Summary
As proposed in the Cloud and AI Development Act (CADA), Member States are legally required to ensure their designated national competent authorities possess sufficient technical, financial, and human resources to effectively supervise all cloud computing service providers within their jurisdiction. Article 25(3) explicitly mandates that these authorities must perform their tasks in an impartial, transparent, and timely manner. This resource obligation is the backbone of the Union cloud computing sovereignty framework; without it, the rigorous audit and recognition processes for Union assurance levels could fail, creating regulatory gaps that compromise public order and data security.
Detail
The Cloud and AI Development Act (CADA) establishes a complex, multi-layered sovereignty framework for cloud computing services. This framework requires providers to undergo conformity self-assessments (for Level 1) or independent third-party audits (for Levels 2, 3, and 4) to achieve specific "Union assurance levels." The credibility of this entire system hinges on the capacity of the national competent authorities (NCAs) designated by Member States to enforce these rules.
The Statutory Resource Mandate: Article 25(3)
Article 25 of the CADA proposal sets out the obligations for Member States regarding the designation and empowerment of national competent authorities. While Paragraph 1 requires the designation of these authorities within one year of the Regulation's entry into force, and Paragraph 2 requires notification to the Commission, Paragraph 3 establishes the critical operational baseline.
The text of Article 25(3) states:
"Member States shall ensure that their competent authorities perform their tasks under this Regulation in an impartial, transparent and timely manner. Member States shall ensure that their competent authorities have all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence."
This provision creates a binding, tripartite resource obligation that Member States must fulfill:
- Technical Resources: Authorities must possess the specialized technical expertise and tools necessary to evaluate complex cloud infrastructure, software supply chains, and cybersecurity certifications. This is not merely administrative oversight; it requires the capacity to assess compliance with the detailed criteria in Annex II of CADA. These criteria cover intricate technical requirements such as data localization, personnel citizenship, software bill of materials (SBOM) completeness, and the prevention of remote tampering mechanisms. An authority lacking technical depth cannot effectively verify a provider's claim to "Union assurance."
- Financial Resources: Member States must allocate adequate funding to sustain these authorities over the long term. This funding must cover operational costs, the management of the central repository of recognized services (established under Article 22), and the oversight of independent auditing organisations. Without dedicated financial streams, authorities may struggle to maintain the independence required to challenge non-compliant providers.
- Human Resources: Authorities must have sufficient staff with the appropriate expertise to handle the volume of applications for Union assurance levels and conduct ongoing supervisory activities. The workload is significant, involving the review of self-assessments, the validation of audit reports, and the investigation of material changes notified under Article 23.
The Operational Imperative: Impartiality, Transparency, and Timeliness
Beyond the allocation of raw resources, Article 25(3) imposes a qualitative standard on how these authorities must operate. They must perform their tasks in an "impartial, transparent and timely manner."
- Impartiality: This ensures that authorities do not favor domestic providers or specific commercial interests, maintaining a level playing field across the Single Market.
- Transparency: Authorities must operate openly, ensuring that the criteria for recognition and the outcomes of their assessments are clear to providers and the public.
- Timeliness: This is critical for market efficiency. Article 17 sets a strict 60-day assessment period for recognition applications (extendable only under specific conditions). If an authority lacks the resources to meet this deadline, it creates bottlenecks that could fragment the single market or discourage European providers from seeking recognition. The resource mandate in Article 25(3) is the legal guarantee that these deadlines are realistic and enforceable.
Scope of Supervision: "All" Providers
The resource requirement is comprehensive. The text mandates that authorities have resources to "adequately supervise all cloud computing service providers within their competence." This scope is broad and includes:
- Level 1 Providers: Authorities must review EU statements of conformity issued by providers (or verify the automatic recognition for SMEs).
- Levels 2, 3, and 4 Providers: Authorities must review independent audit reports and "positive" audit opinions, ensuring the auditing organisations themselves are competent and independent.
- Ongoing Compliance: Supervision is not a one-time event. Authorities must monitor providers for material changes (Article 23), handle revocation procedures if incorrect information is supplied, and manage the central repository.
Exclusive Competence and Cross-Border Implications
Article 25(4) clarifies the jurisdictional model: the Member State where the cloud computing service provider has its main establishment (defined as the head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing Chapter IV (Autonomy).
This "single point of entry" model places a heavy burden on the resources of the authority in the provider's home Member State. Because a recognition decision made by one authority is valid across the entire Union, the technical and human capacity of that specific authority must be robust enough to handle cross-border implications. A resource deficit in the home Member State could theoretically create a bottleneck for the entire EU market, as no other authority can step in to perform the initial recognition.
Coordination and Cooperation Mechanisms
While the home Member State holds exclusive competence, the framework relies on cooperation. Article 27 (Mutual Assistance) and Article 28 (Cross-border Cooperation) require authorities to share information and assist each other.
Resources must therefore also support these collaborative mechanisms. Authorities must have the capacity to:
- Exchange data with other Member States and the Commission.
- Meet strict deadlines for cooperation requests (e.g., responding within two months under Article 28(4)).
- Participate in the Commission's review of risk assessments and recognition decisions.
Without sufficient resources, these cooperation mechanisms could fail, undermining the harmonized nature of the CADA framework.
What this means for you
For in-house counsel, compliance officers, and cloud service providers, the resource requirements for competent authorities have direct implications for your strategy and risk management:
- Expect Rigorous, Technical Scrutiny: The mandate for "sufficient technical... resources" signals that national authorities will not merely rubber-stamp audit reports. They will have the capacity to challenge findings, request additional evidence, and conduct their own investigations into your software supply chain and data flows. Ensure your internal documentation (e.g., SBOMs, data flow diagrams, personnel citizenship records) is audit-ready and technically robust.
- Timeliness is a Legal Right: The requirement for "timely" performance supports the statutory deadlines in Article 17 (60 days for recognition assessment). If an authority delays beyond these limits without justification, it may be failing its CADA obligations. You can use this provision to push for procedural adherence and challenge undue delays.
- Home State is Key: Since enforcement is concentrated in the Member State of your main establishment, prioritize building relationships with that specific authority. Their resource levels and technical expertise will directly impact your speed-to-market for Union assurance levels. If your home authority is under-resourced, it could delay your entire EU rollout.
- Monitor Systemic Gaps: Because recognition in one Member State is valid across the EU, a resource deficit in one country could theoretically create bottlenecks for the entire market. Monitor the Commission's reports on the implementation of CADA to identify any systemic resource gaps among Member States that might affect your supply chain or the validity of your recognition.
Common misconceptions
"CADA authorities are just another layer of GDPR enforcement." Incorrect. While there is overlap in data protection concerns, CADA authorities focus on sovereignty, operational autonomy, and supply chain security. Their resource requirements reflect the need for deep technical expertise in cloud architecture, cybersecurity, and software supply chains, not just data privacy law. The "technical resources" mandate in Article 25(3) is distinct from the legal expertise required for GDPR.
"All Member States enforce CADA equally." Incorrect. Article 25(4) assigns exclusive competence to the Member State of the provider's main establishment. While other Member States retain the right to object to recognition decisions (under Article 17(6)) and request cross-border cooperation (under Article 28), your home state authority is the primary point of contact and the sole entity responsible for the initial recognition. The quality of enforcement depends heavily on the resources of that specific authority.
"Resources only mean staff headcount." Incorrect. Article 25(3) explicitly includes "technical" and "financial" resources alongside human resources. This implies a requirement for investment in specialized IT systems, expert personnel with cloud architecture skills, and potentially external audit oversight capabilities, not just administrative staff. A team of lawyers without technical tools cannot effectively supervise a cloud provider.
This is general information about a draft EU regulation, not legal advice.