Summary
Under the proposed Cloud and AI Development Act (CADA), the national competent authority (NCA) would be the body designated to enforce the cloud sovereignty and Union assurance-level framework (Article 25) — distinct from the data protection authority (DPA) that enforces the GDPR. DPAs focus on personal-data rights; a CADA NCA would exercise investigative and enforcement powers under Article 26 to verify sovereignty criteria such as infrastructure location, subcontractor transparency and third-country control. A provider can be GDPR-compliant yet fail a CADA assessment, and may answer to both. CADA is a proposal (COM(2026) 502 final), not yet in force.
Detail
The CADA proposal would create a specialised enforcement architecture that runs parallel to, but is distinct from, existing data-protection supervision. For in-house counsel managing both cloud sovereignty and data privacy, the divergence between the CADA NCA and the DPA matters for governance, reporting lines and incident response.
Designation and competence: Article 25
Article 25, as proposed, would require Member States to designate one or more national competent authorities responsible for enforcing the sovereignty Chapter within one year of the Regulation's entry into force; Member States may designate an existing authority (Article 25(1)). Member States would notify the Commission, which maintains a public register (Article 25(2)).
Article 25(4) sets out competence by establishment:
"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."
This single point of enforcement resembles the GDPR's one-stop-shop in structure, but operates under CADA's own procedural rules and substantive scope.
Enforcement powers: Article 26 vs DPA powers
The powers under Article 26 are geared to verifying technical and operational sovereignty (data localisation, subcontractor transparency, third-country control, and — at higher levels — personnel criteria) rather than data-subject rights.
Investigative powers (Article 26(1)), where needed to carry out tasks under Article 17:
- Require any provider, any person acting in a trade or business capacity, or any auditing organisation that may hold information on a suspected infringement to provide that information.
- Carry out, or ask a judicial authority or other public authorities to order, inspections of business premises to examine, seize or copy information in any storage medium.
- Ask staff or representatives to give explanations, and — with their consent — record the answers.
Enforcement powers (Article 26(2)):
- Order cessation of infringements and impose proportionate remedies (or ask a judicial authority to do so).
- Impose fines, or request a judicial authority to do so, for non-compliance, including with investigative orders.
- Impose periodic penalty payments in accordance with Article 24.
Article 26(3) requires measures to be effective, dissuasive and proportionate, and Article 26(4) requires safeguards including the rights of defence and effective judicial remedy.
Comparison with data protection authorities
| Feature | CADA national competent authority (NCA) | Data protection authority (DPA) |
|---|---|---|
| Legal basis | CADA (proposed Regulation) | GDPR (Regulation (EU) 2016/679) |
| Primary focus | Cloud sovereignty: operational autonomy, data localisation, third-country control. | Personal-data protection and data-subject rights. |
| Key trigger | Suspected non-compliance with the Annex II Union assurance-level criteria. | Infringement of GDPR principles and obligations. |
| Typical evidence | Infrastructure location, software supply chain (SBOMs), subcontractor and personnel records. | Records of processing, DPIAs, security measures for personal data. |
| Jurisdiction | Exclusive competence in the Member State of main establishment (Art 25(4)). | Lead supervisory authority by main establishment for cross-border processing. |
Coexistence, not replacement. Recital 63 of the proposal states that the criteria under the Union assurance levels should not affect obligations of cross-border cooperation provided by Union law, and notes that where cloud services process personal data the GDPR requires agreeing organisational and technical measures. An NCA would not replace a DPA: a provider could face an NCA assessment for failing the sovereignty criteria and, separately, a DPA for failing to protect personal data — two distinct breaches under two regimes.
Penalties and compensation
Under Article 24, Member States would lay down penalties that are effective, proportionate and dissuasive, taking into account criteria such as the nature, gravity, scale and duration of the infringement and the party's annual turnover in the Union (Article 24(2)). Article 24(3) gives recipients of cloud services the right to seek compensation, under Union and national law, for damage or loss suffered due to a provider's infringement — a private remedy alongside the administrative penalties an NCA may impose.
What this means for you
For in-house counsel and compliance officers, the NCA/DPA split shapes governance and incident response.
1. Map your authorities. Identify your EU main establishment: this determines which NCA would have exclusive competence over CADA enforcement (Article 25(4)). Separately identify your GDPR lead supervisory authority. Some Member States may designate the same body for both, but the mandates remain legally distinct — expect possibly separate guidance and reporting lines.
2. Be audit-ready on sovereignty criteria. Unlike much GDPR compliance, CADA assessment is heavily technical and structural. For Article 26(1) inspections, keep ready: precise infrastructure, backup and disaster-recovery locations; software supply-chain transparency (SBOMs) and subcontractor records; and, for higher assurance levels, evidence of personnel criteria such as Union citizenship and, where applicable, security screening.
3. Align incident response. A single event can trigger both GDPR notification to the DPA and CADA transparency obligations under Article 23, which requires a recognised provider to notify the auditing organisation and the NCA of its Member State of establishment, as soon as possible, of any material change that may affect its audit report, positive opinion or recognition. Failure to do so can lead the auditor to revise or revoke the opinion and the NCA to amend or revoke recognition.
4. Tighten subcontractor contracts. The Annex II criteria reach subcontractors involved in providing the service. Ensure contracts support NCA inspections and bind subcontractors to the relevant localisation and sovereignty requirements.
Common misconceptions
Misconception 1: The NCA is just the DPA renamed. Correction: Even where a Member State designates the same body for both roles, the powers and substantive requirements differ. A CADA NCA focuses on operational autonomy and sovereignty; a DPA on individual privacy. A provider can be GDPR-compliant yet fail the Annex II criteria — for instance on third-country control.
Misconception 2: CADA only governs public-sector contracts. Correction: The procurement rules in Article 30 target public bodies, but the recognition framework and NCA powers apply to any provider seeking recognition at a Union assurance level. Private entities in NIS2 Annex I sectors may also carry out assessments under Article 31, drawing them toward the same standards.
Misconception 3: GDPR adequacy suffices for CADA. Correction: Recital 61 indicates that, for Union assurance level 3, the Commission may allow a third-country-controlled service to be audited where specific safeguards exist, and should assess whether a GDPR Article 45 adequacy decision applies and how far it extends. Adequacy is one factor, not a substitute: CADA addresses risks of unauthorised access and service disruption beyond data-transfer mechanisms.
This is general information about a draft EU regulation, not legal advice.