Summary
Under the proposed Cloud and AI Development Act (CADA), Member States must establish penalties for infringements by cloud computing service providers that are "effective, proportionate and dissuasive" (Article 24(1)). As proposed, this standard requires penalties to be impactful enough to enforce compliance, scaled to the specific severity and context of the breach, and severe enough to deter future violations. National competent authorities apply this standard when exercising enforcement powers, such as imposing fines or periodic penalty payments, under Article 26(2) and (3). Unlike the AI Act, CADA does not prescribe fixed percentage-of-turnover fines in the regulation itself; instead, it sets a qualitative benchmark that Member States must transpose into national law, guided by specific criteria in Article 24(2) and operationalized by the enforcement discretion in Article 26(3).
Detail
The Cloud and AI Development Act (CADA) establishes a Union cloud computing sovereignty framework comprising four assurance levels. To ensure compliance with these stringent criteria—ranging from establishment in the Union to the absence of third-country control—the proposal mandates robust enforcement mechanisms. Central to these mechanisms is the requirement for Member States to impose penalties that meet the traditional EU legal standard of being "effective, proportionate and dissuasive."
The Legal Standard: Article 24(1)
Article 24(1) of the CADA proposal states:
"Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive."
This phrasing is a cornerstone of EU regulatory law. It does not prescribe a fixed fine amount (e.g., "€20 million" or "4% of turnover") but rather establishes a qualitative benchmark for national legislatures. Member States must translate this benchmark into their national laws, ensuring that the potential sanctions are not merely symbolic. The provision explicitly places the responsibility on Member States to "lay down the rules," meaning the specific ceiling and calculation methodology will vary by jurisdiction, provided they meet the EU standard.
Breaking Down the Three Limbs
To understand how authorities and courts will interpret this standard under CADA, it is essential to examine each component of the triad as it applies to the cloud sovereignty framework:
- Effective: The penalty must be capable of achieving the regulation's objective—in this case, ensuring cloud providers comply with Union assurance levels, transparency obligations, and audit requirements. If a penalty is too low to cover the administrative cost of enforcement or is easily ignored by large providers as a "cost of doing business," it fails the effectiveness test. The sanction must actually bring the infringement to an end or ensure future compliance. In the context of CADA, effectiveness also implies that the penalty mechanism must be enforceable against the specific provider, considering their operational reality.
- Proportionate: The penalty must be commensurate with the specific offense. It cannot be excessive relative to the gravity of the breach. Proportionality requires a careful balancing of the infringement against the provider's circumstances. This is where the criteria in Article 24(2) become critical. A minor administrative oversight, such as a delay in updating a public register entry, should not trigger the same financial penalty as a deliberate, large-scale violation of sovereignty criteria, such as transferring sensitive public-order data to a third country.
- Dissuasive: The penalty must be severe enough to discourage the offending provider (and others in the market) from committing similar violations in the future. If the potential fine is less than the economic benefit gained from non-compliance (e.g., the cost savings of using non-compliant infrastructure or the revenue generated from a prohibited service), the penalty is not dissuasive. The goal is to make non-compliance economically irrational.
How Authorities Apply the Standard: Article 26(3)
While Article 24 sets the legislative baseline for Member States, national competent authorities apply this standard in practice during enforcement actions. Article 26 grants these authorities investigative and enforcement powers, including the power to order the cessation of infringements, impose remedies, and levy fines.
Specifically, Article 26(3) dictates how these powers must be exercised, effectively operationalizing the Article 24 standard for individual cases:
"Measures taken by national competent authorities of establishment in exercising their powers listed in paragraphs 1 and 2 shall be effective, dissuasive and proportionate, having regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement to which those measures relate, and, where relevant, the economic, technical and operational capacity of the service provider concerned."
This provision is the bridge between the abstract legal standard and the concrete administrative decision. When an authority decides to impose a fine (under Article 26(2)(b)) or a periodic penalty payment (under Article 26(2)(c)), it must explicitly consider:
- Nature and Gravity: Was the breach technical (e.g., a missing document) or fundamental (e.g., a lack of Union establishment)? Did it compromise data sovereignty or public order?
- Recurrence and Duration: Was this a one-time error or a systemic failure over several years? A recurring infringement suggests a lack of internal controls, warranting a higher penalty to ensure dissuasion.
- Capacity: Can the provider afford the fine? A penalty that bankrupts a small EU startup may be proportionate in amount but disproportionate in effect, whereas a negligible fine for a global hyperscaler would fail the dissuasive test. The authority must assess the "economic, technical and operational capacity" to ensure the penalty is felt but not destructive to the point of eliminating the provider from the market unnecessarily.
Criteria for Imposition: Article 24(2)
To guide Member States in crafting laws that meet the Article 24(1) standard, Article 24(2) provides a non-exhaustive list of criteria that must be taken into account when imposing penalties. These criteria ensure the "proportionate" limb is applied consistently across the EU:
- Nature, gravity, scale, and duration: The scope and severity of the breach.
- Mitigation efforts: Any action taken by the infringing party to remedy the damage. This encourages voluntary compliance and self-correction.
- Previous infringements: Repeat offenders face higher penalties to enhance the dissuasive effect.
- Financial benefits: The profit gained or losses avoided due to the infringement. This is crucial for the "dissuasive" element; penalties must outweigh illicit gains.
- Aggravating or mitigating factors: Contextual elements specific to the case.
- Annual turnover: The provider's financial size in the Union, ensuring the penalty is felt but not destructive.
What this means for you
For in-house counsel and compliance officers, the "effective, proportionate and dissuasive" standard means that CADA penalties are not arbitrary. They are designed to be significant enough to drive real behavioral change in the cloud market.
- Risk Assessment is Critical: Because penalties are scaled to the "gravity" and "scale" of the infringement, minor compliance gaps should be identified and remediated internally before they attract regulatory attention. Demonstrating "action taken to mitigate or remedy the damage" (Article 24(2)(b)) can significantly reduce the final penalty.
- Documentation of Compliance: Given that Article 26(3) considers the "economic, technical and operational capacity" of the provider, maintaining clear records of your compliance efforts, resource allocation, and technical safeguards will be vital. If a breach occurs, you must be able to show it was not due to negligence or disregard for the rules.
- Monitor National Transpositions: Since Member States must "lay down the rules on penalties" (Article 24(1)), the actual fine structures will vary by country. You must monitor how your provider's main establishment Member State implements these rules. The "competent authority of establishment" has exclusive competence for enforcement (Article 25(4)), so the national law of that specific Member State will determine the exact penalty ceiling and calculation methodology.
- Prepare for Periodic Penalties: Article 26(2)(c) allows for periodic penalty payments to ensure infringements are terminated. This means non-compliance can become increasingly expensive over time until rectified. Your incident response plans must include rapid remediation protocols to stop the clock on these escalating costs.
Common misconceptions
- Misconception 1: "Effective, proportionate and dissuasive" means the maximum possible fine.
- Reality: It means the appropriate fine. A maximum fine for a minor, unintentional error would violate the "proportionate" limb. Authorities must tailor the sanction to the specific breach.
- Misconception 2: CADA sets fixed EU-wide fine amounts.
- Reality: Unlike the AI Act, which specifies percentage-of-turnover ceilings in the text (e.g., Article 99), CADA Article 24 leaves the specific penalty rules to Member States. The EU standard is qualitative, not quantitative. However, the criteria in Article 24(2) ensure that financial size (turnover) is always considered.
- Misconception 3: Only large hyperscalers are at risk.
- Reality: While large providers face higher absolute fines due to turnover, the "effective and dissuasive" standard applies to all. For smaller providers, a penalty that is proportionate to their size can still be financially devastating. The standard ensures the penalty is felt by the violator, regardless of size.
This is general information about a draft EU regulation, not legal advice.