Summary

Under the proposed Cloud and AI Development Act (CADA), an infringement occurs when a cloud computing service provider fails to comply with the specific sovereignty, transparency, and auditing obligations set out in Title IV, Chapter I of the regulation. These breaches include submitting incorrect evidence for Union assurance level recognition, failing to undergo mandatory independent audits for higher assurance levels, or neglecting to report material changes that affect a service's compliance status. As proposed, Article 24(1) requires Member States to establish effective, proportionate, and dissuasive penalties for such infringements, while Article 26 grants national competent authorities broad investigative powers to detect and remedy them.

Detail

The Cloud and AI Development Act (CADA) establishes a rigorous regulatory framework for cloud computing services, with a specific focus on sovereignty, operational autonomy, and trust. To ensure compliance, the proposal defines precise obligations for providers and outlines clear consequences for non-compliance. Understanding what constitutes an infringement is critical for any provider aiming to serve Union entities or public sector bodies.

The Legal Basis for Infringements

The primary legal basis for penalties is found in Article 24(1) of the CADA proposal. This provision mandates that Member States shall lay down rules on penalties applicable to "infringements of this Chapter" by cloud computing service providers. "This Chapter" refers specifically to Chapter I of Title IV, which establishes the Union cloud computing sovereignty framework.

Consequently, an infringement is not a general breach of EU law, but a specific violation of the sovereignty framework's requirements. These requirements are designed to ensure that cloud services offered to Union entities and public sector bodies meet defined levels of security, data localization, and operational autonomy.

Key Categories of Infringements

Infringements typically arise from failures in the following areas:

  1. Failure to Meet Assurance Level Criteria: Providers must meet cumulative criteria to be recognized at specific Union assurance levels (1 through 4), as detailed in Annex II. An infringement occurs if a provider claims a certain assurance level but fails to meet the underlying criteria, such as data localization requirements, personnel citizenship checks, or cybersecurity certification standards. For example, failing to ensure that customer data remains exclusively within the Union (unless explicitly required otherwise by the public sector body) constitutes a substantive breach.

  2. Defective Recognition Processes: Under Article 17, providers must submit applications for recognition to the national competent authority of their establishment. Submitting incorrect, incomplete, or misleading evidence during this process constitutes an infringement. For Union assurance levels 2, 3, and 4, this includes failing to provide a valid audit report and a 'positive' audit opinion from an accredited auditing organization. Article 17(11) explicitly allows competent authorities to revoke recognition if a provider "intentionally or negligently, supplied incorrect or misleading information."

  3. Lack of Transparency and Reporting: Article 23 imposes strict transparency obligations on recognized providers. Providers must promptly notify their auditing organization and the national competent authority of any material change in circumstances that could affect their audit report or recognition status. Failure to report such changes, or providing false information during these notifications, is an infringement.

  4. Non-Compliance with Audit Obligations: For assurance levels 2, 3, and 4, independent third-party audits are mandatory under Article 20. An infringement includes refusing cooperation with auditing organizations, hindering the audit process, or failing to undergo the required annual reviews of the audit report. Article 20(2) explicitly states that audited providers must "refrain from hampering, unduly influencing or undermining the performance of the audit."

  5. Breach of Data Sovereignty and Control Rules: The criteria for assurance levels often require that customer data remain exclusively within the Union and that the provider is not subject to third-country control in a manner that compromises operational autonomy. Unauthorized transfer of data outside the Union, or failure to implement necessary technical and organizational measures to prevent third-country access to data, constitutes a substantive infringement.

Investigative Powers and Enforcement Mechanisms

When an infringement is suspected, the enforcement mechanism relies on the powers granted to national competent authorities. Article 25 requires Member States to designate one or more national competent authorities responsible for enforcing Chapter I. These authorities are granted specific investigative and enforcement powers under Article 26 to detect and address infringements.

Investigative Powers (Article 26(1))

To carry out their tasks, competent authorities of establishment have the power to:

  • Require cloud computing service providers, auditing organizations, and other relevant persons to provide information related to a suspected infringement as soon as possible.
  • Carry out inspections of premises used by providers or related persons to examine, seize, or obtain copies of information relating to a suspected infringement, regardless of the storage medium.
  • Ask staff or representatives of providers to give explanations regarding suspected infringements and, with consent, record their answers.

Enforcement Powers (Article 26(2))

If an infringement is confirmed or to ensure compliance, authorities may:

  • Order the cessation of infringements and impose proportionate remedies to bring the infringement to an end.
  • Impose fines for failure to comply with the regulation, including for non-compliance with investigative orders.
  • Impose periodic penalty payments to ensure an infringement is terminated or to enforce compliance with investigative orders.

These measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)).

Penalties and Compensation Rules

While CADA mandates that Member States establish penalties, it does not set a fixed EU-wide fine amount for sovereignty framework infringements. Instead, Article 24(2) provides a non-exhaustive list of criteria for Member States to consider when imposing penalties, including:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Previous infringements by the same party.
  • Financial benefits gained or losses avoided due to the infringement.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Furthermore, Article 24(3) establishes a civil liability component. Recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under Chapter I. This creates a dual risk for providers: regulatory fines from authorities and civil claims from customers.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, the CADA proposal introduces a rigorous compliance regime that extends beyond traditional cybersecurity standards.

  1. Audit Readiness: If you offer services to public sector bodies, you must be prepared for independent third-party audits for assurance levels 2, 3, and 4. Ensure your internal controls, data flow diagrams, and subcontractor agreements are audit-ready at all times.
  2. Robust Reporting Mechanisms: Implement immediate internal processes to detect and report "material changes" in your service architecture, ownership, or data processing practices. Delays in reporting to your auditor or competent authority can constitute an infringement under Article 23.
  3. Subcontractor Oversight: The sovereignty criteria extend to subcontractors. You must ensure that all subcontractors involved in service delivery meet the same localization and control requirements. Failure to enforce these contracts can lead to your own infringement.
  4. Penalty Preparedness: Review your insurance and liability frameworks. Since Article 24(3) allows customers to seek compensation for losses caused by your infringements, ensure your terms of service and insurance policies adequately cover potential civil liability arising from sovereignty breaches.
  5. Engagement with Authorities: Maintain open channels with your national competent authority. Under Article 26, authorities have significant investigative powers, including premises inspections. Cooperation can mitigate the severity of penalties, as Article 24(2) considers remedial actions and cooperation in penalty calculations.

Common misconceptions

"Only cybersecurity breaches count as infringements." CADA's sovereignty framework is distinct from pure cybersecurity. Infringements often relate to data localization, personnel citizenship, ownership structures, and operational autonomy, not just technical security flaws. A service can be cyber-secure but still infringe CADA if it allows unauthorized third-country access to data or violates localization rules.

"Self-assessment is sufficient for all levels." Only Union assurance level 1 allows for conformity self-assessment (Article 19). Levels 2, 3, and 4 require independent third-party audits. Attempting to self-certify for higher levels is a fundamental misunderstanding of the framework and will lead to recognition rejection or infringement findings.

"Penalties are fixed at the EU level." Unlike the GDPR or the AI Act, CADA does not set specific fine amounts in the proposal. Member States have discretion to determine penalty rules, guided by the criteria in Article 24(2). This means penalty landscapes will vary across the EU until national implementations are finalized.

"Private sector users are not affected." While the mandatory procurement rules apply to public sector bodies, the sovereignty framework and infringement definitions apply to providers offering services to any entity if they seek recognition under the framework. Additionally, private sector entities in critical sectors (listed in Annex I of NIS2) may conduct similar impact assessments (Article 31), creating market pressure for compliance.

This is general information about a draft EU regulation, not legal advice.