TL;DR
As proposed, the Cloud and AI Development Act (CADA) does not set EU-wide fine amounts for breaches of its cloud computing sovereignty chapter. Instead, Article 24 requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive," taking into account factors such as the gravity of the infringement and the provider's Union turnover. On top of administrative penalties, recipients of cloud services would have a right to seek compensation for damage caused by a provider's infringement. Enforcement would fall to national competent authorities, which would hold investigative and enforcement powers, including fines and periodic penalty payments (Articles 25–26).
Detail
CADA's sovereignty framework (Title IV, Chapter I) would be backed by an enforcement regime. The penalty and liability rules sit in Article 24, while the authorities and their powers are in Articles 25 and 26.
Administrative penalties (Article 24)
CADA does not prescribe specific fine amounts in the text. Article 24(1) instead requires Member States to lay down the rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers within their competence, to ensure those rules are implemented, and to notify the Commission of them and any amendments. The penalties "shall be effective, proportionate and dissuasive."
When setting penalties, Article 24(2) lists non-exhaustive criteria for Member States to take into account:
- the nature, gravity, scale and duration of the infringement;
- any action taken by the infringing party to mitigate or remedy the damage caused;
- any previous infringements by the infringing party;
- the financial benefits gained or losses avoided due to the infringement, insofar as they can be reliably established;
- any other aggravating or mitigating factor applicable to the case; and
- the infringing party's annual turnover in the preceding financial year in the Union.
This would let national legislators calibrate fines to a provider's economic capacity and the severity of the breach.
Compensation for recipients
Beyond administrative penalties, Article 24(3) provides a civil-liability route: recipients of cloud computing services would have the right to seek, in accordance with Union and national law, compensation from providers for any damage or loss suffered due to a provider's infringement of its obligations under the sovereignty chapter.
Enforcement authorities and powers
Penalties would be enforced by national competent authorities. Article 25 requires Member States to designate one or more such authorities no later than one year after entry into force; the authorities must act impartially, transparently and in a timely manner, and have sufficient technical, financial and human resources. The Member State of the provider's main establishment would have exclusive competence to enforce the chapter (Article 25(4)).
Article 26 grants these authorities investigative and enforcement powers, exercisable where needed to carry out their tasks under Article 17:
- Investigative powers include the power to require providers and other relevant persons (including auditing organisations) to provide information as soon as possible; to carry out or order inspections of premises to examine, seize or copy information relating to a suspected infringement; and to ask staff or representatives to give explanations.
- Enforcement powers include the power to order the cessation of infringements and impose proportionate remedies; to impose fines for failure to comply with the Regulation or with investigative orders; and to impose periodic penalty payments, in accordance with Article 24, to ensure an infringement is terminated or an investigative order followed.
These powers are subject to safeguards, including the right to respect for private life, the rights of defence, and the right to an effective judicial remedy (Article 26(4)).
Cross-border cooperation
Because providers operate across borders, Articles 27 and 28 establish mutual assistance and cross-border cooperation. A competent authority of destination that suspects a provider no longer meets the Annex II requirements may ask the authority of establishment to assess the matter and take the necessary investigatory and enforcement measures.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the proposed penalty regime extends beyond administrative fines.
- Prepare for national variation. Because Article 24 delegates the specific amounts to Member States, plan for the most stringent regimes; monitor transposition in each Member State where you operate.
- Document mitigation. "Action taken to mitigate or remedy damage" is a statutory mitigating factor (Article 24(2)). Build robust remediation into incident response.
- Assess civil-liability exposure. The Article 24(3) right to compensation means sovereignty breaches (e.g. on data location or audit cooperation) could lead to civil claims from public-sector clients; review SLAs and insurance.
- Cooperate with authorities. Given the broad Article 26 powers, establish protocols for responding to information requests and inspections to avoid additional penalties for non-cooperation.
Common misconceptions
Misconception 1: CADA sets fixed EU-wide fines. As proposed, no. Unlike the AI Act — whose Article 99 sets maxima of up to €35 million or 7% of total worldwide annual turnover for breaching its Article 5 prohibitions — CADA does not specify monetary penalties in the text, relying instead on the "effective, proportionate and dissuasive" standard and national implementation.
Misconception 2: Only the European Commission enforces CADA penalties. Enforcement would be largely decentralised. National competent authorities hold the investigative and enforcement powers, including fines and periodic penalty payments (Article 26). The Commission's role centres on coordination, guidance and maintaining the central repository of recognised services.
Misconception 3: Penalties only apply where a public contract is in place. While the sovereignty framework is driven by public-sector use, Article 24 penalties apply to infringements of the chapter by cloud computing service providers — including failures around recognition, transparency and audit cooperation — regardless of whether a specific public contract is currently active.
This is general information about a draft EU regulation, not legal advice.