Summary
Under the proposed Cloud and AI Development Act (CADA), when a competent authority in a Member State where a cloud service is used (the "destination authority") suspects a provider no longer meets Union assurance criteria, the authority of the provider's main establishment (the "establishment authority") must respond with a formal report. Article 28(4) mandates that this authority communicate its assessment of the suspected infringement and an explanation of any investigatory or enforcement measures taken or envisaged to both the requesting authority and the Commission. This report must be delivered "as soon as possible and in any event not later than two months" after receiving the request, unless the clock is suspended due to a request for additional information under Article 28(3).
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. To ensure this framework is applied consistently across the single market, Title IV, Chapter I, Section 5 introduces a robust mechanism for cross-border cooperation. Article 28 is the operational core of this mechanism, defining the obligations of the "establishment authority" when a "destination authority" raises concerns about a cloud provider's compliance.
The Trigger: Suspected Non-Compliance
The reporting obligation is triggered when a competent authority of a Member State where a cloud computing service is used (the destination authority) has reason to suspect that a provider no longer fulfils the requirements set out in Annex II of the Regulation. These requirements cover the four Union assurance levels (1 through 4) regarding establishment, infrastructure location, data localisation, personnel citizenship, cybersecurity certification, and absence of third-country control.
Upon forming such a suspicion, the destination authority may request the competent authority of the Member State where the provider has its main establishment (the establishment authority) to assess the matter and take necessary measures. The Commission also retains the power to initiate such a request directly.
The Core Reporting Obligation: Article 28(4)
Article 28(4) sets out the precise content of the response required from the establishment authority. The provision states that the authority must communicate two specific elements:
- Its assessment of the suspected infringement: This is the establishment authority's formal conclusion regarding the validity of the suspicion. It must determine whether the provider actually fails to meet the criteria of the relevant Union assurance level.
- An explanation of any investigatory or enforcement measures taken or envisaged: The report must detail the actions the authority has already undertaken (e.g., inspections, requests for information) or plans to undertake (e.g., ordering the cessation of infringements, imposing fines, or revoking recognition) to ensure compliance.
This dual requirement ensures that the requesting authority receives not just a "yes/no" answer, but a transparent account of the regulatory response. It prevents the situation where a destination authority suspects a breach but receives no information on how the home authority is addressing it.
The Recipients: Dual Reporting
The regulation mandates that this communication be sent to two distinct recipients to ensure both local and Union-level oversight:
- The competent authority that sent the request: This allows the destination authority to understand the outcome and, if necessary, take local protective measures (such as suspending the use of the service within its jurisdiction) while the enforcement action is ongoing.
- The Commission: This ensures the European Commission maintains visibility over systemic risks, patterns of non-compliance, and the consistent application of the sovereignty framework across the Union.
The Deadline and Suspension Mechanism
Time is critical in maintaining the integrity of the sovereignty framework. Article 28(4) imposes a strict deadline: the establishment authority must communicate its assessment and measures "as soon as possible and in any event not later than two months after receipt of the request."
However, the proposal includes a safeguard to ensure assessments are based on complete information. Article 28(3) provides a suspension mechanism. If the establishment authority considers the information provided in the initial request to be insufficient, it may request additional information. In such cases, the two-month period is suspended from the date the request for additional information is issued until the date the information is received. This prevents authorities from being forced to make rushed assessments based on incomplete data, while incentivising destination authorities to provide well-reasoned, comprehensive initial requests.
The Nature of the Request
It is important to note that the process is not open to arbitrary interference. Article 28(3) stipulates that requests under this article must be "duly reasoned." A destination authority cannot make frivolous requests; it must provide a substantive basis for its suspicion. Conversely, the establishment authority is legally bound to "duly take into account" these requests. It cannot ignore them and must engage in the assessment process and report back within the statutory timeframe.
What this means for you
For in-house counsel, compliance officers, and cloud computing service providers, the cross-border cooperation mechanism in Article 28 has significant operational and strategic implications:
- Centralised Enforcement, Decentralised Triggers: While Article 25(4) grants the establishment authority exclusive competence for enforcing the sovereignty framework, any Member State where the service is used can trigger an investigation. Providers must maintain a unified compliance posture across all EU markets, as a suspicion in one Member State can activate the full Article 28 process.
- Documentation Readiness is Critical: The establishment authority's assessment under Article 28(4) will rely heavily on evidence. Providers must ensure their audit trails, security logs, sovereignty compliance documentation, and personnel records are readily accessible and accurate. Delays in providing this information can trigger the suspension of the two-month clock, prolonging uncertainty.
- Monitoring the "Two-Month" Clock: If a destination authority raises a concern, providers should monitor the interaction between the two authorities. If the establishment authority requests additional information, the deadline is paused. This period should be used to ensure all supplementary data is provided accurately to avoid further delays or a negative assessment.
- High Stakes of Enforcement Measures: The "measures taken or envisaged" reported under Article 28(4) can include severe consequences. Under Article 26, competent authorities have the power to order the cessation of infringements, impose fines, and revoke recognition. Losing recognition at the Union level under Article 17 would effectively bar a provider from public sector contracts across the EU, as Article 30 mandates that contracting authorities procure only recognised services.
- Strategic Communication: Since the report goes to both the requester and the Commission, providers should be prepared for a coordinated regulatory response. A negative assessment in one jurisdiction could quickly become a Union-wide issue if the Commission identifies a pattern.
Common misconceptions
- "The destination authority can enforce directly." Incorrect. Under CADA, the establishment authority holds exclusive competence for enforcing the sovereignty framework (Article 25(4)). The destination authority can only request an assessment and enforcement action from the establishment authority. They cannot impose fines or revoke recognition themselves.
- "The two-month deadline is fixed and unchangeable." Incorrect. The deadline can be suspended if the establishment authority deems the initial request insufficient and requests additional information under Article 28(3). The clock stops until the information is received.
- "Only the requesting authority gets the report." Incorrect. Article 28(4) explicitly requires the report to be sent to both the requesting authority and the Commission. This ensures the Commission maintains visibility over cross-border compliance issues and can intervene if necessary.
- "The establishment authority can ignore the request if it disagrees with the suspicion." Incorrect. Article 28(3) requires the establishment authority to "duly take into account" the request. Even if the final assessment concludes there is no infringement, the authority must still communicate that assessment and any measures taken (or the decision not to take measures) within the two-month timeframe.
This is general information about a draft EU regulation, not legal advice.