Summary
Under the proposed Cloud and AI Development Act (CADA), cross-border cooperation is the mechanism that allows a national competent authority in the Member State where a cloud service is used (the authority of destination) to request the authority where the provider is established (the authority of establishment) to investigate and enforce compliance. As proposed in Article 28, if the authority of destination suspects a provider no longer meets the Union assurance criteria in Annex II, it can trigger a formal investigation. The authority of establishment must respond with its assessment and intended measures "as soon as possible and in any event not later than two months" after receiving the request.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. A critical challenge in such a framework is ensuring that a cloud service provider, recognised in one Member State, continues to meet the stringent requirements of Annex II when its services are consumed in another. To address this, the proposal introduces a specific cross-border cooperation mechanism in Article 28, which balances the exclusive enforcement powers of the authority of establishment with the oversight capabilities of the authority of destination.
The Distinction: Authority of Establishment vs. Authority of Destination
To understand the mechanics of Article 28, one must first distinguish the roles of the two national competent authorities involved, as defined in Article 25 and operationalised in Article 28.
- The Authority of Establishment: Under Article 25(4), the Member State where the cloud computing service provider has its "main establishment" (defined as the head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter of the Regulation. This authority is the only body empowered to impose fines, order the cessation of infringements, or revoke the recognition of a cloud service under Article 17.
- The Authority of Destination: This is the national competent authority in the Member State where the cloud service is actually being procured and used by a public sector body or Union entity. While this authority lacks direct enforcement power over the provider, it is often the first to detect operational failures, service disruptions, or deviations from the required Union assurance levels (1–4) in the context of specific public-order activities.
The Trigger: Suspected Non-Compliance with Annex II
The cross-border cooperation mechanism is activated when the authority of destination has reason to suspect that a cloud computing service provider no longer fulfils the requirements set out in Annex II of the Regulation.
Annex II contains the cumulative criteria for Union assurance levels, covering:
- Establishment in the Union.
- Location of infrastructure, assets, and personnel.
- Data localisation (exclusively within the Union).
- Personnel citizenship and security clearances.
- Cybersecurity certification levels (e.g., "substantial" or "high").
- Absence of third-country control.
- Software supply chain transparency.
If the authority of destination observes evidence suggesting a breach of any of these criteria (for example, data being routed outside the Union, a failure to maintain the required cybersecurity certificate, or a change in third-country control), it may formally request the authority of establishment to assess the matter.
As stated in Article 28(1), the authority of destination "may request the competent authority of establishment to assess the matter and to take the necessary investigatory and enforcement measures to ensure compliance."
The Two-Month Response Duty
The proposal imposes a strict timeline to prevent regulatory delays that could compromise public order or the integrity of the single market. Article 28(4) mandates that the authority of establishment must act swiftly upon receiving a request.
The authority of establishment is required to communicate its assessment of the suspected infringement to both the requesting authority of destination and the Commission. This communication must include:
- The assessment of the suspected infringement.
- An explanation of any investigatory or enforcement measures taken or envisaged in relation to the matter.
The deadline for this response is explicit: it must be provided "as soon as possible and in any event not later than two months after receipt of the request."
This two-month window creates a binding accountability framework. It ensures that the authority of establishment cannot ignore concerns raised by other Member States and that public sector bodies relying on the service are not left in a state of uncertainty regarding the provider's compliance status.
Suspension of the Clock: The Role of Information Gaps
The proposal acknowledges that a request from an authority of destination may sometimes lack sufficient detail to trigger an immediate investigation. Article 28(3) addresses this by stating that requests must be "duly reasoned."
If the authority of establishment considers the information provided in the request to be insufficient, it may request additional information from the authority of destination. Crucially, Article 28(3) stipulates that in such cases, "the period set out in paragraph 4 shall be suspended until that additional information is provided."
This suspension mechanism ensures that the two-month deadline is not used to force a rushed or uninformed decision. However, it also places the onus on the authority of destination to provide a "duly reasoned" request with adequate evidence initially, as the clock only resumes once the missing information is supplied.
The Commission's Supervisory Role
The European Commission acts as a central overseer in this process to ensure consistency across the Union.
- Direct Intervention: Under Article 28(2), the Commission itself may request the competent authority of establishment to assess a matter and take necessary measures, bypassing the authority of destination if systemic risks are identified.
- Notification: Under Article 28(4), the authority of establishment must communicate its assessment and planned measures to the Commission alongside the requesting authority. This allows the Commission to monitor cross-border enforcement actions and intervene if divergent approaches threaten the uniform application of the Regulation.
The Limit of Destination Authority
It is vital to note that the authority of destination cannot directly sanction the provider. Under Article 25(4), enforcement powers are exclusive to the authority of establishment. The authority of destination's role is strictly to trigger the investigation and monitor the response. It cannot impose fines, order service cessation, or revoke recognition itself. This design prevents a fragmented enforcement landscape where a provider could face conflicting penalties from multiple Member States for the same alleged infringement.
What this means for you
For cloud computing service providers, public sector bodies, and legal counsel, the Article 28 mechanism introduces a dynamic layer of cross-border risk management.
1. For Cloud Service Providers: Prepare for Multi-Jurisdictional Triggers
Your compliance posture is no longer determined solely by your authority of establishment. Any Member State where you serve a public sector body (the authority of destination) can trigger a formal investigation if they suspect you have fallen out of compliance with Annex II.
- Action: Ensure your technical and organisational measures are robust and consistent across all Member States where you operate. A failure in a subsidiary or a specific data centre in one country can trigger a cross-border request that your headquarters' authority must address within two months.
- Documentation: Maintain real-time access to audit evidence, SBOMs, data flow diagrams, and personnel records. If an authority of destination raises a concern, your authority of establishment will need this data immediately to meet the two-month deadline.
2. For Public Sector Bodies (Contracting Authorities)
If you suspect your cloud provider is no longer meeting the required Union assurance level (e.g., due to a service disruption or a change in third-country control), you have a formal channel to act.
- Action: Do not attempt to sanction the provider directly. Instead, report your concerns to your national competent authority (the authority of destination). They can then invoke Article 28 to compel your provider's authority of establishment to investigate.
- Risk: If the authority of establishment confirms non-compliance, you may be required to migrate to a compliant service under Article 30, potentially within a 12-month transition period.
3. For Legal and Compliance Teams
The "two-month" rule is a hard deadline with a specific suspension condition.
- Strategy: If you are the authority of establishment, ensure your internal workflows can ingest external requests and produce a formal assessment within 60 days. If the request is vague, issue a formal request for additional information immediately to suspend the clock.
- Strategy: If you are the authority of destination, ensure your initial request is "duly reasoned" with concrete evidence to avoid delays caused by suspension.
Common misconceptions
Misconception 1: The authority of destination can fine the provider directly. Correction: No. Article 25(4) grants exclusive enforcement competence to the authority of establishment. The authority of destination can only request action; it cannot impose fines or revoke recognition.
Misconception 2: The two-month deadline is a soft guideline. Correction: The deadline is strict: "in any event not later than two months." It is only suspended if the authority of establishment formally requests additional information due to an insufficient initial request. Once the information is provided, the clock resumes immediately.
Misconception 3: Cross-border cooperation only applies to data breaches. Correction: Article 28 applies to any failure to meet the Annex II criteria. This includes infrastructure location, personnel citizenship, cybersecurity certification levels, software supply chain transparency, and the absence of third-country control. A breach in any of these areas can trigger the process.
Misconception 4: The Commission can override the authority of establishment. Correction: The Commission can request an assessment (Article 28(2)) and receive notifications, but the actual investigatory and enforcement measures remain the responsibility of the authority of establishment. The Commission's role is supervisory and coordinative, not a direct substitute for national enforcement.
This is general information about a draft EU regulation, not legal advice.