CADA enforcement deadlines

Summary Under the proposed Cloud and AI Development Act (CADA), national competent authorities face strict statutory deadlines when cooperating on enforcement. For mutual assistance requests (Article 27), the receiving authority must act and report back "as soon as possible and no later than two months after receipt," unless a delay is "duly justified" (Article 27(3)). For cross-border cooperation regarding suspected infringements (Article 28), the authority of establishment must communicate its assessment and any measures taken "as soon as possible and in any event not later than two months" (Article 28(4)). Crucially, this two-month clock is suspended if the requesting authority fails to provide sufficient information, allowing the receiving authority to pause the deadline until the missing details are supplied (Article 28(3)). These timelines are designed to ensure rapid resolution of sovereignty risks while protecting authorities from acting on incomplete data.

Detail

The Cloud and AI Development Act (CADA) establishes a harmonised Union cloud computing sovereignty framework. To prevent fragmentation and ensure that risks to public order are addressed uniformly, the proposal mandates robust cooperation between the national competent authorities designated by Member States. This cooperation is operationalised through two distinct legal mechanisms: mutual assistance (Article 27) and cross-border cooperation (Article 28). While both mechanisms aim to facilitate enforcement, they serve different procedural functions and are governed by specific, binding timelines.

Mutual Assistance: The Two-Month Information Exchange (Article 27)

Article 27 establishes the framework for mutual assistance, which is primarily focused on the exchange of information and the execution of investigative measures. This mechanism is triggered when a competent authority (the requesting authority) needs specific information held in another Member State to exercise its investigative powers under Article 26. For example, if an authority in Germany suspects a provider of non-compliance but needs data stored or held by a provider's subsidiary in France, it may request assistance from the French competent authority.

The statutory deadline for this process is explicitly defined in Article 27(3). The provision mandates that the competent authority receiving the request "shall comply with such request and inform the competent authority of establishment about the action taken, as soon as possible and no later than two months after receipt of the request, unless duly justified."

This two-month period is a hard deadline intended to prevent regulatory bottlenecks that could undermine the Union's strategic autonomy. However, the phrase "unless duly justified" introduces a necessary flexibility. If a request involves complex data retrieval, sensitive national security considerations, or requires coordination with other national bodies, the receiving authority may extend the timeline. In such cases, the authority must provide a substantive justification for the delay, ensuring that the extension is not arbitrary. The burden of proof lies with the receiving authority to demonstrate that the delay is necessary and proportionate.

Cross-Border Cooperation: Assessing Suspected Infringements (Article 28)

Article 28 governs cross-border cooperation, a mechanism designed for scenarios where a competent authority in a Member State (the destination) suspects that a cloud computing service provider no longer meets the Union assurance level requirements. Unlike mutual assistance, which is often about gathering data, cross-border cooperation is about triggering a formal assessment and potential enforcement action by the authority of establishment (the authority where the provider is legally established).

The timeline for this process is strictly defined in Article 28(4). The competent authority of establishment is required to communicate its assessment of the suspected infringement, along with an explanation of any investigatory or enforcement measures taken or envisaged, "as soon as possible and in any event not later than two months after receipt of the request."

This deadline applies regardless of whether the request originates from another Member State's authority or directly from the European Commission (as per Article 28(2)). The response must be substantive; a mere acknowledgment of receipt is insufficient. The authority must provide a clear assessment of the situation and detail any actions it intends to take to ensure compliance. This ensures that systemic risks within the Union are addressed promptly and that the integrity of the sovereignty framework is maintained across borders.

The Suspension Mechanism: When Information is Insufficient

A critical nuance in the CADA enforcement framework is the mechanism for suspending these deadlines when the initial request is flawed. This is most explicitly articulated in the context of cross-border cooperation under Article 28(3).

If the competent authority of establishment determines that the information provided in the request is insufficient to conduct a proper assessment, it may request additional information. The regulation explicitly states that the two-month deadline set out in Article 28(4) "shall be suspended until that additional information is provided."

This suspension mechanism serves two vital purposes:

1. Protection of Due Process: It prevents authorities from being forced to make enforcement decisions based on incomplete or ambiguous data, which could lead to erroneous actions against providers.
2. Incentivising Quality Requests: It places the onus on the requesting authority to provide a "duly reasoned" request from the outset. If the initial request is vague or lacks necessary facts, the clock stops. The requesting authority must clarify the scope and facts of the suspected infringement before the two-month countdown resumes.

While Article 27 (mutual assistance) does not use the specific word "suspended" in the same textual manner as Article 28, the requirement to comply "as soon as possible" implies a similar logic. In practice, if a mutual assistance request is ambiguous, the receiving authority would likely seek clarification, and the effective timeline for compliance would be paused until the necessary details are provided. However, the explicit suspension clause in Article 28(3) provides a clearer legal basis for pausing the clock in cross-border infringement cases.

The Role of the Commission

The Commission plays a supervisory role in both mechanisms. Under Article 28(2), the Commission may itself request the competent authority of establishment to assess a matter and take necessary measures. In such cases, the same two-month deadline applies. Furthermore, if the competent authorities cannot reach an agreement or if a referral is made to the Commission (as outlined in Article 28(3) regarding disagreements), the Commission has the power to assess the matter and adopt a binding decision, ensuring that enforcement does not stall due to inter-authority disputes.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, these deadlines dictate the rhythm of regulatory risk management and the pace of potential enforcement actions.

1. Preparedness for Rapid Response: If your cloud service is recognised under a Union assurance level, your local competent authority (the authority of establishment) may receive cross-border requests from other Member States. The two-month deadline means they will likely pressure you for documentation and evidence quickly to meet their statutory obligations. Ensure your compliance files, audit reports, and technical documentation are organised, accessible, and ready for immediate review.
2. Monitoring Request Quality: If your authority is investigating a suspect provider in another jurisdiction, ensure your requests are "duly reasoned" and complete. If they are not, the clock stops under Article 28(3), but the overall resolution time increases. Clear, detailed requests prevent unnecessary suspensions and demonstrate good faith, which can be crucial if the matter escalates to the Commission.
3. Tracking Enforcement Actions: The requirement for authorities to communicate "measures taken or envisaged" within two months provides a transparency window. If you are aware of a suspicion in another Member State, you can monitor whether your local authority has responded within the deadline. Silence beyond two months (without a "duly justified" explanation or a valid suspension) may indicate a procedural failure or an ongoing dispute that could be referred to the Commission.
4. Understanding Suspension Risks: Be aware that the two-month clock is not always running. If a request is deemed insufficient, the suspension mechanism protects the authority of establishment from rushing a decision. However, this also means that unresolved issues can linger if the requesting authority fails to provide the necessary details promptly. Providers should be prepared to assist their local authority in clarifying requests to avoid prolonged uncertainty.

Common misconceptions

Misconception 1: The two-month deadline is absolute and unchangeable. Many assume the two-month limit is rigid. However, both Article 27(3) and Article 28(3)-(4) allow for extensions or suspensions. Article 27(3) permits delays if "duly justified," and Article 28(3) explicitly suspends the deadline when additional information is requested. The clock does not run during these periods, meaning the total time to resolution can exceed two months if the process is paused.

Misconception 2: Mutual assistance and cross-border cooperation are identical. While both involve two-month timelines, they serve different purposes. Mutual assistance (Article 27) is about gathering information and investigative support. Cross-border cooperation (Article 28) is about triggering an assessment and potential enforcement action by the authority of establishment regarding a suspected infringement. Confusing these can lead to filing the wrong type of request, causing procedural delays.

Misconception 3: Providers are directly bound by these deadlines. These deadlines bind national competent authorities and the Commission, not the cloud providers directly. However, providers are indirectly affected because authorities will seek their cooperation to meet these timelines. A provider's slow response to an authority's inquiry can cause the authority to miss its two-month deadline, potentially leading to escalated tensions between Member States or referrals to the Commission.

Misconception 4: The Commission cannot intervene in cross-border disputes. Article 28(2) allows the Commission to request the competent authority of establishment to assess a matter and take necessary measures. This means the Commission can bypass a specific Member State's hesitation by directly triggering the two-month assessment clock. Furthermore, if authorities disagree, the matter can be referred to the Commission for a binding decision, ensuring that enforcement does not stall.

Related

• CADA Mutual Assistance vs Cross-Border Cooperation: Key Differences
• CADA Enforcement: Explanatory Memorandum view on NCAs, penalties & cross-border cooperation
• CADA Cross-Border Cooperation: How Article 28 Works
• CADA Cross-Border Requests: What the Establishment Authority Must Report
• CADA Mutual Assistance: How Authorities Cooperate Across Borders

This is general information about a draft EU regulation, not legal advice.