Summary

Under the proposed Cloud and AI Development Act (CADA), the regulatory landscape is defined by a strict division of powers to ensure a single market without fragmentation. The national competent authority of establishment holds exclusive competence for enforcing the cloud sovereignty framework, meaning it is the sole body empowered to investigate, sanction, and revoke recognition for a provider. This is codified in Article 25(4). Conversely, the national competent authority of destination (where the service is used) acts as a watchdog; it cannot fine a provider directly but holds the power to flag suspected non-compliance. Under Article 28(1), a destination authority can formally request the authority of establishment to assess and act on specific suspicions. This interaction creates a "single point of enforcement" model that relies on robust cross-border cooperation to protect public order across the Union.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. A critical design choice in this proposal is the centralisation of enforcement powers to prevent regulatory arbitrage and ensure legal certainty for cloud service providers operating across multiple Member States. The proposal explicitly distinguishes between the national competent authority of establishment and the national competent authority of destination, assigning them distinct but complementary roles.

The Authority of Establishment: Exclusive Competence

The authority of establishment is the national competent authority designated by the Member State where the cloud computing service provider has its "main establishment." The proposal provides a precise definition for this concept to avoid ambiguity regarding jurisdiction.

Article 25(4) of the CADA proposal states:

"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."

This provision establishes a "one-stop-shop" enforcement model. The term "exclusive competence" carries significant legal weight, implying that no other national authority within the Union may exercise enforcement powers over the provider regarding the sovereignty framework. This exclusivity manifests in three key areas:

  1. Sole Investigative and Sanctioning Power: Only the authority of establishment may exercise the investigative powers listed in Article 26(1) (e.g., requiring information, conducting inspections) and the enforcement powers in Article 26(2) (e.g., ordering cessation of infringements, imposing fines, or periodic penalty payments).
  2. Recognition Authority: The authority of establishment is the sole body responsible for assessing applications for recognition of Union assurance levels (Levels 1–4) under Article 17. It evaluates the evidence, manages the review period with other Member States, and ultimately adopts the recognition decision that is valid across the entire Union.
  3. Primary Liability for Penalties: While Member States must lay down penalty rules under Article 24, the authority of establishment is the entity that applies these rules to the provider. The penalty regime of the establishment Member State effectively becomes the provider's primary regulatory burden for sovereignty infringements.

Member States are required to designate these competent authorities by the date of entry into force plus one year (Article 25(1)). These authorities must be equipped with sufficient technical, financial, and human resources to supervise all providers within their competence (Article 25(3)).

The Authority of Destination: The Watchdog Role

The authority of destination is the national competent authority in a Member State where the cloud computing service is actually procured or used by a public sector body or Union entity. While this authority lacks the power to directly impose fines or revoke recognition, it plays a vital "eyes and ears" role in the ecosystem.

The mechanism for interaction is detailed in Article 28, specifically Article 28(1), which states:

"Where a competent authority of destination has reason to suspect that a cloud computing service provider no longer fulfils the requirement under Annex II to this Regulation, it may request the competent authority of establishment to assess the matter and to take the necessary investigatory and enforcement measures to ensure compliance."

This provision creates a formal trigger mechanism. The authority of destination does not act unilaterally against the provider; instead, it initiates a cross-border cooperation procedure. The process functions as follows:

  1. Reasoned Request: The destination authority must provide a "duly reasoned" request to the authority of establishment. This request must articulate the specific suspicion regarding non-compliance with the Union assurance level criteria (e.g., evidence of third-country control, data exfiltration, or failure to meet cybersecurity standards).
  2. Obligation to Assess: Upon receipt, the authority of establishment is legally obligated to assess the matter. It cannot ignore the request. If the information provided is insufficient, the establishment authority may request additional details, though this suspends the response timeline (Article 28(3)).
  3. Strict Timeline: The authority of establishment must communicate its assessment and any investigatory or enforcement measures taken or envisaged to the requesting authority and the Commission within two months of receiving the request (Article 28(4)).

The Interaction: A Coordinated Enforcement Model

The interplay between Article 25(4) and Article 28(1) creates a balanced system that respects the principle of exclusive competence while ensuring that local risks are not ignored.

The Article 25(4) exclusivity ensures that providers face a single regulatory burden, avoiding the chaos of multiple national investigations for the same issue. However, without the Article 28(1) mechanism, the authority of establishment might remain unaware of local non-compliance occurring in a distant Member State.

The system is further reinforced by Article 27 (Mutual Assistance), which mandates that competent authorities cooperate closely and exchange information. If the authority of establishment needs data located in another Member State to conduct its investigation, it can request it from the local authority, which must comply within two months (Article 27(2)-(3)).

In practice, the authority of destination acts as the sensor, detecting potential breaches in the local market. It then alerts the authority of establishment, which acts as the enforcer, conducting the investigation and applying sanctions if necessary. This ensures that the "exclusive competence" of the establishment authority does not result in a "blind spot" for the destination Member State.

What this means for you

For legal counsel, compliance officers, and cloud service providers, understanding this distinction is critical for risk management and regulatory strategy.

1. Centralise Your Regulatory Engagement: Your primary point of contact for all sovereignty compliance matters is the authority of your main establishment. You must ensure that your application for recognition (Article 17) and all subsequent communications are directed to this single authority. Do not attempt to negotiate compliance terms with destination authorities, as they lack the legal power to grant or deny recognition.

2. Prepare for "Triggered" Investigations: While you do not report to destination authorities, you must assume they are monitoring your service. If a public sector body in a destination Member State raises a concern, their authority can trigger a formal investigation under Article 28. You must be prepared to provide your authority of establishment with immediate, robust evidence to refute any suspicion raised by a destination authority.

3. Manage the Two-Month Clock: The Article 28(4) timeline is strict. If a destination authority flags an issue, your authority of establishment has only two months to respond. Delays in your internal response to your establishment authority can cause the regulator to miss this deadline, potentially leading to reputational damage or the perception of non-cooperation.

4. Consistency is Key: Your compliance documentation (e.g., data flow diagrams, audit reports, SBOMs) must be consistent across the Union. Discrepancies between what you report to your establishment authority and what a destination authority observes can be the catalyst for an Article 28 request. Ensure your global operations align with the specific criteria of your recognised Union assurance level.

5. Liability and Compensation: While the authority of establishment imposes penalties, remember that under Article 24(3), recipients of your service (in destination Member States) have the right to seek compensation for damage suffered due to your infringement. Your liability exposure is Union-wide, even if the enforcement action is localised to your establishment state.

Common misconceptions

Misconception 1: "I can ignore regulators in Member States where I don't have an office." Incorrect. While you do not file routine reports with destination authorities, they have a statutory duty to monitor compliance. Under Article 28(1), they can initiate a formal investigation request that leads to enforcement actions by your establishment authority. Ignoring local concerns can trigger a cross-border enforcement cascade.

Misconception 2: "The authority of destination can fine me directly if I break the rules in their country." Incorrect. Article 25(4) grants exclusive competence to the authority of establishment. A destination authority cannot impose fines, order the cessation of services, or revoke recognition directly. They can only request the establishment authority to take these actions.

Misconception 3: "Establishment is just where my company is legally registered." Incorrect. Article 25(4) defines main establishment as the place where "principal financial functions and operational control are exercised." If your registered office is in Ireland but your operational control and financial functions are in Germany, Germany may be your authority of establishment. Misidentifying this can lead to jurisdictional disputes.

Misconception 4: "Cross-border cooperation is informal or optional." Incorrect. Article 28 establishes a binding legal obligation with strict timelines. The authority of establishment must respond to a duly reasoned request within two months. This is a formal procedural requirement, not a matter of administrative courtesy.


This is general information about a draft EU regulation, not legal advice.