Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers holding a Union assurance level must immediately notify national competent authorities and auditing organisations of any "material change in circumstances" that could affect their recognition. Failure to disclose these changes constitutes a direct infringement of the Regulation's transparency obligations under Article 23. Article 24 mandates that Member States establish penalties that are "effective, proportionate and dissuasive." Unlike the AI Act, CADA does not set fixed fine percentages; instead, it requires authorities to weigh specific criteria, including the provider's annual turnover, financial benefits gained from the breach, and the duration of the infringement, when determining sanctions. Additionally, recipients of the service retain a statutory right to seek compensation for damages resulting from such infringements.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic sovereignty framework where compliance is not a one-time event but a continuous obligation. The integrity of the Union assurance levels (Levels 1 through 4) relies heavily on the accuracy of the information held by national competent authorities and auditing organisations. To maintain this integrity, the proposal imposes strict transparency duties on providers, with a robust penalty regime designed to enforce them.
The Transparency Obligation: Article 23
Article 23 of the CADA proposal is the linchpin of ongoing compliance. It imposes a proactive duty on recognised cloud computing service providers to monitor their own operations and report deviations immediately. The obligation is triggered when a provider becomes aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."
The regulation mandates a dual-notification pathway. Upon becoming aware of such a change, the provider must notify "as soon as possible":
- The auditing organisation that issued the original audit report and opinion.
- The national competent authority of establishment that granted the recognition.
This is not a passive administrative formality. The notification triggers a cascading reassessment process. Upon receipt, the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked. If the organisation determines the change compromises compliance, it must amend or revoke the report and notify the national competent authority. Subsequently, the national competent authority must assess whether the provider's recognition as offering a specific Union assurance level needs to be amended or revoked.
Crucially, failure to provide this notification, or providing it with undue delay, constitutes an infringement of the transparency obligations set out in Title IV, Chapter I of the Regulation. The draft text is explicit: the duty to notify is absolute once the provider is aware of the material change. There is no "grace period" defined in the text for internal deliberation; the phrase "as soon as possible" creates an immediate legal imperative.
The Penalty Framework: Article 24
While Article 23 defines the breach, Article 24 defines the consequences. It is important to note that CADA, as a proposal, does not prescribe fixed monetary amounts or percentage-based fines (such as the 7% of global turnover found in the AI Act). Instead, it establishes a framework for Member States to implement their own penalty regimes, subject to strict EU-wide principles.
Member State Obligations
Article 24(1) requires Member States to lay down the rules on penalties applicable to infringements of Title IV by cloud computing service providers within their competence. These rules must be implemented to ensure that penalties are:
- Effective: Capable of achieving the desired result of stopping the infringement and ensuring compliance.
- Proportionate: Commensurate with the nature, gravity, and scale of the infringement.
- Dissuasive: Sufficiently strong to deter both the specific offender and the wider market from committing similar infringements.
Member States are further required to notify the Commission of these rules and any subsequent amendments "as soon as possible," ensuring a degree of transparency in how penalties are applied across the single market.
The Six Criteria for Imposing Penalties
To prevent arbitrary enforcement and ensure consistency across the Union, Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account when imposing penalties. These criteria ensure that the punishment is tailored to the specific context of the violation:
- Nature, gravity, scale, and duration: The penalty must reflect the seriousness of the failure to disclose, the extent of the impact on the sovereignty framework, and the length of time the provider failed to report the change. A prolonged failure to notify a critical change in ownership would likely attract a higher penalty than a short delay in reporting a minor administrative shift.
- Mitigation actions: If the infringing party took active steps to mitigate or remedy the damage caused by the infringement, this may serve as a mitigating factor. For example, if a provider voluntarily discloses a change immediately after an internal audit, even if slightly delayed, this proactive remediation could reduce the penalty.
- Previous infringements: A history of prior non-compliance is a significant aggravating factor. Repeat offenders would face stricter penalties to ensure the "dissuasive" nature of the sanction.
- Financial benefits gained or losses avoided: This is a critical criterion for commercial entities. If the provider gained a financial advantage (e.g., retaining a lucrative public sector contract they were no longer qualified to hold) or avoided a loss by failing to disclose the change, this benefit is a key factor in calculating the fine. The penalty aims to strip away any illicit gain.
- Aggravating or mitigating factors: Any other circumstances specific to the case, such as whether the failure was intentional concealment versus negligent oversight, must be considered.
- Annual turnover: The provider's annual turnover in the Union during the preceding financial year serves as a benchmark. This ensures that the penalty is economically significant regardless of the provider's size, preventing fines from being merely a "cost of doing business" for large hyperscalers.
Right to Compensation
Beyond administrative fines, Article 24(3) establishes a distinct civil liability mechanism. Recipients of the cloud computing services—typically public sector bodies, Union entities, or private entities in regulated sectors—have the right to seek compensation from the cloud computing service provider for "any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This means that a failure to disclose a material change (e.g., a shift in data location or a change in third-country control) that leads to a security breach, service disruption, or loss of data sovereignty could result in significant civil claims in addition to regulatory fines. The right to compensation is independent of the administrative penalty imposed by the Member State.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud computing providers, the CADA proposal transforms transparency from a best practice into a strict legal obligation with tangible financial and reputational risks. The absence of fixed fine amounts does not reduce the risk; it increases the need for nuanced risk management.
1. Establish Real-Time Monitoring Triggers
You must move beyond annual audit cycles. Your compliance framework must include continuous monitoring mechanisms to detect "material changes" in real time. This includes changes in:
- Ownership structure: Shifts in control by third-country entities.
- Subcontractor arrangements: New vendors or changes in existing vendor locations.
- Data location practices: Any movement of data or infrastructure outside the Union.
- Cybersecurity incidents: Breaches that might affect the validity of the audit opinion.
If any of these factors change, your legal team must be alerted immediately to assess whether they trigger a notification under Article 23.
2. Define "As Soon As Possible" Internally
The regulation does not define a specific number of days (e.g., 24 hours or 72 hours) for the notification. To avoid penalties under the "duration" criterion in Article 24(2)(a), you should define an internal Service Level Agreement (SLA) for reporting material changes. Delaying notification to manage reputational risk or conduct internal investigations could inadvertently increase the "duration" of the infringement, leading to higher fines. A conservative approach is to report immediately upon internal confirmation of a material change.
3. Prepare for Civil Liability Claims
Article 24(3) exposes your organisation to civil liability. Ensure that your contracts with public sector clients clearly delineate responsibilities, but recognise that statutory obligations under CADA cannot be contracted away. If a failure to disclose leads to a loss of assurance level and subsequent service failure, your clients have a direct right to seek compensation. Your insurance policies and risk reserves must account for this potential exposure.
4. Monitor Member State Implementations
Because CADA leaves the specific penalty amounts and procedural rules to Member States, the financial risk will vary significantly by jurisdiction. A "dissuasive" fine in one Member State may be significantly higher than in another, especially when calibrated against annual turnover. You must track the national laws implementing Article 24 in each Member State where you are established or operate.
5. Document Mitigation Efforts
Given that Article 24(2)(b) explicitly considers "any action taken by the infringing party to mitigate or remedy the damage," your internal incident response plans must include immediate steps to rectify the situation once a breach is identified. Documenting these efforts is crucial for demonstrating good faith and potentially reducing penalties.
Common misconceptions
Misconception 1: "Only cybersecurity breaches need to be reported." Material changes under Article 23 are broader than just security incidents. They include any change affecting the audit report or recognition. This could include changes in corporate control, the introduction of new subcontractors, shifts in data processing locations, or changes in the software supply chain. If a change affects your ability to meet the criteria for your Union assurance level, it must be reported.
Misconception 2: "CADA imposes fixed percentage fines like the GDPR or AI Act." Unlike the GDPR (up to 4% of global turnover) or the AI Act (up to 7% for prohibited practices under Article 99), CADA Article 24 does not set a fixed percentage. It mandates that penalties be "effective, proportionate and dissuasive" based on the specific criteria listed in Article 24(2). This creates a case-by-case compliance strategy rather than a simple "maximum fine" calculation.
Misconception 3: "If we are an SME, we are exempt from these transparency obligations." While SMEs have certain facilitations in the recognition process (e.g., automatic recognition of self-assessments for Level 1 under Article 17(3)), they are not exempt from the transparency obligations of Article 23 once recognised. If an SME's circumstances change materially, the duty to notify remains. The penalty criteria in Article 24(2)(f) consider turnover, which may result in lower absolute fines for SMEs, but the obligation to report is universal.
Misconception 4: "The Commission sets the penalties." No. The Commission monitors the implementation and ensures Member States notify their rules, but Member States set the specific penalty rules. However, the Commission can intervene if national penalties are deemed insufficiently effective or dissuasive, potentially leading to infringement proceedings against the Member State for failing to transpose the Directive correctly.
Misconception 5: "Reporting a change automatically means losing our assurance level." Reporting a change does not automatically result in revocation. Article 23 triggers an assessment. The auditing organisation and the competent authority will evaluate whether the change actually compromises compliance. If the provider can demonstrate that the change does not affect the criteria (or can be remedied), the recognition may be maintained or amended rather than revoked. The key is the timeliness of the report.
This is general information about a draft EU regulation, not legal advice.