Summary
Under the proposed Cloud and AI Development Act (CADA), a periodic penalty payment is a coercive enforcement tool designed to compel cloud computing service providers to comply with regulatory orders. Specifically, Article 26(2)(c) empowers national competent authorities to impose these payments "to ensure that an infringement is terminated in compliance with an order" or "for failure to comply with any of the investigative orders." Unlike a standard fine, which penalizes a past act, this payment accrues over time until the provider rectifies the breach. The calculation and application of these payments are governed by the broader penalty framework in Article 24, which mandates that penalties be "effective, proportionate and dissuasive," taking into account factors such as the duration of the infringement and the provider's annual turnover.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous enforcement regime to safeguard the Union's cloud and AI ecosystem, with a particular focus on the sovereignty framework. A cornerstone of this regime is the power of national competent authorities to impose periodic penalty payments. This mechanism serves a distinct function from standard administrative fines: it is not merely a retrospective punishment for a violation, but a forward-looking, coercive instrument intended to force immediate and ongoing compliance.
Legal Basis and Scope of the Power
The specific authority to impose periodic penalty payments is explicitly codified in Article 26(2)(c) of the CADA proposal. This provision grants national competent authorities of establishment the power to:
"impose a periodic penalty payment, or to request a judicial authority in their Member State to do so, in accordance with Article 24 to ensure that an infringement is terminated in compliance with an order issued pursuant to point (a), or for failure to comply with any of the investigative orders issued pursuant to paragraph 1."
This power operates within a broader suite of enforcement tools available under Article 26(2). While Article 26(2)(a) allows authorities to order the cessation of infringements and impose remedies, and Article 26(2)(b) empowers them to impose standard fines for failure to comply with the Regulation, Article 26(2)(c) specifically targets the continuation of non-compliance. It is triggered in two primary scenarios:
- Termination of Infringement: When a provider fails to stop an ongoing violation after being ordered to do so under Article 26(2)(a).
- Non-Compliance with Investigations: When a provider refuses or fails to cooperate with investigative orders issued under Article 26(1), such as requests for information, inspections of premises, or the recording of staff explanations.
The Governing Framework: Article 24
While Article 26 grants the power to impose periodic penalties, Article 24 establishes the substantive rules governing their application. Article 24(1) mandates that Member States lay down rules on penalties applicable to infringements by cloud computing service providers, ensuring they are "effective, proportionate and dissuasive."
Crucially, Article 26(2)(c) explicitly links the periodic penalty to Article 24, meaning the criteria for determining the severity and calculation of the payment must align with the factors listed in Article 24(2). These non-exhaustive criteria include:
- The nature, gravity, scale, and duration of the infringement (a critical factor for periodic payments which accrue over time).
- Any action taken by the infringing party to mitigate or remedy the damage.
- Any previous infringements by the infringing party.
- The financial benefits gained or losses avoided by the infringing party due to the infringement.
- The infringing party's annual turnover in the preceding financial year in the Union.
This linkage ensures that periodic penalties are not arbitrary but are calibrated to the specific circumstances of the non-compliance and the economic capacity of the provider.
Investigative Orders and the Trigger for Penalties
The utility of periodic penalty payments is most evident in the context of investigative powers. Article 26(1) outlines the investigative powers of competent authorities, which include:
- The power to require any cloud computing service provider (and other relevant persons) to provide information.
- The power to carry out inspections of premises and seize or obtain copies of information.
- The power to ask staff or representatives to give explanations and record their answers.
Failure to comply with these investigative orders triggers the mechanism under Article 26(2)(c). This ensures that authorities can effectively gather the evidence necessary to assess compliance with the Union assurance levels (Levels 1–4) defined in Annex II. Without this coercive tool, a provider could simply ignore an investigation, rendering the sovereignty framework unenforceable.
Procedural Safeguards and Limitations
The exercise of these powers is not absolute; it is subject to strict procedural safeguards to protect the rights of the service providers. Article 26(3) stipulates that measures taken by competent authorities must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider.
Furthermore, Article 26(4) requires Member States to ensure that the exercise of these powers is subject to adequate safeguards under applicable national law, in compliance with the general principles of Union law. These safeguards explicitly include:
- The right to respect for private life.
- The rights of defence, including the right to be heard and to have access to the file.
- The right of all affected parties to an effective judicial remedy.
Additionally, Article 24(3) establishes a civil liability dimension, granting recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement. This creates a dual layer of financial risk for non-compliant providers: regulatory periodic penalties and civil compensation claims.
What this means for you
For in-house counsel, compliance officers, and general counsel at cloud computing service providers, the introduction of periodic penalty payments under CADA represents a significant escalation in enforcement risk. Unlike a standard administrative fine, which is a one-off penalty for a past event, a periodic penalty payment is a continuous financial drain that accrues daily (or per period) until the provider achieves full compliance. This creates a powerful financial incentive for immediate remediation.
Immediate Action Items for Providers
- Establish Rapid-Response Protocols for Investigative Requests: Your legal and compliance teams must have clear, pre-defined workflows for handling information requests, inspection orders, and staff interviews from national competent authorities. Any delay, refusal, or perceived obstruction can trigger periodic penalties under Article 26(2)(c). Ensure that your team understands the scope of "investigative orders" and the consequences of non-compliance.
- Monitor Union Assurance Level Status Rigorously: If your provider is seeking or maintaining recognition for Union assurance levels 1–4, ensure that all transparency obligations under Article 23 are met. Any material change in circumstances must be reported promptly to the auditing organization and the competent authority. Failure to report can lead to recognition revocation, which may subsequently trigger an infringement order and, if ignored, periodic penalties.
- Review Internal Audit and Governance Documentation: The CADA framework relies heavily on independent audits (Article 20) and conformity self-assessments (Article 19). Ensure that your internal controls are robust enough to support these audits and that you can demonstrate compliance with the criteria in Annex II. Inadequate documentation or failure to provide requested audit evidence can be deemed an infringement, leading to orders for cessation and potential periodic penalties if not rectified immediately.
- Quantify Financial Exposure: Given that penalties are calculated with reference to the provider's annual turnover (Article 24(2)(f)) and the duration of the infringement, the financial exposure can be substantial. Conduct a risk assessment to model the potential cost of non-compliance, including both the accrual of periodic penalties and potential civil compensation claims from customers under Article 24(3).
Strategic Considerations
- Proactive Mitigation: If an infringement is identified, proactive engagement with the competent authority to mitigate or remedy the damage is critical. Article 24(2)(b) lists "any action taken by the infringing party to mitigate or remedy the damage" as a specific criterion for penalty imposition. Swift remediation can significantly reduce the duration of the periodic penalty and the overall financial impact.
- Cross-Border Coordination: Since the competent authority of establishment has exclusive competence (Article 25(4)), ensure that your global compliance structure is aligned with the specific requirements of the Member State where your main establishment is located. However, be aware of mutual assistance (Article 27) and cross-border cooperation (Article 28) mechanisms, which may involve other national authorities in the enforcement process.
Common misconceptions
Misconception 1: Periodic penalties are only for serious data breaches. Reality: Under CADA, periodic penalty payments are explicitly tied to the failure to comply with orders to terminate infringements or to comply with investigative orders. They are not limited to data breaches but apply to any violation of the sovereignty framework obligations, including failures to provide required audit evidence, transparency reports, or to cooperate with inspections.
Misconception 2: The amount of the periodic penalty is a fixed statutory sum. Reality: CADA does not set a fixed monetary amount for periodic penalties. Instead, Article 24 requires Member States to lay down rules that are "effective, proportionate and dissuasive." The specific amount will depend on the circumstances of the case, including the provider's turnover, the gravity of the infringement, and the duration of the non-compliance.
Misconception 3: Only the cloud provider is liable for these payments. Reality: While the primary obligations fall on the cloud computing service provider, the framework casts a wide net. Article 26(1) allows authorities to require information from "any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement," including auditing organizations. While the penalty is typically imposed on the provider, the scope of entities involved in the enforcement process is broad.
Misconception 4: Periodic penalties replace standard fines. Reality: They are complementary, not mutually exclusive. Article 26(2) lists multiple enforcement powers, including standard fines (Article 26(2)(b)) and periodic penalties (Article 26(2)(c)). An authority may impose a standard fine for the initial infringement and then impose periodic penalties to ensure the infringement is terminated. The periodic penalty continues to accrue until the provider complies with the order to cease the infringement.
This is general information about a draft EU regulation, not legal advice.