Summary
Under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final — a proposal, not yet in force), national competent authorities would have three enforcement powers under Article 26(2): to order the cessation of infringements and impose proportionate remedies (point (a)); to impose fines (point (b)); and to impose periodic penalty payments (point (c)). As proposed, each can be exercised directly or by requesting a judicial authority in the same Member State to do so, and is available "where needed to carry out their tasks under Article 17" (recognition of Union assurance levels). These powers sit alongside the investigative powers in Article 26(1), the penalties framework in Article 24, and the proportionality and defence-rights safeguards in Article 26(3)–(4).
Detail
CADA's Chapter I of Title IV ("Autonomy") establishes a Union cloud computing sovereignty framework graded into four assurance levels. Enforcement of that Chapter falls to national competent authorities, with Article 25(4) giving exclusive competence to the authority of the Member State where a provider has its main establishment — the head office or registered office from which principal financial functions and operational control are exercised. This single-point-of-control approach aims to prevent fragmented enforcement while applying the sovereignty rules consistently across the Union.
The operative enforcement powers are in Article 26(2). Like the investigative powers in Article 26(1), they are exercisable "where needed to carry out their tasks under Article 17" — the recognition procedure under which the authority of establishment assesses providers' evidence and recognises (or refuses, or under Article 17(11) revokes) a service at a given assurance level.
The three enforcement powers (Article 26(2))
- Order cessation and remedies (Article 26(2)(a)). The authority may order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring it effectively to an end — or request a judicial authority in its Member State to do so. This lets an authority stop a non-compliant service from continuing to claim or trade on a Union assurance level it does not meet.
- Impose fines (Article 26(2)(b)). The authority may impose fines, or request a judicial authority to do so, for failure to comply with the Regulation — including failure to comply with any investigative order issued under Article 26(1). Non-cooperation with an investigation is therefore itself sanctionable.
- Impose periodic penalty payments (Article 26(2)(c)). The authority may impose periodic penalty payments, or request a judicial authority to do so, in accordance with Article 24, to ensure that an infringement is terminated in compliance with a cessation order under point (a), or to address failure to comply with an investigative order under Article 26(1). This creates a continuing financial pressure to remediate promptly.
The investigative powers behind enforcement (Article 26(1))
Enforcement typically follows investigation. Article 26(1) gives authorities the power to require information from providers and others who may hold it, including auditing organisations (point (a)); to carry out, or have ordered, inspections of premises, examining, seizing or copying information "in any form, irrespective of the storage medium" (point (b)); and to obtain explanations from staff, recorded with consent (point (c)). Failure to comply with orders issued under these investigative powers is exactly what the fines and periodic penalty payments in Article 26(2)(b)–(c) can address.
Proportionality and safeguards (Article 26(3)–(4))
Every measure under Article 26 must be effective, dissuasive and proportionate, having regard in particular to the nature, gravity, recurrence and duration of the (suspected) infringement and, where relevant, the economic, technical and operational capacity of the provider (Article 26(3)). Member States must set specific rules and procedures and ensure adequate safeguards under national law, in compliance with the general principles of Union law — including the right to respect for private life, the rights of defence (to be heard and to access the file) and the right to an effective judicial remedy (Article 26(4)).
Penalties and compensation behind enforcement (Article 24)
Article 26 supplies the live enforcement toolkit; Article 24 supplies the penalties framework it draws on. Member States must lay down penalties for infringements of Chapter I by cloud computing service providers that are effective, proportionate and dissuasive (Article 24(1)). In setting them, Member States take account of non-exhaustive criteria in Article 24(2):
- the nature, gravity, scale and duration of the infringement;
- any action taken to mitigate or remedy the damage caused;
- any previous infringements;
- financial benefits gained or losses avoided due to the infringement, where reliably established;
- any other aggravating or mitigating factor; and
- the infringing party's annual turnover in the preceding financial year in the Union.
The proposal as drafted does not fix a maximum fine or a turnover-percentage cap; it leaves the level of penalties to Member States within the effective-proportionate-dissuasive standard. Separately, Article 24(3) gives recipients of cloud computing services the right to seek compensation, in accordance with Union and national law, for damage or loss caused by a provider's infringement of its Chapter I obligations — a private-enforcement avenue alongside the public powers.
The "direct or via a judicial authority" structure
A recurring feature of all three Article 26(2) powers is that each can be exercised in two ways: by the competent authority itself, or by the authority requesting a judicial authority in its Member State to do so. The proposal does not prescribe which route applies; that is left to the rules and procedures Member States must adopt under Article 26(4). The practical effect is that the availability of each enforcement power is harmonised across the Union, while the procedure for using it — whether an authority acts administratively or must go through a court — will vary by Member State. Providers operating in several Member States should therefore expect a common menu of possible measures but different procedural paths to them.
This design also reinforces the safeguards. Routing a measure through a judicial authority is one way Member States can satisfy the Article 26(4) requirement that the exercise of powers respect defence rights and remain subject to an effective judicial remedy. Even where an authority acts directly, the affected provider retains the right to challenge the measure before a court.
Mutual assistance and cross-border cooperation (Articles 27–28)
Because cloud services cross borders, enforcement is supported by cooperation. Under Article 27, competent authorities and the Commission cooperate closely and exchange information, including on request to exercise Article 26 powers. Under Article 28, a competent authority of destination — or the Commission — may ask the authority of establishment to assess suspected non-compliance with the Annex II requirements and take the necessary investigatory and enforcement measures, with a response due as soon as possible and within two months.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the Article 26(2) powers turn assurance-level compliance into a strict legal obligation with real teeth.
- Keep audit-ready documentation. Because authorities can investigate and then enforce, maintain current evidence that you meet your claimed assurance level (1–4) — data localisation, personnel and supply-chain measures, relevant certifications.
- Know your jurisdiction. The authority over your main establishment holds exclusive enforcement competence under Chapter I (Article 25(4)); engage it proactively.
- Plan for periodic penalties. Periodic penalty payments accrue while non-compliance continues, so slow remediation gets expensive. Build a fast incident-response path for regulatory findings.
- Cooperate with investigations. Failure to comply with an investigative order is itself sanctionable under Article 26(2)(b)–(c). Make sure your teams respond accurately and on time.
- Review contractual liability. Recipients can seek compensation for damage under Article 24(3). Check your SLAs and liability clauses for exposure, ensuring they do not purport to override recipients' statutory rights.
Common misconceptions
- Misconception: Fines are the only sanction. Reality: Article 26(2) also lets authorities order cessation and impose remedies (point (a)) and impose periodic penalty payments (point (c)); and recipients can separately seek compensation under Article 24(3).
- Misconception: Enforcement is spread across every Member State where a service is offered. Reality: Article 25(4) gives exclusive competence to the Member State of the provider's main establishment, with cross-border concerns routed through cooperation (Articles 27–28).
- Misconception: There is a fixed maximum fine in CADA. Reality: The proposal does not set a numeric ceiling or turnover-percentage cap; Article 24(1) requires penalties to be effective, proportionate and dissuasive, with Article 24(2) criteria guiding the level. The amounts are for Member States to set.
- Misconception: SMEs are exempt from enforcement. Reality: SMEs benefit from simplified treatment in recognition (for example, an SME's EU statement of conformity for level 1 is recognised automatically across Member States under Article 17(3)), but they remain subject to the enforcement powers and penalties for infringements of the sovereignty framework.
This is general information about a draft EU regulation, not legal advice.