Summary

Under the proposed Cloud and AI Development Act (CADA), the investigative and enforcement powers granted to national competent authorities in Article 26 are not general regulatory tools; they are strictly scoped to support the specific administrative tasks defined in Article 17. Article 17 establishes the mechanism for recognising cloud computing service providers as offering a specific "Union assurance level" (1–4). Consequently, Article 26(1) investigative powers (such as requesting information and inspecting premises) and Article 26(2) enforcement powers (such as ordering cessation of infringements and imposing fines) may only be exercised "where needed to carry out their tasks under Article 17." This means authorities can only use these coercive measures to assess, grant, maintain, or revoke sovereignty recognition, not to enforce general cybersecurity or data protection rules unless those issues directly impact the sovereignty criteria.

Detail

To understand the scope of CADA's enforcement regime, one must first delineate the specific administrative "tasks" that trigger these powers. The legislative text creates a closed loop: the powers in Article 26 exist solely to facilitate the recognition process outlined in Article 17.

The Core Task: Recognition of Union Assurance Levels

Article 17, titled "Recognition of cloud computing service providers," is the procedural engine of the Union cloud computing sovereignty framework. Its primary task is the formal evaluation and recognition of a provider's compliance with the criteria set out in Annex II for one of four assurance levels.

The tasks performed by the "evaluating national competent authority" (the authority in the Member State where the provider has its main establishment) include:

  1. Receiving and Validating Applications: Under Article 17(1), providers must submit an application for recognition.

    • For Union assurance level 1, the provider submits an EU statement of conformity (as per Article 19). Notably, for SMEs, this statement is directly and automatically recognised without prior evaluation by the authority (Article 17(3)).
    • For Union assurance levels 2, 3, and 4, the provider must submit an audit report and a "positive" audit opinion from an independent auditing organisation, along with all evidence gathered during the audit (Article 17(4)).
  2. Assessing Evidence: Under Article 17(5), the evaluating authority has a strict 60-day timeline to assess the submitted evidence.

    • If evidence is sufficient, the authority prepares a draft recognition decision and notifies other Member States for a 60-day review period (Article 17(5)(a)).
    • If evidence is insufficient, the authority may request further information, suspending the 60-day clock for up to 30 days (Article 17(5)(b)).
    • If the authority intends to reject the application, it must first give the provider 30 days to provide written comments on the conclusions (Article 17(5)(c)).
  3. Managing Cross-Border Objections: The recognition process is Union-wide. During the review period, other Member States' authorities may submit reasoned objections if they believe the draft decision does not comply with the assurance level criteria (Article 17(6)). The evaluating authority must then assess these objections, potentially maintaining or revoking its draft decision (Article 17(9)). If disagreement persists, the matter may be referred to the Commission for a binding decision (Article 17(10)).

  4. Revocation of Recognition: The task of supervision is continuous. Article 17(11) empowers the evaluating authority to revoke recognition if it finds that the provider intentionally or negligently supplied incorrect or misleading information.

The Legal Link: Article 26 Powers Tied to Article 17 Tasks

The critical constraint on CADA's enforcement regime is found in the opening clauses of Article 26. The text explicitly limits the scope of authority powers to the tasks defined in Article 17.

Article 26(1) grants investigative powers "Where needed to carry out their tasks under Article 17." These powers include:

  • Requiring any cloud computing service provider, auditing organisation, or other relevant persons to provide information "as soon as possible."
  • Carrying out, or requesting a judicial authority to order, inspections of any premises used for trade or business.
  • Examining, seizing, or obtaining copies of information in any form.
  • Asking staff or representatives to give explanations and recording their answers (with consent).

Similarly, Article 26(2) grants enforcement powers "Where needed to carry out their tasks under Article 17." These include:

  • Ordering the cessation of infringements and imposing proportionate remedies.
  • Imposing fines for failure to comply with the Regulation or with investigative orders.
  • Imposing periodic penalty payments to ensure compliance with orders.

This textual linkage confirms that CADA authorities cannot use Article 26 powers to investigate general cybersecurity breaches, data protection violations, or market competition issues unless those issues directly impinge on the provider's ability to meet the Union assurance level criteria (e.g., data localisation, personnel citizenship, or third-country control) required for recognition under Article 17.

The Scope of "Tasks" and Limitations

The "tasks" under Article 17 are administrative and supervisory in nature. They are not a blanket mandate for general oversight of the cloud sector.

  • No General Cybersecurity Mandate: While Annex II requires providers to meet state-of-the-art cybersecurity standards (e.g., Annex II 1.1(e) for Level 1, 2.1(e) for Level 2), Article 26 powers are only triggered to verify compliance with these specific sovereignty-linked criteria, not to enforce the broader NIS2 Directive or the Cybersecurity Act independently.
  • No General Data Protection Mandate: While Annex II requires data to remain within the Union (e.g., Annex II 1.1(c)), Article 26 powers are limited to verifying this localisation for sovereignty purposes. They do not replace the investigative powers of Data Protection Authorities under the GDPR.
  • Focus on Recognition Integrity: The primary purpose of these powers is to ensure the integrity of the central repository of recognised services (Article 22) and the accuracy of the recognition decisions. If a provider supplies misleading information to secure or maintain recognition, Article 26 powers are the tool to uncover that deception and enforce the revocation under Article 17(11).

What this means for you

For legal counsel, compliance officers, and cloud service providers, the strict linkage between Article 17 and Article 26 defines the boundaries of regulatory risk.

1. The "Sovereignty-Only" Investigation Scope: If a national competent authority invokes Article 26 powers, it must be able to demonstrate that the investigation is necessary to carry out a task under Article 17. If an authority attempts to use these powers to investigate a general GDPR breach or a non-sovereignty-related cybersecurity incident, the provider may challenge the legal basis of the investigation. However, if the breach involves the criteria in Annex II (e.g., data leaving the Union or non-EU personnel accessing systems), the authority has full Article 26 powers.

2. High Stakes for Recognition Applications: Because Article 26(1) allows authorities to inspect premises and seize information to verify Article 17 applications, the evidence submitted for recognition must be airtight.

  • For Level 1: The self-assessment must be robust, as authorities can still investigate if they suspect the SME or provider supplied incorrect information.
  • For Levels 2–4: The audit report and evidence must be comprehensive. Authorities can use Article 26 powers to verify the independence of the auditor or the authenticity of the evidence provided.

3. Continuous Compliance and Revocation Risk: The task of maintaining recognition is ongoing. Article 17(11) allows for revocation if incorrect information was supplied. Article 26 powers are the mechanism to uncover such information. Providers must have internal protocols to immediately report material changes (as required by Article 23) to avoid the risk of an Article 26 investigation leading to revocation and subsequent penalties under Article 24.

4. Cross-Border Scrutiny: The Article 17 process involves a 60-day review by other Member States. If another authority raises a reasoned objection (Article 17(6)), the evaluating authority may need to use Article 26 powers to gather additional evidence to resolve the objection. Providers should be prepared for multi-jurisdictional scrutiny where the "task" of recognition is contested.

Common misconceptions

Misconception 1: Article 26 gives CADA authorities general police powers over the cloud sector.
Correction: No. Article 26(1) and (2) explicitly state these powers are available "Where needed to carry out their tasks under Article 17." They are strictly limited to the recognition, maintenance, and revocation of Union assurance levels. They do not grant authority to enforce general cybersecurity, data protection, or competition laws outside the specific context of sovereignty assurance.

Misconception 2: Once a provider is recognised, they are immune from investigation.
Correction: Recognition is not a shield. Article 17(11) allows for revocation if incorrect information is found. Article 26 powers are the primary tool to investigate potential fraud or negligence in the recognition process. Furthermore, Article 23 requires providers to report material changes, triggering a re-evaluation that could lead to an Article 26 investigation if discrepancies are found.

Misconception 3: The Commission has direct enforcement powers under Article 26.
Correction: The Commission does not hold Article 26 powers. Article 26 grants powers to "national competent authorities." The Commission's role is limited to resolving disputes between Member States under Article 17(10) and maintaining the central repository. Enforcement is a national competence, exercised by the authority of the provider's establishment.

Misconception 4: Article 26 powers apply to all subcontractors equally.
Correction: While Article 26(1) allows authorities to require information from "any other persons acting for purposes related to their trade," including subcontractors, this is only to the extent necessary to verify the provider's compliance with Article 17 tasks. The primary target remains the recognised provider, but the scope extends to the supply chain only as needed to verify the sovereignty criteria (e.g., data localisation or personnel citizenship of the subcontractor).

This is general information about a draft EU regulation, not legal advice.