Summary Under the proposed Cloud and AI Development Act (CADA), the national competent authority of establishment must respond to a request from the European Commission to assess and enforce compliance within two months of receipt. This strict deadline is mandated by Article 28(4) and applies specifically when the Commission exercises its power to trigger an assessment under Article 28(2). The two-month clock is suspended only if the authority formally requests additional information from the Commission, as provided for in Article 28(3). This mechanism ensures rapid cross-border enforcement while maintaining procedural fairness.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonised framework for the sovereignty and security of cloud computing services. A critical pillar of this framework is the enforcement architecture, which relies on a cooperative mechanism between the European Commission and the national competent authorities designated by Member States. While the primary responsibility for enforcement lies with the Member State where the cloud provider is established, the Commission retains a supervisory role to ensure consistent application of Union assurance levels across the single market.
The Commission's Trigger Power (Article 28(2))
The enforcement process often begins when the Commission identifies a potential systemic risk or a specific instance of non-compliance that requires national intervention. Under Article 28(2) of the proposal, the Commission may request the competent authority of establishment to "assess the matter and take the necessary investigatory and enforcement measures to ensure compliance."
This provision empowers the Commission to act as a central coordinator, ensuring that no Member State fails to act on cross-border risks. It is distinct from the mutual assistance mechanism between Member States (Article 27), as it involves the Commission directly initiating the enforcement chain. The request is "duly reasoned," meaning the Commission must provide a factual and legal basis for why the authority of establishment needs to intervene.
The Statutory Two-Month Deadline (Article 28(4))
Once the competent authority of establishment receives a duly reasoned request from the Commission, the clock starts ticking. Article 28(4) imposes a strict temporal obligation on the authority. The regulation states:
"The competent authority of establishment shall, as soon as possible and in any event not later than two months after receipt of the request pursuant to paragraph 1 or 2, communicate to the competent authority that sent the request, and the Commission, its assessment of the suspected infringement and an explanation of any investigatory or enforcement measures taken or envisaged in relation to the matter to ensure compliance with this Regulation."
This deadline serves two purposes:
- Speed: It prevents administrative delays that could allow non-compliant providers to continue operating or to dissipate evidence.
- Transparency: It mandates that the authority not only act but also report back. The communication must include the authority's assessment of the suspected infringement and a detailed explanation of any measures taken or envisaged.
The deadline applies equally to requests from another competent authority (Article 28(1)) and requests from the Commission (Article 28(2)), ensuring a uniform timeline for all cross-border enforcement triggers.
Suspension of the Deadline (Article 28(3))
The two-month period is not rigid if the initial request lacks necessary details. Article 28(3) provides a specific suspension mechanism to ensure that authorities are not forced to act on incomplete information.
If the competent authority of establishment considers the information provided in the Commission's request to be insufficient, it may request additional information. The regulation explicitly states:
"The period set out in paragraph 4 shall be suspended until that additional information is provided."
This suspension is conditional. It only applies if:
- The authority formally requests the additional information.
- The request is made to the entity that sent the original request (in this case, the Commission).
- The suspension lasts only until the information is actually received.
Once the additional information is provided, the two-month clock resumes. This ensures that the authority has the necessary facts to conduct a proper assessment without being penalized for the Commission's initial lack of detail, while still maintaining pressure to resolve the matter quickly once the facts are clear.
The Role of the Authority of Establishment
It is vital to note that this deadline applies specifically to the competent authority of establishment. Under Article 25(4), this is the authority in the Member State where the cloud computing service provider has its main establishment (i.e., its head office or registered office from which principal financial functions and operational control are exercised). This centralization prevents "forum shopping" or fragmented enforcement where multiple Member States might attempt to act simultaneously. The authority of establishment holds exclusive competence for enforcing the sovereignty chapter, making it the sole entity responsible for meeting the Article 28(4) deadline.
What this means for you
For cloud computing service providers, legal counsel, and compliance teams, understanding the Article 28 timeline is essential for risk management and strategic planning.
1. Rapid Response Expectations
The two-month deadline creates a compressed timeline for regulatory action. If the Commission flags a potential breach of Union assurance levels, the national authority has a maximum of 60 days to complete its initial assessment and report back. This suggests that providers should be prepared for swift regulatory inquiries. Internal compliance teams should maintain "ready-to-go" documentation packages regarding their Union assurance level recognition, audit reports, and sovereignty criteria compliance to facilitate rapid responses.
2. The "Suspension" Dynamic
While the suspension mechanism in Article 28(3) offers a potential extension, it is not a tool for delay. It requires the authority to actively request more information from the Commission. For providers, this means that if an investigation stalls, it is likely due to a procedural gap in the Commission's initial request rather than the authority's inaction. Providers should monitor the flow of information between the Commission and the authority; if the authority requests more data, the provider should anticipate a pause in the formal reporting deadline but not necessarily a pause in the underlying investigation.
3. Centralized Communication
Since the deadline applies to the authority of establishment, your primary point of contact for any Commission-triggered investigation will be that specific national authority. Providers operating across the EU should ensure their legal and compliance teams are aligned with the specific procedural rules and timelines of their Member State of establishment. Misunderstanding the local implementation of Article 28 could lead to missed deadlines or procedural errors.
4. Reporting Obligations
Article 28(4) requires the authority to explain "any investigatory or enforcement measures taken or envisaged." This implies a high level of transparency. Providers should expect formal notifications detailing the scope of the investigation and the potential remedies or penalties being considered. This reporting requirement also means that the Commission will be kept informed in real-time, reducing the likelihood of "black box" enforcement actions.
Common misconceptions
Misconception 1: The two-month deadline applies to all Commission interactions. This is incorrect. The specific "not later than two months" deadline in Article 28(4) applies strictly to requests for assessment and enforcement measures triggered under Article 28(1) (between authorities) or Article 28(2) (from the Commission). It does not apply to general information requests, routine monitoring, or the separate mutual assistance procedures under Article 27, which have their own distinct timelines (e.g., Article 27(3) requires informing the authority "as soon as possible and no later than two months" but focuses on the action taken rather than a full assessment report).
Misconception 2: The Commission can extend the deadline unilaterally. The Commission cannot simply extend the deadline by issuing a new request. The only statutory mechanism for extending the timeline is the suspension provided in Article 28(3), which requires the authority to request additional information. If the authority does not request more information, the two-month clock continues to run regardless of the complexity of the case.
Misconception 3: The deadline is for the final resolution of the case. The deadline in Article 28(4) is for the communication of the assessment and the explanation of measures taken or envisaged. It is not a deadline for the final conclusion of the investigation or the imposition of penalties. The authority must report within two months on what it has done or plans to do, but the actual enforcement process (e.g., audits, fines, remediation) may continue beyond this period.
Related
- What obligations do CADA authorities have toward the Commission?
- Must CADA authorities act impartially and transparently?
- Does the Commission cooperate with CADA national authorities?
- Can CADA authorities act before an infringement is confirmed?
- Can CADA authorities act against a non-EU cloud provider?
This is general information about a draft EU regulation, not legal advice.