When must Member States designate a CADA competent authority?

Summary Under the proposed Cloud and AI Development Act (CADA), Member States must designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the Regulation's entry into force. As set out in Article 25(1), this designation is mandatory to ensure the framework is operational before the substantive rules apply. Member States must notify the European Commission of the names, tasks, and powers of these authorities, after which the Commission will maintain a public register of them. This designation is the foundational step for the cross-border recognition of Union assurance levels.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonised Union cloud computing sovereignty framework. This framework relies on a decentralised enforcement model where national bodies verify compliance with the assurance levels defined in Annex II. Article 25 of the proposal establishes the legal architecture for these bodies, defining their designation timeline, composition, notification duties, and the principle of exclusive competence.

The Designation Deadline: One Year from Entry into Force

The timing of the designation is critical for the regulatory timeline. Article 25(1) explicitly states:

"By [P.O. insert date of entry into force plus 1 year], Member States shall designate one or more national competent authorities responsible for enforcing this Chapter."

To understand this deadline, one must distinguish between the entry into force and the date of application of the Regulation. Article 48 clarifies that the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union" and "shall apply from [same day and month as date of entry into force plus 1 year]."

Consequently, the clock for designating authorities starts on the 20th day after publication. Member States have exactly one year from that date to formally appoint their authorities. This deadline is strategically set to occur before the Regulation becomes applicable to cloud providers and public bodies. This ensures that the supervisory infrastructure is in place and ready to receive applications for recognition (under Article 17) the moment the sovereignty framework becomes legally binding.

Flexibility in Structure: One or More Authorities

The proposal does not mandate a single, monolithic authority for each Member State. Article 25(1) permits Member States to designate "one or more national competent authorities." Furthermore, the text clarifies that Member States "may designate an existing authority or existing authorities."

This flexibility allows Member States to leverage existing institutional frameworks, such as national cybersecurity agencies, data protection authorities, or digital ministries, rather than creating entirely new bureaucratic entities. However, the designation is not merely a formality; the chosen body (or bodies) must be explicitly empowered with the specific tasks and powers required by Title IV of the Regulation.

Notification Duty and the Public Register

Once designated, the authorities cannot operate in the dark. Article 25(2) imposes a strict notification obligation:

"Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers."

Following this notification, the Commission is mandated to "maintain a public register of those authorities." This register serves as the central transparency mechanism for the entire Union. It ensures that:

1. Cloud providers know exactly which authority to contact for their application for recognition.
2. Other Member States can identify the "evaluating national competent authority" for the purpose of mutual assistance and cross-border cooperation under Articles 27 and 28.
3. The public can verify the legitimacy and scope of the supervisory bodies.

The register is a prerequisite for the functioning of the central repository of recognised services under Article 22, as the national authority of establishment is the entity responsible for registering services in that repository.

Resource and Operational Requirements

Designation alone is insufficient; the authorities must be capable of performing complex technical assessments. Article 25(3) imposes a dual obligation on Member States:

1. Performance Standard: Authorities must perform their tasks in an "impartial, transparent and timely manner."
2. Resource Guarantee: Member States must ensure authorities have "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence."

This requirement is particularly significant given the technical nature of the sovereignty criteria in Annex II. Authorities must be equipped to audit software supply chains, verify data localisation, assess third-country control structures, and evaluate cybersecurity certifications. The "sufficient technical... resources" clause implies that Member States cannot designate an underfunded body that lacks the expertise to verify Annex II criteria, such as the "substantial" cybersecurity certification required for Levels 2 and 3, or the "high" certification for Level 4.

Exclusive Competence: The "Main Establishment" Rule

To prevent regulatory fragmentation and ensure legal certainty for cross-border providers, Article 25(4) establishes a clear rule of exclusive competence:

"The Member State in which the cloud computing service provider has its main establishment... shall have exclusive competence for enforcing this Chapter."

The proposal defines "main establishment" as the location where the provider has its "head office or registered office from which the principal financial functions and operational control are exercised."

This "single point of entry" model means that a provider operating in 20 Member States only needs to be supervised by the authority in the Member State of its main establishment for the purposes of the sovereignty framework. That authority is responsible for the initial recognition and ongoing supervision. Other Member States retain the right to raise objections during the recognition process (under Article 17) or request mutual assistance if they suspect non-compliance (under Article 28), but they cannot independently enforce the Chapter against a provider whose main establishment is elsewhere.

What this means for you

For legal counsel, compliance officers, and cloud service providers, the designation of competent authorities is a pivotal event that triggers the operational phase of CADA.

1. Track the Timeline: Monitor the Official Journal for the publication of the Regulation. Calculate the 20-day entry into force period, then add one year. This is the deadline by which your Member State must have designated its authority.
2. Identify Your Regulator: Once the Commission publishes the public register, verify which authority holds competence for your main establishment. Do not assume it is your national data protection authority; it may be a cybersecurity agency or a newly designated digital regulator.
3. Prepare for the "One-Stop-Shop": If your main establishment is in a Member State that has designated multiple authorities, ensure you engage with the specific one holding exclusive competence for your establishment. You generally do not need to apply for recognition in every Member State where you operate; the recognition granted by the authority of your main establishment is valid Union-wide.
4. Assess Resource Readiness: If your national authority appears under-resourced or lacks technical expertise in cloud sovereignty, this may delay the recognition process. While the obligation to designate lies with the State, providers should be prepared to provide robust evidence to support the authority's assessment.
5. Plan for Cross-Border Objections: Even with exclusive competence, be aware that authorities in other Member States can raise reasoned objections during the 60-day review period of your application (Article 17(6)). Your compliance strategy should account for potential cross-border scrutiny.

Common misconceptions

"Any existing regulator automatically becomes the CADA authority." No. While Member States may designate existing authorities, they must formally designate them and notify the Commission of their specific tasks and powers under Article 25(2). An existing data protection authority does not automatically have the mandate to enforce cloud sovereignty unless explicitly designated and resourced for this specific Chapter.

"If a Member State designates multiple authorities, I must apply to all of them." Incorrect. Article 25(4) grants exclusive competence to the authority in the Member State of the provider's "main establishment." Even if a country has multiple designated bodies, the provider deals only with the one responsible for its main establishment for the purpose of recognition and enforcement.

"The deadline is one year after the law is published." The deadline is one year after the Regulation enters into force, which occurs 20 days after publication. The distinction is minor but legally precise. The designation must be complete before the Regulation becomes applicable (which is also one year after entry into force), ensuring authorities are ready on day one of application.

"The Commission designates the authorities." The Commission does not designate the authorities; Member States do. The Commission's role is limited to receiving the notification and maintaining the public register under Article 25(2).

Related

• How do I find the CADA competent authority for my Member State?
• Can a Member State designate more than one CADA authority?
• CADA Cross-Border Requests: What the Establishment Authority Must Report
• What is the competent authority of establishment under CADA?
• What is the competent authority of destination under CADA?

This is general information about a draft EU regulation, not legal advice.