Summary

Under the proposed Cloud and AI Development Act (CADA), the European Commission does not directly enforce the regulation or impose penalties on cloud service providers. Enforcement powers are exclusively vested in national competent authorities designated by each Member State. The Commission's role is strictly coordinating and supervisory: it maintains a public register of these authorities, facilitates mutual assistance and cross-border cooperation, and possesses the power to request assessments when compliance is suspected. While the Commission ensures the sovereignty framework is applied consistently across the Union, the actual investigative powers, orders to cease infringements, and the imposition of fines remain a national competence.

Detail

The enforcement architecture of the proposed CADA is deliberately decentralized to respect the administrative competencies of Member States while ensuring a uniform Union-wide framework for cloud sovereignty. This structure creates a clear division of labor: national authorities act as the "boots on the ground" for investigation and sanctioning, while the Commission acts as the central hub for consistency, information exchange, and systemic oversight.

The Commission's Coordinating and Supervisory Mandate

The Commission's powers under CADA are defined by its ability to ensure that national authorities act in a consistent manner and that information flows freely across borders. It does not possess direct investigative powers over cloud computing service providers.

Maintaining the Register of Authorities

Transparency is the first pillar of the Commission's supervisory role. Under Article 25(2), Member States are required to notify the Commission of the names of their designated competent authorities, along with a detailed description of their tasks and powers. The Commission is then mandated to maintain a public register of these authorities. This register serves as the definitive reference point for cloud providers, auditing organizations, and public sector bodies to identify which national body holds jurisdiction. This is critical because, under Article 25(4), the Member State where the provider has its "main establishment" (head office or registered office where principal financial functions and operational control are exercised) holds exclusive competence for enforcing the sovereignty framework.

Facilitating Cooperation and Mutual Assistance

The Commission acts as the facilitator for cross-border enforcement. Article 27(1) explicitly states that competent authorities and the Commission shall cooperate closely and provide each other with mutual assistance to apply the sovereignty framework in a consistent and efficient manner. This cooperation includes the exchange of information. If a competent authority in one Member State requires specific information located in another Member State to exercise its investigative powers, it can request this through the mutual assistance framework. The Commission oversees this process to ensure that information flows are timely and that national authorities support one another in applying the Regulation.

Triggering Assessments and Investigations

While the Commission cannot initiate its own investigations into a specific provider, it holds a powerful "trigger" mechanism to address systemic risks or potential non-compliance. Under Article 28(2), the Commission may request the competent authority of establishment to assess a matter and take the necessary investigatory and enforcement measures if it suspects that a cloud computing service provider no longer fulfills the requirements of the Union assurance levels.

Once such a request is made, the competent authority of establishment is obligated to assess the matter. It must communicate its assessment and any investigatory or enforcement measures taken (or envisaged) to the Commission and the requesting authority within two months. If the authority of establishment finds the information insufficient, it may request additional details, which suspends the two-month deadline until the information is provided. This mechanism ensures that the Commission can intervene when a national authority might be slow to act or when a risk spans multiple jurisdictions.

The Role of National Competent Authorities

The substantive burden of enforcement falls entirely on the national competent authorities designated by Member States. These bodies are the only entities with the power to investigate, sanction, and order remedies.

Designation and Exclusive Competence

Member States must designate one or more national competent authorities by one year after the Regulation's entry into force (Article 25(1)). Crucially, Article 25(4) establishes that the Member State where the provider has its main establishment has exclusive competence for enforcing the sovereignty framework. This prevents a "race to the bottom" or conflicting enforcement actions by multiple Member States against the same provider.

Investigative and Enforcement Powers

National authorities are granted robust powers under Article 26 to ensure effective enforcement.

  • Investigative Powers: Authorities can require providers and auditing organizations to provide information, carry out inspections of premises, seize or obtain copies of information, and ask staff for explanations.
  • Enforcement Powers: Authorities can order the cessation of infringements, impose remedies proportionate to the infringement, and impose fines or periodic penalty payments for failure to comply.

Imposing Penalties

The Commission plays no role in setting or imposing specific fines. Article 24(1) mandates that Member States shall lay down the rules on penalties applicable to infringements by cloud computing service providers within their competence. These penalties must be "effective, proportionate and dissuasive." Member States must notify the Commission of these rules and any subsequent amendments.

When determining penalties, national authorities must consider non-exhaustive criteria listed in Article 24(2), including:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken to mitigate damage.
  • Previous infringements by the provider.
  • Financial benefits gained or losses avoided due to the infringement.
  • The infringing party's annual turnover in the Union.

Furthermore, Article 24(3) grants recipients of cloud services the right to seek compensation for damage or loss suffered due to a provider's infringement, a right enforceable under national law.

Cross-Border Enforcement Mechanisms

To prevent providers from exploiting jurisdictional gaps, CADA establishes specific mechanisms for cross-border interaction, all coordinated but not executed by the Commission.

Cross-Border Cooperation (Article 28)

If a competent authority in a Member State (the "destination") suspects that a provider no longer complies with the Union assurance level requirements, it may request the competent authority of establishment to assess the matter. The authority of establishment must then take necessary investigatory and enforcement measures. This ensures that a provider recognized in one Member State cannot ignore risks identified in another.

Mutual Assistance (Article 27)

Under Article 27, a competent authority may request another to provide specific information in its possession to exercise its investigative powers. The receiving authority must comply and inform the requesting authority of the action taken no later than two months after receipt of the request, unless duly justified. This ensures that investigative powers are not limited by national borders, with the Commission acting as the central node for facilitating these exchanges.

What this means for you

For public-sector procurement officers, cloud providers, and legal counsel, understanding this enforcement structure is vital for compliance strategy and risk management.

  • Identify the Correct Authority: When evaluating a cloud provider's compliance with Union assurance levels, you must refer to the Commission's public register of competent authorities (maintained under Article 25(2)) to identify the specific national body responsible for that provider. Enforcement actions will originate from this national authority, not the Commission.
  • Expect National Enforcement: If a provider fails to meet its obligations, the investigation, fines, and remedial orders will come from the national competent authority in the provider's home Member State. The Commission will not issue a fine directly.
  • Rely on the Central Repository: The Commission maintains a central repository of recognized services (Article 22). This is the definitive source for checking a provider's recognized Union assurance level. Procurement decisions should be based on the status listed here, which is updated based on national authority recognitions and any revocations.
  • Monitor for Commission Guidance: While the Commission does not enforce directly, it provides guidance and methodologies for risk assessments (Article 29). Stay informed of Commission implementing acts that specify how risk assessments should be conducted, as these will influence your procurement requirements and the criteria national authorities will use.
  • Leverage Cross-Border Mechanisms: If you are a public body in one Member State using a provider established in another, and you suspect non-compliance, you can trigger a request for assessment through your national authority, which can then engage the authority of establishment under Article 28.

Common misconceptions

"The Commission fines non-compliant providers."

  • Reality: The Commission does not impose fines. Penalties are laid down by Member States and imposed by national competent authorities under Article 24. The Commission's role is limited to monitoring and coordinating.

"The Commission directly investigates cloud providers."

  • Reality: The Commission has no direct investigative powers over providers. It cannot inspect premises or seize data. It can only request the competent authority of establishment to assess a matter and take measures under Article 28(2). The actual investigation is conducted by the national authority.

"Any Member State can enforce against a provider."

  • Reality: Enforcement competence is exclusive to the Member State where the cloud computing service provider has its main establishment (Article 25(4)). Other Member States can request assistance or trigger investigations, but they cannot directly enforce penalties against a provider established elsewhere.

"The Commission's role is passive."

  • Reality: The Commission plays an active coordinating role. It maintains the register of authorities, facilitates mutual assistance, can request assessments to trigger national investigations, and ensures consistency across the Union. Its role is crucial for the uniform application of the sovereignty framework, even if it does not hold the "gavel" for penalties.

This is general information about a draft EU regulation, not legal advice.