Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers face direct enforcement by National Competent Authorities (NCAs) in their Member State of main establishment. As proposed, CADA would empower these authorities to investigate infringements, inspect premises, and impose "effective, proportionate and dissuasive" penalties for non-compliance with the Union cloud computing sovereignty framework. Crucially, the proposal establishes a system of mutual assistance and cross-border cooperation, meaning that regulatory scrutiny in one Member State can trigger coordinated enforcement actions across the EU. Providers must also be aware that recipients of their services have a statutory right to seek compensation for damages caused by infringements.

Detail

The enforcement architecture of the proposed CADA is designed to ensure that cloud computing service providers comply with the Union's sovereignty framework, particularly regarding the recognition of Union assurance levels. The core enforcement provisions are located in Title IV, Chapter I of the proposal, specifically Sections 4 and 5 (Articles 24–28), which establish the penalty regime, the powers of NCAs, and the mechanisms for cross-border cooperation.

National Competent Authorities: Exclusive Competence (Article 25)

As proposed, each Member State must designate one or more national competent authorities (NCAs) responsible for enforcing Chapter I of the Regulation. This designation must occur within one year of the Regulation's entry into force.

A critical feature of the CADA enforcement model is the principle of exclusive competence. Article 25(4) stipulates that the Member State where the cloud computing service provider has its main establishment holds exclusive competence for enforcing the Regulation. The proposal defines the "main establishment" as the location where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.

This centralization is designed to prevent a provider from being subjected to conflicting enforcement actions from multiple Member States for the same service. However, it places a significant burden on the NCA of the main establishment to monitor the provider's entire EU-wide operations regarding sovereignty compliance.

Investigative and Enforcement Powers (Article 26)

The NCAs of the Member State of establishment are granted significant powers to ensure compliance with the sovereignty framework. These powers are divided into investigative and enforcement categories:

Investigative Powers: Under Article 26(1), NCAs can:

  • Require any cloud computing service provider, subcontractors, or auditing organizations to provide information relevant to a suspected infringement.
  • Conduct inspections of any premises used for trade or business purposes. This includes the power to examine, seize, take, or obtain copies of information in any form, irrespective of the storage medium.
  • Ask staff or representatives to give explanations regarding suspected infringements and, with their consent, record their answers.

Enforcement Powers: Under Article 26(2), NCAs can:

  • Order the cessation of infringements and impose remedies proportionate to the infringement to bring it effectively to an end.
  • Impose fines for failure to comply with the Regulation or with investigative orders.
  • Impose periodic penalty payments to ensure that an infringement is terminated or to penalize failure to comply with investigative orders.

These measures must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider.

Penalties and Compensation (Article 24)

Article 24 sets out the framework for penalties and compensation. Member States are required to lay down rules on penalties applicable to infringements by cloud service providers within their competence. The proposal does not set fixed maximum fine amounts (unlike the AI Act); instead, it mandates that penalties be "effective, proportionate and dissuasive."

When determining the level of penalties, authorities must consider a non-exhaustive list of criteria, including:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Private Right to Compensation: A significant exposure for providers is found in Article 24(3), which establishes that recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement of the provider's obligations under Chapter I. This creates a private law remedy alongside public enforcement, potentially exposing providers to civil liability claims from public sector bodies or other clients if their service fails to meet the recognized assurance level.

Cross-Border Cooperation and Mutual Assistance (Articles 27 and 28)

Because cloud services are inherently cross-border, CADA establishes robust mechanisms for cooperation between NCAs to ensure consistent application of the sovereignty framework.

Mutual Assistance (Article 27): NCAs must cooperate closely and provide each other with mutual assistance, including the exchange of information. An NCA may request specific information from another Member State's authority to exercise its investigative powers. The requested authority must comply and inform the requesting authority of the action taken, generally within two months.

Cross-Border Cooperation (Article 28): This mechanism addresses situations where a provider's service is used in a Member State different from its establishment. If an NCA in a Member State where a service is used (the "destination") suspects that a provider no longer fulfills the requirements of Annex II (Union assurance levels), it may request the NCA of establishment to assess the matter and take necessary investigatory or enforcement measures.

The NCA of establishment must communicate its assessment and any measures taken to the requesting authority and the Commission within two months. The Commission also retains the power to request the NCA of establishment to take action if it suspects non-compliance. This ensures that a provider cannot evade scrutiny by operating in a Member State other than its main establishment.

Compliance Obligations Triggering Enforcement

The enforcement powers described above are triggered by non-compliance with the core obligations of Chapter I. Providers seeking recognition for Union assurance levels must adhere to strict procedural obligations:

  • Level 1: Requires a conformity self-assessment and the issuance of an EU statement of conformity (Article 19).
  • Levels 2, 3, and 4: Require independent third-party audits (Article 20) and the submission of applications for recognition to the NCA of establishment (Article 17).
  • Transparency: Providers must promptly notify the auditing organization and the NCA of any material changes that could affect their assurance level (Article 23).

Failure to maintain accurate information, cooperate with audits, or meet the criteria in Annex II can trigger the full spectrum of NCA powers, from information requests to fines and the revocation of recognition.

What this means for you

For cloud service providers and data centre operators, the proposed CADA enforcement regime introduces a new layer of regulatory scrutiny focused on sovereignty and operational autonomy.

  1. Centralized Regulatory Contact: You will primarily deal with the NCA in your Member State of main establishment. This simplifies the point of contact but concentrates significant power in that single authority. Ensure your governance structure clearly identifies your "main establishment" and that your local NCA is fully aware of your global operations.
  2. Prepare for Inspections: Your internal governance must be capable of supporting rapid information requests and on-site inspections. Documentation regarding subcontractors, data localization, and audit evidence (as detailed in Annex III) must be readily accessible. The NCA has the power to seize information in any form, so digital and physical records must be secure and organized.
  3. Financial Exposure: Be aware that penalties are tied to your annual turnover in the Union. While the proposal does not set a cap, the requirement for penalties to be "dissuasive" suggests that significant fines are possible for large providers. Additionally, contracts with public sector clients must account for the risk of compensation claims if your service fails to meet the assured levels due to non-compliance.
  4. Cross-Border Vigilance: Even if you are compliant in your home Member State, a complaint or suspicion from a user in another Member State can trigger a cross-border cooperation request under Article 28. Your NCA of establishment will then investigate, but the initial trigger can come from anywhere in the EU. Maintain consistent compliance standards across all EU operations to avoid such triggers.
  5. Audit Cooperation: For providers targeting Levels 2-4, cooperation with auditing organizations is not just a contractual obligation but a regulatory one. Hindering an audit can be considered an infringement subject to NCA enforcement. Ensure your auditors have full access to data and premises as required by Article 20.

Common misconceptions

  • "Only the provider's home country matters." While the NCA of establishment has exclusive enforcement competence, other Member States can trigger investigations through cross-border cooperation mechanisms (Article 28). A non-compliant service in France can lead to an investigation by the NCA in Ireland if the provider is established there.
  • "CADA penalties are fixed amounts." The proposal does not set fixed fine amounts. Instead, it requires penalties to be "effective, proportionate and dissuasive" and lists criteria such as turnover and gravity of infringement (Article 24). The actual fine will depend on the specific circumstances and national implementation.
  • "Only public sector clients are affected." While the assurance levels are primarily for public procurement, the enforcement powers apply to the provider's general compliance with the sovereignty framework. Furthermore, the private sector (specifically entities under NIS2) can conduct impact assessments (Article 31), and the market signal from public procurement will likely drive private sector demand for assured services, indirectly increasing enforcement scrutiny on providers who claim sovereignty credentials.
  • "Audits are optional for Level 1." Level 1 requires a conformity self-assessment (Article 19), but this is still a regulated obligation. The provider assumes responsibility for compliance, and false statements in the EU statement of conformity can lead to enforcement actions by the NCA.
  • "CADA is just about fines." The enforcement regime includes the right of recipients to seek compensation for damages (Article 24(3)). This creates a significant civil liability risk that goes beyond administrative penalties.

This is general information about a draft EU regulation, not legal advice.