Summary Under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final — a proposal, not yet in force), national competent authorities would have three investigative powers under Article 26(1): to require information, to inspect premises (examining, seizing or copying information in any form, irrespective of the storage medium), and to obtain explanations from staff. As proposed, these powers reach not only cloud computing service providers but any person acting for purposes of their trade or business who may hold relevant information — expressly including auditing organisations. They are exercisable by the competent authority of the Member State where the provider has its main establishment, and only "where needed to carry out their tasks under Article 17" (recognition of Union assurance levels).

Detail

CADA's Chapter I of Title IV ("Autonomy") establishes a Union cloud computing sovereignty framework that grades services into four Union assurance levels by their independence from third-country control and related criteria. To keep that framework honest, the proposal gives national competent authorities investigative tools that let them look behind a provider's claims rather than rely on self-reporting.

The investigative powers sit in Article 26(1). They are exercised by the competent authority of establishment — the authority in the Member State where the provider has its main establishment, defined in Article 25(4) as the head office or registered office from which principal financial functions and operational control are exercised — and only "where needed to carry out their tasks under Article 17," the recognition procedure for assurance levels. Crucially, the powers extend beyond the provider itself to "any other persons acting for purposes related to their trade, business, craft or profession" who may reasonably be expected to be aware of relevant information, including auditing organisations, which certify services at levels 2, 3 and 4.

Power to require information (Article 26(1)(a))

Authorities may require any cloud computing service provider, and any other such person who may reasonably be expected to be aware of information relating to a suspected infringement — including auditing organisations — to provide that information "as soon as possible." In practice this lets an authority demand documentation, logs, contracts and other evidence needed to test a claimed Union assurance level. For a service claiming, say, level 3, the authority could require evidence about whether any third-country measure could compel the provider to disrupt service continuity or to act against the lawful-access and control conditions that Article 18 applies to associated third countries.

Power to inspect premises (Article 26(1)(b))

Authorities may carry out — or request a judicial authority in their Member State to order, or request other public authorities to perform — inspections of any premises that the provider or relevant persons use for trade or business purposes, "in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium." This reaches data centres, offices and the premises of subcontractors and auditors alike, and covers evidence in any form, digital or physical. It lets authorities physically verify infrastructure and operations rather than rely on self-reported data.

Power to obtain explanations (Article 26(1)(c))

Authorities may ask any staff member or representative of the provider or relevant person to give explanations on information relating to a suspected infringement and, with that person's consent, record the answers by any technical means. This supports direct interviews about operational procedures, data handling and subcontractor arrangements, with a formal record where consent is given.

How investigation connects to enforcement and cooperation

Article 26(1) provides the investigative toolkit; Article 26(2) supplies the enforcement powers that follow — ordering cessation and remedies, imposing fines, and imposing periodic penalty payments. Both sets of measures must be effective, dissuasive and proportionate (Article 26(3)), and Member States must build in defence-rights safeguards and an effective judicial remedy (Article 26(4)).

Because cloud services are cross-border, two cooperation mechanisms support investigation:

  • Mutual assistance (Article 27): Competent authorities and the Commission must cooperate closely and exchange information. An authority may request information held in another Member State to exercise its Article 26 powers; the receiving authority must comply and report back to the authority of establishment as soon as possible and no later than two months after receipt, unless duly justified.
  • Cross-border cooperation (Article 28): A competent authority of destination — where the service is used — that suspects a provider no longer meets the Annex II requirements may ask the authority of establishment to assess the matter and take the necessary investigatory and enforcement measures; the Commission may make the same request. Any Member State can thus trigger scrutiny, but the authority of establishment carries out the investigation.

The limits built into the investigative powers

Three limits run through Article 26(1). First, the powers exist only "where needed to carry out their tasks under Article 17" — they serve the recognition function, not open-ended supervision. Second, every measure must be proportionate under Article 26(3), weighed against the nature, gravity, recurrence and duration of the suspected infringement and, where relevant, the provider's economic, technical and operational capacity. Third, Article 26(4) requires Member States to subject the powers to adequate safeguards under national law in compliance with the general principles of Union law, and measures may be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to access the file, and subject to an effective judicial remedy. Investigative reach is therefore broad in scope but disciplined in exercise.

It is also worth noting what the text does not grant. The recording of explanations under Article 26(1)(c) requires the individual's consent; there is no power to compel a recorded statement. And inspections under point (b) are framed around examining, seizing and copying information relating to a suspected infringement — the trigger is suspicion tied to the Article 17 tasks, not routine or random checking.

Auditing organisations as direct subjects

The express inclusion of auditing organisations in Article 26(1)(a) matters because, for levels 2 to 4, recognition under Article 17 depends on an independent audit report and a "positive" audit opinion under Article 20. The framework's integrity therefore rests partly on auditors. If an authority suspects an infringement — a provider falsely claiming compliance, or an auditor failing to detect non-compliance — it may require information from the auditor, inspect the auditor's premises and obtain explanations from the auditor's staff. This builds accountability into both layers: the provider and the body certifying it.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, subcontractors and auditing organisations, Article 26(1) carries concrete operational obligations.

  1. Prepare for broad, fast information requests. You may have to provide information "as soon as possible." Keep the evidence behind your assurance-level claims — data-localisation proofs, subcontractor due-diligence records, relevant certificates and audit materials — organised and quickly retrievable; delay reflects poorly in an investigation.
  2. Secure premises and data for inspection. Authorities can inspect premises and seize or copy information regardless of medium. Maintain access controls and clear records, and have counsel available during an inspection to advise on scope and to protect legitimate business secrets.
  3. Brief staff on the explanation power. Key personnel may be asked for explanations and, with consent, recorded. Train them on accuracy and consistency, and take legal advice before consenting to recorded interviews in sensitive matters.
  4. Coordinate with auditors — they are in scope too. Providers should keep documented, transparent communication with their auditing organisation; auditors should ensure their methodology, evidence-gathering and reporting are defensible, because suspicion about a client can lead to investigation of the auditor.
  5. Watch the cross-border channels. A concern raised in one Member State under Article 27 or 28 can prompt your home authority to act. Maintain a single regulatory point of contact for consistent responses.

Common misconceptions

Misconception 1: Investigative powers reach only cloud providers. Reality: Article 26(1) extends to "any other persons acting for purposes related to their trade, business, craft or profession" who may hold relevant information — expressly including auditing organisations, and capable of reaching subcontractors holding relevant information.

Misconception 2: Every inspection needs a prior court order. Reality: Article 26(1)(b) lets authorities carry out inspections or request a judicial authority to order them. Whether a direct inspection or a judicial order applies depends on the safeguards each Member State sets under Article 26(4); verify the procedure in the relevant Member State.

Misconception 3: Only the home Member State can investigate. Reality: The authority of establishment has exclusive enforcement competence (Article 25(4)), but a destination authority can trigger an investigation by asking it to act (Article 28). Compliance problems in one market can surface as an investigation in your home Member State.

Misconception 4: Investigative powers are limited to digital data. Reality: Article 26(1)(b) allows examining, seizing or copying information "in any form, irrespective of the storage medium" — physical documents and tangible evidence included, not just digital files.

Related

This is general information about a draft EU regulation, not legal advice.