Summary CADA is a proposal (COM(2026) 502 final) and is not yet in force. As proposed, Article 24(3) would give recipients of cloud computing services — including public sector bodies and Union entities — a direct right to seek compensation from a provider for any damage or loss they suffer because the provider infringed its obligations under the cloud computing sovereignty framework (Title IV, Chapter I). The right would be exercised "in accordance with Union and national law", so CADA would create the entitlement while leaving the procedure (where you sue, the time limits, the burden of proof) to existing national civil law. It would sit alongside, and be independent of, the administrative penalties that national authorities could impose under Article 24(1)-(2).

Detail

CADA, as proposed, would build a sovereignty framework for cloud services used by the public sector, organised around four "Union assurance levels" (Levels 1-4) that providers must meet to serve Union entities and public sector bodies. The enforcement backstop is Article 24 ("Penalties and compensation"), which would run on two independent tracks: administrative penalties imposed by national authorities, and civil compensation claimed by those who suffer harm.

The right itself (Article 24(3))

As proposed, Article 24(3) would provide:

"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

Several features stand out:

  1. A direct right. It would expressly give "recipients" — which in this framework includes public sector bodies, contracting authorities and Union entities — standing to seek compensation. You would not have to wait for a regulator to issue a fine before pursuing your own civil remedy.
  2. A broad measure of harm. The right would cover "any damage or loss." That wording is wide enough to reach financial loss, operational disruption, and costs such as migrating to a compliant provider, where they flow from the infringement.
  3. A specific basis. The claim would rest on an infringement of "obligations under this Chapter" — Title IV, Chapter I, which covers the Union assurance levels, the recognition procedure, independent audits, transparency duties and the central repository. If a provider held out a service as recognised at, say, Level 3 but failed to meet the Annex II criteria, and that failure harmed you, you would have a basis to claim.
  4. National procedure. "In accordance with Union and national law" means CADA would create the right but leave the mechanics — limitation periods, burden of proof, jurisdiction — to the civil law of the Member State where the claim is brought. CADA would harmonise the entitlement, not the litigation.

Penalties versus compensation

It helps to keep the two halves of Article 24 apart:

  • Article 24(1)-(2): administrative penalties. Fines that national competent authorities could impose on a provider that infringes the rules. Member States would set these so they are "effective, proportionate and dissuasive", weighing the non-exhaustive factors in Article 24(2) (gravity, mitigation, prior infringements, financial benefit, Union turnover, and any other relevant factor). This money is owed to the state.
  • Article 24(3): civil compensation. Money the provider would pay to you, the recipient, to make good your loss.

The two could operate at the same time: a provider might be fined by a regulator and, separately, be ordered to compensate an affected public sector body. They serve different purposes, too. A penalty looks backward at the provider's wrongdoing and forward at deterrence; it is owed to the public purse and does not, by itself, repair your loss. Compensation is purely about you — restoring the recipient to the position it would have occupied had the obligation been met. That distinction matters in practice: a regulator might decide an infringement was minor and impose a modest fine, yet the same infringement could still have caused you significant, recoverable loss. Conversely, an authority's decision that an infringement occurred could be useful evidence in your own claim, even though CADA would not make it automatically binding on a civil court.

What kinds of infringement could trigger a claim

Because Article 24(3) is tied to obligations under Title IV, Chapter I, the triggering breaches would be those of the sovereignty framework, for example:

  • Recognition (Article 17): operating without valid recognition, or after a recognition is revoked, for the assurance level claimed.
  • Audit obligations (Articles 20-21): for Levels 2, 3 and 4, failing to obtain or sustain a "positive" independent audit opinion, or supplying misleading audit evidence.
  • Transparency (Article 23): failing to report, promptly, a material change that may affect the assurance level.
  • Assurance-level criteria (Annex II): breaching the cumulative criteria for the claimed level — for example, conditions on data location, on personnel, and on the absence of third-country control that bear on the higher levels (with Level 3 eligibility for third-country-controlled services governed by Article 18). A breach of these criteria could ground a claim where it causes damage.

What this means for you

For public-sector procurement officers and legal teams, Article 24(3) would change the risk picture of cloud procurement.

  1. Use it as contractual leverage. When procuring services that require Levels 2, 3 or 4, you can reference the proposed Article 24(3) right in your strategy and contracts — noting that CADA is not yet in force — and align damages clauses with it, for instance covering emergency-migration and service-interruption costs.
  2. Make the right usable through due diligence. Compensation is reactive; detecting infringement is the precondition. Check the central repository (which the Commission would maintain under Article 22) to confirm a service is currently recognised at the level you need; insist on evidence of a positive audit opinion for Levels 2-4; and hold providers to their Article 23 duty to report material changes (such as changes to subcontractors, infrastructure location or ownership that could affect third-country control).
  3. Get the risk assessment right first. Your risk assessments under Article 29 would determine the assurance level you must procure. If you procure Level 1 for a use case that needed Level 3, you would have no claim against the provider for failing to deliver Level 3 — they were only engaged for Level 1. Accurate risk assessment is the first step to preserving the right.
  4. Expect to litigate under national law. Because CADA is a Regulation, the right would apply EU-wide, but you would still pursue a claim under the national civil law indicated by the "in accordance with... national law" clause.

Common misconceptions

"Compensation is automatic." Article 24(3) would grant the right to seek compensation, not an automatic payout. You would still have to show an infringement, damage or loss, and a causal link — typically through proceedings governed by national civil procedure.

"Only the Commission can hold providers to account." Administrative enforcement would rest with national competent authorities (Article 25), not the Commission, and compensation claims would be brought by recipients — you — not by the Commission. The Commission's role is coordination and the central repository (Article 22); it would not handle individual compensation claims.

"This applies to any cloud problem." Article 24(3) would attach to infringements of Title IV, Chapter I — the sovereignty framework. Ordinary SLA or commercial-contract breaches that fall outside CADA's sovereignty, audit and recognition obligations would be matters for general contract law, not Article 24(3).

"Third-country providers are exempt." The framework applies to any provider seeking to serve Union entities and public sector bodies, including third-country-controlled providers (whose recognition at Level 3 is governed by Article 18, with the strictest conditions at Levels 3 and 4). A provider that falsely claimed compliance and caused damage would still be exposed to a claim under Article 24(3).

Related

This is general information about a draft EU regulation, not legal advice.