Summary

The Cloud and AI Development Act (CADA) explanatory memorandum outlines a decentralised enforcement model where Member States designate national competent authorities (NCAs) to supervise cloud providers' compliance with Union assurance levels. As proposed, NCAs would hold investigative and enforcement powers, including the ability to impose fines and periodic penalty payments, while cooperating through mutual assistance and cross-border mechanisms. The framework aims to ensure consistent application across the Union without creating a new central EU supervisory body, relying instead on the "competent authorities in the Member State where the main establishment of the cloud computing service provider is located" (Recital 53).

Detail

The CADA explanatory memorandum positions the enforcement of the cloud computing sovereignty framework as a shared responsibility between national authorities and the European Commission, relying heavily on existing regulatory structures rather than creating a new centralised agency. The memorandum explicitly states that "in the interest of clarity, simplicity and effectiveness, the powers to supervise and enforce the obligations relating to the cloud sovereignty framework should be conferred to the competent authorities in the Member State where the main establishment of the cloud computing service provider is located" (Recital 53). This design choice aligns with the broader EU regulatory trend of decentralised supervision, similar to the General Data Protection Regulation (GDPR) or the Digital Operational Resilience Act (DORA), but tailored specifically to cloud sovereignty and autonomy risks.

National Competent Authorities (NCAs) and Their Powers

Under Article 25, Member States are obligated to designate one or more national competent authorities responsible for enforcing the sovereignty chapter. The explanatory memorandum notes that Member States may designate existing authorities, potentially leveraging bodies already active in data protection, cybersecurity, or market surveillance, to reduce administrative burden. These authorities must be granted "necessary powers, resources, expertise and technical means to carry out their tasks in an effective, impartial and independent manner" (Recital 59).

Article 26 details the specific powers these NCAs would hold. Investigative powers include the ability to require cloud providers and related persons to provide information, inspect premises, and record answers from staff. Enforcement powers allow NCAs to order the cessation of infringements, impose fines, and levy periodic penalty payments to ensure compliance. The memorandum emphasises that these measures must be "effective, dissuasive and proportionate," taking into account the nature, gravity, and duration of the infringement, as well as the economic capacity of the service provider (Recital 59, Article 26(3)).

Penalties and Compensation

Article 24 establishes the framework for penalties. Member States must lay down rules on penalties applicable to infringements by cloud computing service providers, ensuring they are effective, proportionate, and dissuasive. The explanatory memorandum highlights that when imposing penalties, authorities should consider criteria such as the nature and scale of the infringement, any previous infringements, financial benefits gained, and the infringing party's annual turnover in the Union. Additionally, Article 24(3) grants recipients of cloud services the right to seek compensation for damages suffered due to provider infringements, reinforcing private enforcement alongside public regulatory action.

Mutual Assistance and Cross-Border Cooperation

Recognising the cross-border nature of cloud services, the explanatory memorandum stresses the importance of cooperation between NCAs. Article 27 sets out principles of mutual assistance, requiring close cooperation and information sharing between authorities to apply the chapter consistently. Article 28 specifically addresses cross-border cooperation in enforcement actions. If an NCA in a destination Member State suspects a provider no longer meets the assurance level criteria, it can request the NCA of establishment to assess the matter and take necessary investigatory or enforcement measures. The Commission also retains the power to request such assessments. The memorandum notes that "effective enforcement requires robust cross-border cooperation between competent authorities to ensure the consistent application of this Regulation across Member States and the timely sharing of relevant information to address systemic risks within the Union" (Recital 60).

Decentralised Design Rationale

The explanatory memorandum justifies this decentralised approach by noting that national authorities are best placed to understand local market conditions and legal contexts. It states that "the current landscape of cloud and AI is characterised by a pronounced dependence on a limited pool of third-country providers," and a harmonised EU-wide framework is needed to prevent fragmentation (Recital 47). By assigning enforcement to NCAs with clear cooperation mechanisms, CADA would aim to balance the need for uniform sovereignty standards with the practical realities of national legal systems. The memorandum also clarifies that this framework complements, but does not replace, existing cybersecurity and data protection regimes, noting that "certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements" (Recital 5).

What this means for you

For in-house counsel and compliance officers, the CADA enforcement framework introduces several critical obligations and strategic considerations:

  • Identify Your NCA: Determine which national competent authority has jurisdiction over your main establishment in the EU. This will be your primary regulatory contact for recognition applications and enforcement interactions.
  • Prepare for Investigations: Ensure your organisation is ready to respond to NCA investigative powers under Article 26. This includes maintaining accessible records, facilitating premises inspections, and providing timely information on cloud service configurations and subcontractor arrangements.
  • Penalty Risk Assessment: Evaluate your exposure to penalties under Article 24. Factors such as annual turnover in the Union and the severity of sovereignty criterion breaches will influence fine calculations. Implement robust internal monitoring to detect and remedy potential infringements before they escalate.
  • Cross-Border Coordination: If you operate across multiple Member States, anticipate requests for mutual assistance under Articles 27 and 28. Establish internal processes to coordinate with NCAs in different jurisdictions to ensure consistent compliance and efficient resolution of cross-border issues.
  • Compensation Claims: Be aware that service recipients can seek compensation for damages resulting from your non-compliance. Maintain clear documentation of compliance efforts to mitigate liability in such claims.

Common misconceptions

  • Misconception: CADA creates a new EU-wide cloud regulator.
    • Clarification: The explanatory memorandum explicitly states that enforcement powers are conferred to national competent authorities in the Member State of the provider's main establishment. The Commission's role is primarily to coordinate and resolve disputes between NCAs, not to directly enforce against providers.
  • Misconception: Only cybersecurity breaches are penalised.
    • Clarification: CADA focuses on sovereignty and autonomy risks, such as third-country control or data localisation failures, which are distinct from pure cybersecurity incidents. Penalties would apply to infringements of the sovereignty framework criteria, not just technical security failures.
  • Misconception: NCAs have unlimited powers.
    • Clarification: NCA powers are subject to proportionality and safeguards. The memorandum stresses that measures must be effective, dissuasive, and proportionate, and subject to judicial review and defence rights.

This is general information about a draft EU regulation, not legal advice.