Summary

Under the proposed Cloud and AI Development Act (CADA), national competent authorities supervise cloud providers through a continuous feedback loop driven by mandatory transparency notifications. Article 23 requires providers to report material changes immediately, triggering supervisory reassessments. Article 25(3) mandates that Member States equip authorities with sufficient technical, financial, and human resources to exercise these duties effectively. Article 26 grants authorities the investigative and enforcement powers necessary to act on these reports, including inspections, information requests, and fines. This framework ensures that the Union assurance levels remain dynamic and accurate.

Detail

The CADA proposal establishes a rigorous, active supervisory framework for cloud computing service providers seeking recognition under the Union cloud computing sovereignty framework. Unlike static compliance models, CADA relies on a continuous flow of data from providers to national competent authorities, governed by specific transparency and enforcement provisions. This system ensures that the "Union assurance" status of a service is not a one-time badge but a continuously verified state.

Transparency as the Primary Supervisory Trigger (Article 23)

Article 23 imposes strict, ongoing transparency obligations on cloud computing service providers that have been recognised as offering a Union assurance level (levels 1–4). These obligations serve as the primary informational feed for ongoing supervision, ensuring that the central repository of recognised services remains accurate.

A recognised provider must notify its auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect:

  1. The audit report and the 'positive' opinion under Article 20; or
  2. The recognition under Article 17.

This notification requirement is critical because it triggers a cascading supervisory workflow. Upon receiving such a notification, the auditing organisation must assess whether the audit report or opinion needs amendment or revocation. If the auditing organisation amends or revokes its findings, it must notify the national competent authority. Subsequently, the national competent authority must assess whether its initial recognition of the service needs amendment or revocation. If the authority amends or revokes the recognition, it must notify the competent authorities of all other Member States and the Commission.

This mechanism ensures that public sector bodies, which rely on the repository to determine which services meet the assurance levels required by their risk assessments under Article 29, are not misled by outdated information. A failure to notify material changes disrupts the integrity of the sovereignty framework and constitutes a direct infringement.

The Duty of Adequate Supervision (Article 25)

The effectiveness of the transparency feed described above depends entirely on the capacity of the national competent authorities. Article 25 mandates that Member States designate one or more national competent authorities responsible for enforcing the sovereignty framework chapter.

Crucially, Article 25(3) requires Member States to ensure that their competent authorities perform their tasks in an "impartial, transparent and timely manner." To achieve this, the proposal explicitly states that Member States must guarantee that these authorities possess "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence."

This provision acknowledges the technical complexity of auditing cloud infrastructure, data flows, and software supply chains. Supervisors cannot rely solely on self-certification (Article 19) or initial audit reports (Article 20); they must have the institutional capacity to verify compliance, investigate discrepancies triggered by Article 23 notifications, and enforce penalties. The authority with exclusive competence for enforcement is the Member State where the cloud provider has its main establishment (i.e., head office or registered office from which principal financial functions and operational control are exercised).

Investigative and Enforcement Powers (Article 26)

When transparency reports under Article 23 raise concerns, or when routine monitoring suggests non-compliance, national competent authorities exercise the powers detailed in Article 26. These powers are divided into investigative and enforcement categories, designed to be "effective, dissuasive and proportionate."

Investigative Powers: To carry out their tasks, competent authorities have the power to:

  • Require any cloud computing service provider, subcontractor, or auditing organisation to provide information "as soon as possible" regarding suspected infringements.
  • Conduct inspections of any premises used for trade or business purposes to examine, seize, take, or obtain copies of information relating to a suspected infringement, irrespective of the storage medium.
  • Ask any member of staff or representative to give explanations regarding suspected infringements, with the possibility to record answers by technical means (with consent).

Enforcement Powers: If an infringement is confirmed, authorities can:

  • Order the cessation of the infringement and impose proportionate remedies necessary to bring the infringement effectively to an end.
  • Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation or with investigative orders.
  • Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order, or for failure to comply with investigative orders.

These measures must be taken with regard to the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider. Every exercise of these powers is subject to safeguards under national law, including the right to respect for private life, the rights of defence (including the right to be heard and access to the file), and the right to an effective judicial remedy.

Integration with Audit Mechanisms

Supervision under CADA is tightly integrated with the independent audit requirements for Union assurance levels 2, 3, and 4 (Article 20). While the auditing organisation performs the technical verification, the national competent authority oversees the audit process and the provider's compliance with the recognition criteria. The transparency reports under Article 23 often involve the auditing organisation first, creating a two-layer verification system before the competent authority intervenes. This structure ensures that supervisory resources are focused on material risks rather than routine compliance checks, while maintaining a high level of scrutiny.

What this means for you

For in-house counsel and compliance officers at cloud providers, the CADA proposal introduces a continuous compliance burden that extends far beyond the initial recognition process.

  1. Establish Real-Time Monitoring: You must implement internal controls to detect "material changes in circumstances" immediately. This includes changes in subcontractor arrangements, infrastructure location, personnel citizenship, or cybersecurity certifications. Delayed notifications under Article 23 can lead to immediate reassessment and potential revocation of your assurance level, which would disqualify you from public procurement.
  2. Prepare for Inspections: Ensure your premises and digital records are inspection-ready at all times. Article 26 grants authorities broad powers to access data and premises, including the ability to seize information. Maintain clear, auditable logs of all communications with auditing organisations and competent authorities to demonstrate cooperation.
  3. Resource Allocation: Budget for ongoing engagement with national competent authorities. The requirement for authorities to have "sufficient technical, financial and human resources" (Article 25(3)) implies a more rigorous and frequent supervisory presence than current voluntary certification schemes. Expect deeper dives into your operational data.
  4. Cross-Border Coordination: If you operate across multiple Member States, remember that the authority in your main establishment has exclusive competence. Coordinate closely with this authority to manage notifications that affect your status in other Member States, as they will notify other national authorities and the Commission upon any amendment or revocation.

Common misconceptions

  • "Supervision is only about audits." While audits are central to recognition, supervision under CADA is broader. It includes monitoring transparency reports, investigating suspected infringements, and enforcing penalties. The competent authority's role is not limited to reviewing audit reports but extends to ensuring the overall integrity of the sovereignty framework.
  • "Only large providers are supervised." Article 25 applies to all cloud computing service providers within the competence of the national authority. While SMEs have simplified recognition for Level 1 (Article 17(3)), they are still subject to the transparency obligations of Article 23 if they hold a recognised status, and thus fall under supervisory purview.
  • "Transparency reports are optional." Article 23 uses mandatory language ("shall notify"). Failure to report material changes is a direct infringement that can trigger investigative powers under Article 26 and penalties under Article 24.

This is general information about a draft EU regulation, not legal advice.