Summary

Under the proposed Cloud and AI Development Act (CADA), an investigation into a cloud computing service provider is not initiated randomly but is triggered by specific procedural mechanisms centered on the national competent authority of establishment. As proposed, this authority, located in the Member State where the provider has its main establishment, holds exclusive competence to enforce the sovereignty framework. Investigations are primarily triggered when: (1) the authority exercises its own powers under Article 26(1) upon identifying a suspected infringement; (2) a competent authority of destination (in another Member State) submits a duly reasoned request under Article 28(1) because it suspects the provider no longer meets Union assurance criteria; or (3) the European Commission directly requests an assessment under Article 28(2). These triggers ensure that while enforcement is centralized in the provider's home state, cross-border risks are effectively managed through mandatory cooperation.

Detail

The enforcement architecture of the proposed CADA is designed to prevent regulatory fragmentation while ensuring that cloud providers serving the entire Union are subject to consistent oversight. Unlike regulations that may allow multiple national authorities to act simultaneously, CADA establishes a "one-stop-shop" model for enforcement. The national competent authority of establishment is the sole entity empowered to carry out investigations, impose penalties, and revoke recognition for a specific provider. This authority is defined by the location of the provider's main establishment: the head office or registered office from which the principal financial functions and operational control are exercised (Article 25(4)).

However, the initiation of an investigation can originate from various sources, creating a network of triggers that ensure no suspected violation goes unaddressed, regardless of where the service is consumed.

1. The Foundation: Investigative Powers and Suspected Infringements (Article 26)

The primary engine of CADA enforcement is the power granted to the competent authority of establishment under Article 26. This article outlines the specific investigative tools available when a suspected infringement arises.

A "suspected infringement" is not limited to confirmed violations; it encompasses any situation where the authority has reason to believe a provider may be breaching the Regulation's obligations. These obligations primarily relate to the Union cloud computing sovereignty framework (Title IV), including adherence to the criteria for Union assurance levels (Annex II), transparency obligations (Article 23), and the accuracy of recognition applications.

Under Article 26(1), the competent authority of establishment may trigger an investigation by:

  • Requiring Information: The authority can demand that the provider, or any person acting for them (including auditing organisations), provide information "as soon as possible" if they are "reasonably expected to be aware of information relating to a suspected infringement."
  • Conducting Inspections: The authority has the power to carry out, or request a judicial authority to order, inspections of any premises used by the provider. This includes the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium."
  • Requesting Explanations: The authority may ask staff or representatives to give explanations regarding the suspected infringement and, with consent, record their answers.

These powers are activated when the authority identifies a potential breach. For instance, if a provider recognised at Union assurance level 3 is found to be using subcontractors outside the Union without the required safeguards, or if data is being transferred outside the EU contrary to Annex II criteria, the authority of establishment may immediately invoke Article 26 to investigate.

2. Cross-Border Triggers: Destination Authority Suspicion (Article 28)

Because cloud services are inherently cross-border, a provider established in one Member State may be used by public bodies in many others. To address this, Article 28 establishes a robust mechanism for cross-border cooperation. This is a critical trigger for investigations that originate outside the provider's home jurisdiction.

Article 28(1) specifically addresses the scenario where a competent authority of destination (the authority in a Member State where the cloud service is being used) has reason to suspect that a provider no longer fulfils the requirements under Annex II (the criteria for Union assurance levels).

The process is as follows:

  1. Suspicion Arises: The destination authority identifies a potential issue, such as a change in the provider's ownership structure that introduces third-country control, or evidence that data is being processed outside the Union.
  2. Duly Reasoned Request: The destination authority must submit a "duly reasoned" request to the competent authority of establishment.
  3. Mandatory Assessment: Upon receiving this request, the authority of establishment is legally obligated to "assess the matter and to take the necessary investigatory and enforcement measures to ensure compliance."

This mechanism ensures that a provider cannot evade scrutiny by being established in a Member State with lax oversight while operating in others. The destination authority acts as the "eyes and ears" on the ground, but the investigation itself is conducted by the authority of establishment. If the authority of establishment considers the information insufficient, it may request additional details, but the suspension of the assessment period is limited, ensuring timely action.

3. The Commission's Direct Intervention (Article 28)

The proposed Regulation also empowers the European Commission to act as a central overseer and a backstop for enforcement. Article 28(2) provides a direct trigger for investigation that bypasses the standard destination-authority route.

The Commission may request the competent authority of establishment to "assess the matter and take the necessary investigatory and enforcement measures to ensure compliance." This power is particularly relevant in cases of:

  • Systemic Risk: Where a potential infringement could affect the entire Union's cloud sovereignty framework.
  • Cross-Border Complexity: Where multiple Member States are involved, and a coordinated approach is needed.
  • Inaction: If the Commission suspects that a national authority is failing to act on a known infringement.

The request from the Commission must be "duly reasoned." Once received, the competent authority of establishment must communicate its assessment and the measures taken (or envisaged) to both the requesting Commission and the authority that may have initiated the original suspicion. This ensures that the Commission maintains a high-level view of enforcement consistency across the single market.

4. The Role of Mutual Assistance (Article 27)

While Article 27 focuses on mutual assistance rather than direct investigation triggers, it plays a supportive role. A competent authority may request other authorities to provide specific information in their possession to exercise their investigative powers under Article 26. The receipt of such information can itself reveal a "suspected infringement," thereby activating the full investigative powers of Article 26. For example, if Authority A requests data from Authority B regarding a provider's local operations, and that data reveals a breach of data localisation rules, Authority A (if it is the authority of establishment) can immediately launch an investigation.

What this means for you

For cloud service providers seeking recognition under the proposed CADA, understanding these triggers is vital for risk management and compliance strategy.

  • Identify Your Single Point of Contact: You must clearly identify your competent authority of establishment. This is the only authority that can legally investigate you, inspect your premises, or revoke your recognition. Ensure your compliance team maintains a proactive, transparent relationship with this specific authority.
  • Prepare for Cross-Border Scrutiny: Even if you are established in a single Member State, your operations are visible to authorities across the EU. A suspicion raised by a destination authority (e.g., in France or Italy) will trigger a mandatory investigation by your home authority. Ensure your operations are consistent with Annex II criteria in all Member States where you serve public bodies.
  • Document Everything for Article 26: Under Article 26(1), authorities can demand information "as soon as possible." You must maintain robust, real-time record-keeping systems that allow you to instantly produce evidence of compliance regarding data localisation, personnel citizenship, and third-country control. Delays in providing information can be seen as non-cooperation.
  • Monitor for "Reason to Suspect": Investigations do not require a formal audit failure. Any credible information, whether from a whistleblower, a competitor, or a destination authority's monitoring, can constitute a "reason to suspect" and trigger Article 26 powers.
  • Respect the Commission's Role: Be aware that the Commission can intervene directly under Article 28(2). If the Commission identifies a systemic issue, your home authority will be compelled to act immediately, regardless of whether a specific destination authority has raised a complaint.

Common misconceptions

"Any Member State can investigate me directly." This is incorrect. Under the proposed CADA, only the competent authority of establishment has the exclusive competence to enforce the sovereignty framework (Article 25(4)). Authorities in other Member States (destination authorities) cannot directly inspect your premises, seize data, or impose fines. They can only trigger an investigation by submitting a "duly reasoned" request to your home authority under Article 28(1).

"An investigation only happens after a formal audit failure." While a negative audit opinion is a strong indicator, investigations can be triggered by any "reason to suspect" non-compliance under Article 26(1). This includes information received through mutual assistance (Article 27), whistleblower reports, or market intelligence. You do not need to have failed an audit to be investigated; a credible suspicion is sufficient to activate the authority's powers.

"The Commission conducts on-the-ground inspections." The Commission does not typically conduct physical inspections of providers itself. Instead, under Article 28(2), it requests the national competent authority of establishment to assess the matter and take the necessary measures. The Commission acts as a coordinator and overseer, ensuring that national authorities fulfil their duties, rather than replacing them as the primary investigator.

"If I am compliant in my home state, I am safe everywhere." Compliance must be verified against the criteria in Annex II for the specific assurance level you claim. If a destination authority suspects you are no longer meeting these criteria (e.g., due to a change in subcontracting or data flows), they can trigger an investigation under Article 28(1). Your home authority is then obligated to investigate, regardless of your previous compliance status.

This is general information about a draft EU regulation, not legal advice.