Summary
Under the proposed Cloud and AI Development Act (CADA), the "competent authority of destination" is the national supervisory body in the Member State where a cloud computing service is actually used or provided, distinct from the "competent authority of establishment" located where the provider is headquartered. As proposed in Article 28(1), this authority acts as a critical "watchdog": if it suspects a provider no longer meets the Union assurance level criteria set out in Annex II, it may request the authority of establishment to investigate and take enforcement measures. This mechanism ensures consistent supervision across the EU while centralizing enforcement power with the provider's home state, preventing regulatory fragmentation.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a unified framework for cloud sovereignty, data-centre deployment, and the recognition of Union assurance levels (Levels 1–4). A cornerstone of this framework is the governance structure designed to ensure compliance with these assurance levels without creating a fragmented regulatory landscape. To achieve this, CADA delineates specific roles for national competent authorities, distinguishing between the authority where a provider is established and the authority where its services are consumed.
Defining the Competent Authority of Destination
While Article 25(4) of CADA explicitly establishes that the Member State where a cloud computing service provider has its main establishment (defined as the head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter, this does not render other Member States powerless.
The competent authority of destination refers to the national competent authority designated under Article 25 in the Member State where the cloud service is being used by a public sector body, a Union entity, or where the service is otherwise provided within the EU. This authority is typically the same body designated to oversee compliance in its own territory but acts in a specific, reactive capacity when issues arise involving providers established in other Member States. Its primary function is to monitor the practical application of the service within its jurisdiction and to detect discrepancies between the recognized assurance level and actual operational reality.
The Role Under Article 28: Cross-Border Cooperation
Article 28 of CADA outlines the principles of cross-border cooperation between competent authorities. Its primary function is to bridge the gap between where a provider is legally headquartered and where its services are actually consumed, ensuring that sovereignty risks are addressed regardless of the provider's location.
Article 28(1) provides the specific legal basis for the authority of destination to trigger enforcement:
"Where a competent authority of destination has reason to suspect that a cloud computing service provider no longer fulfils the requirement under Annex II to this Regulation, it may request the competent authority of establishment to assess the matter and to take the necessary investigatory and enforcement measures to ensure compliance."
This provision creates a formal, mandatory channel for the destination authority to alert the establishment authority to potential non-compliance. The destination authority does not have the power to directly impose fines, revoke recognition, or order remedial measures against a provider established in another Member State. Instead, it initiates the process by raising a "reasoned suspicion" that the provider's service no longer meets the specific cumulative criteria for its recognized Union assurance level (as detailed in Annex II).
Article 28(2) extends this mechanism to the European Commission, which may also request the competent authority of establishment to assess and enforce compliance if it identifies similar risks.
The Process for Investigation and Enforcement
Once the competent authority of destination submits a request under Article 28(1), a strict procedural framework applies to ensure timely and effective action:
- Reasoned Request: The request must be "duly reasoned." The destination authority must provide sufficient context and evidence to allow the establishment authority to understand the nature of the suspected non-compliance.
- Assessment by Establishment Authority: The competent authority of establishment is obligated to take the request into account. If it considers the information provided insufficient to proceed, it may request additional information from the destination authority.
- Suspension of Deadlines: If the establishment authority requests additional information, the statutory timeline for response is suspended until that information is provided. This ensures that the investigation is not rushed due to incomplete data.
- Response Deadline: The competent authority of establishment must communicate its assessment, along with an explanation of any investigatory or enforcement measures taken or envisaged, to the requesting authority (and the Commission) no later than two months after receipt of the request. This deadline is stipulated in Article 28(4).
Contrast with the Authority of Establishment
It is crucial to distinguish the roles to avoid confusion in compliance strategies and legal interpretation:
- Competent Authority of Establishment: This is the primary regulator with exclusive competence (Article 25(4)). It holds the power to recognize services under Union assurance levels, conduct investigations, impose fines, and revoke recognitions. It acts as the single point of contact for the provider regarding sovereignty compliance.
- Competent Authority of Destination: This is the "watchdog" in the user's jurisdiction. It monitors the service in practice. If it detects discrepancies (such as data being processed outside the Union contrary to Annex II criteria, or personnel screening failures), it cannot act unilaterally. It must escalate the issue to the authority of establishment via Article 28.
This separation of powers is designed to prevent a scenario where a provider faces contradictory penalties or compliance demands from multiple Member States simultaneously, thereby preserving the integrity of the single market while ensuring robust oversight.
Implications for the Union Assurance Framework
The role of the competent authority of destination is integral to the integrity of the Union assurance levels. Since cloud services are inherently borderless, a provider established in Member State A may serve critical public sector activities in Member State B. If the provider fails to maintain the technical or organizational measures required for Union Assurance Level 3 or 4 (such as strict data localization, personnel screening, or software supply chain controls), the authority in Member State B is often best positioned to detect the failure during local audits, incident reviews, or operational monitoring.
Article 28 ensures that this detection leads to action without creating regulatory chaos. By mandating that the authority of establishment takes the lead on enforcement, CADA avoids the risk of fragmented enforcement while ensuring that local risks are not ignored.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud computing service providers, understanding the dynamic between the authority of establishment and the authority of destination is vital for risk management.
- Single Point of Contact, Multiple Eyes: You will primarily interact with your competent authority of establishment for recognition and ongoing compliance. However, you must be prepared to respond to inquiries that originate from authorities in other Member States. While they cannot fine you directly, their requests to your home authority can trigger formal investigations under Article 28.
- Maintain Consistent Evidence: Ensure that your compliance evidence (audit reports, technical documentation, operational logs) is consistent across all jurisdictions. A discrepancy identified by an authority of destination (such as a data flow leaving the Union in a specific region) could lead to a swift escalation under Article 28(1).
- Monitor Service Delivery: If you provide services across multiple Member States, ensure that your operational practices in each destination align with the assurance level you have been recognized for. The authority of destination is empowered to suspect non-compliance if the service in their territory does not match the certified standards.
- Timely Cooperation: If your organisation receives a request for information from the authority of establishment that was triggered by a destination authority, cooperate promptly. Delays in providing additional information can suspend the two-month response window, prolonging uncertainty and potentially leading to enforcement actions.
Common misconceptions
- Misconception 1: The destination authority can fine the provider.
- Correction: No. Under CADA, only the competent authority of establishment has the power to impose fines and enforcement measures (Article 25(4)). The destination authority can only request an assessment and trigger the enforcement process.
- Misconception 2: Providers must register separately with every destination authority.
- Correction: Recognition is Union-wide. Once a service is recognized by the authority of establishment, it is recognized across the Union (Article 17(7)). The destination authority does not re-evaluate the recognition but monitors its validity in practice.
- Misconception 3: Article 28 applies to all cloud services.
- Correction: Article 28 specifically relates to the enforcement of the cloud computing sovereignty framework (Chapter I, Title IV). It applies to services recognized under Union assurance levels 1–4. It does not apply to general data protection issues (which fall under GDPR enforcement mechanisms) or general market surveillance issues unless they intersect with specific sovereignty criteria.
This is general information about a draft EU regulation, not legal advice.