Summary
As proposed, the Cloud and AI Development Act (CADA) would fundamentally alter cloud service agreements by introducing binding sovereignty criteria and a potent enforcement regime. National competent authorities would gain the power under Article 26(2)(a) to order the "cessation of infringements," potentially forcing immediate service shutdowns that standard Force Majeure clauses may not cover. Simultaneously, Article 24(3) establishes a direct statutory right for recipients to seek compensation for any damage or loss resulting from a provider's infringement. In-house counsel must urgently renegotiate liability caps, indemnities, and termination clauses to address these new statutory risks, ensuring contracts explicitly cover sovereignty breaches, migration timelines, and the specific conditions under which third-country controlled providers may qualify for Union assurance levels.
Detail
The proposed CADA moves beyond voluntary best practices to establish a binding legal framework for cloud sovereignty, with enforcement mechanisms that directly intersect with commercial contract law. For in-house counsel and compliance officers, the practical impact lies in the translation of regulatory obligations into contractual liabilities, particularly regarding service continuity, data sovereignty, and financial exposure.
Enforcement Powers and Service Continuity Risks
The most immediate operational risk for cloud providers stems from the enforcement powers granted to national competent authorities. Under Article 26(2)(a), these authorities possess the power to "order the cessation of infringements and, where appropriate, to impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end."
Crucially, Article 26(1) ties these powers to the authorities' tasks under Article 17 (Recognition of cloud computing service providers): they are exercised "Where needed to carry out their tasks under Article 17". The power to order a cessation is therefore triggered when a provider fails to meet the criteria for a Union assurance level or loses recognition. In a commercial context, a cessation order could in effect require a provider to halt the affected service if it is found non-compliant (for example, failing to keep data within the Union, lacking proper audit evidence, or being subject to unapproved third-country control).
This creates a significant continuity risk. Existing Service Level Agreements (SLAs) typically define "Force Majeure" or "Service Interruption" narrowly and often exclude regulatory action that results from the provider's own negligence. A regulatory cessation order is therefore unlikely to qualify as Force Majeure where the provider was negligent in maintaining compliance with the Union assurance levels. Contracts must be drafted to address the scenario in which regulatory intervention forces a shutdown, and to distinguish between shutdowns caused by provider fault and those caused by an external regulatory mandate the provider could not reasonably have avoided.
Furthermore, Article 26(2)(c) allows authorities to impose periodic penalty payments to compel termination of an infringement. Those payments go to the state, but the non-compliance that triggers them will usually also breach the provider's contractual warranty of compliance with applicable law. The result is a cascading liability: the same infringement that attracts a periodic penalty also exposes the provider to a breach of contract claim from the customer.
The Right to Compensation and Contractual Liability
A critical shift in CADA is the explicit statutory right for customers to seek damages. Article 24(3) states: "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision fundamentally alters the liability landscape. Traditionally, cloud contracts limit provider liability to a multiple of fees paid (e.g., 12 months' fees) and exclude indirect damages. However, Article 24(3) establishes a direct statutory cause of action for "any damage or loss." The provision defers to Union and national law on the measure of damages, so whether a contractual cap survives will depend on the applicable national rules; but the existence of a statutory right suggests that contractual exclusions of liability for CADA infringements may be challenged as unfair or invalid, particularly in B2G (Business-to-Government) contracts where the public sector is the recipient.
For private sector entities the position is less direct: Article 24(3) refers to "recipients" in the context of the sovereignty chapter, whose procurement mandates under Article 30 primarily target the public sector. Even so, the principle of effective enforcement suggests that contractual indemnities will need to reflect this heightened standard. Providers may need to offer specific indemnities for losses arising from sovereignty failures, such as data exfiltration or unauthorized third-country access, which are central to the Union assurance levels.
Penalties and Indemnity Structures
Article 24(1) requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." Article 24(2) lists criteria for imposing these penalties, including the nature, gravity, scale, and duration of the infringement, as well as the infringing party's annual turnover.
From a contracting perspective, this means that regulatory exposure for a CADA violation sits outside any contractual liability cap: the penalty is set by the national regime, which may key it to annual turnover and can therefore be substantial. In-house counsel must therefore review indemnity clauses to ensure they cover regulatory fines and associated costs. If a provider's non-compliance leads to a penalty imposed on the customer (for example, a public sector body found to be using a service that does not meet the assurance level its Article 29 risk assessment required), the contract must clearly allocate that risk back to the provider.
Drafting for CADA Compliance
To mitigate these risks, contracts must evolve from generic "compliance with law" clauses to specific CADA-aligned warranties. Key drafting considerations include:
- Sovereignty Warranties: Providers must explicitly warrant that their service meets the specific Union assurance level required by the customer's risk assessment (as mandated by Article 29). Because the assurance levels can be amended via delegated acts under Article 16(2), the warranty should be drafted dynamically, referring to the level as defined from time to time rather than to a fixed snapshot of the criteria.
- Third-Country Control and Article 18: For providers subject to the control of a third country, a critical dependency exists. Under Annex II, 3.1(g), such providers can only qualify for Union assurance level 3 if the Commission has adopted an implementing act under Article 18 ("Associated third countries"). Contracts must include warranties that the provider is not subject to third-country control unless a valid Article 18 decision is in place. Relying on a provider's self-declaration without verifying the Article 18 status is a significant legal risk.
- Audit Cooperation: Articles 20 and 21 detail audit obligations. Contracts must include robust access clauses allowing auditing organizations and competent authorities access to premises and data, without breaching confidentiality owed to other customers. In practice this often requires a "cellular" (per-tenant) architecture or strict data isolation warranties, so that an audit of one customer's environment does not expose another's.
- Termination for Regulatory Cause: Customers should include termination rights triggered by the revocation of a provider's recognition under Article 17 or a negative audit opinion under Article 20. Conversely, providers need protection if a cessation order is issued due to factors beyond their reasonable control.
- Data Portability and Migration: Given the risk of cessation orders, contracts must prioritize seamless data portability. Article 29(6) provides that where a risk assessment requires migration, "the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months." That 12-month statutory cap applies only to Member States and Union entities; it does not automatically extend to private sector entities under Article 31. Private contracts must therefore explicitly define the migration transition period and who bears the associated costs, as the statute imposes no universal 12-month cap on commercial agreements.
What this means for you
For in-house counsel and compliance officers, the proposed CADA enforcement framework necessitates a proactive review of cloud procurement and contract management strategies.
- Conduct a Contract Audit: Review existing cloud agreements to identify gaps in sovereignty warranties. Ensure that providers explicitly warrant compliance with the relevant Union assurance levels (1–4) as defined in Annex II of the proposal.
- Verify Third-Country Status: If your provider is subject to third-country control, verify the existence of a Commission implementing act under Article 18 before accepting Union assurance level 3. Do not rely on general assurances.
- Renegotiate Liability Caps: Engage with providers to discuss liability caps in the context of Article 24(3). While you may not be able to eliminate caps entirely, you should seek carve-outs for damages resulting from CADA infringements, particularly those involving data sovereignty breaches.
- Update Risk Assessments: Under Article 29, public sector bodies must conduct risk assessments to determine the required assurance level. Ensure these assessments are documented and linked to contractual requirements. For private sector entities in critical sectors (under Article 31), similar impact assessments are encouraged, and contracts should reflect the outcomes of these assessments.
- Define Migration Timelines: For public sector contracts, align termination and migration clauses with the Article 29(6) 12-month statutory limit. For private contracts, explicitly negotiate and define the transition period, as no statutory cap exists for private entities.
- Prepare for Enforcement Scenarios: Develop incident response plans that account for regulatory cessation orders. Ensure that your contracts include clear protocols for data extraction and service migration in the event of a provider's non-compliance, minimizing downtime and business disruption.
- Monitor Provider Recognition Status: Use the central repository established under Article 22 to monitor the recognition status of your providers. Integrate this monitoring into your compliance program so that it raises an early warning if a provider's assurance level is under review or revoked.
Common misconceptions
- Misconception: CADA only applies to the public sector. While the procurement mandates in Article 30 target public sector bodies, the sovereignty framework and enforcement powers in Title IV apply to all cloud computing service providers offering services in the Union. Private sector entities, especially those in critical infrastructure sectors listed in Annex I of the NIS2 Directive, are encouraged to conduct impact assessments under Article 31 and may face similar contractual expectations from their customers.
- Misconception: Existing "compliance with law" clauses are sufficient. Generic compliance clauses do not adequately address the specific, technical sovereignty criteria of CADA. The proposal requires specific audits, data localization guarantees, and third-country control assessments. Contracts must explicitly reference CADA obligations to ensure providers are contractually bound to meet these detailed requirements.
- Misconception: Liability caps fully protect providers from CADA risks. Article 24(3) creates a statutory right to compensation. While contractual liability caps may still apply to general breaches, the specific nature of CADA infringements (e.g., data sovereignty failures) may render standard caps unenforceable or subject to challenge, particularly if the infringement is intentional or negligent. Providers cannot rely solely on standard boilerplate to shield themselves from CADA-related damages.
- Misconception: The 12-month migration rule applies to everyone. The 12-month migration limit in Article 29(6) applies strictly to "Member States and Union entities." Private sector entities are not subject to this statutory cap unless a delegated act under Article 31(3) specifically imposes it. Private contracts must define their own migration timelines.
- Misconception: Third-country providers can automatically qualify for Level 3. Providers subject to third-country control cannot qualify for Union assurance level 3 unless the Commission has adopted a specific implementing act under Article 18. Without this specific decision, such providers are ineligible for Level 3, regardless of their internal controls.
Related
- CADA Enforcement: How Article 26 Balances Powers with Fundamental Rights
- Who sets the penalty rules under CADA? Article 24 explained
- CADA Enforcement: The Commission's Coordinating Role vs. National Powers
- What records should a provider keep for CADA enforcement?
- CADA Enforcement Timeline: Designating Authorities and Notifying Penalties
This is general information about a draft EU regulation, not legal advice.