CADA Enforcement Timeline

Summary Under the proposed Cloud and AI Development Act (CADA), Member States face two distinct but critical deadlines regarding enforcement. First, Article 25(1) mandates that Member States designate one or more national competent authorities to enforce the cloud sovereignty framework within one year of the Regulation's entry into force. Second, regarding sanctions, Article 24(1) requires Member States to notify the Commission of their penalty rules "as soon as possible" after the Regulation becomes applicable. This notification duty is continuous; Member States must also report any subsequent amendments to these rules. These timelines ensure that supervisory infrastructure is in place before the substantive obligations for cloud providers fully take effect.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework to strengthen the EU's cloud and AI ecosystem, with a specific focus on sovereignty, data localisation, and public sector procurement. To ensure this framework is enforceable, the proposal assigns specific, time-bound duties to Member States regarding the designation of supervisory bodies and the transparency of their enforcement regimes. These obligations are primarily detailed in Title IV, Chapter I, Section 4 (National Competent Authorities) and Section 1 (Penalties and Compensation) of the proposal.

Designation of National Competent Authorities

Article 25 of the CADA proposal sets out the obligations for Member States to establish the supervisory infrastructure necessary to enforce the cloud computing sovereignty framework. The proposal recognises that effective enforcement requires dedicated national bodies with clear mandates.

Article 25(1) establishes a firm deadline for this designation:

"By [P.O. insert date of entry into force plus 1 year], Member States shall designate one or more national competent authorities responsible for enforcing this Chapter. To that effect, Member States may designate an existing authority or existing authorities ('competent authorities')."

This provision offers administrative flexibility while maintaining a strict timeline. Member States are not required to create entirely new bodies from scratch; they may designate existing authorities (such as data protection authorities, cybersecurity agencies, or market surveillance bodies), provided these bodies are granted the necessary mandate. However, the deadline is non-negotiable: the designation must be completed within one year of the Regulation's entry into force.

Once designated, these authorities must be formally communicated to the EU level. Article 25(2) requires Member States to notify the Commission of the names of the competent authorities and their specific tasks and powers. The Commission is then obligated to maintain a public register of these authorities, ensuring transparency for market participants, auditing organisations, and other Member States.

Crucially, the proposal defines the scope of jurisdiction to prevent regulatory fragmentation. Article 25(4) clarifies the "main establishment" rule:

"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."

This "single point of contact" model ensures that a provider is regulated by a single national authority, mirroring mechanisms found in other EU digital legislation like the GDPR and the NIS2 Directive.

Notification of Penalty Rules

The enforcement of CADA's sovereignty requirements is backed by a penalty regime outlined in Article 24. This article empowers Member States to impose penalties on cloud computing service providers that infringe the provisions of the sovereignty chapter. The proposal emphasises that these penalties must be "effective, proportionate and dissuasive."

Article 24(1) imposes a specific notification obligation on Member States:

"Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, as soon as possible, notify the Commission of those rules and of those measures and shall notify the Commission of any subsequent amendment affecting them."

This provision contains three distinct obligations for legal and compliance teams to note:

1. Initial Notification: Member States must notify the Commission of their penalty rules "as soon as possible" after the Regulation becomes applicable. Unlike the designation of authorities, which has a fixed calendar deadline (one year from entry into force), the penalty notification is tied to the application of the Regulation. The phrase "as soon as possible" implies a duty of immediate action following the date the rules become binding on providers, rather than a fixed number of days.
2. Content of Notification: The notification must cover both the substantive rules on penalties and the administrative or legal measures taken to ensure their implementation.
3. Ongoing Duty: The obligation is continuous. Member States must notify the Commission of any subsequent amendment affecting these rules. This creates a dynamic compliance loop for national legislators and regulators, ensuring the Commission's oversight remains current as national laws evolve.

To guide Member States in setting these penalties, Article 24(2) lists non-exhaustive criteria for their imposition, including:

• The nature, gravity, scale, and duration of the infringement.
• Any action taken by the infringing party to mitigate or remedy the damage.
• Any previous infringements by the infringing party.
• The financial benefits gained or losses avoided due to the infringement.
• The infringing party's annual turnover in the preceding financial year in the Union.

Entry into Force and Application Context

Understanding these deadlines requires contextualising them within the Regulation's overall timeline, as defined in Article 48.

• Entry into Force: The Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.
• Application: The Regulation shall apply from a date one year after its entry into force.

Consequently, the timeline for Article 25(1) (designation of authorities) is calculated from the entry into force date. This means authorities must be designated roughly one year and 20 days after publication, but before the substantive obligations for cloud providers fully kick in. This ensures that the supervisory infrastructure is ready before providers are required to seek recognition or comply with sovereignty levels.

In contrast, the notification of penalty rules under Article 24(1) is tied to the application date. Since the Regulation applies one year after entry into force, Member States must notify the Commission of their penalty regimes shortly after that one-year mark. This ensures that when providers become subject to the rules, the penalty framework is already established and transparent.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, these timelines are critical for mapping your regulatory risk landscape and preparing for enforcement.

1. Identify Your Competent Authority Early: Because Article 25(4) assigns exclusive competence to the Member State of your main establishment, you must identify which national authority will regulate you well in advance. Once that authority is designated (within one year of entry into force), it will be your primary interlocutor for recognition applications under Article 17 and for any enforcement actions. You should monitor the public register maintained by the Commission to confirm the identity of this authority as soon as the designation deadline passes.
2. Monitor National Penalty Regimes Proactively: Since Article 24(1) requires Member States to notify penalty rules "as soon as possible," these regimes may be implemented at different speeds across the EU. You should proactively track national legislative developments in the Member States where you have your main establishment. The criteria in Article 24(2) indicate that penalties can be significant, factoring in annual turnover and financial benefits gained from non-compliance.
3. Prepare for a Dynamic Regulatory Environment: The ongoing duty to notify amendments means that penalty frameworks may evolve rapidly as national authorities gain experience with enforcement. Compliance programs should include regular reviews of national penalty laws in relevant jurisdictions to ensure internal policies remain aligned with the latest "effective, proportionate and dissuasive" standards.
4. Align with the "Main Establishment" Test: Ensure your corporate structure and operational control are clearly documented. The definition of "main establishment" in Article 25(4) focuses on where principal financial functions and operational control are exercised, not just where a legal entity is registered. Misalignment here could lead to jurisdictional disputes or unexpected regulatory oversight.

Common misconceptions

Misconception 1: Member States have a fixed calendar deadline to notify penalty rules. The text of Article 24(1) uses the phrase "as soon as possible" rather than a specific number of days or months (e.g., "within 6 months"). This differs from the hard deadline for authority designation. While this creates some uncertainty regarding the exact date, it generally implies that notification should occur concurrently with or immediately after the national measures are finalised and the Regulation becomes applicable.

Misconception 2: Cloud providers can choose which Member State's authority regulates them. No. Article 25(4) explicitly grants exclusive competence to the Member State where the provider has its "main establishment." This is defined as the head office or registered office from which principal financial functions and operational control are exercised. Providers cannot "shop" for a more lenient regulator by establishing a nominal presence in another Member State if their operational control remains elsewhere.

Misconception 3: The penalty notification is a one-time event. Article 24(1) explicitly states that Member States "shall notify the Commission of any subsequent amendment affecting them." This creates a dynamic regulatory environment where penalty rules can change, and those changes must be formally reported to the Commission. Compliance officers must treat national penalty laws as living documents that require continuous monitoring.

Misconception 4: Authorities must be designated before the Regulation enters into force. The deadline in Article 25(1) is "one year after entry into force," not before. The Regulation enters into force 20 days after publication, but the substantive rules apply one year later. This one-year window is designed to give Member States time to designate authorities before the rules become applicable to providers.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• CADA Enforcement: How National Law Shapes Penalties and Procedures
• What is the role of judicial authorities in CADA enforcement?
• CADA Enforcement: Explanatory Memorandum view on NCAs, penalties & cross-border cooperation
• What enforcement powers do CADA authorities have?
• CADA Enforcement: What Compliance Officers Must Know About Penalties & Powers

This is general information about a draft EU regulation, not legal advice.