Summary As proposed in the Cloud and AI Development Act (CADA), the European Commission will maintain a public register of national competent authorities designated by Member States. Under Article 25(2), each entry in this register must contain the names of the designated authorities, along with a detailed description of their tasks and powers under the sovereignty framework. Cloud computing service providers rely on this publicly accessible list to identify the specific "national competent authority of establishment" responsible for their recognition applications and regulatory oversight, ensuring they engage with the correct body that holds exclusive competence for enforcement.

Detail

The Cloud and AI Development Act (CADA) establishes a harmonised sovereignty framework for cloud computing services across the European Union. A cornerstone of this framework is the designation of national competent authorities responsible for enforcing the rules on Union assurance levels (Title IV, Chapter I). To ensure transparency, legal certainty, and the smooth functioning of the single market, the proposal mandates the creation of a centralised, public register of these authorities.

The Legal Basis: Article 25

The primary provision governing this register is Article 25 of the CADA proposal. This article outlines the obligations of Member States to designate authorities and the Commission's role in maintaining a public record of them.

Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing Chapter IV of the Regulation (the autonomy and sovereignty framework) by a date to be inserted by the Official Journal (specifically, within one year of the Regulation's entry into force). Member States may designate existing authorities for this purpose.

Article 25(2) explicitly defines the content of the register entry:

"Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers. The Commission shall maintain a public register of those authorities."

Therefore, the specific information contained in each register entry consists of three distinct elements:

  1. The Names of the designated competent authority or authorities.
  2. Their Tasks as defined under the CADA framework (e.g., recognition of services, supervision, investigation).
  3. Their Powers to investigate, enforce, and supervise cloud computing service providers (e.g., requesting information, conducting inspections, imposing fines).

Maintenance and Accessibility

The Commission is responsible for maintaining this register. While the text of Article 25(2) states that the register shall be "public," the proposal implies that this register will be accessible to cloud computing service providers, auditing organisations, and the general public to facilitate the smooth operation of the single market. This ensures that any entity seeking to provide cloud services to Union entities or public sector bodies can easily identify the regulatory body with jurisdiction over them.

The register acts as the definitive source of truth for regulatory jurisdiction. Unlike the "central repository" of recognised cloud services (established under Article 22), which lists certified providers, the Article 25 register lists the regulators themselves.

Purpose of the Register

The register serves several critical functions within the CADA ecosystem:

  • Identification of Regulator: Cloud computing service providers must submit applications for recognition of their Union assurance levels to the "national competent authority of establishment" (Article 17). The register allows providers to pinpoint exactly which authority holds this competence in their Member State of establishment.
  • Clarity of Competence: Under Article 25(4), the Member State where the cloud computing service provider has its main establishment (head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing Chapter IV. The register helps clarify which authority holds this exclusive power, preventing conflicting oversight from multiple national bodies.
  • Transparency of Powers: By listing the "tasks and powers," the register informs providers of the scope of the authority's investigative and enforcement capabilities, as detailed in Article 26. This includes powers to require information, carry out inspections, and impose fines.

Interaction with Other Provisions

The register is not an isolated tool; it is integral to the enforcement mechanisms outlined in Title IV of CADA:

  • Recognition Process (Article 17): When a provider applies for recognition of a Union assurance level, they apply to the authority listed in the register for their Member State of establishment. This authority becomes the "evaluating national competent authority."
  • Mutual Assistance (Article 27): The register facilitates cooperation between authorities. If one authority needs information from another regarding a specific provider, the public register helps identify the correct counterpart for mutual assistance requests.
  • Cross-Border Cooperation (Article 28): In cases where a competent authority in a Member State of destination suspects non-compliance, they may request the authority of establishment to assess the matter. The register ensures these cross-border enforcement actions are directed to the correct legal entity.

What this means for you

For cloud computing service providers and data centre operators subject to CADA, the public register is your primary reference point for regulatory engagement.

  1. Identify Your Regulator: Before submitting any application for Union assurance level recognition, consult the Commission's public register. Locate your Member State of establishment to find the designated competent authority. Ensure you are contacting the correct body, as submitting to the wrong authority could delay your recognition process.
  2. Understand Your Obligations: Review the "tasks and powers" listed for your national authority. This will give you insight into the scrutiny you may face, including potential inspections and information requests under Article 26.
  3. Monitor for Changes: Member States may update their designations. Keep an eye on the Commission's register for any changes in the named authorities or their defined roles, especially during the initial implementation phase when Member States are designating their bodies within one year of the Regulation's entry into force.
  4. Prepare for Enforcement: Knowing the powers of your competent authority helps you prepare for compliance. Authorities have significant investigative powers, including the ability to inspect premises and seize information. Understanding these powers via the register allows you to align your internal compliance procedures accordingly.

Common misconceptions

  • Misconception: The register lists all cloud providers.
    • Reality: The register under Article 25 lists national competent authorities, not cloud providers. A separate "central repository" of recognised cloud computing services is established under Article 22. Do not confuse the register of regulators with the repository of certified services.
  • Misconception: Any national authority can enforce CADA rules.
    • Reality: Only the authorities specifically designated under Article 25 and listed in the register have the competence to enforce Chapter IV. Furthermore, only the authority in the Member State of the provider's main establishment has exclusive competence.
  • Misconception: The register is static.
    • Reality: The register is maintained by the Commission and updated as Member States notify changes. Authorities may be added, removed, or have their tasks and powers redefined. It is a living document that reflects the current regulatory landscape.

Related

This is general information about a draft EU regulation, not legal advice.