Summary Under the proposed Cloud and AI Development Act (CADA), mutual assistance is a mandatory cooperation mechanism designed to ensure the consistent and efficient application of the Union cloud computing sovereignty framework. As established in Article 27, national competent authorities and the European Commission are legally obliged to cooperate closely and exchange information. This framework prevents cloud providers from evading scrutiny by operating across borders, ensuring that a sovereignty assessment or audit finding in one Member State can trigger supervisory actions or information requests in another. For compliance teams, this means that documentation must be audit-ready for cross-border scrutiny, as authorities have a statutory duty to share data within strict timelines.

Detail

The Cloud and AI Development Act (CADA) proposes a harmonised sovereignty framework for cloud computing services across the European Union. Because cloud infrastructure and services are inherently borderless, a fragmented approach to enforcement would undermine the regulation's core objective: strategic autonomy and public order protection. A single national authority cannot effectively supervise a provider operating in multiple Member States if it lacks visibility into activities or data located elsewhere. To address this, CADA establishes a robust system of mutual assistance and cross-border cooperation, with Article 27 serving as the primary legal engine for information exchange.

The Legal Basis: Article 27

The foundation of this cooperative regime is Article 27 of the CADA proposal. This article imposes a positive duty on both national competent authorities and the Commission to work together.

Article 27(1) explicitly states:

"Competent authorities and the Commission shall cooperate closely and provide each other with mutual assistance to apply this Chapter in a consistent and efficient manner. Mutual assistance shall include the exchange of information."

This provision creates a binding obligation for authorities to actively share data rather than waiting for formal, case-by-case requests. The phrase "apply this Chapter" refers to Title IV, Chapter I (the sovereignty framework), ensuring that the four Union assurance levels (1–4) are interpreted and enforced uniformly. The inclusion of the Commission ensures that the EU executive can monitor compliance and intervene if national practices diverge, preventing regulatory arbitrage.

How Mutual Assistance Works in Practice

Mutual assistance under CADA operates through two distinct but complementary channels: proactive information sharing and reactive investigative support.

1. Proactive Information Exchange

While Article 27(1) sets the general duty to exchange information, the mechanism is designed to support the mutual recognition of cloud services. If a provider is recognised at a specific Union assurance level (e.g., Level 2 or 3) by the competent authority of establishment in one Member State, that recognition is valid across the Union. Article 27 facilitates the background communication necessary to maintain this system. Authorities are expected to share relevant supervisory data voluntarily to ensure that the "central repository" of recognised services (Article 22) remains accurate and that any material changes affecting a provider's status are immediately known to all relevant authorities.

2. Reactive Investigative Support (Article 27(2) and (3))

When a competent authority suspects an infringement or requires specific evidence located in another Member State, it can invoke the reactive mechanism.

  • Requesting Information: Under Article 27(2), a competent authority may request other competent authorities to provide specific information in their possession relating to a specific cloud computing service provider. This is a critical enabler for exercising the investigative powers granted under Article 26, which include the power to require information, conduct inspections, and record explanations from staff. Without Article 27, an authority in Member State A would be powerless to gather evidence held by a provider's subsidiary or data centre in Member State B.
  • Obligation to Comply and Timelines: Under Article 27(3), the authority receiving the request is legally bound to comply. The regulation sets a strict deadline: the receiving authority must inform the requesting authority of the action taken "as soon as possible and no later than two months after receipt of the request, unless duly justified." This two-month cap prevents bureaucratic delays from stalling enforcement actions and ensures that cross-border investigations proceed with urgency.

Distinction from Cross-Border Cooperation (Article 28)

It is vital to distinguish mutual assistance (Article 27) from cross-border cooperation (Article 28), as they serve different procedural functions within the enforcement architecture:

  • Mutual Assistance (Article 27) is primarily an information-gathering tool. It focuses on the exchange of data and investigative support to build a factual picture. It is the mechanism used to answer the question: "What is happening?"
  • Cross-Border Cooperation (Article 28) is an enforcement coordination tool. It is triggered when a "competent authority of destination" (where the service is used) suspects that a provider no longer meets the sovereignty criteria. In this scenario, the destination authority requests the "competent authority of establishment" (where the provider is based) to assess the matter and take necessary investigatory or enforcement measures.

In practice, these mechanisms often work in sequence. Authorities may first use mutual assistance (Article 27) to exchange information and verify facts. If those facts indicate a breach of the sovereignty framework, they may then escalate to cross-border cooperation (Article 28) to trigger formal enforcement actions by the authority of establishment.

The Role of the Commission

The European Commission is an active participant in the mutual assistance network under Article 27(1). Its role is twofold:

  1. Facilitator: The Commission ensures that the exchange of information flows smoothly between Member States, acting as a central node in the network.
  2. Oversight: By participating in the exchange, the Commission can monitor the consistent application of the regulation. If national authorities fail to cooperate or if interpretations of the sovereignty criteria diverge significantly, the Commission can intervene to ensure the "consistent and efficient" application of the law, as mandated by the article.

What this means for you

For in-house counsel, compliance officers, and cloud computing service providers, the mutual assistance framework has profound operational implications.

1. No "Safe Havens" Within the EU

You cannot structure your operations to exploit gaps between national supervisory practices. If your provider is established in Member State A but provides services to public sector bodies in Member State B, the authorities in both states are legally obliged to share information. A failure to meet the criteria for Union Assurance Level 2 in one jurisdiction will likely be flagged in others. The "two-month" deadline for information exchange means that regulatory scrutiny can move rapidly across borders, leaving little time to correct issues once a request is made.

2. Robust, Cross-Border Documentation is Essential

Because authorities can request specific information from each other under Article 27(2), your internal records must be audit-ready at all times, regardless of where your data or personnel are located. Ensure that your conformity self-assessments (for Level 1) or third-party audit reports (for Levels 2–4) are comprehensive, up-to-date, and easily accessible. The documentation must be capable of being shared with any competent authority in the Union, as the "competent authority of establishment" may need to forward it to others upon request.

3. Transparency Obligations Trigger Cooperation

Under Article 23, providers must notify the auditing organisation and the national competent authority of establishment of any material changes affecting their assurance level. This notification is the trigger for the mutual assistance mechanism. If a change affects the provider's status in other Member States, the establishment authority must notify other relevant authorities. Compliance teams must therefore have rapid internal processes to identify and report material changes, as a delay in reporting could be interpreted as a failure to cooperate with the mutual assistance framework.

4. Engagement with Multiple Authorities

While the "competent authority of establishment" (where your main establishment is located) is the primary supervisor under Article 25(4), you may still need to engage with authorities in other Member States if they request information or raise concerns. Maintain open lines of communication with all relevant national competent authorities, not just your home regulator. Be prepared to provide evidence to authorities in destination states if they invoke Article 27 to gather information for their own investigations.

Common misconceptions

Misconception 1: Mutual assistance only applies to high-assurance levels (3 and 4). Reality: Article 27 applies to the entire Title IV, Chapter I, which covers all Union assurance levels (1–4). Even providers recognised at Level 1 (based on self-assessment) are subject to the mutual assistance framework if authorities suspect non-compliance or need to verify the validity of a self-declaration.

Misconception 2: Authorities can only request information if there is a formal investigation. Reality: Article 27(2) allows authorities to request information to "exercise its investigative powers." While this often happens during an investigation, the broad language of "mutual assistance" and "exchange of information" in Article 27(1) suggests a more proactive duty to share relevant supervisory data, even before a formal investigation is launched, to ensure consistent application of the rules.

Misconception 3: The Commission has direct enforcement powers over providers. Reality: The Commission facilitates cooperation and can resolve disputes between authorities (e.g., under Article 17(10) regarding recognition), but primary enforcement powers (investigations, fines, orders) lie with the national competent authority of establishment (Article 26). The Commission's role in mutual assistance is supportive and coordinative, not directly punitive.

Misconception 4: Mutual assistance is optional for authorities. Reality: Article 27(1) uses the mandatory language "shall cooperate closely." Article 27(3) mandates that the receiving authority "shall comply" with the request. Non-cooperation by a national authority could be challenged as a failure to implement EU law correctly, potentially leading to infringement proceedings by the Commission.

Related

This is general information about a draft EU regulation, not legal advice.