Summary
Under the proposed Cloud and AI Development Act (CADA), public-sector buyers are active guardians of the Union's cloud sovereignty, not just passive consumers. If a cloud provider breaches its obligations, public bodies have a direct statutory right to seek compensation for damages under Article 24(3). Furthermore, buyers can trigger cross-border investigations by flagging suspected non-compliance to their national competent authority, which can then request action from the provider's home authority under Article 28. These mechanisms ensure that the "Union assurance levels" procured are genuinely maintained, protecting public order and data integrity.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous enforcement regime designed to ensure that cloud computing service providers meet the strict "Union assurance levels" required for public-sector procurement. For public-sector buyers, enforcement is not an abstract legal concept but a practical toolkit for managing risk, ensuring service continuity, and holding providers accountable. The framework relies on a combination of financial penalties, cross-border cooperation between national authorities, and direct civil rights for the recipients of the services.
The Right to Compensation for Public Bodies
One of the most significant provisions for public-sector buyers is the explicit right to seek compensation for damages caused by a provider's non-compliance. Under Article 24(3) of the CADA proposal, "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision is crucial because it shifts the burden of risk in a way that traditional procurement contracts often do not. In standard public procurement, proving negligence or breach of contract can be complex, costly, and dependent on specific contractual clauses. CADA simplifies this by linking compensation directly to infringements of the Regulation's specific obligations. These obligations include failing to maintain the required assurance level, violating data sovereignty criteria (such as unauthorized data transfers outside the Union), or failing to provide required audit evidence.
If a provider's failure to meet these regulatory standards results in a data breach, service disruption, or other harm to the public authority, the public body can pursue financial redress. This creates a strong financial incentive for providers to maintain rigorous compliance, directly benefiting the public bodies that rely on their services. The right is not limited to direct financial loss; it covers "any damage or loss," which could include reputational harm or the costs of remediation, provided these are proven under applicable national law.
Flagging Suspected Breaches and Cross-Border Cooperation
Public-sector buyers play a vital role in the enforcement ecosystem by identifying and reporting potential issues. While the primary regulatory oversight lies with the "national competent authorities" designated by each Member State, the enforcement mechanism is designed to be collaborative and cross-border. This is essential because cloud providers often operate across multiple jurisdictions, and a breach in one Member State may involve a provider established in another.
If the competent authority of the destination Member State (the authority in the Member State where the service is used, whether acting on its own findings or on behalf of a public buyer) suspects that a cloud computing service provider no longer fulfills the requirements of the assurance level it claims, that authority does not have to conduct a full independent investigation on its own. Instead, under Article 28, it can request the "competent authority of establishment" (the authority in the Member State where the provider has its main establishment) to assess the matter.
The process for flagging suspected breaches operates as follows:
- Identification: The public-sector buyer or their national authority identifies a suspected infringement. This could be evidence of data being stored outside the Union when it should remain within, a failure to provide required audit evidence, or a material change in the provider's control structure that undermines the assurance level.
- Request: The authority of the destination Member State sends a "duly reasoned" request to the authority of the establishment. This request must specify the suspected infringement and the reasons for the suspicion.
- Assessment and Action: The authority of the establishment must assess the matter and take necessary investigatory and enforcement measures to ensure compliance. They are required to communicate their assessment and any measures taken back to the requesting authority and the European Commission within two months of receipt of the request.
This mechanism ensures that enforcement is not siloed within one country. If a provider is established in Germany but serving a ministry in France, the French authority can trigger an investigation in Germany. This prevents providers from exploiting regulatory gaps or slower enforcement in one jurisdiction while operating across the Union. The "duly reasoned" requirement ensures that requests are not frivolous, while the two-month deadline ensures timely action.
Relevance to Assurance-Level Recognition
Enforcement is inextricably linked to the recognition of Union assurance levels. Public-sector buyers are mandated to procure services that meet specific assurance levels: Level 1 for general use, and Levels 2–4 for activities identified as contributing to the preservation of public order. These recognitions are not permanent badges of honor; they are conditional statuses that can be revoked.
If an enforcement action under Article 28 reveals that a provider has infringed upon the criteria set out in Annex II of the CADA, the national competent authority of establishment can revoke the recognition of that service. For a public-sector buyer, this has immediate and severe consequences:
- Immediate Risk: If a provider's recognition is revoked, the service no longer complies with the procurement requirements. Continuing to use the service would constitute a breach of the buyer's own obligations under Article 30.
- Mandatory Migration: Under Article 29(6), if a risk assessment or enforcement action requires migration to another cloud computing service, the Member State or Union entity "shall migrate within a reasonable transition period that shall not exceed 12 months." This period must take into account technical feasibility, continuity of service, and data portability requirements.
- Central Repository Transparency: The Commission maintains a central repository of recognized services under Article 22. Any revocation of a recognition "shall be published in the central repository and shall remain available there for five years." This provides a transparent, EU-wide record of non-compliant services, allowing buyers to verify the status of their providers in real-time and avoid future procurement from revoked entities.
Penalties and Deterrence
Beyond compensation for buyers, providers face significant penalties for non-compliance. Article 24(1) requires Member States to lay down rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."
Article 24(2) lists non-exhaustive criteria for imposing these penalties, including:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken by the infringing party to mitigate or remedy the damage.
- Any previous infringements by the infringing party.
- The financial benefits gained or losses avoided by the infringing party.
- The infringing party's annual turnover in the preceding financial year in the Union.
While the specific fine amounts are determined by national implementation, the framework ensures that non-compliance carries a heavy financial price, further protecting public-sector interests. The inclusion of "annual turnover" as a criterion suggests that penalties could be substantial for large hyperscalers, aligning with the severity of sovereignty breaches.
What this means for you
As a public-sector procurement officer, IT director, or legal counsel, CADA's enforcement provisions require you to move beyond static contract signing to active, continuous compliance monitoring. Here is how you should prepare:
- Integrate Enforcement Clauses into Contracts: Ensure your cloud contracts explicitly reference CADA obligations. Include clauses that allow for immediate termination or mitigation steps if a provider's assurance-level recognition is revoked or if they are found to be in breach under Article 28. Reference the right to compensation under Article 24(3) as a contractual right in addition to the statutory one.
- Establish Internal Reporting Protocols: Create a clear internal process for your technical and legal teams to flag suspected breaches. If your security team detects data exfiltration, unauthorized access, or operational changes that may violate sovereignty criteria, they should know how to escalate this to your national competent authority to trigger the Article 28 process. Do not wait for the provider to self-report.
- Plan for Migration: Since enforcement can lead to the revocation of a provider's status, you must have a migration plan ready. The law allows up to 12 months for migration, but in a crisis, you may need to move faster. Ensure your data is portable and that you are not locked into a single vendor without an exit strategy.
- Monitor the Central Repository: Regularly check the Commission's central repository of recognized cloud computing services. Do not rely solely on your provider's assurances; verify their current status in the official EU database. A revocation published there is a definitive signal to stop procurement or initiate migration.
- Document Damages: If a breach occurs, meticulously document all damages and losses. This documentation will be essential if you decide to exercise your right to compensation under Article 24(3). Keep records of service disruptions, data loss, and the costs incurred to remediate the situation.
Common misconceptions
- "Enforcement is only for the government to handle." While national authorities conduct the formal investigations, public-sector buyers are the "eyes and ears" on the ground. You are the ones who detect the operational failures. Without your reporting, the Article 28 cross-border mechanism cannot be triggered effectively.
- "Compensation is automatic." Article 24(3) grants the right to seek compensation, but it does not guarantee automatic payment. You will likely need to pursue this through civil or administrative channels in accordance with national law. However, the existence of this right strengthens your negotiating position and provides a clear legal basis for claims that did not exist under previous frameworks.
- "Once a service is recognized, it stays recognized." Recognition is conditional and ongoing. Providers must undergo annual reviews and report material changes. If they fail to meet the criteria, their recognition can be revoked at any time, forcing you to switch providers. The central repository is the single source of truth for this status.
- "I can only complain to my local authority." If your provider is established in another Member State, your local authority can still act. Under Article 28, they can request the authority of the provider's establishment to investigate. You do not need to navigate foreign legal systems yourself.
This is general information about a draft EU regulation, not legal advice.