Summary
Under the proposed Cloud and AI Development Act (CADA), financial penalties and compensation rights are strictly confined to infringements of the Union cloud computing sovereignty framework (Title IV, Chapter I). Article 24(1) mandates that Member States impose "effective, proportionate and dissuasive" penalties on cloud computing service providers for breaching the assurance-level criteria, audit obligations, and transparency duties within this specific chapter. Crucially, the penalty regime does not automatically apply to other parts of the proposal, such as data centre deployment rules (Title III) or the Cloud and AI Leadership Initiatives (Title II), which rely on different administrative or permitting mechanisms. Key penalisable conduct includes failing to meet Union assurance level criteria (Annex II), submitting incorrect evidence during recognition, obstructing audits, and breaching the mandatory notification duties under Article 23 regarding material changes.
Detail
The proposed CADA establishes a dual-track regulatory structure: one focused on boosting capacity and innovation (Titles II and III) and another focused on sovereignty and autonomy (Title IV). The enforcement regime with specific financial penalties is exclusively tied to the latter. Article 24(1) explicitly states that "Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence." The phrase "this Chapter" refers to Chapter I of Title IV, which establishes the Union cloud computing sovereignty framework.
This distinction is vital for legal compliance. While the proposal encourages data centre acceleration and national strategies, the specific sanctions regime in Article 24 targets providers who fail to adhere to the sovereignty criteria required to serve public sector bodies and Union entities. The scope of penalisable conduct is broad within this chapter, covering the entire lifecycle of a provider's recognition and ongoing compliance.
1. Breach of Union Assurance Level Criteria
The core of the sovereignty framework is the four-tiered assurance system (Levels 1–4) detailed in Annex II. Article 24(1) captures any failure to meet these cumulative criteria.
- Level 1 (Baseline): Providers must be established in the Union, ensure infrastructure and data remain in the Union (unless explicitly required otherwise by the public sector), and demonstrate state-of-the-art cybersecurity. A breach occurs if a provider claims Level 1 status but allows data to be transferred outside the Union without the public sector body's explicit consent, or if they fail to implement necessary measures for subcontractors outside the Union.
- Levels 2, 3, and 4 (Enhanced): These levels impose stricter requirements, including independent third-party audits, specific personnel citizenship conditions (conditional for Level 2, mandatory for Levels 3 and 4), and prohibitions on third-country control.
- Data Localisation: Under Annex II, customer data must remain exclusively within the Union. A provider allowing data to be processed or stored outside the Union without authorisation commits an infringement.
- Third-Country Control: For Levels 3 and 4, providers generally cannot be subject to third-country control. If a provider is controlled by a third country and fails to demonstrate the necessary safeguards (or if the Commission has not adopted an implementing act under Article 18 allowing such control for Level 3), this constitutes a breach.
- Cybersecurity Certification: Providers must obtain a European cybersecurity certificate of at least "substantial" assurance (Levels 2 and 3) or "high" assurance (Level 4). Failure to maintain this certification or to demonstrate compliance with the highest cybersecurity standards where no scheme exists is an infringement.
2. Violation of Transparency and Notification Duties (Article 23)
Article 23 imposes a continuous obligation on recognised providers to maintain the accuracy of their status. Article 23(1) requires providers to notify the auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion... or the recognition."
- Material Changes: This includes changes in infrastructure location, subcontractor arrangements, ownership structure, or data flows that could compromise the assurance level.
- Consequence of Silence: Failure to report these changes is a direct infringement of Article 23, triggering the penalty regime under Article 24. The law does not wait for a formal audit to catch these changes; the onus is on the provider to self-report immediately.
3. Audit Cooperation and Evidence Integrity
For assurance levels 2, 3, and 4, providers must undergo independent third-party audits under Article 20. The integrity of this process is protected by Article 24.
- Obstruction: Article 20(2) mandates that providers "cooperate with auditing organisations and provide them assistance necessary... including by giving them access to all relevant data and premises." Refusing access, hampering the audit, or providing misleading information constitutes an infringement.
- Incorrect Evidence: Submitting false or misleading audit evidence to the auditing organisation or the competent authority is a specific ground for penalty. Article 24(2)(d) explicitly lists "the financial benefits gained or losses avoided by the infringing party due to the infringement" as a criterion for setting penalties, acknowledging that providers might gain an unfair market advantage by hiding non-compliance.
4. Recognition Process Integrity
The application for recognition under Article 17 is a critical control point. Article 17(11) empowers competent authorities to revoke recognition if a provider "intentionally or negligently, supplied incorrect or misleading information."
- Link to Penalties: While revocation is an administrative measure, the act of supplying incorrect information is an infringement of the chapter's requirements. Article 24(2)(c) requires Member States to consider "any previous infringements" when imposing penalties, suggesting a pattern of dishonesty in the recognition process would aggravate sanctions.
- SME Specifics: Even for SMEs benefiting from the automatic recognition of Level 1 statements of conformity under Article 17(3), the substantive requirements of Annex II and the transparency duties of Article 23 remain fully applicable. An SME that submits a false self-assessment is subject to the same penalty regime as a large provider.
5. Criteria for Imposing Penalties
Article 24(2) provides a non-exhaustive list of factors Member States must consider when determining the severity of penalties. These include:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken to mitigate or remedy the damage.
- Previous infringements by the party.
- Financial benefits gained or losses avoided.
- The infringing party's annual turnover in the preceding financial year in the Union.
- Any other aggravating or mitigating factors.
This structure ensures that penalties are not merely symbolic but are calibrated to the economic impact of the infringement and the size of the provider, fulfilling the requirement in Article 24(1) that penalties be "effective, proportionate and dissuasive."
What this means for you
For legal counsel, compliance officers, and cloud service providers, the CADA proposal signals a shift from voluntary certification to a legally enforceable sovereignty regime with direct financial consequences.
1. Implement Real-Time Change Monitoring
The obligation under Article 23 is immediate. You cannot wait for an annual audit to report a change. Your internal governance must include automated or manual triggers that detect:
- Infrastructure Shifts: Any movement of servers, backups, or disaster recovery sites outside the Union.
- Subcontractor Changes: New or altered relationships with third-party providers, especially those outside the Union.
- Ownership/Control Changes: Shifts in shareholder structure or board composition that might introduce third-country control.
- Data Flow Alterations: Any new data transfer mechanisms or changes in where customer data is processed.
- Action: Establish a protocol where the legal/compliance team is notified immediately upon such events to trigger the Article 23 notification to the auditor and competent authority.
2. Audit Readiness is Continuous, Not Periodic
For providers targeting Levels 2–4, the audit is not a one-off event. Article 20(8) requires an annual review. Your documentation (Software Bill of Materials, data flow diagrams, subcontractor contracts, personnel records) must be kept in a state of "audit readiness" at all times.
- Action: Conduct internal mock audits quarterly. Ensure that your SBOM is up-to-date and that your migration plans for third-country software components are documented and tested.
- Cooperation: Train your technical teams on the obligation to provide full access to auditors. Refusal to grant access to premises or data logs is a direct infringement.
3. Scrutinize Subcontractor Contracts
Your assurance level is only as strong as your weakest subcontractor. Under Annex II, you are responsible for the actions of your subcontractors.
- Action: Review all contracts with third-party providers. Ensure they contain explicit clauses prohibiting data transfers outside the Union (unless authorized), restricting third-country access, and mandating immediate notification of any breach. Include audit rights for your own auditors to inspect your subcontractors.
4. Manage Recognition Claims Carefully
Misrepresenting your assurance level in marketing materials or tender documents is a high-risk activity.
- Action: Ensure that all public claims about your sovereignty status match your current recognition status in the central repository. If your recognition is revoked or amended, update your public communications immediately to avoid claims of misleading information under Article 17(11).
5. Prepare for Turnover-Based Penalties
Article 24(2)(f) explicitly ties penalties to your annual turnover in the Union.
- Action: Model potential financial exposure based on your EU revenue. Unlike some regulations with fixed caps, CADA's penalty structure is designed to be "dissuasive" relative to the provider's size, meaning large providers could face significant fines for systemic non-compliance.
Common misconceptions
"CADA penalties apply to all violations of the Act."
- Reality: No. Article 24(1) is specific: penalties apply to infringements of Title IV, Chapter I (the sovereignty framework). Violations of Title III (data centre acceleration zones) or Title II (Leadership Initiatives) are governed by different administrative rules, permitting conditions, or funding clawbacks, not the Article 24 penalty regime.
"Only intentional fraud leads to penalties."
- Reality: Incorrect. Article 17(11) explicitly states that recognition can be revoked if incorrect information was supplied "intentionally or negligently." Negligence is sufficient to trigger enforcement. Furthermore, Article 24(2) requires Member States to consider the "nature" of the infringement, which covers both intentional and negligent acts.
"SMEs are exempt from penalties because they get automatic recognition."
- Reality: While Article 17(3) allows SMEs to have their Level 1 statements of conformity automatically recognised without a prior review by the competent authority, this is a procedural simplification, not a substantive exemption. SMEs must still meet the Annex II criteria and comply with Article 23 transparency duties. A breach by an SME is an infringement subject to penalties.
"If I fix the error before the audit, I won't be penalised."
- Reality: Not necessarily. While Article 24(2)(b) allows Member States to consider "any action taken... to mitigate or remedy the damage," the infringement occurred the moment the obligation was breached (e.g., the moment data left the Union or the moment a material change went unreported). Mitigation may reduce the penalty, but it does not automatically erase the liability.
Related
- Do repeat infringements lead to higher CADA penalties?
- Can CADA penalties be imposed without a court?
- Can CADA enforcement lead to a provider losing its assurance-level recognition?
- Who can claim compensation under CADA? Recipients, damages and the right to seek redress
- Which Member State enforces CADA against a cloud provider?
This is general information about a draft EU regulation, not legal advice.