What is the difference between an investigative order and an enforcement order under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), national competent authorities wield two distinct but interconnected sets of powers to ensure cloud providers adhere to sovereignty standards. Investigative powers (Article 26(1)) are fact-finding tools that allow authorities to demand information, conduct inspections, and interview staff to detect potential infringements. Enforcement powers (Article 26(2)) are corrective tools that enable authorities to order the cessation of violations, impose fines, and levy periodic penalty payments. Crucially, the proposal explicitly states that non-compliance with either type of order constitutes a standalone infringement, meaning a provider can be sanctioned for ignoring an information request just as severely as for failing to meet a sovereignty criterion.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a robust sovereignty framework for cloud computing services. To ensure this framework is not merely theoretical, the proposal grants national competent authorities of establishment specific, legally binding powers to monitor and enforce compliance. These powers are clearly bifurcated in Article 26 into investigative and enforcement categories. Understanding the precise legal distinction between these two is critical for in-house counsel, as the procedural obligations and potential sanctions differ, yet the consequences of non-compliance are equally severe.

Investigative Powers: The Right to Gather Evidence

Article 26(1) of the CADA proposal defines the investigative powers available to national competent authorities. These powers are proactive and designed to equip authorities with the necessary tools to determine whether a cloud computing service provider is complying with the Regulation, particularly regarding the Union assurance levels (sovereignty tiers) they claim to offer.

The investigative powers outlined in Article 26(1) include three primary mechanisms:

1. Requesting Information: Authorities have the power to require any cloud computing service provider, as well as "any other persons acting for purposes related to their trade, business, craft or profession" (which explicitly includes auditing organisations), to provide information relating to a suspected infringement. The proposal mandates that this information be provided "as soon as possible" (Article 26(1)(a)). This is not a voluntary consultation; it is a binding legal obligation.
2. Inspections: Authorities possess the power to carry out, or to request a judicial authority in their Member State to order, inspections of any premises used by the provider for purposes related to their trade, business, craft, or profession. During these inspections, authorities may "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium" (Article 26(1)(b)). This ensures that digital evidence cannot be hidden behind technical barriers.
3. Interviews and Explanations: Authorities can ask any member of staff or representative of the provider to give explanations in respect of any information relating to a suspected infringement. With the consent of the person being interviewed, authorities may "record their answers by any technical means" (Article 26(1)(c)).

These powers are strictly fact-finding. They do not, in themselves, impose a final sanction or mandate a change in business practices. However, they are the necessary procedural precursor to any enforcement action. Without the ability to gather evidence through these means, the enforcement mechanism would be paralyzed.

Enforcement Powers: Stopping Violations and Imposing Sanctions

Once an investigation reveals a potential or actual infringement, or if a provider fails to cooperate with the investigation, authorities transition to the enforcement phase. Article 26(2) outlines the enforcement powers available to national competent authorities. These powers are reactive, corrective, and punitive, aimed at stopping violations and punishing non-compliance.

The enforcement powers include:

1. Cessation Orders: Authorities have the power to "order the cessation of infringements" and, where appropriate, "impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end." They may also request a judicial authority to do so (Article 26(2)(a)). This is the primary tool for halting non-compliant activities immediately.
2. Fines: Authorities can "impose fines, or request a judicial authority in their Member State to do so, for failure to comply with this Regulation." Crucially, the text explicitly states this includes "failure to comply with... any of the investigative orders issued pursuant to paragraph 1" (Article 26(2)(b)). This creates a direct financial penalty for ignoring an information request or refusing an inspection.
3. Periodic Penalty Payments: To ensure that an infringement is terminated in compliance with an order issued under point (a), or for "failure to comply with any of the investigative orders issued pursuant to paragraph 1," authorities can impose a periodic penalty payment (Article 26(2)(c)). This mechanism creates a cumulative financial incentive for the provider to comply with cessation orders or provide requested information. Unlike a one-off fine, this penalty accrues over time until compliance is achieved.

The Consequence of Non-Compliance

A critical legal point for compliance officers is that the CADA proposal treats non-compliance with investigative orders with the same severity as non-compliance with substantive sovereignty rules. Article 26(2)(b) explicitly states that fines can be imposed for failure to comply with the Regulation, "including with any of the investigative orders issued pursuant to paragraph 1." Similarly, Article 26(2)(c) allows for periodic penalty payments for failure to comply with investigative orders.

This means that ignoring a request for information under Article 26(1)(a) or refusing to allow an inspection under Article 26(1)(b) is not a passive act of delay; it is a standalone infringement that can trigger immediate financial penalties. Furthermore, if a provider fails to comply with an order to cease an infringement, the periodic penalty payment mechanism ensures that the cost of non-compliance accumulates daily or monthly, creating significant financial pressure to remedy the situation swiftly.

Article 26(3) reinforces the legal standard for these measures, stating that they shall be "effective, dissuasive and proportionate." When exercising these powers, authorities must consider the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider. However, the threshold for triggering these powers remains low: a suspected infringement is sufficient to initiate an investigation, and a failure to cooperate is sufficient to trigger enforcement.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, the distinction between investigative and enforcement orders dictates your response strategy and risk management protocols. The proposed CADA framework requires a proactive approach to regulatory interaction.

1. Treat Investigative Requests as Binding Legal Orders When a national competent authority issues a request for information under Article 26(1)(a), it is not a voluntary inquiry or a "soft" request. It is a binding legal order. Failure to respond "as soon as possible" can be sanctioned with fines under Article 26(2)(b). Your compliance team must have a clear, documented protocol for logging, escalating, and responding to such requests immediately. Delaying responses can be interpreted as non-cooperation, potentially aggravating the nature of the infringement and leading to higher penalties.

2. Prepare for On-Site Inspections and Data Seizure Authorities have the power to inspect your premises and seize data under Article 26(1)(b). Ensure that your internal data governance and record-keeping practices are robust and that your physical and digital premises are organized to facilitate such inspections. You should be able to quickly locate and provide documentation related to your Union assurance level claims, audit reports, and subcontractor arrangements. Having a designated liaison for authorities can streamline this process and minimize operational disruption while ensuring you do not inadvertently obstruct the investigation.

3. Understand the Escalation Path and Cumulative Penalties If an investigation leads to an enforcement order under Article 26(2)(a), you must act immediately to cease the infringement. The alternative is facing periodic penalty payments under Article 26(2)(c). These penalties are designed to be cumulative, meaning the longer you delay compliance, the higher the cost. Your legal team should assess the feasibility of immediate remediation versus the escalating cost of ongoing penalties. In many cases, the cost of rapid remediation will be significantly lower than the accumulated periodic penalties.

4. Document Everything for Proportionality Arguments Given that authorities must ensure their measures are "proportionate" under Article 26(3), maintaining a detailed record of your compliance efforts, responses to inquiries, and steps taken to remedy infringements is crucial. This documentation can be vital if you need to demonstrate good faith or contest the proportionality of a sanction. If you can show that you cooperated fully with investigative orders and acted swiftly to remedy issues, you may be able to mitigate the severity of any fines imposed.

5. Monitor for Cross-Border Cooperation While Article 26 focuses on the authority of the Member State where the provider has its main establishment, Articles 27 and 28 detail mutual assistance and cross-border cooperation. If your services operate across multiple Member States, an investigation in one jurisdiction could trigger information sharing or coordinated enforcement actions. Ensure your compliance framework is consistent across all EU operations, as a failure in one Member State can lead to enforcement actions in another.

Common misconceptions

Misconception 1: Investigative powers are optional or advisory. Some providers may view requests for information as informal inquiries that can be delayed or ignored if they believe no infringement has occurred. This is incorrect. Under Article 26(1), these are binding legal orders. Non-compliance is explicitly listed as a ground for fines under Article 26(2)(b). Ignoring an investigative order is itself a violation of the Regulation.

Misconception 2: Enforcement powers only apply to the underlying sovereignty violation. Providers may assume that penalties only apply if they fail to meet the technical criteria for a Union assurance level (e.g., data location or personnel citizenship). However, Article 26(2) makes it clear that penalties also apply for failing to comply with the authorities' procedural orders, such as refusing an inspection or not providing requested documents. The process of enforcement is as regulated as the substance of the sovereignty rules.

Misconception 3: Periodic penalty payments are a one-time fine. Article 26(2)(c) introduces periodic penalty payments to ensure the termination of an infringement. This is not a single fine but a recurring financial charge intended to pressure the provider into compliance. The cost can escalate significantly if the provider does not act swiftly to remedy the violation. The "periodic" nature means the penalty repeats until the infringement ceases.

Misconception 4: Only the main establishment is subject to these powers. While Article 25(4) states that the Member State where the provider has its main establishment has exclusive competence for enforcing the Chapter, the investigative and enforcement powers under Article 26 apply to the provider's activities as a whole. Furthermore, cross-border cooperation mechanisms (Articles 27 and 28) mean that authorities in other Member States can request assistance or trigger investigations if they suspect non-compliance, effectively extending the reach of these powers.

Related

• What happens if a provider ignores a CADA investigative order?
• CADA Enforcement: The Commission's Coordinating Role vs. National Powers
• What records should a provider keep for CADA enforcement?
• CADA Enforcement Timeline: Designating Authorities and Notifying Penalties
• CADA Enforcement: How National Law Shapes Penalties and Procedures

This is general information about a draft EU regulation, not legal advice.