What are national competent authorities under CADA?

Summary CADA is a proposal (COM(2026) 502 final) and is not yet in force. As proposed, national competent authorities would be the public bodies that each Member State designates to enforce the cloud computing sovereignty framework (Title IV, Chapter I). Under Article 25(1), every Member State would have to designate one or more such authorities — and could designate an existing authority — within one year of CADA's entry into force, then notify them to the Commission for a public register. Under Article 25(4), the authority in the Member State of the provider's main establishment would have exclusive competence to enforce the chapter against that provider, and Article 26 would give it substantial investigative and enforcement powers.

Detail

CADA's enforcement provisions sit in Title IV ("Autonomy"), Chapter I ("Cloud computing sovereignty framework"). National competent authorities would be the front line of that chapter: they would recognise providers that meet a Union assurance level (Article 17), supervise ongoing compliance, and enforce the rules.

Designation and scope (Article 25(1)-(2))

As proposed, Article 25(1) would require Member States to designate "one or more national competent authorities responsible for enforcing this Chapter" — that is, Title IV, Chapter I — by the date of entry into force plus one year. Importantly, Member States "may designate an existing authority or existing authorities", rather than build a new regulator from scratch; in practice many are likely to assign the role to an existing cybersecurity, data-protection or market-surveillance body.

Under Article 25(2), Member States would notify the Commission of the names of the authorities and of their tasks and powers, and the Commission "shall maintain a public register of those authorities."

Exclusive competence by establishment (Article 25(4))

The defining feature of the enforcement model is establishment-based exclusivity. As proposed, Article 25(4) would provide that the Member State "in which the cloud computing service provider has its main establishment ... shall have exclusive competence for enforcing this Chapter." The proposal defines main establishment in the same provision as the place where the provider "has its head office or registered office from which the principal financial functions and operational control are exercised."

This one-stop-shop design is meant to prevent fragmentation and conflicting decisions across the Union: a provider active in several Member States would deal primarily with its home authority, while cross-border concerns are handled through cooperation rather than parallel enforcement. That same authority of establishment would also act as the "evaluating national competent authority" when a provider applies for recognition of an assurance level (Article 17(2)).

Investigative and enforcement powers (Article 26)

Article 26 would arm these authorities with two sets of powers, exercisable "where needed to carry out their tasks under Article 17."

Investigative powers (Article 26(1)):

• require any provider, or any other person acting for purposes related to their trade, business, craft or profession — expressly including auditing organisations — who may reasonably be expected to know of information on a suspected infringement, to provide it as soon as possible (point (a));
• carry out, or ask a judicial authority to order, inspections of premises used for such purposes — or request other public authorities to do so — to examine, seize, take or copy information relating to a suspected infringement in any form, on any storage medium (point (b)); and
• ask any staff member or representative to give explanations on information relating to a suspected infringement and, with consent, record the answers (point (c)).

Enforcement powers (Article 26(2)):

• order the cessation of infringements and, where appropriate, impose proportionate remedies, or request a judicial authority to do so (point (a));
• impose fines, or request a judicial authority to do so, for non-compliance, including with investigative orders (point (b)); and
• impose periodic penalty payments, or request a judicial authority to do so, in accordance with Article 24 (point (c)).

Under Article 26(3), measures would have to be "effective, dissuasive and proportionate", with regard to the nature, gravity, recurrence and duration of the infringement and, where relevant, the economic, technical and operational capacity of the provider.

Safeguards (Article 26(4))

Article 26(4) would require Member States to set procedures for exercising these powers subject to adequate safeguards under national law and the general principles of Union law — in particular the right to respect for private life, the rights of defence (including the right to be heard and to access the file), and the right to an effective judicial remedy.

Cooperation and mutual assistance (Articles 27-28)

Because cloud services are cross-border, CADA would add cooperation mechanisms. Article 27 ("Mutual assistance") would require competent authorities and the Commission to cooperate closely and exchange information; an authority could ask another, in whose Member State relevant information is located, to provide specific information, and the receiving authority would have to comply and report back, as soon as possible and no later than two months after receipt, unless duly justified.

Article 28 ("Cross-border cooperation") would address enforcement triggered from outside the establishment State: where a competent authority of destination suspects a provider no longer meets the Annex II requirements, it could ask the competent authority of establishment to assess the matter and take the necessary investigatory and enforcement measures (the Commission could make the same request under Article 28(2)). The authority of establishment would have to respond, in any event no later than two months after receipt of the request.

Resources and impartiality (Article 25(3))

Article 25(3) would require Member States to ensure their authorities act impartially, transparently and in a timely manner, and to give them "all necessary resources ... including sufficient technical, financial and human resources" to supervise the providers within their competence — a notable demand given the technical depth of auditing sovereignty criteria.

What this means for you

For in-house counsel and compliance leads at cloud providers, the designation of national competent authorities would reshape your regulatory relationships.

1. Identify your authority of establishment. Your primary regulator would be the authority in the Member State of your main establishment (Article 25(4)). Once CADA enters into force, watch the Commission's public register to confirm which body holds that role, and make sure your internal compliance maps treat it as the single point of contact for sovereignty enforcement.
2. Prepare for scrutiny. The Article 26 powers include information requests, premises inspections and data seizure. Be ready to produce assurance-level compliance evidence quickly, to substantiate your "main establishment" through documented financial-function and operational-control lines, and to support auditing organisations, on whom authorities would rely heavily for Levels 2-4.
3. Account for penalties and remedies. Article 24 would have Member States set "effective, proportionate and dissuasive" penalties, weighing the gravity and duration of the infringement, prior infringements, financial benefit, and Union turnover (Article 24(2)). Authorities could also order cessation and periodic penalty payments. Reflect this in your risk frameworks.
4. Engage during the run-up. Member States would have a year to designate and notify. Use that window to engage national regulators on reporting, audits and expected evidence, so your processes align with local enforcement priorities.

Common misconceptions

"CADA creates a brand-new regulator in every country." As proposed, Article 25(1) lets Member States "designate an existing authority." Many are expected to use existing cybersecurity, data-protection or market-surveillance bodies.

"Any Member State where a provider operates can investigate it." Article 25(4) gives the Member State of the provider's main establishment exclusive competence to enforce the chapter. Other authorities can request assistance (Article 27) or raise destination-side concerns (Article 28), but primary enforcement rests with the authority of establishment.

"Competent authorities only push paper." They would hold real investigative and enforcement powers — on-site inspections, data seizure, cessation orders, fines and periodic penalty payments (Article 26) — subject to the safeguards in Article 26(4).

Related

• What powers do CADA national competent authorities have?
• CADA Competent Authorities: Required Resources & Obligations
• CADA Public Register of Competent Authorities: What Providers Need to Know
• Does the Commission cooperate with CADA national authorities?
• When must Member States designate a CADA competent authority?

This is general information about a draft EU regulation, not legal advice.