Summary

Under the proposed Cloud and AI Development Act (CADA), compliance officers must prepare for direct, high-stakes oversight by national competent authorities. The proposal mandates that Member States designate these authorities within one year of entry into force, granting them exclusive competence over providers based on their "main establishment." These authorities wield broad investigative powers, including the right to inspect premises, seize data, and compel testimony, and can impose fines and periodic penalty payments. Crucially, while CADA requires penalties to be "effective, proportionate and dissuasive," it does not set fixed maximum fine amounts; instead, Member States must define specific rules based on criteria like turnover and infringement duration. Additionally, Article 24 grants service recipients a private right to seek compensation for damages, creating a dual exposure of regulatory fines and civil liability.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous enforcement architecture to safeguard the Union's cloud sovereignty framework. For compliance officers, the critical operational provisions are concentrated in Title IV, Chapter I, specifically Articles 24, 25, and 26. These articles define the regulatory bodies, delineate their extensive powers, and outline the consequences of non-compliance. Unlike the AI Act, which sets specific fine caps, CADA delegates the quantification of penalties to Member States, creating a fragmented but potent enforcement landscape.

The Regulatory Body: National Competent Authorities (Article 25)

Article 25 mandates that each Member State designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. This designation must be completed within one year of the Regulation's entry into force.

The Regulation establishes a "one-stop-shop" model for enforcement. Article 25(4) grants exclusive competence to the Member State where the cloud computing service provider has its "main establishment." This is defined as the location of the head office or registered office from which the principal financial functions and operational control are exercised. This single-point-of-contact model simplifies the regulatory interface for pan-European providers but places a heavy burden on the designated authority to manage enforcement across the Union.

Member States are required to ensure these authorities possess sufficient technical, financial, and human resources to supervise all providers within their competence impartially and transparently. They must also notify the Commission of the names, tasks, and powers of these authorities, which the Commission will maintain in a public register. Compliance officers must proactively track this register to identify their specific regulator, as it may not be the traditional data protection authority but could be a cybersecurity agency, a digital infrastructure regulator, or a newly created body.

Investigative and Enforcement Powers (Article 26)

Article 26 grants national competent authorities extensive powers to investigate suspected infringements and enforce compliance. These powers are bifurcated into investigative and enforcement categories, both of which are critical for operational readiness.

Investigative Powers: Under Article 26(1), authorities have the power to:

  • Require Information: Demand that any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft, or profession (including auditing organizations), provide information as soon as possible regarding a suspected infringement.
  • Inspect Premises: Carry out, or request a judicial authority to order, inspections of any premises used for trade or business purposes. This includes the right to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
  • Request Explanations: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.

Enforcement Powers: Under Article 26(2), if an infringement is confirmed or suspected, authorities can:

  • Order Cessation: Order the cessation of infringements and impose remedies proportionate to the infringement to bring it effectively to an end.
  • Impose Fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation or with any investigative orders issued.
  • Impose Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order, or for failure to comply with investigative orders.

Crucially, Article 26(3) stipulates that these measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider. Furthermore, Article 26(4) mandates that the exercise of these powers be subject to adequate safeguards under national law, including the right to respect for private life, the rights of defense (including the right to be heard and access to the file), and the right to an effective judicial remedy.

Penalties and Compensation (Article 24)

Article 24 outlines the penalty regime for infringements of the sovereignty framework. A key distinction from other EU digital regulations is that CADA does not set fixed maximum fine amounts (e.g., a specific percentage of global turnover). Instead, Article 24(1) requires Member States to lay down the rules on penalties applicable to infringements by cloud computing service providers within their competence. These penalties must be "effective, proportionate and dissuasive."

When determining penalties, Article 24(2) requires Member States to consider a non-exhaustive list of criteria:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party.
  • Any other aggravating or mitigating factors.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Additionally, Article 24(3) establishes a significant private right of action: recipients of cloud computing services have the right to seek, in accordance with Union and national law, compensation from providers for any damage or loss suffered due to an infringement of the provider's obligations under this Chapter. This creates a dual layer of liability: regulatory fines imposed by the state and civil damages claimed by customers.

Transparency Obligations (Article 23)

While this note focuses on enforcement powers, Article 23 is the primary trigger for enforcement actions. Providers must promptly notify the auditing organization and the national competent authority of any material change in circumstances that may affect their audit report, opinion, or recognition. Failure to report such changes can lead to the amendment or revocation of recognition, which in turn triggers the investigative powers under Article 26.

What this means for you

For in-house counsel and compliance officers, the CADA enforcement framework requires a proactive, rather than reactive, approach. The following playbook outlines immediate actions and long-term strategies to manage exposure.

1. Map Your Regulatory Landscape

Identify your "main establishment" as defined in Article 25(4). This determination is critical as it dictates your exclusive competent authority. Monitor your jurisdiction's implementation timeline to ensure you are registered and compliant with local designation rules within one year of the Regulation's entry into force. Once designated, maintain a direct line of communication with this authority and track the public register maintained by the Commission.

2. Build an Inspection Response Playbook

Given the broad investigative powers in Article 26, your organization must have a clear, pre-approved protocol for handling authority requests.

  • Information Requests: Establish a legal hold and data retrieval process to provide information "as soon as possible" when requested. Ensure that your compliance data rooms are organized to quickly produce evidence of compliance with Union assurance levels (e.g., establishment proofs, infrastructure location logs, personnel citizenship records).
  • Premises Inspections: Train staff on their rights and obligations during inspections. While authorities can inspect premises and seize information, they must respect procedural safeguards. Ensure that only authorized personnel interact with investigators and that all requests for explanations are handled with legal counsel present to protect the rights of defense.
  • Cooperation with Auditors: Since Article 26(1) allows authorities to request information from auditing organizations, ensure your audit contracts include clear clauses regarding confidentiality, the scope of information sharing with regulators, and the provider's right to be notified of such requests.

3. Monitor and Report Material Changes

Implement a robust governance process to detect "material changes in circumstances" as required by Article 23. This could include changes in subcontractors, infrastructure locations, corporate control structures, or software supply chain dependencies. Any change that could affect your Union assurance level must be reported immediately to the auditing organization and the competent authority. Delayed reporting is a likely trigger for enforcement actions under Article 26 and could be viewed as an aggravating factor under Article 24(2).

4. Prepare for Penalty Exposure

Understand that penalties are not fixed but based on a multi-factor test including turnover and duration of infringement. Conduct internal audits to minimize the "gravity and scale" of any potential non-compliance. Document all remediation efforts, as these are explicit mitigating factors in penalty calculations under Article 24(2). Additionally, assess your liability exposure under Article 24(3) for customer compensation claims. Ensure your service level agreements (SLAs) and terms of service clearly define liability boundaries, though these cannot override the statutory right to compensation for damages caused by infringement.

5. Leverage Mutual Assistance Mechanisms

Be aware that under Articles 27 and 28, competent authorities cooperate across borders. If you operate in multiple Member States, an investigation in one country could trigger information requests or enforcement actions in another. Maintain a unified compliance posture across all EU operations to avoid discrepancies that could be flagged during cross-border cooperation.

Common misconceptions

Misconception 1: CADA sets fixed fine amounts. Unlike the GDPR or the AI Act, which specify maximum fines as a percentage of global turnover (e.g., 7% for the AI Act), CADA Article 24 delegates the setting of specific penalty amounts to Member States. While the criteria for calculating penalties are harmonized (e.g., considering annual turnover), the actual fine structure will vary by jurisdiction. Compliance officers cannot rely on a single EU-wide fine calculator.

Misconception 2: Only the provider is liable. While Article 24 focuses on penalties for cloud computing service providers, the enforcement powers in Article 26 extend to "any other persons acting for purposes related to their trade, business, craft or profession," including auditing organizations. Compliance officers must ensure that their third-party auditors are also aware of their obligations and potential exposure to investigative orders.

Misconception 3: Enforcement is purely administrative. Article 24(3) introduces a private right to compensation for recipients of cloud services. This means that non-compliance with sovereignty requirements could lead to civil litigation from customers, not just regulatory fines. Compliance programs must therefore consider customer risk and potential contract disputes as part of the enforcement landscape.

Misconception 4: The competent authority is the data protection authority. While data protection is relevant, Article 25 allows Member States to designate existing authorities or create new ones. It is not automatically the data protection authority. Compliance officers must verify the specific designation in their Member State, which could be a cybersecurity agency, a digital infrastructure regulator, or a new dedicated body.

This is general information about a draft EU regulation, not legal advice.