Summary

As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) establishes a rigorous enforcement regime for cloud computing service providers seeking Union assurance levels. Readiness hinges on three pillars: mapping the specific obligations under Article 24 that trigger penalties, preparing for the broad investigative and inspection powers of national competent authorities under Article 26, and correctly identifying your supervising authority via the public register mandated by Article 25. Failure to align with these provisions could result in "effective, proportionate and dissuasive" penalties and civil liability.

Detail

The CADA proposal introduces a robust enforcement framework designed to ensure that cloud computing service providers adhere to the sovereignty and autonomy standards set out in Title IV, Chapter I. For providers aiming to serve Union entities and public sector bodies, readiness is not optional; it is a prerequisite for market access. The enforcement architecture rests on the interplay between penalty provisions, supervisory powers, and clear jurisdictional attribution.

Unlike general data protection regulations, CADA's enforcement is tightly coupled with the technical and operational criteria of the Union assurance levels. The proposal explicitly empowers Member States to impose penalties for infringements of this chapter, creating a direct link between operational sovereignty (e.g., data location, personnel citizenship) and legal liability.

1. Mapping Obligations Triggering Penalties (Article 24)

Article 24 of the CADA proposal mandates that Member States lay down rules on penalties applicable to infringements of Title IV, Chapter I by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." To prepare, providers must conduct a gap analysis against the specific obligations in this chapter, as non-compliance exposes the provider to financial liability and reputational damage.

The scope of infringements is broad, covering the entire lifecycle of the sovereignty framework:

  • Recognition and Audit Compliance: Providers must submit accurate applications for recognition of Union assurance levels (Article 17) and undergo independent third-party audits for levels 2, 3, and 4 (Article 20). Crucially, Article 20(2) requires providers to cooperate with auditing organisations, providing access to all relevant data and premises. Failure to cooperate, or supplying incorrect or misleading audit evidence, constitutes a direct infringement.
  • Transparency and Reporting: Under Article 23, providers are required to promptly notify their auditing organisation and the national competent authority of establishment of any information, or any material change in circumstances, that may affect the audit report, the "positive" audit opinion, or the recognition status. Delayed or omitted reporting is a trigger for penalties.
  • Data Sovereignty and Operational Criteria: Providers must strictly adhere to the cumulative criteria for Union assurance levels 1–4 set out in Annex II. This includes ensuring that infrastructure, assets, and personnel are located in the Union, and that customer data remains exclusively within the Union unless explicitly required otherwise by the public sector body. Deviations from these criteria, once recognised, constitute an infringement.

Article 24(2) lists non-exhaustive criteria that Member States must consider when imposing penalties. These include:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided due to the infringement.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Furthermore, Article 24(3) establishes a dual-risk model: recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement. This means a provider faces not only regulatory fines from authorities but also civil liability from customers.

2. Preparing for Investigative and Inspection Powers (Article 26)

Article 26 grants national competent authorities significant investigative and enforcement powers to verify compliance. Providers must operationalise their internal processes to accommodate these powers without disrupting service continuity. The proposal empowers authorities to act swiftly and decisively.

Investigative Powers (Article 26(1))

Competent authorities have the power to:

  • Require Information: Demand that providers, as well as any other persons acting for purposes related to their trade (including auditing organisations), provide information "as soon as possible."
  • Inspect Premises: Carry out, or request a judicial authority to order, inspections of any premises used for trade, business, or profession. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
  • Question Staff: Ask any member of staff or representative to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.

Enforcement Powers (Article 26(2))

If infringements are found, authorities can:

  • Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
  • Impose Fines: Impose fines for failure to comply with the Regulation, including with any investigative orders issued.
  • Impose Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated or that investigative orders are complied with.

Readiness requires that providers maintain organised, accessible records of their technical and operational setups, audit trails, and subcontractor agreements. Data must be retrievable quickly to satisfy the "as soon as possible" requirement for information requests. Providers should also prepare their staff for potential questioning, ensuring they understand their obligations to cooperate while protecting legitimate trade secrets.

3. Knowing Your Authority via the Article 25 Register

Article 25 clarifies jurisdictional competence to prevent regulatory fragmentation and ensure a "one-stop-shop" approach for providers. Within one year of the Regulation's entry into force, Member States must designate one or more national competent authorities responsible for enforcing Chapter I.

Crucially, Article 25(4) establishes the principle of exclusive competence: the Member State in which the cloud computing service provider has its main establishment shall have exclusive competence for enforcing this Chapter. The proposal defines "main establishment" as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.

The Commission will maintain a public register of these authorities (Article 25(2)). Providers must identify their "competent authority of establishment" to ensure they are submitting applications, audit reports, and notifications to the correct body. Misidentifying the authority can lead to procedural delays, rejection of applications, and potential non-compliance findings.

What this means for you

For cloud service providers and data centre operators, the CADA enforcement framework demands a shift from passive compliance to active governance. The proposal creates a high-stakes environment where operational decisions directly impact legal exposure.

Operationalise Audit Cooperation

Your IT, legal, and security teams must establish protocols for immediate cooperation with auditing organisations and national competent authorities. This includes granting secure, timely access to premises, data, and personnel. Ensure that your staff are trained to respond to investigative inquiries under Article 26 without compromising trade secrets unnecessarily, while still fulfilling legal obligations. The power to "seize" information means you must be able to produce evidence instantly.

Implement Change Management for Transparency

Article 23 requires prompt notification of material changes. Integrate sovereignty and autonomy checks into your change management processes. Any shift in infrastructure location, subcontractor usage, corporate control structure, or personnel citizenship must trigger an immediate assessment of its impact on your Union assurance level. If a change affects your status, notify your auditor and competent authority without delay to avoid penalties for non-reporting.

Map Your Penalty Exposure

Conduct a risk assessment based on the criteria in Article 24(2). Identify areas where your current operations might be deemed non-compliant, such as data residency gaps, insufficient subcontractor oversight, or lack of transparency in the software supply chain. Prioritise remediation in high-risk areas to mitigate the scale and gravity of potential infringements. Remember that penalties are calculated based on turnover and the duration of the infringement, making early detection critical.

Verify Your Jurisdiction

Consult the Commission's register of competent authorities (once established) to confirm your designated supervisory body. Ensure all future communications, applications for recognition, and notifications are directed to this authority. If your main establishment moves, you must update your registration and coordinate with the new competent authority to maintain exclusive competence.

Common misconceptions

"Penalties are only for large-scale data breaches." No. Under Article 24, penalties apply to infringements of Chapter I, which includes procedural failures such as failing to provide information to authorities, supplying incorrect audit evidence, failing to report material changes, or non-cooperation with auditors. Even administrative non-compliance can trigger fines.

"Any national authority can investigate me." Incorrect. Article 25(4) grants exclusive competence to the Member State where your main establishment is located. While other Member States can request mutual assistance (Article 27) or cross-border cooperation (Article 28), the primary enforcement and investigative powers rest with your competent authority of establishment. You do not need to prepare for simultaneous investigations from multiple Member States for the same infringement.

"Audits are a one-time event." False. Article 20(8) requires providers to annually submit the audit report and the associated "positive" audit opinion for review. Compliance is continuous. Failure to maintain ongoing cooperation with auditing organisations or to update your audit status when conditions change is an infringement subject to penalties.

"CADA penalties are fixed like the AI Act." No. Unlike the AI Act, which sets specific maximum fines (e.g., €35 million or 7% of turnover), Article 24 of CADA does not fix a maximum fine. Instead, it requires Member States to lay down rules that are "effective, proportionate and dissuasive," taking into account criteria like turnover and gravity. The actual penalty amount will vary by Member State.

This is general information about a draft EU regulation, not legal advice.