Summary Under the proposed Cloud and AI Development Act (CADA), national competent authorities designated by Member States have specific, time-bound reporting and cooperation obligations toward the European Commission. As proposed in Article 25(2), authorities must notify the Commission of their names, tasks, and powers, which the Commission will then publish in a public register. Article 27(1) mandates close cooperation and mutual assistance, including the exchange of information, to ensure consistent application of the sovereignty framework. Crucially, Article 28(4) requires authorities to report their assessment of suspected infringements and any enforcement measures taken to the Commission within two months of receiving a cross-border cooperation request. These mechanisms ensure the Commission retains oversight of the EU-wide cloud sovereignty framework.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonized framework for cloud computing sovereignty. Because cloud services often operate across multiple Member States, the proposal relies on a network of national competent authorities working in tandem with the European Commission. The draft regulation delineates clear, mandatory obligations for these authorities to maintain transparency, facilitate cross-border enforcement, and ensure the Commission is kept informed of all supervisory activities.

Notification and the Public Register (Article 25)

The foundational obligation for national competent authorities lies in their formal designation and immediate notification to the Commission. Under Article 25, Member States are required to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. This designation must occur by the date of entry into force of the Regulation plus one year. These authorities may be existing bodies (such as data protection or cybersecurity authorities) or newly created entities, provided they possess the necessary resources and expertise.

Crucially, Article 25(2) stipulates that Member States must notify the Commission of the names of the competent authorities, along with their specific tasks and powers. This notification is not merely an administrative formality; it is the trigger for the Commission to maintain a public register of these authorities. This register serves as a central point of reference for stakeholders, including cloud computing service providers, other Member States, and the public, ensuring transparency regarding who holds supervisory power in each jurisdiction.

By mandating this disclosure, CADA aims to prevent regulatory ambiguity. It ensures that providers know exactly which authority has exclusive competence for enforcing the sovereignty framework in the Member State where their main establishment is located. The Commission's role in maintaining this register ensures that the landscape of enforcement is visible and up-to-date across the Union.

Mutual Assistance and Information Exchange (Article 27)

Effective supervision of cloud services, which frequently operate across borders, requires seamless cooperation between national authorities and the Commission. Article 27 establishes the principles of mutual assistance. Article 27(1) explicitly states that competent authorities and the Commission shall cooperate closely and provide each other with mutual assistance to apply the sovereignty framework in a consistent and efficient manner. This cooperation explicitly includes the exchange of information.

This provision is vital for addressing the cross-border nature of cloud infrastructure. If a competent authority in one Member State suspects an infringement by a provider established in another Member State, Article 27(2) allows it to request specific information from the authority in the provider's home Member State. The receiving authority is obligated to comply with such requests and inform the authority of establishment about the action taken as soon as possible, and no later than two months after receipt of the request, unless duly justified. This timeline ensures that investigations are not stalled by bureaucratic delays, allowing for timely enforcement actions and preventing regulatory arbitrage.

Cross-Border Cooperation and Reporting (Article 28)

Article 28 governs cross-border cooperation, particularly in scenarios where a competent authority in a destination Member State suspects that a cloud computing service no longer fulfills the requirements of the sovereignty framework. In such cases, the destination authority may request the competent authority of establishment to assess the matter and take necessary investigatory and enforcement measures.

The obligation to report back to the Commission is a key feature of this process, ensuring EU-level oversight. Under Article 28(4), the competent authority of establishment must, as soon as possible and in any event not later than two months after receipt of the request, communicate to the requesting authority and the Commission its assessment of the suspected infringement. This communication must include an explanation of any investigatory or enforcement measures taken or envisaged to ensure compliance.

This reporting requirement ensures that the Commission retains oversight of cross-border enforcement actions. It allows the Commission to monitor whether national authorities are acting consistently and effectively to protect public order and data sovereignty. If the competent authority of establishment considers the information provided by the requesting authority to be insufficient, it may request additional information. In such cases, the two-month deadline is suspended until that additional information is provided, ensuring that the assessment is thorough before a final report is filed.

Implications for Compliance

For in-house counsel and compliance officers, these provisions highlight the increased visibility and accountability of national regulators. The public register maintained by the Commission means that the specific powers and tasks of each national authority are transparent and accessible. Companies must be prepared to interact with these authorities, providing information and cooperating with investigations as required by Article 26.

Furthermore, the two-month deadlines for information exchange and reporting under Articles 27 and 28 create a predictable timeline for regulatory interactions. However, this also means that authorities are expected to act promptly. Compliance teams should ensure their internal processes can respond quickly to requests for information from national authorities, as delays could hinder the authorities' ability to meet their reporting obligations to the Commission. The interconnected nature of these reporting duties means that a local issue can rapidly escalate to an EU-level review if cross-border cooperation is triggered.

What this means for you

As an in-house counsel or compliance officer, understanding these obligations is critical for managing regulatory risk under the proposed CADA. The requirement for Member States to notify the Commission of their authorities' names, tasks, and powers (Article 25(2)) means you should regularly check the Commission's public register to identify your primary regulatory contact. This register will clarify which authority has exclusive competence over your provider's main establishment, streamlining your compliance communications and ensuring you engage with the correct body.

The cooperation mandates in Articles 27 and 28 imply that regulatory scrutiny is not isolated to national borders. If a provider operates in multiple Member States, an issue identified in one country can trigger an investigation in the provider's home country, with the Commission kept in the loop. You should prepare for the possibility of receiving information requests from authorities in other Member States, facilitated through mutual assistance. Ensure your data governance and audit trails are robust enough to support rapid responses to such requests, respecting the two-month deadlines set for authorities to act and report.

Additionally, the Commission's role in monitoring these interactions means that inconsistencies in national enforcement could be flagged at the EU level. Maintaining consistent compliance standards across all your operations will help mitigate the risk of conflicting interpretations or enforcement actions by different national authorities. The transparency of the process ensures that the Commission can intervene if a Member State fails to meet its reporting obligations or if enforcement actions appear disproportionate.

Common misconceptions

Misconception 1: The Commission directly enforces CADA against providers. While the Commission plays a significant oversight role, primary enforcement responsibility lies with the national competent authorities of the Member State where the provider has its main establishment. The Commission does not typically investigate individual providers directly unless referred by national authorities or in specific cross-border disputes. Its role is more about ensuring consistent application, maintaining the central repository of recognized services, and monitoring the reporting obligations of national authorities.

Misconception 2: Authorities can ignore cross-border requests if they are inconvenient. Article 27(2) and Article 28(4) impose strict timelines (two months) for responding to requests and reporting assessments. Authorities cannot simply ignore requests from other Member States. They must either comply, provide the requested information, or duly justify any delay. This ensures that cross-border cooperation is not hindered by local administrative bottlenecks, and the Commission is kept informed of any justifications for delays.

Misconception 3: The public register is just a list of names. The register maintained by the Commission under Article 25(2) includes not just the names of the authorities but also their specific tasks and powers. This detailed information is crucial for providers to understand the scope of regulatory oversight and the specific capabilities of each national authority. It ensures that providers know exactly what powers an authority holds, such as investigative powers or the ability to impose fines, before engaging with them.

Related

This is general information about a draft EU regulation, not legal advice.