Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities are legally required to conduct risk assessments under Article 29 to determine the appropriate Union assurance level for cloud services. While the Regulation does not set fixed fine amounts for public bodies, it mandates that Member States establish penalties that are "effective, proportionate and dissuasive." Non-compliance triggers the enforcement powers of National Competent Authorities (NCAs) under Articles 25–28, including orders to cease infringements, periodic penalty payments, and fines. Furthermore, if a Member State's assessment is deemed inadequate, the Commission may intervene under Article 29(5) via implementing acts to specify the required assurance level, creating a direct Union-level obligation. Failure to comply with such an act would constitute a breach of Union law, exposing the public body to national sanctions and potential state liability.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services used by the public sector. At the heart of this framework lies Article 29, which imposes a mandatory duty on Member States and Union entities to assess the risks associated with their cloud procurement. The consequences of ignoring this duty are not merely administrative; they activate a comprehensive enforcement regime spanning Articles 24 through 28.
The Substantive Obligation: Article 29 Risk Assessments
Article 29 requires Member States and Union entities to carry out risk assessments by a deadline of one year after the Regulation's entry into force, and subsequently every two years or whenever necessary. These assessments serve two critical functions:
- Identification: They must identify public sector activities that contribute to the preservation of public order. This explicitly includes sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and areas such as national security, internal security, external border management, defence, justice, and law enforcement.
- Determination: They must determine which Union assurance level (Level 2, 3, or 4) is appropriate for the cloud services supporting these activities.
The assessment must consider the sensitivity, criticality, and magnitude of data processed, the risk of unlawful third-country access, and the risk of service disruption. Crucially, Article 29(4) mandates that Member States provide the results of these assessments to the Commission within three months.
If the Commission concludes that a Member State's identified assurance level is inappropriate or fails to adequately address public order concerns, Article 29(5) empowers the Commission to adopt implementing acts specifying the Union assurance levels needed for that specific public sector activity. This creates a "corrective override" mechanism where the Commission can unilaterally set the compliance standard if national authorities fail to do so.
The Enforcement Regime: Linking Article 29 to Articles 24–28
While Article 29 defines the obligation, the enforcement machinery is located in Title IV, Chapter I of the proposal. The interplay between the risk assessment duty and the penalty regime is structured as follows:
1. National Penalties and Liability (Article 24)
Article 24 requires Member States to lay down rules on penalties applicable to infringements of the sovereignty chapter.
- Scope: While Article 24(1) explicitly mentions penalties for infringements by "cloud computing service providers," the enforcement powers granted to NCAs under Article 26 apply to the entire Chapter. This includes the obligations of contracting authorities and public bodies under Articles 29 and 30. A public body failing to conduct an Article 29 assessment or procuring services at an incorrect assurance level is infringing the Chapter.
- Criteria: Under Article 24(2), national authorities must consider non-exhaustive criteria when imposing penalties, including:
  - The nature, gravity, scale, and duration of the infringement.
  - Any action taken to mitigate damage.
  - Previous infringements.
  - Financial benefits gained or losses avoided.
  - The infringing party's annual turnover in the preceding financial year in the Union.
- Compensation: Article 24(3) grants recipients of cloud services the right to seek compensation for damage caused by a provider's infringement. While this targets providers, it highlights the high-stakes environment: a public body's failure to assess risk could lead to the procurement of non-compliant services, potentially exposing the state to liability if data breaches or service disruptions occur due to sovereignty failures.
2. Powers of National Competent Authorities (Articles 25 & 26)
Article 25 requires Member States to designate one or more National Competent Authorities (NCAs) responsible for enforcing the Chapter. These authorities possess robust powers under Article 26:
- Investigative Powers: NCAs can require any person, including public bodies, to provide information regarding a suspected infringement. They can inspect premises, seize information, and request explanations from staff.
- Enforcement Powers: NCAs can order the cessation of infringements and impose remedies proportionate to the breach. They can impose fines or periodic penalty payments to ensure compliance.
- Proportionality: Measures must be effective, dissuasive, and proportionate, taking into account the economic, technical, and operational capacity of the entity. For a public body, this means an NCA can issue a binding order to migrate to a compliant cloud service and impose daily fines until the migration is complete.
3. Cross-Border Cooperation and Commission Oversight (Articles 27 & 28)
Articles 27 and 28 establish mechanisms for mutual assistance and cross-border cooperation. If a public body in one Member State uses a cloud service from an entity established in another, NCAs must cooperate to ensure consistent enforcement.
More critically, the Commission retains a direct oversight role via Article 29(5). If a Member State's risk assessment is inadequate, the Commission can issue an implementing act specifying the correct assurance level. Ignoring such an act constitutes a direct breach of Union law. While the Regulation does not explicitly detail Commission fines for public bodies, failure to comply with a binding Commission implementing act triggers general EU law enforcement mechanisms, including infringement proceedings by the Commission against the Member State, which can lead to significant financial penalties under the Treaty on the Functioning of the European Union (TFEU).
Comparison with the AI Act
It is vital to distinguish CADA's penalty structure from the EU AI Act (Regulation (EU) 2024/1689). The AI Act, under Article 99, sets specific maximum fines (up to €35 million or 7% of turnover for prohibited practices). CADA, by contrast, does not set fixed maximums in the text itself. Instead, it delegates the setting of specific penalty amounts to Member States, provided they are "effective, proportionate and dissuasive." This means the financial impact on a public body will vary by Member State but will be guided by the turnover and gravity criteria in Article 24(2).
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the CADA proposal transforms risk assessment from a strategic recommendation into a legally binding obligation with tangible enforcement consequences.
- Treat Article 29 as a Compliance Trigger: Do not view the risk assessment as a one-off exercise. It is a recurring duty (every two years) that dictates your procurement strategy. Failure to conduct it is an infringement subject to NCA enforcement.
- Prepare for NCA Intervention: National Competent Authorities have the power to inspect your records, demand information, and order you to stop using non-compliant services. They can also impose periodic penalty payments until you comply.
- Monitor Commission Implementing Acts: Under Article 29(5), the Commission can override your national assessment. If the Commission specifies a higher assurance level for your sector, you must comply immediately. Ignoring a Commission act exposes the Member State to infringement proceedings and the public body to national penalties.
- Document Rigorously: The criteria for penalties in Article 24(2) include the "gravity" and "duration" of the infringement. Comprehensive documentation of your risk assessment methodology, the data sensitivity analysis, and the rationale for your chosen assurance level is your primary defense against severe penalties.
- Engage Early: Build a working relationship with your designated NCA. Early engagement can clarify expectations and may mitigate the severity of enforcement actions if discrepancies are identified.
Common misconceptions
Misconception 1: "Penalties only apply to cloud providers, not public bodies." While Article 24 explicitly lists penalties for "cloud computing service providers," the enforcement powers of NCAs under Article 26 apply to the entire Chapter. This includes the obligations of public bodies under Articles 29 and 30. Public bodies can face orders to cease infringements, fines, and periodic penalty payments for failing to conduct risk assessments or procure compliant services.
Misconception 2: "The EU sets a fixed fine amount for non-compliance." Unlike the GDPR or the AI Act, which specify maximum fine percentages or amounts, CADA leaves the specific penalty amounts to Member States. However, it mandates that penalties be "effective, proportionate and dissuasive" and lists criteria such as annual turnover to guide national legislators. This means fines could be substantial, especially for large public entities or those with significant digital budgets, depending on the national transposition.
Misconception 3: "Risk assessments are a one-time task." Article 29 requires risk assessments to be conducted every two years, or whenever necessary. Failing to update assessments in response to changing threats, new service deployments, or changes in the public order landscape is a continuing infringement that could attract escalating penalties.
Misconception 4: "The Commission cannot intervene in national risk assessments." Article 29(5) explicitly grants the Commission the power to adopt implementing acts to specify the required Union assurance level if a Member State's assessment is inadequate. This is a direct override mechanism that supersedes national discretion.
This is general information about a draft EU regulation, not legal advice.