Summary
Under the proposed Cloud and AI Development Act (CADA), startup cloud providers seeking recognition for Union assurance levels face enforcement measures explicitly designed to be proportionate. While the regulation grants national competent authorities the power to impose fines and order the cessation of infringements, Article 24(2)(f) mandates that penalties consider the provider's annual turnover, and Article 26(3) requires authorities to account for the provider's "economic, technical and operational capacity." This ensures that smaller providers are not disproportionately crushed by penalties, though they remain fully liable for compliance and must expect corrective orders if they fail to meet sovereignty criteria.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a rigorous sovereignty framework for cloud computing services in the EU. To serve public sector bodies, providers must be audited and recognized at specific "Union assurance levels" (1 through 4). For a startup cloud provider, navigating this enforcement landscape is critical. The regulation does not apply a rigid, one-size-fits-all penalty structure; instead, it embeds principles of proportionality directly into the enforcement powers of national authorities, acknowledging that a penalty that would be existential for a startup might be negligible for a hyperscaler.
The Enforcement Authority and Jurisdiction
As proposed, the primary enforcer of the sovereignty framework is the national competent authority in the Member State where the cloud computing service provider has its main establishment. Article 25(4) establishes that this Member State has "exclusive competence for enforcing this Chapter." This centralizes enforcement responsibility, ensuring that a startup is not subjected to fragmented or conflicting enforcement actions across different EU jurisdictions. The authority in the country of establishment is responsible for recognizing providers, supervising compliance, and imposing penalties.
Investigative and Enforcement Powers
Under Article 26, national competent authorities are granted significant powers to ensure compliance with the sovereignty framework. If an authority suspects an infringement of the sovereignty criteria, it possesses the following investigative and enforcement tools:
- Information Requests: The authority can require the provider, and any person acting for them, to provide information relating to a suspected infringement (Article 26(1)(a)).
- Inspections: Authorities can carry out, or request a judicial authority to order, inspections of any premises used for the provider's trade or business to examine or seize information (Article 26(1)(b)).
- Cessation Orders: Authorities have the power to order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end (Article 26(2)(a)).
- Fines and Penalty Payments: Authorities can impose fines for failure to comply with the Regulation or investigative orders, as well as periodic penalty payments to ensure compliance with orders (Article 26(2)(b) and (c)).
Proportionality: The Startup Safeguard
Crucially for startups, Article 26(3) explicitly states that measures taken by national competent authorities must be "effective, dissuasive and proportionate." The article mandates that authorities consider specific factors when determining the appropriate measure, including:
- The nature, gravity, recurrence, and duration of the infringement.
- Any action taken by the infringing party to mitigate or remedy the damage.
- Any previous infringements.
- The financial benefits gained or losses avoided.
- The economic, technical and operational capacity of the service provider concerned.
This "capacity factor" is the primary safeguard for smaller entities. A fine that might be a minor operational cost for a global hyperscaler could be existential for a startup. The regulation acknowledges this disparity, requiring authorities to calibrate their response to the provider's actual ability to pay and operate. This ensures that enforcement does not inadvertently stifle innovation or market entry by smaller players who are genuinely attempting to comply.
Penalty Calculation Criteria
Article 24 further details how penalties for infringements of the sovereignty chapter (Title IV, Chapter I) should be structured. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive" (Article 24(1)). When imposing these penalties, authorities must take into account a non-exhaustive list of criteria in Article 24(2).
Most notably for startups, Article 24(2)(f) requires authorities to consider the "infringing party's annual turnover in the preceding financial year in the Union." This turnover criterion ensures that financial penalties are scaled relative to the provider's size. A startup with limited revenue will not face the same absolute financial burden as a multinational corporation for similar infractions, provided the nature and gravity of the infringement are comparable. This prevents a scenario where a fixed fine could bankrupt a small provider while leaving a large one unscathed.
Consequences Beyond Fines
For a startup, the operational consequences of non-compliance may be more severe than the financial penalty itself.
- Revocation of Recognition: If a provider intentionally or negligently supplies incorrect or misleading information, the competent authority may revoke its recognition (Article 17(11)). Similarly, an auditing organisation may revoke its audit report and opinion (Article 20(7)). Losing recognition effectively bars the provider from serving public sector contracts that require a specific Union assurance level, potentially destroying its business model if it relies on public procurement.
- Compensation Liability: Under Article 24(3), recipients of the cloud services (e.g., public sector bodies) have the right to seek compensation from cloud computing service providers for any damage or loss suffered due to an infringement. This creates a direct civil liability risk alongside administrative penalties.
What this means for you
For a startup cloud provider aiming to serve the EU public sector, the penalty regime under CADA is both a warning and a safeguard.
- Compliance is Non-Negotiable, but Fair: You cannot ignore the sovereignty criteria. If you claim to offer Union assurance level 2, 3, or 4, you must undergo independent audits (Article 20) and submit to recognition procedures (Article 17). However, if you are a smaller player, you can expect enforcement actions to be scaled to your size. Authorities must look at your turnover and capacity before imposing a massive fine.
- Document Everything: Because penalties depend on the "nature and gravity" of the infringement, having robust documentation of your compliance efforts is your best defense. If an audit fails, showing that you acted in good faith and had technical measures in place can mitigate the severity of the penalty.
- Monitor Your Turnover Reporting: Since your annual turnover in the Union is a statutory criterion for penalty calculation (Article 24(2)(f)), ensure your financial reporting is accurate. This figure will be a key data point in any enforcement discussion.
- Prepare for Cessation Orders: Fines are not the only tool. Authorities can order you to stop offering a service if it doesn't meet the assurance level you claimed. For a startup, losing a key public sector contract due to a revocation of recognition could be more damaging than a fine. Ensure your technical infrastructure and subcontractor chains strictly adhere to the localization and control requirements of your claimed assurance level.
- Engage Early: If you are unsure about your compliance status, engage with the national competent authority early. The regulation encourages cooperation, and demonstrating a willingness to remedy issues can be a mitigating factor under Article 24(2)(b) (action taken to mitigate damage).
Common misconceptions
"Startups are exempt from CADA penalties." This is false. CADA applies to all cloud computing service providers seeking recognition under the sovereignty framework, regardless of size. The regulation does not exempt startups from audits, reporting, or compliance. It only ensures that penalties are proportionate to their size.
"Penalties are fixed amounts." Incorrect. Article 24 does not set fixed euro amounts for sovereignty infringements (unlike the AI Act's specific caps). Instead, it provides a framework of criteria (including turnover and capacity) for Member States to apply. The actual fine will vary based on the specific circumstances of the infringement and the provider's financial situation.
"Only fines matter." While fines are visible, the loss of recognition is often more critical. If your audit report is revoked or your recognition withdrawn, you can no longer legally market your service as meeting a specific Union assurance level. This can lead to contract breaches and loss of revenue, which may outweigh the financial penalty itself.
"Proportionality means lower standards." No. The technical and legal criteria for Union assurance levels (set out in Annex II of the proposal) are the same for all providers. Proportionality applies only to the enforcement response (penalties and remedies), not to the compliance requirements themselves. A startup must meet the same strict sovereignty standards as a larger provider to gain recognition.
This is general information about a draft EU regulation, not legal advice.