Summary
Under the proposed Cloud and AI Development Act (CADA), Member States would establish penalty rules for cloud computing service providers that must be "effective, proportionate and dissuasive." When determining the specific penalty for infringements of the cloud sovereignty framework, authorities would consider a non-exhaustive list of criteria. Crucially, Article 24(2)(b) mandates consideration of "any action taken by the infringing party to mitigate or remedy the damage," while Article 24(2)(c) requires weighing "any previous infringements by the infringing party." The proposal also includes an open-ended catch-all clause in Article 24(2)(e) for "any other aggravating or mitigating factor applicable to the circumstances of the case," ensuring flexibility in enforcement.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework. A critical pillar of this framework is the enforcement mechanism designed to ensure compliance with the Union assurance levels. Unlike regulations that prescribe fixed fines for specific breaches, CADA adopts a principles-based approach to penalties, delegating the specific rules to Member States while mandating a set of harmonised criteria for their application.
Article 24 of the proposal, titled "Penalties and compensation," serves as the primary legal basis for this enforcement regime. Paragraph 1 establishes the overarching obligation: Member States shall lay down the rules on penalties applicable to infringements of the sovereignty chapter (Title IV, Chapter I) by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."
To ensure that penalties are not applied arbitrarily but are instead tailored to the specific gravity of the breach and the conduct of the provider, Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account when imposing penalties. This list is designed to balance the need for deterrence with the principles of fairness and proportionality.
The Non-Exhaustive Criteria for Penalty Determination
The proposal explicitly identifies six specific criteria, plus a catch-all provision, that would influence the final penalty amount. These criteria allow national competent authorities to calibrate sanctions based on the provider's behaviour, the impact of the infringement, and their financial capacity.
Mitigating Factors: The Value of Remedial Action
A key innovation in the CADA proposal is the explicit recognition of remedial behaviour as a mitigating factor.
- Remedial Action (Article 24(2)(b)): The text mandates that authorities consider "any action taken by the infringing party to mitigate or remedy the damage caused by the infringement." This criterion incentivises cloud providers to act swiftly and transparently upon discovering a compliance failure. If a provider identifies a breach of the sovereignty framework (for example, an unauthorised transfer of data outside the Union) and immediately takes steps to contain the risk, notify affected public sector bodies, and restore compliance, this proactive conduct would be weighed in their favour. The provision aims to shift the regulatory dynamic from pure punishment to corrective action, encouraging self-reporting and rapid remediation.
- Open-Ended Mitigation (Article 24(2)(e)): The proposal includes a flexible clause for "any other aggravating or mitigating factor applicable to the circumstances of the case." This allows authorities to consider unique contextual elements that may not fit neatly into the other categories. For instance, a provider might demonstrate that the infringement resulted from a genuine, isolated error despite a robust internal compliance programme, or that they provided exceptional cooperation during the investigation. This open-ended nature ensures that the penalty regime remains adaptable to complex real-world scenarios.
Aggravating Factors: The Cost of Recidivism and Gain
Conversely, the proposal identifies specific behaviours and circumstances that would justify higher penalties.
- Prior Infringements (Article 24(2)(c)): The text explicitly lists "any previous infringements by the infringing party" as a criterion. This is a clear signal that recidivism would be treated severely. A history of non-compliance suggests a systemic failure in the provider's governance or a wilful disregard for the regulation. If a provider has previously been penalised for similar sovereignty breaches, the new penalty would likely be aggravated to reflect this pattern of behaviour.
- Nature, Gravity, Scale, and Duration (Article 24(2)(a)): While applicable to all infringements, these factors often drive the baseline severity. A breach that affects a large number of public sector bodies, involves highly sensitive data, or persists over a long period would naturally carry a higher weight than a minor, short-lived technical glitch.
- Financial Benefit (Article 24(2)(d)): Authorities must consider "the financial benefits gained or losses avoided by the infringing party due to the infringement." This criterion prevents providers from treating fines as a mere cost of doing business. If a provider saved significant costs by bypassing required security measures or gained an unfair market advantage through non-compliant practices, the penalty would be adjusted to strip away those illicit gains and impose an additional deterrent.
- Open-Ended Aggravation (Article 24(2)(e)): The same catch-all clause that allows for mitigation also permits the consideration of other negative circumstances. This could include intentional misconduct, obstruction of the investigation, or the concealment of the infringement.
Financial Capacity and Proportionality
Finally, Article 24(2)(f) requires authorities to consider the "infringing party's annual turnover in the preceding financial year in the Union." This ensures that penalties are dissuasive for large corporations while remaining proportionate for smaller entities. A fixed fine that might cripple a small provider could be trivial for a major hyperscaler; linking penalties to turnover (within the bounds of national law) helps level the playing field and ensures the "dissuasive" requirement of Article 24(1) is met across the market.
Right to Compensation
Beyond administrative penalties, Article 24(3) establishes a civil remedy. It states that recipients of cloud computing services shall have the right to seek compensation from cloud computing service providers for any damage or loss suffered due to an infringement. This creates a dual-layer accountability system: regulatory fines paid to the state and civil damages paid to affected customers.
What this means for you
For in-house counsel, compliance officers, and risk managers, the explicit listing of mitigating and aggravating factors in Article 24 fundamentally changes how organisations should approach compliance failures and regulatory investigations under the proposed CADA.
1. Document Remedial Actions Rigorously. Because Article 24(2)(b) explicitly values action taken to mitigate damage, your incident response protocols must be robust and meticulously documented. If a compliance breach occurs, do not just fix the technical issue. You must document every step taken to contain the risk, notify stakeholders, and prevent recurrence. This documentation will be critical evidence when arguing for a reduced penalty. The burden of proof lies with the provider to demonstrate that the action was effective in mitigating the damage.
2. Monitor and Rectify Prior Infringements. Article 24(2)(c) highlights that previous infringements will weigh against you. Ensure that past compliance issues are fully resolved and that lessons learned are integrated into your governance framework. A pattern of repeated, unaddressed minor breaches could be viewed as systemic negligence, significantly aggravating future penalties. Regular internal audits are essential to identify and rectify issues before they become "previous infringements" in the eyes of an authority.
3. Leverage the "Other Factors" Clause. The open-ended nature of Article 24(2)(e) means you can argue for contextual mitigations. If your organisation has a mature compliance programme, invests heavily in security, or cooperates fully with authorities, ensure these facts are highlighted in any regulatory correspondence. Conversely, be aware that authorities can also use this clause to aggravate penalties for bad faith or obstruction.
4. Prepare for Financial Scrutiny. With penalties linked to turnover (Article 24(2)(f)), ensure your financial reporting is accurate and transparent. Disputes over turnover figures could complicate penalty negotiations. Furthermore, understand that the "financial benefits gained" criterion (Article 24(2)(d)) means that any cost savings derived from non-compliance will be scrutinised and likely factored into the penalty calculation.
5. Assess Civil Liability Exposure. Remember that administrative penalties are not the only risk. Article 24(3) exposes providers to civil claims for damages. Your risk assessment should include the potential cost of compensating public sector clients for service disruptions or data issues caused by non-compliance. The dual threat of regulatory fines and civil damages creates a significant financial exposure that must be managed proactively.
Common misconceptions
Misconception 1: Penalties are fixed fines. Unlike some regulations that set strict fixed fines for specific breaches, CADA Article 24 requires penalties to be proportionate and dissuasive, based on a range of criteria. This means there is significant discretion for national authorities, and the final amount will depend heavily on the specific facts of the case, including mitigating and aggravating factors.
Misconception 2: Only the severity of the breach matters. While the nature and gravity of the infringement are important, Article 24(2) makes it clear that behavioural factors (like remedial action and prior history) are equally critical. A severe breach that is immediately and effectively remedied may result in a lower penalty than a minor breach that is concealed or repeated.
Misconception 3: The list of factors is exhaustive. The text uses the phrase "non-exhaustive criteria" and includes "any other aggravating or mitigating factor." This means authorities are not limited to the listed items. They can consider any relevant circumstance, giving them broad flexibility but also requiring providers to be prepared to argue the broader context of their case.
Misconception 4: Only the state imposes penalties. Article 24(3) clarifies that service recipients (public sector bodies) also have the right to seek compensation. Compliance failures can trigger both regulatory fines and civil lawsuits, doubling the financial and reputational risk.
This is general information about a draft EU regulation, not legal advice.