Summary
Under the proposed Cloud and AI Development Act (CADA), national competent authorities (NCAs) serve as the enforcement and supervisory backbone of the cloud sovereignty framework, but they do not conduct the risk assessments themselves. Under Article 29 as proposed, the legal obligation to carry out risk assessments falls squarely on Member States and Union entities, which determine which public sector activities require higher Union assurance levels. The NCAs, designated by Member States under Article 25, supervise cloud computing service providers (CSPs) through recognition and audits (Articles 17, 20) and enforce compliance via penalties (Article 24). Crucially, NCAs coordinate cross-border oversight under Articles 27 and 28, ensuring that a risk assessment conducted in one Member State is respected and enforced against providers established in another.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a distinct separation of powers between the entities that identify risk and the authorities that enforce the resulting sovereignty requirements. Understanding this division is essential for legal compliance, as the "risk assessor" and the "regulator" are different actors under the draft regulation.
The Distinction: Assessors vs. Enforcers
The draft regulation explicitly delineates responsibilities to ensure that the determination of public-order risks remains a sovereign decision of the Member State, while the technical verification of cloud providers remains a harmonized Union function.
1. The Assessors: Member States and Union Entities (Article 29)
The primary actors in the risk assessment process are Member States and Union entities, not the NCAs. Article 29(1) mandates that these bodies carry out risk assessments within one year of the regulation's entry into force, and subsequently every two years or whenever necessary. The purpose of these assessments is to:
- Identify public sector activities that contribute to the preservation of public order (e.g., national security, defense, justice, law enforcement, and sectors listed in Annex I or II of Directive (EU) 2022/2555).
- Determine the appropriate Union assurance level (2, 3, or 4) required for those specific activities.
Under Article 29(2), these assessments must consider the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful third-country access or service disruption. While the Commission provides guidance and methodology via implementing acts (Article 29(3)), and retains the power to override a Member State's determination if it deems the assurance level inadequate (Article 29(5)), the initial and recurring duty to assess lies with the public sector bodies themselves.
2. The Enforcers: National Competent Authorities (Articles 25–28)
Once a risk assessment determines that a specific activity requires a higher assurance level (e.g., Level 3), the contracting authority must procure only services recognized at that level. This is where the NCA becomes the pivotal actor. Article 25 requires Member States to designate one or more NCAs responsible for enforcing the sovereignty framework (Title IV, Chapter I). These authorities are granted exclusive competence for enforcement in the Member State where the CSP has its main establishment (Article 25(4)).
The NCA's role is not to decide which services are needed, but to verify whether providers meet the criteria for the levels identified in the risk assessment. This verification occurs through the recognition mechanism detailed in Article 17.
The Recognition Mechanism: Linking Assessment to Compliance
The operational link between the Member State's risk assessment and the NCA's enforcement is the recognition of cloud computing services.
- Application and Evaluation: Under Article 17(1), a CSP seeking recognition at Level 1, 2, 3, or 4 must submit an application to the NCA of its establishment. For Levels 2, 3, and 4, this requires an independent audit report and a "positive" audit opinion (Article 17(4)).
- The NCA's Gatekeeping Role: The evaluating NCA assesses the evidence submitted. If the evidence is sufficient, the NCA prepares a draft recognition decision (Article 17(5)). This decision is then subject to a 60-day review period where other Member States' NCAs can raise reasoned objections (Article 17(6)).
- Union-Wide Effect: If no objections are raised, the service is recognized across the Union. Thus, the NCA acts as the technical gatekeeper ensuring that the providers available to the public sector actually meet the criteria (Annex II of the regulation) that the Member State's risk assessment deemed necessary.
If a Member State's risk assessment under Article 29 concludes that a sector requires Level 3, the NCA ensures that only providers successfully recognized at Level 3 (or 4) are available for procurement. If a provider fails to maintain these standards, the NCA has the power to revoke recognition (Article 17(11)), effectively removing them from the market for that assurance level.
Member State Coordination and Cross-Border Oversight
Because cloud services are inherently cross-border, CADA establishes robust mechanisms for NCAs to cooperate, ensuring that a risk assessment in one country is not undermined by a provider established in another.
1. Mutual Assistance (Article 27)
Article 27 establishes a framework for mutual assistance. If an NCA in one Member State needs information held by an NCA in another to exercise its investigative powers, it can request it. The receiving authority must comply and inform the establishment NCA of the action taken within two months. This ensures that NCAs can gather the evidence needed to verify compliance with the assurance levels mandated by risk assessments.
2. Cross-Border Cooperation (Article 28)
Article 28 addresses the scenario where a destination Member State (where the service is used) suspects non-compliance. If an NCA in a destination state suspects that a CSP no longer fulfills the criteria of Annex II (e.g., the provider no longer meets the Level 3 requirements identified in a risk assessment), it may request the NCA of the provider's establishment to assess the matter.
- The establishment NCA must take necessary investigatory and enforcement measures.
- The establishment NCA must communicate its assessment and any measures taken within two months (Article 28(4)).
- This mechanism ensures that the sovereignty requirements derived from a Member State's risk assessment are enforced even if the provider is physically located in a different jurisdiction.
Penalties and Enforcement Powers
The NCAs are empowered with significant investigative and enforcement tools to ensure compliance with the framework. Article 24 mandates that Member States lay down rules on penalties for infringements by CSPs, which must be effective, proportionate, and dissuasive.
Under Article 26, NCAs possess specific powers, including:
- Investigative Powers: The power to require information, inspect premises, and seize copies of information relating to suspected infringements.
- Enforcement Powers: The power to order the cessation of infringements, impose remedies, and impose fines or periodic penalty payments.
If a CSP provides incorrect information during the recognition process or fails to maintain the assurance level required by a Member State's risk assessment, the NCA can revoke recognition (Article 17(11)). This revocation is published in the central repository (Article 22), creating a public record that prevents the provider from being used for public procurement requiring that assurance level.
What this means for you
For legal counsel, compliance officers, and public procurement teams, the separation of roles between Member States (assessors) and NCAs (enforcers) dictates a dual-track compliance strategy.
- Track Member State Risk Assessments (Article 29): Your primary external risk is the reclassification of your sector by the Member State. If a Member State updates its risk assessment under Article 29 to require a higher assurance level (e.g., moving from Level 2 to Level 3 for healthcare data), your current contracts may become non-compliant. Article 29(6) allows a maximum 12-month transition period for migration. You must monitor these national assessments closely to anticipate procurement shifts.
- Engage the NCA of Establishment: Your relationship with the NCA in the Member State where your main establishment is located is critical. Under Article 25(4), this NCA has exclusive competence for enforcement. Ensure your audit evidence (for Levels 2–4) is robust and aligns with Annex II, as the NCA will validate your recognition under Article 17. Any deficiency here can lead to revocation.
- Prepare for Cross-Border Scrutiny: Do not assume that compliance with your home NCA is sufficient. Under Article 28, an NCA in any Member State where you operate can trigger an investigation if they suspect non-compliance. Maintain consistent compliance standards across all jurisdictions to avoid triggering cross-border enforcement actions that could jeopardize your Union-wide recognition.
- Audit Readiness is Non-Negotiable: For Levels 2, 3, and 4, independent audits are mandatory (Article 20). The NCA relies entirely on these audit reports for recognition. Ensure your chosen auditing organization meets the strict independence and competence requirements of Article 20(4). A "negative" audit opinion or a failure to cooperate with the auditor can block recognition entirely.
Common misconceptions
- Misconception: "The NCA conducts the risk assessment for our public sector clients."
- Reality: No. Article 29 explicitly places the obligation on Member States and Union entities to conduct risk assessments. The NCA's role is strictly to enforce the outcomes of those assessments by managing the recognition of service providers and penalizing non-compliance.
- Misconception: "Once recognized by one NCA, we are immune from scrutiny by others."
- Reality: While recognition is Union-wide, Article 28 allows any NCA in a destination Member State to challenge a provider's compliance. If a destination NCA suspects non-compliance, it can request the establishment NCA to investigate and potentially revoke recognition.
- Misconception: "Risk assessments are a one-time event."
- Reality: Article 29(1) mandates that risk assessments be carried out every two years, or whenever necessary. Compliance officers must prepare for periodic re-evaluations that could shift assurance level requirements, triggering migration obligations.
- Misconception: "NCAs have unlimited discretion to set assurance levels."
- Reality: NCAs do not set the levels; they verify compliance against the levels determined by the Member State's risk assessment. The Commission also retains the power to specify the required level if a Member State's assessment is deemed inadequate (Article 29(5)).
Related
- Who sets the methodology for CADA risk assessments?
- Who must carry out risk assessments under Article 29 of CADA?
- What templates must be used for CADA risk assessments?
- CADA Risk Assessments: What Cloud Providers Must Know
- CADA Risk Assessments: How Article 29 Drives Digital Sovereignty
This is general information about a draft EU regulation, not legal advice.