Summary
As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) requires Member States to establish penalties for cloud computing service providers that breach transparency obligations, such as failing to report material changes to their sovereignty assurance status. Article 24(2) mandates that authorities must consider a specific, non-exhaustive list of criteria when imposing these penalties, including the nature, gravity, scale, and duration of the infringement, any action taken to mitigate or remedy the damage, prior breaches, financial benefits gained or losses avoided, and the provider's annual turnover in the Union. These penalties must be "effective, proportionate and dissuasive."
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous Union cloud computing sovereignty framework. A cornerstone of this framework is the requirement for continuous transparency. Cloud providers seeking recognition at Union assurance levels (1 through 4) must not only achieve initial compliance but also maintain it by promptly reporting any material changes that could affect their status.
The penalty regime for failing to meet these transparency obligations is governed by Article 24 of the CADA proposal. This article empowers Member States to enforce compliance by laying down rules on penalties applicable to infringements of Chapter I of Title IV (the Cloud Computing Sovereignty Framework). Unlike some EU regulations that prescribe fixed maximum fines (e.g., percentages of global turnover), CADA adopts a principles-based approach, delegating the specific sanctioning powers to Member States while strictly defining the criteria those states must apply.
The Legal Basis: Article 24(1) and the "Effective, Proportionate, Dissuasive" Standard
Article 24(1) establishes the baseline obligation for Member States. It states that Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence. Crucially, it mandates that these penalties must be "effective, proportionate and dissuasive."
This triad of requirements is a standard EU legislative formulation designed to ensure that penalties are not merely symbolic.
- Effective: The penalty must actually deter the infringement and ensure compliance.
- Proportionate: The penalty must be commensurate with the severity of the breach and the size of the infringer.
- Dissuasive: The penalty must be significant enough to discourage the provider and others from repeating the violation.
Member States are also required to notify the Commission of these rules and any subsequent amendments, ensuring a degree of harmonization across the single market, even if the specific fine amounts vary by jurisdiction.
The Six Mandatory Criteria in Article 24(2)
When a competent authority investigates a transparency breach, such as a failure to notify the auditing organisation or national competent authority of material changes under Article 23, it is legally bound to evaluate the following factors as set out in Article 24(2). The list is non-exhaustive, meaning authorities can consider other relevant factors, but these six are mandatory considerations:
- The nature, gravity, scale and duration of the infringement
  - Nature: This refers to the specific type of obligation breached. Was it a failure to report a change in subcontractors, a failure to disclose a change in the legal control structure, or a failure to update the central repository?
  - Gravity: This assesses the seriousness of the breach. A minor administrative delay in reporting a non-critical change is less grave than a deliberate concealment of a third-country entity gaining control over the provider, which directly undermines the sovereignty assurance level and public order.
  - Scale: This evaluates the reach of the infringement. Did the breach affect a single small public sector client, or did it impact thousands of users across multiple Member States? Did it affect a critical infrastructure sector?
  - Duration: This measures how long the infringement persisted. A one-day oversight is treated differently from a multi-year failure to report material changes. The longer the breach remains unreported, the higher the penalty is likely to be.
- Any action taken by the infringing party to mitigate or remedy the damage caused by the infringement
  - Authorities will scrutinize the provider's response after the breach was discovered or occurred. Did the provider voluntarily disclose the error before being caught? Did they take immediate steps to correct the information in the central repository? Did they cooperate fully with the investigation? Proactive remediation is a key mitigating factor that can significantly reduce the severity of the penalty.
- Any previous infringements by the infringing party
  - Recidivism is a critical aggravating factor. If a cloud provider has a history of failing to meet transparency obligations or other requirements under the sovereignty framework, the penalty will likely be more severe. This criterion ensures that repeat offenders face escalating consequences, reinforcing the "dissuasive" nature of the regime.
- The financial benefits gained or losses avoided by the infringing party due to the infringement
  - This criterion targets the economic incentive for non-compliance. If the provider gained a competitive advantage (e.g., winning a public procurement contract) by failing to disclose a material change that would have disqualified them, the penalty may reflect those illicit gains. Conversely, if the provider avoided costs by not implementing necessary transparency measures or audits, those avoided losses are considered. The goal is to ensure that non-compliance is never financially profitable.
- Any other aggravating or mitigating factor applicable to the circumstances of the case
  - This is a catch-all clause allowing authorities to consider unique circumstances specific to the case. For example, if the breach was caused by a systemic IT failure versus intentional negligence, or if the provider is a small and medium-sized enterprise (SME) facing genuine resource constraints, this may influence the penalty.
- The infringing party's annual turnover in the preceding financial year in the Union
  - To ensure penalties are "dissuasive," they must be significant relative to the provider's financial strength. A fine that is negligible to a global hyperscaler but crippling to a small European provider would not meet the "proportionate" requirement. Therefore, the provider's EU turnover is a direct input into the calculation, ensuring that the financial impact is felt regardless of the company's size.
The Trigger: Article 23 Transparency Obligations
To understand what triggers these penalties, one must look at Article 23, which sets out the specific transparency obligations for cloud computing service providers.
Article 23(1) requires that as soon as a recognised cloud computing service provider becomes aware of any information or any material change in circumstances that may affect the audit report, the 'positive' audit opinion, or the recognition under Article 17, it must notify both the auditing organisation and the national competent authority of establishment "as soon as possible."
Article 23(2) and (3) outline the subsequent chain reaction: the auditing organisation assesses whether the audit report needs amendment or revocation, and the competent authority assesses whether the recognition needs amendment or revocation.
A failure to notify under Article 23(1) is a direct infringement of the Chapter covered by Article 24. Therefore, if a provider knowingly allows a change in its corporate structure that introduces third-country control, and fails to report this, it is subject to the penalty criteria in Article 24(2). The "duration" criterion is particularly relevant here, as the clock starts ticking from the moment the provider "becomes aware" of the change.
Compensation Rights for Recipients
Beyond administrative fines imposed by states, Article 24(3) introduces a civil liability dimension. It states that recipients of cloud computing services (e.g., public sector bodies) shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter.
This means that if a transparency breach leads to a service disruption, a security incident, or a loss of public order protection, the public sector body can sue the provider for damages, separate from any regulatory fine. This creates a dual layer of financial risk for non-compliant providers.
What this means for you
For in-house counsel, compliance officers, and general counsel at cloud computing service providers, the CADA proposal introduces a high-stakes compliance environment. The "effective, proportionate, and dissuasive" standard, combined with the specific criteria in Article 24(2), means that penalties will not be one-size-fits-all. They will be tailored to the severity of the breach, the provider's financial size, and their conduct.
Key Action Items:
- Implement Robust Change Management Processes: You must have automated or highly monitored processes to detect "material changes" in your service architecture, subcontractor arrangements, or corporate control structure. Under Article 23, the clock starts ticking as soon as you "become aware" of a change. Delay in detection is not a defense against the "duration" criterion in Article 24(2).
- Document Remediation Efforts Rigorously: If a breach occurs, your immediate response is critical. Document every step taken to mitigate damage, notify authorities, and correct the record. This directly addresses the "action taken to mitigate or remedy" criterion in Article 24(2)(b) and can serve as a powerful mitigating factor during enforcement.
- Monitor Turnover and Financial Impact: Be prepared to disclose your annual turnover in the Union during any investigation. Understand that fines will be calibrated against this figure. Ensure your compliance budget accounts for potential liabilities that are proportional to your EU revenue, as the "dissuasive" nature of the penalty implies a significant financial impact for large players.
- Review Subcontractor Contracts: Since transparency extends to subcontractors, ensure your contracts with third parties include clauses that mandate immediate reporting of any changes that could affect your sovereignty assurance level. You are responsible for reporting these changes under Article 23, and you cannot claim ignorance of a subcontractor's actions.
- Prepare for Civil Liability: Beyond regulatory fines, assess your insurance coverage. Article 24(3) allows public sector clients to sue for damages. Ensure your terms of service and liability caps are reviewed in light of this new statutory right to compensation, which operates independently of administrative penalties.
Common misconceptions
Misconception 1: CADA sets fixed fine amounts or percentages. Reality: CADA does not set specific euro amounts or percentage-based caps like the GDPR (e.g., 4% of global turnover) or the AI Act (e.g., 7% of turnover). Instead, it sets criteria for Member States to use when designing their national penalty regimes. The actual fines will vary by Member State, though they must align with the "effective, proportionate, and dissuasive" principle and the specific factors in Article 24(2).
Misconception 2: Only technical breaches are penalised. Reality: The penalty criteria explicitly include "financial benefits gained" and "annual turnover." This means that even if the technical breach was minor, if it resulted in significant financial gain (e.g., retaining a contract you were no longer qualified for) or if the provider is a large entity with high turnover, the penalty can be severe. The economic impact of the breach is a central consideration.
Misconception 3: Penalties only apply to the cloud provider. Reality: While Article 24 targets cloud computing service providers for administrative penalties, Article 24(3) creates a distinct right for recipients to seek compensation. This shifts significant risk to the provider in the form of civil litigation, not just regulatory fines. A transparency breach can lead to both a state-imposed fine and a private lawsuit.
Misconception 4: "Material change" is vaguely defined, allowing for ambiguity. Reality: While CADA relies on the auditing organisation's assessment, the criteria for assurance levels in Annex II are specific. Changes in control, data location, personnel with access to sensitive data, or the introduction of third-country influence are clearly material. Providers cannot argue ambiguity to avoid reporting obligations under Article 23. The "nature" and "gravity" criteria in Article 24(2) will likely penalise attempts to exploit such ambiguity.
Official sources
This is general information about a draft EU regulation, not legal advice.