Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider's "main establishment" is strictly defined as the location of its head office or registered office from which its principal financial functions and operational control are exercised. As set out in Article 25(4), this single location determines which Member State's national competent authority holds exclusive competence to enforce the Union cloud computing sovereignty framework. For providers, this means one national authority, not multiple, will oversee your recognition applications, audits, and penalties across the entire EU, creating a "one-stop-shop" enforcement model specific to cloud sovereignty.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework to safeguard the Union's public order through a tiered system of Union assurance levels. A critical pillar of this framework is the enforcement architecture, which relies on the precise identification of a provider's "main establishment" to assign jurisdiction. Unlike fragmented regulatory approaches where multiple national authorities might claim oversight, CADA as proposed centralises enforcement power in a single Member State to ensure legal certainty and prevent regulatory arbitrage.
The Legal Definition: Article 25(4)
The definition of "main establishment" is not left to interpretation or general corporate law principles alone; it is explicitly codified in Article 25(4) of the proposal. The text states:
"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."
This definition establishes a compound test that providers must satisfy to determine their competent authority:
- Formal Presence: The provider must have either a head office or a registered office within the Union. This ensures a tangible legal anchor in the EU.
- Functional Reality: Crucially, this location must be the place from which the provider exercises its principal financial functions and operational control.
The inclusion of "principal financial functions and operational control" is a deliberate safeguard against "letterbox" entities. A provider cannot simply register a shell company in a Member State with a lenient regulatory environment while maintaining its actual decision-making, treasury, and operational command in a third country or a different Member State. The main establishment must be the genuine centre of gravity for the provider's EU activities.
Exclusive Competence: The "One-Stop-Shop" for Sovereignty
Once the main establishment is identified, Article 25(4) triggers the rule of exclusive competence. This means the Member State where the main establishment is located is the sole authority responsible for enforcing Title IV, Chapter I (the sovereignty framework) of the proposal.
This exclusive competence covers the entire lifecycle of compliance under the sovereignty framework:
- Recognition: The authority processes applications for recognition of Union assurance levels (Article 17).
- Audit Supervision: It oversees the independent third-party audits required for levels 2, 3, and 4 (Article 20).
- Penalties: It imposes penalties and manages compensation claims for infringements (Article 24).
- Enforcement: It exercises investigative and enforcement powers, including ordering the cessation of infringements and imposing fines (Article 26).
This structure mirrors the "one-stop-shop" mechanism found in the GDPR but is tailored specifically to the unique risks of cloud sovereignty. It ensures that a provider operating across 27 Member States faces a single regulatory interlocutor for sovereignty matters, reducing administrative burden and preventing conflicting decisions from different national authorities.
Interaction with Other Member States and Cross-Border Cooperation
While the main establishment's authority holds exclusive competence, the proposal acknowledges the cross-border nature of cloud services. The framework includes mechanisms for cooperation to ensure effective supervision without diluting the exclusive competence rule.
- Designation of Authorities: Under Article 25(1), Member States must designate one or more national competent authorities no later than one year after the date of entry into force. Article 25(3) mandates that these authorities act impartially and possess sufficient technical, financial, and human resources.
- Mutual Assistance (Article 27): If the competent authority of the main establishment requires information or evidence located in another Member State, it may request mutual assistance. The requested authority must comply and inform the requesting authority of the action taken within two months.
- Cross-Border Cooperation (Article 28): If a competent authority in a "destination" Member State (where the provider offers services but is not established) suspects a provider no longer meets the criteria of Annex II, it may request the authority of the main establishment to assess the matter and take necessary measures. The main establishment authority must respond within two months.
Crucially, even in these cross-border scenarios, the power to take final enforcement action (such as revoking recognition or imposing fines) remains with the authority of the main establishment. The destination authority acts as a watchdog that triggers the process but does not assume the enforcement role.
Strategic Implications for Multi-Jurisdictional Providers
For large cloud providers with complex EU corporate structures, the definition of main establishment requires a rigorous internal audit. Providers must identify the specific location where the "principal financial functions and operational control" are genuinely exercised.
- Substance Over Form: A registered office in a Member State with favourable tax laws or a perceived lighter regulatory touch will not suffice if the actual strategic decisions, budget approvals, and operational commands are issued from a different location. The competent authority will assess the substance of the activities.
- Risk of Disputes: If a provider's structure is ambiguous (e.g., financial functions are in Ireland while operational control is in Germany), there is a risk of jurisdictional disputes between Member States. The proposal does not explicitly detail a hierarchy for resolving such conflicts, but the Commission retains the power to intervene under Article 25(10) if national authorities cannot agree on a recognition decision. Although this mechanism is primarily for recognition disputes, it suggests a pathway for resolving competence conflicts.
- Operational Control: "Operational control" likely encompasses the management of the cloud infrastructure, security operations, and service delivery. Providers must ensure that the location claiming to be the main establishment is indeed the hub for these critical functions.
What this means for you
For in-house counsel, compliance officers, and legal teams, the "main establishment" rule under CADA is a strategic pivot point for your EU compliance strategy.
- Conduct a "Control" Audit: Immediately map your corporate governance. Identify where your principal financial functions (budgeting, treasury, financial reporting) and operational control (IT strategy, security operations, service delivery management) are actually exercised. Ensure this aligns with your declared head or registered office.
- Designate Your Single Regulator: Once the main establishment is confirmed, identify the specific national competent authority in that Member State. This will be your primary point of contact for all sovereignty-related matters, including recognition applications and audit coordination.
- Prepare for Exclusive Enforcement: Understand that this single authority has the power to impose penalties and enforce compliance across the entire EU. Your compliance protocols must be robust enough to satisfy this specific authority, as their decisions will have Union-wide effect.
- Manage Cross-Border Expectations: While you deal primarily with one authority, be prepared for mutual assistance requests. Ensure your internal data governance and audit trails are structured to facilitate the rapid sharing of information with the main establishment authority, which may need to coordinate with other national bodies.
- Monitor the Transition: Member States have one year from the entry into force to designate their competent authorities (Article 25(1)). Use this window to engage with the designated authority in your main establishment Member State to clarify any ambiguities regarding the application of the "principal control" test before formal recognition procedures begin.
Common misconceptions
"Any EU office can serve as the main establishment."
- Reality: No. Article 25(4) requires the location to be the place where principal financial functions and operational control are exercised. A local sales office, a data centre, or a shell entity without decision-making power does not qualify.
"Multiple Member States can enforce CADA against a provider simultaneously."
- Reality: Incorrect. Article 25(4) grants exclusive competence to the Member State of the main establishment. While other authorities can cooperate and request assistance, they cannot independently enforce the sovereignty framework or impose penalties on the provider.
"The main establishment is determined by where the largest data centre is located."
- Reality: The definition focuses on administrative and strategic control, not physical infrastructure. A small office in a capital city housing the head office and strategic command is the main establishment, even if the bulk of the data processing occurs in large facilities elsewhere.
"CADA's definition is identical to the GDPR's 'main establishment'."
- Reality: While similar in concept, CADA's definition is specific to cloud computing service providers and explicitly ties the concept to "principal financial functions and operational control" for the purpose of enforcing the sovereignty framework. GDPR's definition (Article 4(15)) focuses on where the main decisions on the purposes and means of processing are taken. Always refer to the specific CADA text for compliance obligations.
This is general information about a draft EU regulation, not legal advice.