Summary
Under the proposed Cloud and AI Development Act (CADA), national competent authorities possess robust powers to investigate suspected infringements of the Union cloud computing sovereignty framework. As proposed in Article 26, the process begins with three core investigative tools: requests for information, on-site inspections (potentially requiring judicial orders), and interviews with staff. If an infringement is confirmed, authorities can issue cessation orders, impose fines, or levy periodic penalty payments to enforce compliance. Throughout this process, providers are protected by strict procedural safeguards under Article 26(4), including the right to be heard, access to the file, and the right to an effective judicial remedy. Measures must remain effective, dissuasive, and proportionate to the provider's capacity.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous enforcement regime to ensure cloud computing service providers adhere to the Union assurance levels and sovereignty criteria. For providers seeking or maintaining recognition under the framework, understanding the mechanics of an investigation is critical. The procedure is governed primarily by Article 26 of the proposal, which delineates the investigative and enforcement powers of the national competent authority of establishment.
The investigation process is not merely a theoretical exercise; it is a structured escalation from information gathering to coercive enforcement, balanced by fundamental rights protections.
Step 1: Investigative Powers and Information Gathering
The investigation phase is triggered when a competent authority has reason to suspect an infringement of the Regulation. This could stem from a whistleblower report, a discrepancy in a self-assessment, a negative audit opinion, or a complaint from a public sector body. Under Article 26(1), the competent authority of establishment is equipped with three distinct investigative tools to uncover the facts.
1. Requests for Information
The first line of inquiry is the power to demand information. Article 26(1)(a) grants the authority the power to require "any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession" to provide information. This scope is broad, extending beyond the provider itself to include auditing organisations, subcontractors, or any entity that may reasonably be expected to possess information relating to a suspected infringement.
The obligation is time-sensitive: the recipient must provide the information "as soon as possible." This step allows authorities to gather documentary evidence, such as contracts, software bills of materials (SBOMs), data flow diagrams, and personnel records, without immediate physical intervention. It is often the initial phase where authorities assess whether a formal inspection is necessary.
2. On-Site Inspections
If documentary evidence is insufficient, or if authorities suspect concealment or active obstruction, they can escalate to physical inspections. Article 26(1)(b) grants the authority the power to carry out, or to request a judicial authority in their Member State to order, inspections of "any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use."
During these inspections, authorities have the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium." This provision is critical for sovereignty investigations, as it allows authorities to verify physical infrastructure locations, inspect server logs, examine hardware assets, and review physical access controls. The phrase "irrespective of the storage medium" ensures that digital records on local servers, cloud backups, or portable devices are all within scope.
3. Interviews and Explanations
To clarify ambiguities found in documents or to uncover operational practices not evident in written records, authorities can interview personnel. Article 26(1)(c) empowers the authority to ask "any member of staff or representative of those providers... to give explanations in respect of any information relating to a suspected infringement."
Crucially, this power includes the ability to record answers, but only "with their consent." The authority can record these explanations "by any technical means." This allows investigators to create a verifiable record of oral testimony, which can be vital for establishing intent or understanding the operational reality of a service that may differ from its documented description.
Step 2: Enforcement Actions
If the investigation concludes that an infringement has occurred, the competent authority moves to the enforcement phase under Article 26(2). The authority has three primary levers to ensure compliance and penalize non-compliance.
1. Cessation Orders and Remedies
The primary objective of enforcement is to stop the violation and restore compliance. Under Article 26(2)(a), the competent authority has the power to "order the cessation of infringements." Where appropriate, they can also "impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end."
If the authority lacks the direct power to enforce such an order, it can "request a judicial authority in their Member State to do so." In the context of CADA, a cessation order could require a provider to immediately stop offering a service that falsely claims a specific Union assurance level, or to rectify technical deficiencies in their infrastructure that violate the criteria in Annex II.
2. Fines
To deter non-compliance and punish past violations, Article 26(2)(b) empowers the competent authority to "impose fines, or to request a judicial authority in their Member State to do so." These fines apply not only for failure to comply with the Regulation itself but also for "failure to comply with any of the investigative orders issued pursuant to paragraph 1."
For example, if a provider refuses to provide requested information, obstructs an on-site inspection, or fails to answer interview questions, they face financial penalties. The specific criteria for calculating these fines are detailed in Article 24, which requires Member States to consider the nature, gravity, scale, and duration of the infringement, as well as the provider's annual turnover in the Union.
3. Periodic Penalty Payments
For persistent non-compliance, Article 26(2)(c) allows the authority to "impose a periodic penalty payment." This is a recurring financial charge designed to ensure that an infringement is terminated in compliance with a cessation order, or to compel compliance with investigative orders.
Unlike a one-off fine, a periodic penalty payment accumulates over time. This creates continuous financial pressure on the provider to rectify the situation immediately. Like fines, this can be imposed directly by the authority or by requesting a judicial authority to do so.
Step 3: Proportionality and Procedural Safeguards
The CADA proposal recognizes the significant impact these powers can have on businesses and includes robust safeguards to protect providers' rights and ensure fair treatment.
Proportionality
Under Article 26(3), measures taken by national competent authorities must be "effective, dissuasive and proportionate." Authorities are explicitly required to have regard to the "nature, gravity, recurrence and duration of the infringement or suspected infringement."
Crucially, they must also consider "the economic, technical and operational capacity of the service provider concerned." This ensures that enforcement actions are not disproportionately burdensome for smaller providers compared to large hyperscalers. A measure that is proportionate for a global cloud giant might be crippling for a small EU-based provider; the authority must calibrate its response accordingly.
Legal Safeguards
Article 26(4) mandates that Member States set out specific rules and procedures for the exercise of these powers. These measures must be subject to "adequate safeguards under applicable national law in compliance with the general principles of Union law."
The text explicitly lists four key safeguards:
- Respect for private life: Investigations must not infringe on the fundamental right to privacy.
- Rights of defence: This includes the "right to be heard," allowing providers to present their case before a final decision is made.
- Right to have access to the file: Providers must be able to review the evidence collected against them.
- Right to an effective judicial remedy: All affected parties have the right to appeal decisions to a court.
This means that before a final penalty is imposed, a provider typically has the opportunity to present their case, challenge the evidence, and appeal to a court if necessary. The process is designed to be adversarial and fair, not purely administrative and punitive.
What this means for you
For cloud service providers and data centre operators, the CADA investigation process represents a significant shift in regulatory oversight. Unlike previous frameworks that focused primarily on cybersecurity or data protection, CADA's sovereignty framework requires deep technical and operational transparency regarding ownership, personnel, and infrastructure.
Preparation for Inspections
Providers should ensure their internal documentation is robust and accessible. Since authorities can seize information from "any storage medium" under Article 26(1)(b), having clear, organized records of infrastructure locations, personnel citizenship status, software supply chain details (as required by Annex II criteria), and data flow diagrams is essential. Implementing strong internal compliance programs can reduce the risk of inadvertent infringements and ensure that evidence is readily available if an inspection occurs.
Cooperation is Key
Given the power to request information "as soon as possible," providers should establish clear internal protocols for responding to regulatory inquiries. Delays or incomplete responses can themselves trigger fines under Article 26(2)(b) for failure to comply with investigative orders. Designating a single point of contact for regulatory affairs can help manage these interactions efficiently and ensure that all requests are answered comprehensively and promptly.
Financial Planning
The potential for fines and periodic penalty payments means non-compliance is not just a legal issue but a financial one. Providers should factor potential compliance costs and penalty risks into their operational budgets. Understanding the proportionality principle in Article 26(3) can also help providers negotiate or mitigate penalties by demonstrating their operational constraints or efforts to remediate issues.
Legal Review
Because Article 26(4) guarantees the right to an effective judicial remedy, providers should have legal counsel familiar with both EU regulatory law and national administrative law ready to assist in the event of an investigation. The right to access the file and be heard is critical for defending against allegations. Providers should not wait for a final decision to engage legal support; early intervention can shape the investigation's trajectory.
Common misconceptions
Misconception 1: Only large hyperscalers are investigated.
While large providers are high-profile targets, the CADA applies to all cloud computing service providers seeking recognition under the Union assurance levels. SMEs are not exempt from investigative powers. However, the proportionality principle in Article 26(3) requires authorities to consider their smaller economic capacity when determining the severity of measures.
Misconception 2: Investigations are purely digital.
Many providers assume compliance checks will be remote. However, Article 26(1)(b) explicitly allows for on-site inspections of premises. Physical access to offices, data centres, and server rooms is a real possibility, meaning physical security and access controls must align with regulatory expectations. Authorities can seize physical documents and inspect hardware directly.
Misconception 3: Fines are the only penalty.
Providers often focus on the financial impact of fines, but Article 26(2)(a) allows for cessation orders. Being forced to stop offering a service or specific features can be more damaging to business continuity than a fine. Additionally, periodic penalty payments under Article 26(2)(c) can accumulate rapidly if issues are not resolved quickly, creating a compounding financial burden.
Misconception 4: There is no right to defend yourself.
The safeguards in Article 26(4) ensure that providers have the right to be heard, access the evidence against them, and seek judicial review. The process is not purely punitive; it is designed to be fair and proportionate, provided providers engage constructively with the authority. Ignoring the right to be heard can weaken a provider's defense in subsequent judicial proceedings.
This is general information about a draft EU regulation, not legal advice.