What happens if a provider ignores a CADA investigative order?

Summary If a cloud computing service provider ignores an investigative order issued by a national competent authority under the proposed Cloud and AI Development Act (CADA), the authority can escalate from investigation to enforcement. Under Article 26, authorities possess the power to impose fines for failure to comply and periodic penalty payments to compel immediate action. These measures apply not only to the underlying infringement but specifically to the refusal to cooperate with the investigation itself. Providers also face civil liability for damages under Article 24.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous enforcement framework to ensure cloud service providers comply with the Union cloud computing sovereignty framework. Central to this framework is the authority of national competent authorities to investigate suspected infringements. If a provider fails to cooperate, ignores requests for information, or refuses access to premises, the regulation provides a clear, escalating path from investigative requests to punitive financial measures.

1. The Scope of Investigative Powers (Article 26(1))

Before penalties can be applied, it is essential to understand the scope of the orders a provider might receive. Under Article 26(1), national competent authorities of establishment possess three specific investigative powers when necessary to carry out their tasks regarding the recognition of cloud computing services:

• Requiring Information: The authority can require any cloud computing service provider, as well as "any other persons acting for purposes related to their trade, business, craft or profession," to provide information as soon as possible. This explicitly includes auditing organisations. The scope covers anyone reasonably expected to be aware of information relating to a suspected infringement.
• Inspections: The authority can carry out inspections, or request a judicial authority to order inspections, of any premises used for trade or business purposes. This power allows them to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
• Explanations: The authority can ask any member of staff or representative of the provider to give explanations regarding information relating to a suspected infringement. With consent, these answers can be recorded by technical means.

An "investigative order" in this context is a formal directive issued under these powers. Ignoring such an order constitutes a failure to comply with the Regulation, triggering the enforcement mechanisms described below.

2. Enforcement Powers: Fines and Periodic Penalties (Article 26(2))

If a provider ignores an investigative order or otherwise fails to comply with the Regulation, the competent authority moves to enforcement under Article 26(2). The proposal distinguishes between punitive fines for past non-compliance and coercive payments to force future compliance.

Fines for Failure to Comply

Under Article 26(2)(b), the competent authority has the power to impose fines, or to request a judicial authority in their Member State to do so, for failure to comply with the Regulation. Crucially, the text explicitly states this includes failure to comply with "any of the investigative orders issued pursuant to paragraph 1."

This means a provider can be fined simply for refusing to provide documents, denying access to premises, or failing to answer questions, regardless of whether the underlying service was found to be non-compliant with sovereignty criteria. The fine serves as a punitive sanction for the obstruction of the investigation.

Periodic Penalty Payments

Under Article 26(2)(c), the competent authority can impose a periodic penalty payment, or request a judicial authority to do so, in accordance with Article 24. This measure serves a distinct, coercive purpose. It is designed to:

1. Ensure that an infringement is terminated in compliance with an order issued pursuant to Article 26(2)(a) (which orders the cessation of infringements); or
2. Ensure compliance with any of the investigative orders issued pursuant to Article 26(1).

A periodic penalty payment is a recurring financial charge levied until the provider complies with the order. Unlike a one-time fine, this penalty accrues over time (e.g., daily or weekly) as long as the provider continues to ignore the order. It is a tool designed to break a stalemate where a provider refuses to provide information or allow inspections, making the cost of non-compliance unsustainable.

3. The Escalation Path and Judicial Safeguards

The regulation outlines a structured escalation path that balances enforcement power with procedural rights.

Step 1: Investigation and Order The authority issues an order under Article 26(1) (e.g., requesting data or an inspection).

Step 2: Non-Compliance If the provider ignores the order, the authority can issue a decision under Article 26(2) imposing a fine (26(2)(b)) and/or a periodic penalty payment (26(2)(c)).

Step 3: Proportionality Assessment Before imposing these measures, the authority must ensure they are effective, dissuasive, and proportionate. Article 26(3) mandates that measures must have regard to:

• The nature, gravity, recurrence, and duration of the infringement or suspected infringement.
• The economic, technical, and operational capacity of the service provider concerned.

Step 4: Judicial Oversight and Safeguards Article 26(4) requires Member States to set out specific rules and procedures for exercising these powers. Any exercise of these powers is subject to adequate safeguards under applicable national law, including:

• The right to respect for private life.
• The rights of defence, including the right to be heard and the right of access to the file.
• The right of all affected parties to an effective judicial remedy.

If a provider believes an order is disproportionate or unlawful, they must engage with these judicial safeguards rather than simply ignoring the order, as non-compliance itself triggers the penalties.

4. Civil Liability for Damages

Beyond administrative penalties, Article 24(3) establishes that recipients of the cloud computing services have the right to seek compensation from cloud computing service providers for any damage or loss suffered due to an infringement of their obligations under Chapter IV.

While this applies broadly to infringements of the sovereignty framework, a provider's refusal to cooperate with investigations may exacerbate the infringement or delay remediation. If a provider's non-compliance with an investigative order leads to further data breaches, service disruptions, or regulatory delays that harm a customer, the customer may have grounds to seek civil compensation for those specific damages.

What this means for you

For cloud service providers and data centre operators subject to CADA, ignoring an investigative order is a high-risk strategy that carries immediate and escalating financial consequences.

• Immediate Cooperation is Critical: When a national competent authority issues an order under Article 26(1) requiring information or access to premises, you must comply "as soon as possible." Failure to do so triggers the enforcement mechanisms in Article 26(2) immediately.
• Two Distinct Financial Risks: You face a dual financial threat for ignoring orders:
  • A one-time fine for the act of failure to comply (Article 26(2)(b)).
  • A periodic penalty payment that continues to accrue until you comply with the order (Article 26(2)(c)). This can lead to rapidly escalating costs if the non-compliance persists, potentially exceeding the value of the underlying contract.
• Scope Extends to Auditors: Do not assume only the provider is at risk. Article 26(1)(a) explicitly extends the power to require information to "any other persons... including auditing organisations." Auditors can also be subject to investigative orders and subsequent penalties if they fail to cooperate.
• Legal Safeguards are Your Defense: While compliance is mandatory, you have rights. Ensure that the authority follows the procedural safeguards required by Article 26(4), including respecting your right to be heard and your right to an effective judicial remedy. If you believe an order is disproportionate, you may need to engage with judicial authorities to challenge it, rather than ignoring it.
• Audit Readiness: Since investigative powers extend to auditing organisations and require access to data and premises, maintaining organized, accessible audit trails and documentation is essential to demonstrate compliance quickly and avoid the appearance of obstruction.

Common misconceptions

"I can refuse to provide information if it contains trade secrets." While confidentiality is protected, the regulation requires providers to provide necessary information. Auditing organisations and authorities are bound by confidentiality obligations. However, a blanket refusal to provide information on the grounds of trade secrets without engaging with the legal safeguards or providing redacted versions where possible may be construed as non-compliance with an investigative order, triggering fines.

"Only the provider can be fined, not the auditors." Article 26(1)(a) explicitly states that the power to require information extends to "any other persons acting for purposes related to their trade, business, craft or profession... including auditing organisations." Auditors can also be subject to investigative orders and penalties if they fail to cooperate.

"Periodic penalties are only for continuing the original infringement." Article 26(2)(c) explicitly states that periodic penalty payments can be imposed for "failure to comply with any of the investigative orders issued pursuant to paragraph 1." This means the penalty is for the obstruction of the investigation itself, not just the underlying sovereignty breach. You can be penalized for refusing to show your books, even if your books are ultimately found to be in order.

"The authority can impose these penalties immediately without a hearing." No. Article 26(4) mandates that the exercise of these powers is subject to the rights of defence, including the right to be heard and the right of access to the file. Any penalty must be imposed in accordance with national law that respects these fundamental rights.

Related

• What is the difference between an investigative order and an enforcement order under CADA?
• What happens if a provider stops meeting Annex II requirements under CADA?
• Can CADA authorities order a provider to stop an infringement?
• Who pays compensation if a cloud provider breaches CADA?
• Who is liable for a CADA infringement within a provider group?

This is general information about a draft EU regulation, not legal advice.