Summary

Under the proposed Cloud and AI Development Act (CADA), Article 24 requires Member States to establish penalties for cloud computing service providers that infringe the Union cloud computing sovereignty framework. These penalties must be "effective, proportionate and dissuasive," but the proposal does not set fixed maximum fine amounts (unlike the EU AI Act). Instead, national authorities must consider specific criteria when imposing sanctions, including the nature, gravity, scale and duration of the infringement, any remedial actions taken to mitigate damage, previous infringements, and the provider's annual turnover in the Union. Crucially, Article 24(3) grants recipients of cloud services the right to seek compensation for damage or loss suffered due to a provider's infringement. To reduce exposure, providers must proactively report material changes, cooperate fully with audits, and implement immediate remedial measures upon detecting non-compliance.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud services used by Union entities and public sector bodies. While the Act defines the technical and operational criteria for four "Union assurance levels" in Annex II, the enforcement mechanism relies on national implementation. The cornerstone of this enforcement is Article 24, which governs penalties and compensation.

The Legal Mandate: Article 24

Article 24(1) imposes a direct obligation on Member States to "lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence." The proposal explicitly mandates that these penalties must be "effective, proportionate and dissuasive."

Unlike the EU AI Act, which sets specific maximum fines (e.g., €35 million or 7% of turnover), CADA does not enumerate fixed monetary caps. Instead, it delegates the specific quantification of fines to national legislation, provided they adhere to the principles of effectiveness, proportionality, and dissuasiveness. Member States are required to notify the Commission of these rules and any subsequent amendments "as soon as possible."

The Criteria for Imposing Penalties

To ensure consistency across the Single Market while respecting national legal traditions, Article 24(2) provides a non-exhaustive list of criteria that Member States must take into account when determining the severity of a penalty. These criteria are critical for providers seeking to understand their potential liability and how to mitigate it:

  1. Nature, gravity, scale and duration: Authorities will assess the fundamental character of the breach, how severe its impact was, the geographic or operational scope (scale), and how long the non-compliance persisted. A short-lived, isolated error will likely be treated differently from a systemic, long-term violation.
  2. Remedial action (Mitigation): This is a pivotal factor for reducing exposure. The text explicitly requires authorities to consider "any action taken by the infringing party to mitigate or remedy the damage caused by the infringement." Promptly fixing a breach, notifying authorities, and implementing corrective measures can significantly lower the penalty.
  3. Previous infringements: A provider's compliance history matters. "Any previous infringements by the infringing party" will be weighed, meaning repeat offenders face escalated penalties.
  4. Financial benefits gained or losses avoided: If the provider derived an economic advantage from the infringement (e.g., saving costs by not implementing required security measures) or avoided losses that would have occurred had they been compliant, this will be factored in, "insofar as such benefits or losses can be reliably established."
  5. Aggravating or mitigating factors: Authorities retain discretion to consider "any other aggravating or mitigating factor applicable to the circumstances of the case."
  6. Annual turnover: To ensure proportionality, the "infringing party's annual turnover in the preceding financial year in the Union" must be considered. This ensures that penalties are meaningful for large hyperscalers while remaining manageable for smaller entities, though the "dissuasive" requirement implies they must still be significant.

The Right to Compensation: Article 24(3)

Beyond administrative fines, Article 24(3) introduces a civil liability dimension that directly impacts a provider's commercial risk. It states: "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This provision creates a dual-exposure risk:

  • Administrative: Fines imposed by the national competent authority.
  • Civil: Lawsuits from public sector bodies or Union entities that suffered operational disruption, data loss, or reputational harm due to the provider's failure to meet sovereignty criteria (e.g., unauthorized data transfers or failure to maintain the required assurance level).

Enforcement Powers and Context

The penalties under Article 24 are enforced by the national competent authorities designated by each Member State under Article 25. These authorities possess broad powers under Article 26, including the ability to:

  • Require information and conduct inspections of premises.
  • Order the cessation of infringements.
  • Impose fines or periodic penalty payments to ensure compliance.

These measures must be exercised in compliance with the rights of defense and the right to an effective judicial remedy. The enforcement framework is designed to be robust, ensuring that the sovereignty framework is not merely aspirational but legally binding.

What this means for you

For cloud computing service providers targeting the EU public sector market, the penalty regime under CADA requires a proactive compliance strategy. Since the proposal does not set fixed fine amounts, the outcome of an enforcement action will depend heavily on how well a provider can demonstrate adherence to the mitigating criteria in Article 24(2).

1. Prioritize Remedial Action as a Defense

The most effective way to reduce penalty exposure is to act immediately upon discovering a non-compliance. Because Article 24(2)(b) explicitly lists "action taken... to mitigate or remedy the damage" as a criterion, a provider that self-discovers a breach, stops the violation, and fixes the root cause before an authority intervenes will be in a far stronger position than one that is caught after a long period of non-compliance.

  • Action: Establish internal "stop-the-bleed" protocols. If a data flow leaves the Union in violation of assurance criteria, cut the flow immediately and document the cessation.

2. Leverage Transparency Obligations (Article 23)

Article 23 requires providers to notify the auditing organisation and the national competent authority "as soon as possible" upon becoming aware of any "material change in circumstances" that may affect their recognition.

  • Strategy: Treat self-reporting as a mitigating factor. By voluntarily disclosing a material change (e.g., a change in ownership structure or a subcontractor issue) before it is discovered by an auditor, you demonstrate good faith. This aligns with the "mitigating factors" criterion in Article 24(2)(e) and may prevent the "duration" of the infringement from being counted from the date of discovery by authorities.

3. Manage Civil Liability Risks

With Article 24(3) granting recipients the right to compensation, your contractual and operational posture must address civil liability.

  • Contract Review: Ensure your Service Level Agreements (SLAs) with public sector bodies clearly define the scope of your assurance levels and the specific obligations you undertake. While you cannot contract out of statutory liability, clear definitions can help manage the scope of "damage or loss" claimed.
  • Insurance: Consider whether your cyber liability insurance covers regulatory fines (where legally permissible) and civil compensation claims arising from sovereignty breaches.

4. Maintain a Clean Compliance History

Article 24(2)(c) mandates consideration of "any previous infringements." A history of violations will almost certainly lead to higher penalties for subsequent breaches.

  • Action: Implement continuous monitoring to prevent repeat offenses. If a minor breach occurs, treat it as a critical learning opportunity to overhaul the relevant control, ensuring it never happens again.

5. Cooperate Fully with Audits and Authorities

Article 20 requires providers to cooperate with auditing organisations, providing access to data and premises. Hindering an audit or providing misleading information can be an aggravating factor.

  • Strategy: View audits as a compliance tool, not a hurdle. Full cooperation demonstrates a commitment to the framework, which can be weighed as a mitigating factor under the general "circumstances of the case" in Article 24(2)(e).

6. Monitor National Implementation

Since CADA is a regulation, it applies directly, but the penalty rules are national.

  • Action: Monitor the national penalty rules adopted under Article 24 in the Member State where you are established. Different Member States may interpret "proportionate" and "dissuasive" differently, and the specific procedural rules for imposing fines will vary.

Common misconceptions

"CADA sets fixed fines like the GDPR or AI Act." No. Unlike the GDPR (which sets fines up to 4% of turnover) or the AI Act (which sets fines up to 7% or €35 million), CADA does not specify maximum fine amounts. Article 24 requires Member States to create their own penalty regimes, provided they are "effective, proportionate and dissuasive." The actual fine will depend on national law and the specific criteria applied by the competent authority.

"Only intentional misconduct triggers penalties." Incorrect. Article 24 applies to "infringements" generally. While intent may influence the severity (as an aggravating or mitigating factor), negligence, failure to maintain required controls, or inadvertent data leaks that violate assurance level criteria can all trigger penalties. The focus is on the breach of the obligation itself.

"Compensation is handled by the regulator." No. Article 24(3) explicitly states that recipients have the right to seek compensation "in accordance with Union and national law." This is a civil matter between the provider and the recipient (e.g., a public body). A provider can face a regulatory fine from the authority and a separate civil lawsuit for damages for the same incident.

"Small providers are exempt from penalties." While Article 24(2)(f) requires authorities to consider the provider's "annual turnover," this is a factor for proportionality, not an exemption. Small and medium-sized enterprises (SMEs) are subject to the same sovereignty framework obligations. Non-compliance can still lead to significant reputational damage, loss of public sector contracts, and penalties that are "dissuasive" relative to their size.

"Reporting a breach automatically waives penalties." Reporting a breach is a strong mitigating factor, but it does not guarantee immunity. Article 24(2) lists remedial action as one of several criteria. Authorities will still consider the gravity, scale, and duration of the infringement. However, failure to report (violating Article 23) would likely be an aggravating factor.

This is general information about a draft EU regulation, not legal advice.