Summary
Under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final, a proposal not yet in force), the competent authority of establishment would be the national regulator in the Member State where a cloud computing service provider has its main establishment, defined in Article 25(4) as the head office or registered office from which the provider's principal financial functions and operational control are exercised. As proposed, that authority alone would have exclusive competence to enforce the cloud computing sovereignty framework (Chapter I of Title IV). This creates a "one-stop-shop" model: a provider active in many Member States answers primarily to one lead regulator, with other Member States and the Commission acting through cooperation rather than direct enforcement.
Detail
CADA's Title IV ("Autonomy") establishes, in Chapter I, a Union cloud computing sovereignty framework graded into four Union assurance levels. To enforce that framework consistently without fragmenting the single market, the proposal concentrates supervisory power in a single national authority per provider: the competent authority of establishment.
Designation of national competent authorities
Article 25(1) would require each Member State to designate one or more national competent authorities responsible for enforcing Chapter I, doing so by one year after the Regulation's entry into force. Member States could designate an existing authority rather than create a new one. Under Article 25(2), Member States would notify the Commission of the names of these authorities and of their tasks and powers, and the Commission would maintain a public register of them.
Article 25(3) would oblige Member States to ensure their authorities act in an impartial, transparent and timely manner and have sufficient technical, financial and human resources to supervise all cloud computing service providers within their competence.
Exclusive competence of the authority of establishment
The pivotal allocation rule is in Article 25(4):
"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."
Two features deserve emphasis. First, "main establishment" turns on where principal financial functions and operational control sit — not on where a provider holds the most customers, the most data centres, or its largest revenue. Second, the competence is exclusive: as proposed, no other Member State could directly enforce Chapter I against that provider. This mirrors the "one-stop-shop" logic familiar from the GDPR (lead supervisory authority) and the Digital Markets Act, adapted here to cloud sovereignty.
The same authority of establishment also performs the recognition function: under Article 17 it acts as the evaluating national competent authority that assesses a provider's evidence and decides whether to recognise its service at a given Union assurance level.
The investigative and enforcement powers attached to the role
Article 26 attaches the operative powers to the competent authority of establishment, exercisable "where needed to carry out their tasks under Article 17":
- Investigative powers (Article 26(1)) — to require information from providers and from any other persons acting for purposes of their trade or business who may hold relevant information, including auditing organisations (point (a)); to carry out, or have a judicial authority order, inspections of premises and to examine, seize or copy information "in any form, irrespective of the storage medium" (point (b)); and to ask staff or representatives for explanations, recording answers with their consent (point (c)).
- Enforcement powers (Article 26(2)) — to order the cessation of infringements and impose proportionate remedies (point (a)); to impose fines, including for failure to comply with investigative orders (point (b)); and to impose periodic penalty payments (point (c)). Each can be exercised directly or by requesting a judicial authority to do so.
Article 26(3) requires every such measure to be effective, dissuasive and proportionate; Article 26(4) requires Member States to wrap the powers in safeguards — the right to respect for private life, the rights of defence (to be heard and to access the file) and the right to an effective judicial remedy.
Cooperation: how other Member States and the Commission engage
Exclusive competence does not mean isolation. Two mechanisms channel cross-border concerns back to the authority of establishment:
- Mutual assistance (Article 27): Competent authorities and the Commission must cooperate closely and exchange information. An authority needing information located in another Member State may request it; the receiving authority must comply and inform the authority of establishment of the action taken as soon as possible and no later than two months after receipt, unless duly justified.
- Cross-border cooperation (Article 28): A competent authority of destination — an authority in a Member State where the service is used — that suspects a provider no longer meets the Annex II requirements may ask the authority of establishment to assess the matter and take the necessary investigatory and enforcement measures. The Commission may make the same request (Article 28(2)). The authority of establishment must communicate its assessment and any measures taken or envisaged, as soon as possible and in any event within two months of the request (Article 28(4)).
So while enforcement is centralised, oversight is collaborative: any destination authority or the Commission can trigger scrutiny, but the authority of establishment carries it out.
Penalties and compensation behind the role
Article 24 supplies the sanctioning backdrop. Member States must lay down penalties for infringements of Chapter I by cloud computing service providers that are effective, proportionate and dissuasive (Article 24(1)), guided by the non-exhaustive criteria in Article 24(2) — including the nature, gravity, scale and duration of the infringement, mitigation, prior infringements, financial benefit, and Union turnover. Separately, Article 24(3) gives recipients of cloud services the right to seek compensation, in accordance with Union and national law, for damage or loss caused by a provider's infringement of its Chapter I obligations.
What this means for you
For in-house counsel and compliance leads at cloud computing service providers, the authority of establishment is the single most important regulatory relationship under CADA as proposed.
- Pin down your lead regulator early. Apply the Article 25(4) test honestly: where are your principal financial functions and operational control actually exercised? That, not customer footprint, fixes which authority holds exclusive competence and will handle your recognition applications (Article 17) and any enforcement.
- Expect concentrated, specialised scrutiny. Because one authority supervises you across the Union, it will likely build deep cloud-sovereignty expertise. Be ready to engage it directly with Annex II evidence and, for levels 2–4, audit reports and opinions under Article 20.
- Stay responsive to destination-authority concerns. A concern raised under Article 28 in any Member State where your service is used will be routed to your lead authority, which must respond within two months. Slow evidence on your side compresses that window and risks your recognition.
- Treat penalties and private claims as live exposure. Your lead authority can impose fines and periodic penalty payments (Article 26(2)), and customers can pursue compensation (Article 24(3)). Maintain documentation that lets you demonstrate compliance with your assurance-level criteria and transparency obligations on demand.
Common misconceptions
- "Any Member State can fine me for a sovereignty-framework breach." No. Article 25(4) gives exclusive competence to the authority of your main establishment. Other Member States cannot directly enforce Chapter I against you; they channel concerns through Articles 27 and 28.
- "The authority of establishment and the authority of destination are the same body." No. The authority of establishment supervises and enforces based on your main establishment. A competent authority of destination sits where your service is used and plays a triggering and assisting role only — it cannot itself impose Chapter I enforcement on you.
- "I can pick a favourable regulator." No. The competent authority of establishment is determined by fact — the location of your head office or registered office with principal financial functions and operational control — not by choice or convenience.
- "Exclusive competence means no one else is watching." No. Destination authorities and the Commission can both ask the authority of establishment to act (Article 28), and authorities must give each other mutual assistance (Article 27). Centralised enforcement coexists with Union-wide oversight.
This is general information about a draft EU regulation, not legal advice.