Summary

Under the proposed Cloud and AI Development Act (CADA), the EU establishes the substantive standards for cloud sovereignty, but national law plays the decisive role in defining the procedural framework for enforcement and the specific rules on penalties. As proposed in Article 26(4), Member States must set out specific rules and procedures for the exercise of investigative and enforcement powers, ensuring these measures are subject to adequate safeguards under applicable national law and the general principles of Union law (including rights of defence and access to the file). Furthermore, Article 24 mandates that Member States lay down the rules on penalties for infringements, requiring them to be "effective, proportionate and dissuasive," without the EU setting fixed maximum fines. This creates a dual-layer compliance landscape where providers must navigate harmonised EU criteria alongside divergent national procedural safeguards and penalty regimes.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty across the Union. However, the legislative design deliberately decentralises the mechanics of enforcement. While the substantive criteria for Union assurance levels are uniform, the process of investigation, the procedural rights of providers, and the quantum of penalties are largely determined by national law. For legal counsel and compliance officers, understanding this interplay is critical for managing regulatory risk.

Procedural Safeguards and Investigative Powers (Article 26)

Article 26 of the CADA proposal grants national competent authorities (NCAs) substantial powers to supervise cloud computing service providers. These powers include the ability to require information, conduct inspections of premises, seize or obtain copies of information, and order the cessation of infringements. However, the exercise of these powers is not unconditional; it is strictly bounded by national procedural law.

Article 26(4) is the cornerstone of this procedural framework. It explicitly states that Member States "shall set out specific rules and procedures for the exercise of the powers pursuant to paragraphs 1 and 2." Crucially, the provision mandates that "any exercise of those powers is subject to adequate safeguards under applicable national law in compliance with the general principles of Union law."

The text of Article 26(4) enumerates specific rights that must be protected under these national safeguards:

  • The right to respect for private life.
  • The rights of defence.
  • The right to be heard.
  • The right to have access to the file.
  • The right of all affected parties to an effective judicial remedy.

This creates a scenario where the scope of an investigation (e.g., what data can be requested) is defined by CADA, but the process (e.g., notice periods, the requirement for a judicial warrant, the specific mechanisms for challenging an authority's actions) is determined by the national law of the Member State where the NCA operates. For instance, one Member State might require a judicial warrant before an NCA can inspect premises, while another might allow administrative authorities to conduct such inspections subject to subsequent judicial review. Compliance teams must therefore monitor the specific administrative and judicial review laws in the Member State of their main establishment to understand the precise procedural rights and obligations that will apply.

Penalties and Compensation (Article 24)

Unlike the EU AI Act, which sets specific maximum fines (e.g., up to €35 million or 7% of total worldwide annual turnover, whichever is higher), the CADA proposal does not harmonise the monetary values or types of penalties. Instead, Article 24 places the onus on Member States to lay down the rules on penalties applicable to infringements of the sovereignty framework (Title IV, Chapter I).

Article 24(1) requires that these penalties be "effective, proportionate and dissuasive." Member States must notify the Commission of these rules and any subsequent amendments. While the EU does not set a cap, Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account when imposing penalties. These criteria include:

  • The nature, gravity, scale and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage caused.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Because the specific penalty structures are set nationally, a cloud computing service provider could face significantly different financial exposures for the same substantive breach depending on the Member State where the competent authority is located. One jurisdiction might impose a fixed maximum fine, while another might tie the fine to a percentage of global turnover, mirroring the approach of the GDPR or the AI Act.

The Role of National Competent Authorities and Exclusive Competence

The enforcement architecture relies on Article 25, which designates one or more national competent authorities in each Member State. Crucially, Article 25(4) establishes the "main establishment" rule: the Member State where the cloud computing service provider has its main establishment (head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter.

This "single point of entry" model simplifies oversight for providers by ensuring they are primarily regulated by one authority. However, it also concentrates risk. The procedural laws of that specific Member State become the primary lens through which all enforcement actions will be viewed and challenged. If a provider is based in Germany, German administrative law and procedural safeguards will govern the investigation, even if the infringement affects users across the entire Union.

What this means for you

For in-house counsel and compliance officers, the reliance on national law for enforcement procedures necessitates a nuanced, multi-jurisdictional strategy.

  1. Map National Procedural Laws: Do not assume a uniform investigative process across the EU. Identify the specific administrative and judicial review laws in the Member State where your main establishment is located. Understand the precise safeguards for data seizures, employee interviews, and premises inspections under that national law.
  2. Monitor Penalty Frameworks: Since Article 24 requires Member States to define their own penalties, track legislative developments in key jurisdictions. Assess whether your current risk models account for the highest potential penalty exposure across all relevant Member States, as the "effective, proportionate and dissuasive" standard could be interpreted differently in different legal systems.
  3. Prepare for Judicial Review: Article 26(4) guarantees the right to an effective judicial remedy. Ensure your internal escalation protocols include immediate legal intervention when an authority exercises investigative powers, to preserve rights of defence and access to the file.
  4. Document Mitigation Efforts: Article 24(2)(b) lists actions taken to mitigate damage as a key criterion for penalties. Maintain robust records of any corrective actions taken following an audit finding or regulatory notice, as this can directly influence the severity of national penalties.

Common misconceptions

Misconception 1: CADA harmonises penalty amounts across the EU. Incorrect. While CADA harmonises the criteria for sovereignty assurance levels and the factors to consider when setting penalties (Article 24(2)), it explicitly leaves the determination of specific penalty rules and amounts to Member States (Article 24(1)). Penalties will likely vary significantly across the Union, unlike the fixed caps in the AI Act.

Misconception 2: EU law overrides all national procedural safeguards. Incorrect. Article 26(4) explicitly requires that any exercise of investigative and enforcement powers be subject to adequate safeguards under applicable national law, in compliance with the general principles of Union law. National procedural rights, such as specific notice requirements or judicial oversight mechanisms, remain integral to the enforcement process and cannot be set aside by the national competent authority exercising CADA powers.

Misconception 3: Only the substantive sovereignty rules matter for compliance. Incorrect. Procedural compliance is equally critical. A failure to adhere to national procedural safeguards during an investigation can lead to the exclusion of evidence or the overturning of penalties in judicial review. Ignoring national procedural law can be as costly as violating the substantive sovereignty criteria.

This is general information about a draft EU regulation, not legal advice.