Summary
Under the proposed Cloud and AI Development Act (CADA), cloud customers (recipients) have a direct statutory right to seek compensation from providers for "any damage or loss suffered" resulting from an infringement of the cloud sovereignty framework obligations (Article 24(3)). However, CADA does not harmonize the definition of damages or the rules of liability across the EU. Instead, the right is exercised "in accordance with Union and national law," meaning the specific scope of recoverable losses (such as whether indirect, consequential, or reputational damages are included) depends entirely on the applicable national legal system. To succeed, a claimant must demonstrate a causal link between the provider's specific breach of CADA obligations and the harm suffered.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive "Union cloud computing sovereignty framework" designed to mitigate risks associated with third-country control and ensure operational autonomy. This framework relies on four distinct Union assurance levels, ranging from Level 1 (self-assessment) to Level 4 (highest assurance with strict personnel and infrastructure requirements). To ensure these standards are not merely aspirational, the proposal includes a robust enforcement mechanism in Title IV, Chapter I, specifically Article 24, which addresses both administrative penalties and civil compensation.
The Statutory Right to Compensation
Article 24(3) is the cornerstone of the private enforcement regime. It states:
"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision creates a distinct cause of action for "recipients" of cloud services. While CADA places significant emphasis on public procurement and the protection of public order, the term "recipients" is not limited to public sector bodies. It encompasses any entity, including private sector businesses, that contracts with a cloud provider and suffers harm due to that provider's failure to comply with the sovereignty obligations.
The scope of obligations triggering this right covers the entirety of the sovereignty chapter (Title IV, Chapter I). This includes:
- Assurance Level Criteria: Failure to meet the cumulative criteria set out in Annex II for Levels 1 through 4 (e.g., data localization, personnel citizenship, or absence of third-country control).
- Recognition Procedures: Infringements related to the application for recognition (Article 17), including the submission of incorrect or misleading information.
- Conformity and Audits: Breaches of the conformity self-assessment requirements for Level 1 (Article 19) or the independent audit obligations for Levels 2–4 (Article 20).
- Transparency: Failure to notify competent authorities of material changes that could affect the provider's assurance status (Article 23).
The Critical Role of National Law
A crucial nuance in Article 24(3) is the phrase "in accordance with Union and national law." This phrasing indicates that while CADA establishes the existence of the right to compensation, it does not harmonize the substantive rules of tort or contract law regarding damages.
Consequently, the definition of "any damage or loss" is not uniform across the EU. The scope of recoverable damages is shaped by the national legal system governing the claim. In some Member States, compensation may be strictly limited to direct financial losses and actual damage (damnum emergens). In others, the legal framework may permit recovery for indirect losses, loss of profit (lucrum cessans), or even non-material damage such as reputational harm, provided these are foreseeable and proven.
Furthermore, national law dictates the procedural aspects of the claim, including:
- Burden of Proof: The standard of evidence required to establish the infringement and the resulting loss.
- Causation Standards: The legal test for linking the provider's breach to the customer's harm (e.g., "but-for" causation vs. adequate causation).
- Limitation Periods: The time limits within which a claim must be brought.
- Mitigation Duties: The obligation of the claimant to take reasonable steps to minimize their loss.
Therefore, a cloud customer in one Member State may recover a broader range of damages than a customer in another for the identical CADA infringement, depending on the local civil code.
Establishing Causation and Infringement
To successfully claim compensation under Article 24(3), a recipient must prove two fundamental elements:
- Infringement of Obligations: The claimant must demonstrate that the cloud provider breached a specific obligation under the sovereignty chapter. This could be a failure to maintain the required Union assurance level, a violation of data localization rules, or the provision of false information during the recognition process. Evidence of such infringement might include a revocation of recognition by a national competent authority, an audit report with a "negative" opinion, or a final administrative penalty decision.
- Causal Link: The claimant must prove that the damage or loss was "due to" the infringement. This requires establishing a direct causal chain. For example, if a provider falsely claimed to be free from third-country control (a Level 3/4 requirement) but was subsequently found to be under the control of a non-EU entity, and this control led to a foreign government accessing the customer's data, the customer must prove that the data access and the resulting financial loss were a direct consequence of the provider's misrepresentation and breach of the sovereignty criteria.
If the loss was caused by an independent event (e.g., a customer-side security failure or a force majeure event unrelated to the provider's sovereignty status), the causal link would be broken, and no compensation would be recoverable under CADA.
Interaction with Administrative Penalties
It is important to distinguish between the civil right to compensation and the administrative penalty regime. Article 24(1) and (2) require Member States to impose "effective, proportionate and dissuasive" penalties on providers for infringements. These penalties are administrative fines paid to the state, not to the customer.
Article 24(3) operates independently of these fines. A provider can be subject to a significant administrative fine for breaching CADA obligations while simultaneously being liable for civil compensation to affected customers. The criteria for determining the amount of administrative penalties (listed in Article 24(2)), such as the "financial benefits gained or losses avoided by the infringing party," are relevant for regulators but do not automatically determine the quantum of civil damages. However, a final administrative decision finding an infringement can serve as powerful evidence in civil proceedings to establish the first element of the claim (the infringement itself), potentially shifting the burden of proof regarding the breach to the provider.
What this means for you
For in-house counsel, compliance officers, and procurement teams, Article 24(3) transforms CADA compliance from a regulatory formality into a material financial risk. The potential for civil liability means that sovereignty breaches can directly impact a provider's balance sheet and, by extension, the stability of the supply chain.
1. Contractual Risk Allocation
While Article 24(3) provides a statutory right to compensation, it is prudent to reinforce this in your Cloud Service Agreements (CSAs). Contracts should explicitly:
- Define Damages: Clarify whether "damages" includes indirect, consequential, or loss of profit, potentially overriding restrictive default rules in national law if permissible.
- Indemnification: Include specific indemnity clauses for losses arising from a provider's failure to maintain their recognized Union assurance level.
- Notification Triggers: Mandate immediate notification of any material changes that could affect the provider's assurance status, aligning with Article 23 transparency obligations. Failure to notify could be a separate breach triggering liability.
2. Evidence Preservation and Causation
Because the claimant bears the burden of proving causation, maintaining rigorous records is essential. Organizations should:
- Document data flows, usage patterns, and service dependencies.
- Retain records of any incidents, service disruptions, or data breaches.
- If a provider's recognition is revoked or amended, immediately assess the impact on your operations.
- In the event of a breach, be prepared to demonstrate through forensic analysis that the specific loss (e.g., a data leak or regulatory fine imposed on the customer) was a direct result of the provider's failure to meet CADA sovereignty criteria (e.g., lack of technical separation from a third-country parent).
3. Monitoring and Due Diligence
Utilize the central repository established under Article 22 to regularly verify the status of your providers. If a provider's recognition is withdrawn, this serves as prima facie evidence of a potential infringement. If you continue to rely on their services after such a withdrawal and suffer loss, the causal link to the infringement is strengthened.
4. Jurisdictional Strategy
Given that the scope of damages is shaped by national law, the choice of governing law in your contracts is strategic. If your organization operates in a jurisdiction with favorable rules for recovering indirect losses or reputational damages, ensure your contracts are governed by that law to maximize potential recoveries under the CADA framework.
Common misconceptions
Misconception 1: CADA sets a uniform EU-wide standard for damages. Correction: CADA does not harmonize tort law. The phrase "in accordance with Union and national law" explicitly defers to Member State rules. The types of damages recoverable (e.g., indirect vs. direct) and the calculation methods will vary significantly across the EU.
Misconception 2: Compensation is automatic if a provider is fined. Correction: An administrative fine imposed by a national competent authority does not automatically trigger compensation payments. The customer must actively "seek" compensation, typically through civil litigation or arbitration. While the fine confirms the infringement, the customer must still prove causation and quantify the loss under national law.
Misconception 3: Only public sector bodies can claim damages. Correction: Article 24(3) refers to "recipients of the cloud computing services." This includes private sector entities. Any customer who suffers damage or loss due to a provider's infringement of the sovereignty obligations has the right to seek compensation, regardless of whether they are a public or private body.
Misconception 4: Administrative fines reduce the amount of civil compensation. Correction: Administrative penalties are paid to the state treasury, while compensation is paid to the victim. These are separate legal consequences. A provider cannot argue that paying a fine offsets their liability to compensate a customer for damages suffered.
This is general information about a draft EU regulation, not legal advice.