Summary
Under the proposed Cloud and AI Development Act (CADA), enforcement against a cloud computing service provider is exclusively the responsibility of the Member State where the provider has its main establishment. Article 25(4) grants this "Member State of establishment" sole jurisdiction to supervise and enforce the Union cloud computing sovereignty framework, preventing fragmented national oversight. While other Member States can trigger investigations via Articles 27 and 28 if they suspect non-compliance, the actual enforcement action, including fines and remedial orders, must be coordinated and executed by this single competent authority.
Detail
The Cloud and AI Development Act (CADA) establishes a unified governance model for cloud sovereignty to avoid the regulatory fragmentation that currently plagues the EU market. A central pillar of this model is the designation of a single lead regulator for each cloud computing service provider. This mechanism ensures legal certainty and administrative efficiency by assigning exclusive enforcement powers to one Member State, mirroring the "one-stop-shop" principle found in other EU digital regulations.
Exclusive Competence of the Member State of Establishment
The cornerstone of CADA's enforcement architecture is found in Article 25(4), which explicitly defines the scope of jurisdiction:
"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."
This provision creates a "single point of entry" for regulatory oversight. It means that a cloud provider operating across multiple EU countries does not face simultaneous, potentially conflicting enforcement actions from every Member State in which it has customers or data centres. Instead, the provider interacts primarily with the national competent authority of the Member State where its main establishment is located.
To qualify as the "main establishment" under this rule, the location must satisfy a dual test. First, it must be the location of the provider's head office or registered office. Second, and crucially, it must be the place where the principal financial functions and operational control are exercised. This definition prevents providers from artificially shifting their main establishment to a jurisdiction with perceived laxer oversight if the actual strategic decisions, financial management, and operational control are exercised elsewhere. The regulation targets the substance of control, not just the legal registration.
Role of National Competent Authorities
Each Member State must designate one or more national competent authorities responsible for enforcing the sovereignty framework by the date specified in Article 25(1) (one year after entry into force). These authorities are granted significant investigative and enforcement powers under Article 26, including the ability to:
- Require providers to provide information and explanations.
- Conduct inspections of premises and seize information.
- Order the cessation of infringements and impose remedies.
- Impose fines or periodic penalty payments.
However, these powers are exercised exclusively by the authority in the Member State of establishment. Other Member States do not have direct enforcement powers over the provider's sovereignty compliance regarding the Union assurance levels. While they retain oversight regarding the specific use of cloud services within their own territories (e.g., ensuring public procurement rules under Article 30 are met), they cannot independently initiate enforcement proceedings against the provider's overall compliance with the assurance criteria.
Cross-Border Cooperation and Triggering Investigations
While the Member State of establishment holds exclusive enforcement competence, other Member States play a critical role in identifying potential breaches. Article 28 establishes the framework for cross-border cooperation, allowing a "competent authority of destination" (the Member State where the cloud service is used) to trigger an investigation if it suspects non-compliance.
If a destination authority has reason to suspect that a cloud computing service provider no longer fulfills the requirements of the Union assurance levels, it may request the competent authority of establishment to assess the matter. The process is strictly defined:
- Request for Assessment: The destination authority sends a duly reasoned request to the establishment authority.
- Assessment and Action: The establishment authority must assess the suspected infringement and take necessary investigatory or enforcement measures.
- Timeline: The establishment authority must communicate its assessment and any measures taken to the requesting authority and the Commission within two months of receiving the request. This timeline can be suspended if the establishment authority requests additional information, but the clock resumes once that information is provided.
This mechanism ensures that local concerns about sovereignty risks or non-compliance are addressed without bypassing the centralised enforcement structure. It balances the need for local vigilance with the efficiency of centralised oversight, ensuring that the provider faces a unified regulatory front.
Mutual Assistance for Investigations
To support the enforcement actions of the establishment authority, Article 27 provides for mutual assistance between Member States. If the establishment authority needs to investigate information or evidence located in another Member State, it can request specific information or assistance from the competent authorities in that country.
The receiving authority must comply with the request and inform the establishment authority of the action taken as soon as possible, and no later than two months after receipt of the request, unless duly justified. This cooperation is essential for auditing cloud providers with distributed infrastructure. For example, if a provider's main establishment is in Germany but its data centres or subcontractors are in Poland, the German authority can request Polish authorities to facilitate inspections or provide data necessary to verify compliance with the Union assurance levels. The establishment authority retains the lead, but the investigation can span the entire Union.
What this means for you
For cloud service providers and data centre operators, understanding the enforcement landscape is critical for compliance strategy, resource allocation, and risk management.
- Identify Your Main Establishment Accurately: You must determine clearly where your "principal financial functions and operational control" are exercised. This location dictates your primary regulator. If your headquarters and board-level decision-making are in one country, but you have a large operational office in another, ensure that your corporate structure and documentation align with the legal definition of "main establishment" to avoid disputes over jurisdiction. Regulators may scrutinise whether a declared main establishment is genuine or a "letterbox" entity.
- Engage with One Lead Regulator: Focus your compliance efforts, audits, and communication on the national competent authority of your Member State of establishment. This authority will be your primary point of contact for the recognition of Union assurance levels and for addressing any enforcement issues. Do not assume you need to manage separate compliance streams for every Member State where you operate.
- Prepare for Cross-Border Requests: While you report to one authority, be prepared for investigations triggered by other Member States. If a public sector body in France raises concerns about your service's sovereignty compliance, the French authority may contact your German establishment authority. You should expect your lead regulator to coordinate with foreign counterparts, potentially requiring you to provide information or access to facilities across the EU.
- Maintain Transparent Governance: To avoid challenges regarding the location of your main establishment, maintain clear documentation of where strategic financial and operational decisions are made. This includes board minutes, financial control records, and operational management charts. Regulators may look beyond the registered office to the reality of where control is exercised.
Common misconceptions
"Every Member State where I have customers can enforce CADA against me." This is incorrect. Under Article 25(4), only the Member State of the main establishment has exclusive competence to enforce the sovereignty framework. Other Member States can raise concerns and trigger investigations, but they cannot independently impose fines or enforcement measures regarding the provider's overall compliance with the assurance levels.
"My registered office is always my main establishment." Not necessarily. The definition requires that the principal financial functions and operational control are exercised at the location of the head office or registered office. If a company registers in a low-tax jurisdiction but makes all strategic decisions and exercises financial control from another country, the latter may be deemed the main establishment for CADA purposes. The regulation prioritises the substance of control over the form of registration.
"Cross-border cooperation means I have to answer to multiple regulators simultaneously." While you may receive inquiries from multiple jurisdictions during an investigation, the enforcement action is coordinated by the establishment authority. The mutual assistance framework (Article 27) and cross-border cooperation (Article 28) are designed to streamline this process, ensuring that the establishment authority leads the investigation, even if it relies on support from other Member States. You are not subject to parallel enforcement proceedings.
This is general information about a draft EU regulation, not legal advice.