Summary

Under the proposed Cloud and AI Development Act (CADA), enforcement competence is exclusively vested in the national competent authority of the Member State where the cloud computing service provider has its main establishment (Article 25(4)). If a "destination" authority (where the public sector customer is located) suspects non-compliance, it cannot act unilaterally. Instead, it must trigger the cross-border cooperation mechanism in Article 28. The destination authority submits a "duly reasoned" request, which the establishment authority is legally obliged to take into account under Article 28(3). The establishment authority may request additional information, suspending the statutory timeline, but it retains the sole power to make the final assessment and enforce measures. If the establishment authority fails to act or the disagreement persists, the European Commission may intervene directly under Article 28(2) to mandate an assessment.

Detail

The proposed CADA establishes a "single market" framework for cloud sovereignty, designed to prevent fragmented enforcement across the EU. To achieve this, Article 25(4) grants exclusive competence for enforcing the sovereignty framework to the national competent authority of the Member State where the cloud computing service provider has its main establishment (i.e., where its head office or registered office is located and from which principal financial functions and operational control are exercised).

However, cloud services are inherently cross-border. A public sector body in one Member State may procure services from a provider established in another. If the destination authority identifies potential risks, such as a service no longer meeting the criteria for its recognised Union assurance level, it cannot impose fines or orders directly on a provider established elsewhere. Instead, it must rely on the structured cooperation mechanism set out in Article 28.

The Trigger: A Duly Reasoned Request

The process begins when a competent authority of a destination Member State suspects that a cloud computing service provider no longer fulfils the requirements of Annex II (the criteria for Union assurance levels). Under Article 28(1), this authority may request the competent authority of the provider's establishment to assess the matter and take necessary investigatory and enforcement measures.

Crucially, this request must be "duly reasoned." It cannot be a vague suspicion; it must provide specific evidence or indicators of non-compliance. This ensures that the establishment authority receives a substantive basis for its investigation.

The Obligation to Consider and the Right to Request More Information

Once a request is received, the establishment authority is bound by Article 28(3), which states that the request "shall be duly taken into account." This creates a mandatory obligation for the establishment authority to engage with the concerns raised by its peer authority. It cannot simply ignore the request or dismiss it without consideration.

However, the establishment authority retains the right to scrutinise the quality of the request. Article 28(3) explicitly provides that if the establishment authority considers the information provided to be insufficient, it may request additional information from the requesting authority.

This provision has a critical procedural consequence: the statutory timeline for the establishment authority's response is suspended. The clock stops ticking from the moment the request for additional information is issued until that information is actually received. This mechanism prevents the establishment authority from being forced to make a rushed assessment based on incomplete data, while also preventing the requesting authority from stalling the process indefinitely by failing to provide necessary details.

The Final Assessment and the Two-Month Deadline

The establishment authority holds the exclusive competence to investigate and enforce (Article 25(4)). After receiving a complete request (or once the suspension for additional information ends), it must conduct its own assessment.

Under Article 28(4), the establishment authority must communicate its assessment to both the requesting authority and the Commission. This communication must include:

  1. The assessment of the suspected infringement.
  2. An explanation of any investigatory or enforcement measures taken or envisaged to ensure compliance.

This communication must occur "as soon as possible and in any event not later than two months after receipt of the request." This two-month deadline is strict. It ensures that cross-border disputes do not drag on, leaving public sector bodies in a state of regulatory uncertainty. The only exception to this timeline is the suspension triggered by a request for additional information under Article 28(3).

If the establishment authority concludes that the provider is compliant, the destination authority must accept this finding, provided the assessment was thorough and reasoned. If the establishment authority finds non-compliance, it must take enforcement measures. These measures, detailed in Article 26, may include ordering the cessation of infringements, imposing remedies, or levying fines.

Commission Intervention: The Ultimate Escalation

What happens if the destination authority believes the establishment authority is failing to act, or if the establishment authority refuses to take action despite clear evidence? The proposed CADA provides a direct escalation path to the European Commission.

Article 28(2) empowers the Commission to intervene. If the Commission deems it necessary, it may request the competent authority of establishment to assess the matter and take the necessary investigatory and enforcement measures. This ensures that a lack of action by one Member State does not create a regulatory loophole for non-compliant providers that could undermine the Union's public order or strategic autonomy.

While Article 17(10) of the broader sovereignty framework (in the context of recognition disputes) allows for Commission binding decisions, Article 28 specifically focuses on the Commission's power to request action in cross-border enforcement scenarios, acting as a safeguard against regulatory inaction.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the Article 28 mechanism introduces specific procedural risks and obligations. You are not just accountable to your home regulator; you are subject to scrutiny from any Member State where you sell to public sector bodies.

1. Prepare for "Duly Reasoned" Challenges

When a destination authority raises a concern, it must be "duly reasoned." Your legal team should immediately review the request to ensure it meets this standard. If the request is vague or lacks specific evidence, your establishment authority may have grounds to ask for clarification, potentially buying you time. However, do not assume this will happen; the establishment authority must act in good faith and cannot use this as a tactic to delay indefinitely.

2. Document Everything for the Two-Month Window

The establishment authority has a strict two-month window to respond under Article 28(4). During this period, you may be asked to provide audit evidence, technical documentation, or clarifications on your Union assurance level (1, 2, 3, or 4). Ensure your compliance records are readily accessible. Delays in providing information to your establishment authority can cause them to miss the deadline, which may reflect poorly on your cooperation and potentially trigger Commission scrutiny.

3. Understand the Finality of the Establishment Authority

If the destination authority disagrees with your establishment authority's assessment, the establishment authority's view prevails unless the Commission intervenes. This means your primary relationship for dispute resolution is with your home regulator. Maintain open lines of communication with them, as they will be the ones drafting the response to the destination authority and deciding on enforcement measures.

4. Penalties and Liability

If the establishment authority determines you are non-compliant, it can impose penalties under Article 24. These penalties must be "effective, proportionate and dissuasive." Factors include the nature, gravity, and duration of the infringement, as well as your annual turnover in the Union. Furthermore, under Article 24(3), recipients of your service (e.g., public sector bodies) have the right to seek compensation for damages caused by your non-compliance. A cross-border disagreement that results in a finding of non-compliance could trigger both regulatory fines and civil liability claims from your customers.

5. Audit Readiness

Cross-border disputes often centre on whether your service truly meets the criteria for your claimed Union assurance level. Ensure your independent audits (for levels 2-4) or self-assessments (for level 1) are robust. Article 28 disputes frequently arise when a destination authority suspects that your infrastructure, data localisation, or third-country control measures do not align with Annex II criteria.

Common misconceptions

Misconception 1: The destination authority can directly fine a non-compliant provider. Incorrect. Under CADA, enforcement powers rest exclusively with the establishment authority (Article 25(4)). A destination authority can only request an assessment. It cannot issue fines or orders directly to a provider established in another Member State.

Misconception 2: The establishment authority must blindly follow the destination authority's request. Incorrect. While Article 28(3) requires the request to be "duly taken into account," the establishment authority retains independent investigative powers. It can request more information if the initial request is insufficient and must form its own conclusion based on evidence. It is not an administrative rubber stamp.

Misconception 3: Disagreements are resolved by a vote among Member States. Incorrect. There is no voting mechanism between Member States in Article 28. The establishment authority makes the final assessment. If there is a stalemate or failure to act, the only escalation path is to the European Commission under Article 28(2).

Misconception 4: The two-month deadline is flexible. Incorrect. Article 28(4) sets a hard deadline of two months from receipt of the request. The only exception is if the establishment authority requests additional information, which suspends the timeline until that information is provided. Providers should not expect indefinite delays.

This is general information about a draft EU regulation, not legal advice.