Summary
Under the proposed Cloud and AI Development Act (CADA), national competent authorities would possess significant investigative and enforcement powers, but these are strictly bounded by robust procedural safeguards. Article 26(4) of the proposal mandates that any exercise of these powers must comply with "adequate safeguards under applicable national law in compliance with the general principles of Union law." Specifically, these safeguards include the right to respect for private life, the rights of defence (including the right to be heard and the right to have access to the file), and the right of all affected parties to an effective judicial remedy. These protections ensure that investigations into cloud computing service providers remain proportionate, transparent, and legally contestable, preventing arbitrary enforcement while maintaining the integrity of the Union's sovereignty framework.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive framework to strengthen the EU's cloud and AI ecosystem, with a specific focus on sovereignty and strategic autonomy. A critical pillar of this framework is the empowerment of national competent authorities to supervise compliance with the Union assurance levels and enforce the Regulation's obligations. However, the proposal explicitly recognises that such intrusive powers, ranging from on-site inspections to the imposition of fines, require rigorous legal safeguards to protect the fundamental rights of the entities under investigation.
The Scope of Authority: Investigative and Enforcement Powers
To fully appreciate the necessity of the safeguards, one must first understand the breadth of the powers they constrain. Article 26 of the CADA proposal grants national competent authorities of establishment two distinct categories of powers: investigative and enforcement.
Under Article 26(1), competent authorities would be empowered to:
- Require information: Demand that cloud computing service providers, auditing organisations, or any other persons acting for purposes related to their trade, business, craft, or profession provide information as soon as possible regarding a suspected infringement.
- Conduct inspections: Carry out, or request a judicial authority to order, inspections of any premises used for trade, business, craft, or profession. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
- Request explanations: Ask any member of staff or representative of the provider to give explanations regarding information relating to a suspected infringement and, with their consent, to record their answers by any technical means.
Under Article 26(2), authorities would possess enforcement powers to:
- Order cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
- Impose fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including with any investigative orders issued pursuant to Article 26(1).
- Impose periodic penalty payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order, or for failure to comply with investigative orders.
These powers are substantial, granting authorities the ability to access sensitive business data, physical premises, and operational records. Consequently, the proposal embeds specific procedural guarantees to prevent abuse, ensure fairness, and uphold the rule of law.
The Core Safeguards: Article 26(4)
The cornerstone of protection for cloud computing service providers lies in Article 26(4). This paragraph explicitly states that measures taken by national competent authorities in exercising their powers must be "effective, dissuasive and proportionate." More critically, it establishes a non-negotiable legal floor for procedural rights that Member States must respect.
Article 26(4) mandates that the exercise of these powers is subject to adequate safeguards under applicable national law in compliance with the general principles of Union law. It then enumerates specific fundamental rights that must be respected during any investigation or enforcement action:
- Right to respect for private life: Investigations must not disproportionately intrude into the private lives of individuals or the confidential business secrets of the provider beyond what is strictly necessary for the investigation. This ensures that the pursuit of regulatory compliance does not violate fundamental privacy rights.
- Rights of defence: This is a fundamental principle of EU administrative law, ensuring that the provider has a fair opportunity to defend itself against allegations. It serves as the overarching principle that governs the entire investigative process.
- Right to be heard: Before a final decision imposing penalties, restrictive measures, or other adverse outcomes is made, the provider must be given the opportunity to present its views, evidence, and arguments. This prevents decisions from being made based solely on the authority's initial findings or unilateral assessment.
- Access to the file: The provider must have access to the evidence held by the competent authority that forms the basis of the investigation. This allows the provider to verify the accuracy of the evidence, challenge its relevance, and prepare an effective defence. Without access to the file, the right to be heard would be rendered hollow, as the provider could not meaningfully respond to the specific allegations.
- Right to an effective judicial remedy: If a provider disagrees with the measures taken by the competent authority, it must have the right to challenge those measures before a court or tribunal. This ensures that the authority's power is not absolute and is subject to independent judicial review, providing a final check on administrative overreach.
Proportionality and the Assessment of Measures
Beyond the specific procedural rights, Article 26(3) adds another layer of protection by requiring that all measures taken by competent authorities be "effective, dissuasive and proportionate." When determining the scope of an investigation or the severity of a penalty, authorities are required to consider specific criteria, including:
- The nature, gravity, recurrence, and duration of the infringement or suspected infringement.
- The economic, technical, and operational capacity of the service provider concerned.
This proportionality requirement ensures that the regulatory burden is tailored to the specific circumstances of the case. For instance, a small or medium-sized enterprise (SME) or a smaller cloud provider would not be subjected to the same scale of investigative intrusion or financial penalty as a hyperscaler for a minor technical breach, provided the breach is comparable in nature. The safeguards ensure that the regulatory framework does not crush smaller players while still holding large providers accountable for serious infringements.
Interaction with National Law and Competence
While CADA sets the EU-wide standard for these safeguards, Article 26(4) explicitly references "applicable national law." This means that Member States must transpose these safeguards into their domestic legal systems. If a Member State's existing administrative law already provides stronger protections than the minimums set out in CADA, those stronger protections would remain applicable. However, no Member State can provide less protection than the rights listed in Article 26(4).
For in-house counsel, this creates a dual-compliance landscape: understanding both the specific procedural requirements of the CADA and the national administrative procedures of the Member State where the cloud computing service provider has its main establishment. As defined in Article 25(4), the Member State in which the provider has its main establishment (where the principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter. Therefore, the specific national laws implementing Article 26(4) will be those of the Member State of the main establishment.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the safeguards in Article 26 are not just abstract legal principles; they are actionable tools for managing regulatory risk and ensuring fair treatment during investigations.
1. Prepare for Inspections and Information Requests: Develop clear internal protocols for responding to requests for information or premises inspections under Article 26(1). Ensure that your legal team is immediately notified when an authority exercises its power to require information or conduct an inspection. Verify that the authority follows the procedural steps required by national law and CADA, such as providing a clear legal basis for the request and respecting the scope of the inspection.
2. Actively Exercise the Right to Be Heard: If your company is under investigation, do not treat the "right to be heard" as a mere formality. Actively exercise this right by submitting detailed written comments, evidence, and mitigating factors. Document all interactions with the competent authority. The right to be heard is your primary opportunity to influence the outcome before a penalty is imposed, and authorities are legally bound to consider your submissions.
3. Leverage Access to the File: Request access to the file early in the process. Review the evidence thoroughly to identify any inaccuracies, irrelevant data, or procedural flaws. If the authority relies on technical audits or third-party reports, ensure you have the chance to challenge their methodology or findings. Access to the file is essential for preparing a robust defence.
4. Assess Proportionality in Penalties: If facing penalties, argue proportionality based on the criteria in Article 26(3). Demonstrate your company's cooperation, any steps taken to mitigate the infringement, and your economic capacity. This is particularly relevant for SMEs, which may face disproportionate harm from large fines if the authority fails to consider their specific operational context.
5. Know Your Judicial Remedies: Understand the timeline and procedure for appealing decisions in your jurisdiction. The right to an effective judicial remedy is crucial if you believe the competent authority has overstepped its powers, misapplied the law, or violated your rights of defence. Consult with local counsel to ensure you meet all deadlines for appeals and that the challenge is brought before the appropriate court.
Common misconceptions
Misconception 1: CADA gives authorities unlimited access to data. While Article 26(1) allows authorities to examine and seize information, this power is not unlimited. It is constrained by the right to respect for private life, the protection of trade secrets, and the principle of proportionality. Authorities must only request data that is strictly necessary for the investigation and cannot conduct "fishing expeditions."
Misconception 2: The right to be heard is merely a formality. The right to be heard is a substantive right. Authorities must genuinely consider the provider's arguments before making a final decision. Ignoring or inadequately addressing a provider's submissions can be grounds for challenging the decision in court, as it would constitute a violation of the rights of defence.
Misconception 3: Safeguards only apply to penalties. The safeguards in Article 26(4) apply to all measures taken by competent authorities, including investigative orders, inspections, and interim remedies, not just final penalties. This means you have procedural rights from the very beginning of an investigation, ensuring that the process itself is fair.
Misconception 4: National law is irrelevant if CADA exists. CADA sets minimum standards, but national law plays a crucial role in implementing these safeguards. The specific procedures for accessing the file, requesting hearings, and appealing decisions are governed by national administrative law. Compliance requires navigating both the EU framework and the domestic legal system of the Member State of establishment.
This is general information about a draft EU regulation, not legal advice.