matter and take the necessary investigatory and enforcement measures to ensure compliance (Article 28(1)).
- Commission role: The Commission may also request the establishment NCA (the authority referred to in Article 25) to assess the matter and take such measures (Article 28(2)).
- Procedure: Requests must be duly reasoned and duly taken into account. If the establishment NCA considers the information insufficient, it may request additional information, and the two-month deadline is suspended until that information is provided (Article 28(3)).
- Deadline and reporting: The establishment NCA must, as soon as possible and in any event not later than two months after receipt of the request, communicate to the requesting authority and the Commission its assessment of the suspected infringement and an explanation of any investigatory or enforcement measures taken or envisaged (Article 28(4)).
In effect, this would keep substantive enforcement with the authority that has primary jurisdiction (establishment), while letting destination authorities act as an early-warning system.
Key distinctions
| Feature | Mutual assistance (Art 27) | Cross-border cooperation (Art 28) |
|---|---|---|
| Primary purpose | Information sharing and investigative support. | Enforcement and compliance assessment. |
| Trigger | Need for specific information to exercise Art 26 powers. | Suspicion that a provider no longer meets Annex II criteria. |
| Initiator | Any competent authority (or the Commission). | Destination NCA or the Commission. |
| Target authority | Another competent authority holding the information. | Competent authority of establishment. |
| Outcome | Provision of information. | Assessment plus investigatory and enforcement measures. |
| Deadline | Act within two months (unless duly justified). | Respond within two months (suspended if more info sought). |
What this means for you
For in-house counsel and compliance officers at recognised (or candidate) cloud providers:
- Expect coordinated scrutiny. As proposed, NCAs would not act in silos. A concern raised in any Member State where you operate can be routed to your establishment NCA, which holds exclusive enforcement competence (Article 25(4)).
- Your establishment NCA is the pivot. Under Article 28, the establishment NCA carries out the assessment and any enforcement. Maintaining a constructive relationship with it is the single most useful preparation.
- Plan for two-month cycles. Both Articles 27 and 28 bind authorities to roughly two-month timelines. In practice that compresses the window in which you may be asked for documentation, explanations or a remediation plan.
- Keep evidence ready. Mutual assistance turns on "specific information in possession." Keep records on infrastructure location, subcontractors and personnel (the Annex II criteria) readily retrievable so you can respond before the clock against the authority is paused by a request for more information.
- Consistency across borders matters. Because a destination NCA can trigger Article 28 on suspicion that you no longer meet Annex II, a compliance gap in one market can prompt an assessment that bites EU-wide via the establishment NCA.
Common misconceptions
- "Any NCA can fine me directly under mutual assistance." No. Article 27 is limited to information sharing and investigative support. Enforcement powers (cessation orders, fines, periodic penalties) sit with the establishment NCA under Article 26, coordinated where relevant through Article 28.
- "The destination NCA can sanction my service." No. As proposed, the destination NCA must request the establishment NCA to act; the establishment NCA decides on and takes the measures, though it must duly take the reasoned request into account (Article 28(1) and (3)).
- "The two-month deadline is something I have to meet." The two-month deadlines bind the NCAs, not the provider. But because the clock pauses while an authority awaits additional information, prompt responses from you keep the process moving rather than stalling it.
Related
- CADA: who designates an acceleration zone vs a strategic project?
- CADA voluntary recognition vs mandatory procurement levels
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- CADA Union assurance recognition vs ISO 27001: are they comparable?
- CADA Union assurance level 3 vs level 4: what is the highest tier?
This is general information about a draft EU regulation, not legal advice.