Summary

Under the proposed Cloud and AI Development Act (CADA), compliance with Annex II criteria is a continuous obligation, not a one-time certification. If a cloud computing service provider ceases to meet the requirements for their recognised Union assurance level (Levels 2, 3, or 4), the competent authority of the destination Member State (where the service is used) may trigger a cross-border enforcement mechanism. Under Article 28(1), this authority can formally request the competent authority of establishment (where the provider is headquartered) to assess the suspected non-compliance and take necessary investigatory and enforcement measures. If the provider fails to rectify the breach, the establishment authority may revoke the service's recognition, effectively barring it from public sector procurement requiring that assurance level.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. While Level 1 relies on self-assessment, Levels 2, 3, and 4 require independent third-party audits against the cumulative criteria detailed in Annex II. These criteria are stringent, covering the location of infrastructure and personnel, data residency within the Union, cybersecurity certifications (at least "substantial" for Levels 2 and 3, "high" for Level 4), and the absence of third-country control.

Because cloud services are inherently cross-border, a provider established in one Member State often serves public sector bodies in others. This creates a jurisdictional challenge: the authority in the provider's home state (the "competent authority of establishment") holds exclusive competence for enforcement under Article 25(4), yet the authority in the state where the service is actually deployed (the "competent authority of destination") is often the first to detect operational failures or sovereignty breaches.

CADA resolves this through Article 28: Cross-border cooperation. This provision ensures that the integrity of the Union assurance framework is maintained across borders by empowering destination authorities to initiate enforcement actions against non-compliant providers, even if those providers are established elsewhere.

The Trigger: Suspicion of Non-Compliance

The enforcement process is triggered when the competent authority of destination has reason to suspect that a cloud computing service provider no longer fulfils the requirements under Annex II. Such suspicion may arise from various sources, including:

  • Reports from the public sector body using the service regarding service disruption or data access issues.
  • Evidence of a cybersecurity incident suggesting a failure in the provider's technical safeguards.
  • Public information indicating a change in the provider's corporate structure, such as an acquisition by a third-country entity, which would violate the "control" criteria in Annex II.
  • Findings from local monitoring activities or audits conducted by the destination authority.

The Request for Assessment (Article 28(1))

Once suspicion arises, Article 28(1) empowers the competent authority of destination to formally request the competent authority of establishment to act. The text of the proposal states:

"Where a competent authority of destination has reason to suspect that a cloud computing service provider no longer fulfils the requirement under Annex II to this Regulation, it may request the competent authority of establishment to assess the matter and to take the necessary investigatory and enforcement measures to ensure compliance."

This request is not a mere suggestion; it is a procedural mandate. The destination authority must provide a "duly reasoned" request, outlining the specific grounds for its suspicion. The request effectively transfers the investigative burden to the establishment authority, which holds the legal power to enforce the Regulation.

The Obligation of the Competent Authority of Establishment

Upon receipt of a duly reasoned request, the competent authority of establishment is legally obligated to act. Article 28(3) and Article 28(4) establish a strict timeline and reporting requirement:

  1. Assessment: The establishment authority must assess the matter and take necessary investigatory and enforcement measures.
  2. Communication: The authority must communicate its assessment and an explanation of any measures taken or envisaged to the requesting authority and the European Commission.
  3. Deadline: This communication must occur "as soon as possible and in any event not later than two months after receipt of the request."

If the establishment authority determines that the information provided in the request is insufficient to proceed, it may request additional information. In such cases, the two-month deadline is suspended until the additional information is provided. This ensures that investigations are thorough but not indefinitely delayed.

Enforcement Measures and Revocation

If the assessment confirms that the provider no longer meets the Annex II criteria, the competent authority of establishment must take enforcement measures. These powers are detailed in Article 26 and include:

  • Ordering the cessation of infringements.
  • Imposing fines or periodic penalty payments.
  • Revoking the recognition of the cloud computing service as offering the specific Union assurance level.

Revocation is the most severe consequence. Under Article 17(11), a competent authority may revoke recognition if a provider "intentionally or negligently, supplied incorrect or misleading information." Furthermore, if a service no longer meets the criteria, it loses its status in the central repository established under Article 22. Once revoked, the service can no longer be procured by contracting authorities for activities requiring that specific assurance level, as mandated by Article 30.

The Commission's Oversight Role

To prevent regulatory arbitrage or inaction by national authorities, Article 28(2) empowers the European Commission to intervene. The Commission may request the competent authority of establishment to assess the matter and take necessary measures. This ensures that the Union's sovereignty framework is applied consistently and that no Member State can shield a non-compliant provider from enforcement.

What this means for you

For cloud service providers aiming to serve the EU public sector, Article 28 underscores that compliance with Annex II is a dynamic, continuous obligation. Your "passport" to the EU public market is valid only as long as you meet the criteria, and any Member State where you operate can effectively act as a watchdog.

Key takeaways for providers:

  1. Continuous Monitoring is Mandatory: You must implement internal systems to detect any drift from Annex II requirements in real time. This includes monitoring changes in corporate control, infrastructure location, personnel citizenship (for Levels 3 and 4), and cybersecurity posture.
  2. Prepare for Cross-Border Scrutiny: Be ready to respond to requests from multiple national competent authorities. If a destination authority suspects non-compliance, your home authority will likely involve you in the investigation. Delays in providing evidence can suspend the two-month deadline, prolonging uncertainty.
  3. Document Everything: Maintain detailed records of your compliance with Annex II criteria. If a request under Article 28(1) is made, you will need to provide immediate evidence to your establishment authority to refute the suspicion or demonstrate remediation.
  4. Engage Proactively: If you anticipate changes that might affect your Annex II compliance (e.g., a planned merger, infrastructure relocation, or change in third-country control), engage with your competent authority of establishment early. Proactive communication can mitigate the risk of a formal enforcement action.
  5. Understand the Consequences: Non-compliance can lead to fines, periodic penalty payments, and ultimately, the revocation of your Union assurance level. This would exclude you from a significant portion of the EU public sector market, particularly for activities identified as contributing to the preservation of public order under Article 29.

Common misconceptions

Misconception 1: Only the home authority can investigate. Reality: While the competent authority of establishment has exclusive competence for enforcement under Article 25(4), the competent authority of destination can trigger the investigation under Article 28(1). This creates a collaborative enforcement model where any Member State can raise concerns about a provider serving their public sector.

Misconception 2: Article 28 applies to Level 1 services. Reality: Article 28 specifically addresses providers recognised under Article 17, which primarily concerns Levels 2, 3, and 4 (which require independent audits and formal recognition). Level 1 is based on self-assessment and does not involve the same level of formal recognition and audit evidence, though general market surveillance rules under the Data Act and other frameworks may still apply.

Misconception 3: The destination authority can directly fine the provider. Reality: No. The destination authority can only request the establishment authority to act. The establishment authority is the sole entity with the legal power to impose fines, order cessation, or revoke recognition under Article 26.

Misconception 4: A request under Article 28 is optional for the establishment authority. Reality: While the destination authority has discretion in making the request, once the request is made, the establishment authority is legally obligated to assess the matter and communicate its findings within two months. Failure to act could lead to Commission intervention under Article 28(2).

This is general information about a draft EU regulation, not legal advice.