Summary

Under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final — a proposal, not yet in force), national competent authorities would hold both investigative and enforcement powers over cloud computing service providers under the Union sovereignty framework. As proposed in Article 26, they could require information, inspect premises and obtain explanations (Article 26(1)), and order the cessation of infringements, impose fines and impose periodic penalty payments (Article 26(2)). These powers are not free-standing: they are exercisable only "where needed to carry out their tasks under Article 17," which governs recognition of cloud services at Union assurance levels 1 to 4. Every measure must be effective, dissuasive and proportionate, and is wrapped in defence-rights safeguards (Article 26(3)–(4)).

Detail

CADA's Chapter I of Title IV ("Autonomy") establishes a Union cloud computing sovereignty framework with four graded assurance levels. To make that framework credible, the proposal arms each Member State's designated national competent authorities with supervisory powers. Article 25(4) concentrates those powers: the authority of the Member State where a provider has its main establishment (head office or registered office with principal financial functions and operational control) has exclusive competence to enforce the Chapter.

The powers themselves are set out in Article 26, in two groups — investigative and enforcement. A key framing point applies to both: Article 26(1) and (2) each open with "Where needed to carry out their tasks under Article 17." Article 17 is the recognition procedure under which the authority of establishment, acting as the evaluating national competent authority, assesses providers' evidence and recognises (or refuses, or later revokes) a service at a given assurance level. The Article 26 powers are therefore tethered to that recognition function rather than being general policing powers.

Investigative powers (Article 26(1))

  1. Require information (point (a)). Authorities may require any cloud computing service provider — and any other person acting for purposes related to their trade, business, craft or profession who may reasonably be expected to be aware of information relating to a suspected infringement, including auditing organisations — to provide that information "as soon as possible."
  2. Inspect premises (point (b)). Authorities may carry out, or request a judicial authority in their Member State to order, inspections of any premises used for trade or business purposes by those providers or persons — or request other public authorities to do so — in order to examine, seize, take or obtain copies of information relating to a suspected infringement "in any form, irrespective of the storage medium."
  3. Obtain explanations (point (c)). Authorities may ask any staff member or representative to give explanations in respect of information relating to a suspected infringement and, with that person's consent, record the answers by any technical means.

Enforcement powers (Article 26(2))

  1. Order cessation and remedies (point (a)). Authorities may order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring it effectively to an end — or request a judicial authority to do so.
  2. Impose fines (point (b)). Authorities may impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including failure to comply with any investigative order issued under Article 26(1).
  3. Impose periodic penalty payments (point (c)). Authorities may impose periodic penalty payments, or request a judicial authority to do so, in accordance with Article 24, to secure compliance with a cessation order under point (a) or with an investigative order under paragraph 1.

Proportionality and safeguards (Article 26(3)–(4))

The powers are bounded. Article 26(3) requires that measures be effective, dissuasive and proportionate, having regard in particular to the nature, gravity, recurrence and duration of the (suspected) infringement and, where relevant, the economic, technical and operational capacity of the provider.

Article 26(4) requires Member States to set out specific rules and procedures for exercising the powers, subject to adequate safeguards under national law in compliance with the general principles of Union law. Measures may be taken only in accordance with the right to respect for private life and the rights of defence — including the rights to be heard and to access the file — and are subject to the right of all affected parties to an effective judicial remedy.

Why the powers are anchored in Article 17

Article 17 makes the authority of establishment the evaluating authority for recognition. Its tasks include assessing the evidence providers submit (the EU statement of conformity for level 1; the audit report and "positive" audit opinion for levels 2–4), preparing draft recognition decisions, running the cross-Member-State review period, and — under Article 17(11) — revoking a recognition where it finds that the provider intentionally or negligently supplied incorrect or misleading information. In practice, then, an authority reaching for its Article 26 powers is usually verifying recognition evidence, investigating suspected misrepresentation, or enforcing the conditions of a recognition it has granted.

The anchoring to Article 17 also shapes who exercises the powers. Article 26(1) and (2) refer to the "competent authorities of establishment" and the "national competent authorities of establishment" respectively — that is, the lead authority for the provider's main establishment under Article 25(4). Other Member States do not wield these powers directly against a provider established elsewhere; they engage through mutual assistance (Article 27) and cross-border cooperation (Article 28), asking the authority of establishment to act. So the powers in Article 26 are both substantively bounded (to Article 17 tasks) and institutionally bounded (to the one authority with exclusive competence).

How the investigative and enforcement powers interlock

The two groups are designed to work together. An authority typically uses Article 26(1) to establish the facts — requiring documents, inspecting premises, taking explanations — and then, if an infringement is confirmed or continuing, deploys Article 26(2) to stop it and deter repetition. The link is explicit in the text: a fine under Article 26(2)(b) can be imposed for "failure to comply with this Regulation, including with any of the investigative orders issued pursuant to paragraph 1," and a periodic penalty payment under Article 26(2)(c) can be imposed both to secure compliance with a cessation order and to address failure to comply with an investigative order. In other words, obstructing the investigation is itself an enforceable wrong, not merely an obstacle the authority must work around.

Because periodic penalty payments are imposed "in accordance with Article 24," they sit within the same penalties architecture as the substantive fines — Member States set the rules, and the effective-proportionate-dissuasive standard and the Article 24(2) criteria apply.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers (and at auditing organisations), Article 26 sets the contours of regulatory risk.

  1. Be inspection- and disclosure-ready. The authority can require information "as soon as possible" and inspect premises, seizing or copying information regardless of medium. Keep your assurance-level evidence, audit trails and compliance records organised and quickly retrievable.
  2. Cooperate, but know that non-cooperation is itself sanctionable. Failure to comply with an investigative order under Article 26(1) can attract fines (Article 26(2)(b)) and periodic penalty payments (Article 26(2)(c)). Build internal protocols for responding accurately and on time while protecting legitimately privileged or confidential material.
  3. Manage periodic-penalty exposure. Because periodic penalty payments are designed to compel ongoing compliance, slow remediation becomes expensive. Have an incident-response process to close findings fast.
  4. Use your procedural rights. Article 26(4) guarantees the right to be heard, access to the file and an effective judicial remedy. When a measure is imposed, test its proportionality and procedural correctness.
  5. Track which authority is yours. Member States must designate their authorities within one year of entry into force (Article 25(1)). The authority over your main establishment holds exclusive competence (Article 25(4)) — that is the body whose powers will bear on you.

Common misconceptions

Misconception 1: These powers reach every aspect of a cloud business. Correction: Article 26 powers are exercisable "where needed to carry out their tasks under Article 17" — the recognition of Union assurance levels. They target the sovereignty framework and providers seeking or holding recognition, not a provider's affairs at large.

Misconception 2: Authorities can inspect with no legal constraint. Correction: Inspections under Article 26(1)(b) may be carried out by the authority or ordered by a judicial authority, and Article 26(3)–(4) require proportionality plus respect for private life, defence rights and an effective judicial remedy.

Misconception 3: Only the provider can be investigated. Correction: Article 26(1)(a) extends information requests to "any other persons acting for purposes related to their trade, business, craft or profession," expressly including auditing organisations. Auditors — and other parties holding relevant information — can be drawn in.

Misconception 4: Fines are automatic. Correction: Fines and periodic penalty payments are discretionary tools, governed by the proportionality test in Article 26(3). They are not a fixed tariff for every slip, but serious or repeated non-compliance can carry significant financial consequences.

This is general information about a draft EU regulation, not legal advice.