Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider must submit its application for Union assurance recognition to the national competent authority (NCA) of its main establishment. As defined in Article 25(4), the "main establishment" is the location of the provider's head office or registered office from which the principal financial functions and operational control are exercised. This specific authority holds exclusive competence to enforce the sovereignty framework for that provider across the entire Union. You do not need to apply in every Member State where you operate; the recognition granted by this single authority is valid EU-wide.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised Union cloud computing sovereignty framework. This framework establishes four Union assurance levels (1 to 4) to ensure that cloud services used by Union entities and public sector bodies meet specific criteria regarding establishment, data localisation, personnel, and third-country control. For cloud service providers (CSPs), the first critical compliance step is identifying the correct regulatory body to initiate the recognition process.

The Single Point of Application: Article 17(1)

The proposal explicitly centralises the application process to prevent regulatory fragmentation and ensure a "single market" approach to cloud sovereignty. Article 17(1) of the proposal mandates that:

"A cloud computing service provider that aims to be recognised as offering a Union assurance level, shall submit an application for recognition to the national competent authority of establishment."

This provision eliminates the need for providers to navigate multiple national regimes. Whether a provider seeks recognition for the baseline Union assurance level 1 (via self-assessment) or the higher levels 2, 3, and 4 (via independent third-party audits), the application must be directed to a single authority.

When submitting this application, the provider is required to include all relevant evidence. For Union assurance level 1, this involves the EU statement of conformity and evidence required under Article 17(3). For Union assurance levels 2, 3, and 4, the application must include the audit report, the 'positive' audit opinion, and all evidence provided to the auditing organisation, as stipulated in Article 17(4).

Defining "Main Establishment": The Core of Article 25(4)

A common point of confusion in EU regulation is the distinction between a legal registered office and the actual centre of management. CADA resolves this by providing a precise, functional definition of "establishment" to determine jurisdiction.

Article 25(4) states:

"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."

This definition contains three critical elements for providers to verify:

  1. Head Office or Registered Office: The location must be one of these two formal corporate seats.
  2. Principal Financial Functions: The location must be where the core financial decisions (budgeting, funding, accounting) are made.
  3. Operational Control: The location must be where the strategic and operational management of the cloud service is directed.

This "centre of gravity" test prevents providers from engaging in "regulatory shopping" by establishing a minor shell entity in a Member State with a perceived lighter regulatory touch. If a provider's registered office is in Ireland but its board meetings, financial control, and operational command centre are in Germany, the German NCA holds the exclusive competence.

Exclusive Competence and the "One-Stop-Shop" Effect

The designation of the NCA of establishment as the sole enforcer creates a "one-stop-shop" mechanism for the sovereignty chapter. Article 25(4) grants this authority exclusive competence. This means:

  • Single Evaluation: The provider submits evidence only once to this authority.
  • Union-Wide Validity: Once the evaluating NCA adopts a recognition decision, the service is recognised throughout the Union. There is no need for separate recognitions in France, Italy, or Spain, even if the provider's data centres or customers are located there.
  • Single Enforcement: Any enforcement actions, penalties, or requests for remediation regarding the provider's compliance with the sovereignty framework are handled exclusively by this NCA.

However, "exclusive competence" does not mean "isolated competence." The proposal anticipates that cloud services often span borders. Article 17(2) provides a mechanism for collaboration:

"An evaluating national competent authority that has received an application for a candidate recognition, may, where necessary, request one or more competent authorities of the other Member States to collaborate in the procedure for a candidate recognition under this Article."

If the evaluating authority needs to verify specific facts located in another Member State (e.g., the physical location of a data centre or the residency of personnel), it can request collaboration. Other Member States must respond within 15 days, either confirming their agreement to collaborate or refusing the request. This ensures that the exclusive competence of the main establishment authority is supported by the factual reality of the provider's cross-border operations.

The Recognition Procedure: From Application to Union-Wide Validity

Once the application is submitted to the NCA of establishment, the process follows a strict timeline and review mechanism outlined in Article 17:

  1. Acceptance and Assessment: The evaluating NCA has 60 days to assess the evidence. It may request further information (with the assessment period suspended for up to 30 days) or reject the request if the evidence is insufficient.
  2. Draft Decision and Notification: If the evidence is sufficient, the evaluating NCA prepares a draft recognition decision and notifies all other Member States' competent authorities.
  3. Union Review Period: Other Member States have a 60-day review period to submit reasoned objections or requests for clarification if they believe the draft decision does not comply with the assurance level criteria in Annex II.
  4. Final Recognition: If no reasoned objection is raised, or if objections are resolved, the evaluating NCA adopts the recognition decision. The service is then recognised across the Union at the applicable assurance level.

This process ensures that while one authority leads, the entire Union has a veto mechanism to maintain the integrity of the sovereignty framework.

Designation and Resources

Member States are required to designate their NCAs by the date specified in Article 25(1) (one year after the Regulation's entry into force). These authorities must be equipped with "all necessary resources," including technical, financial, and human resources, to supervise providers effectively. The Commission will maintain a public register of these authorities to ensure providers can easily identify the correct body for their main establishment.

What this means for you

For cloud service providers, data centre operators, and their legal teams, the "main establishment" rule is the cornerstone of your CADA compliance strategy. It simplifies the administrative burden but demands rigorous internal governance.

  1. Audit Your Corporate Structure: Before applying, conduct an internal audit of your corporate governance. Where are your principal financial functions exercised? Where does the board meet? Where are operational decisions made? If your legal registered office differs from your operational headquarters, you must be prepared to demonstrate which location constitutes your "main establishment" under Article 25(4).
  2. Prepare for Centralised Scrutiny: Since a single authority will evaluate your entire EU footprint, your evidence package must be comprehensive. Do not assume that local compliance in one country satisfies the NCA of your main establishment. You must provide evidence covering all aspects of your service delivery across the Union, including data flows, personnel locations, and subcontractor arrangements.
  3. Engage Early with the NCA: Once you have identified your NCA of establishment, initiate early contact. While Article 17 sets the procedural framework, national implementation measures may provide specific guidance on submission formats or local contact points.
  4. Coordinate Cross-Border Teams: Be prepared for the evaluating NCA to request collaboration with other Member States under Article 17(2). Ensure your local teams in other EU countries are aware of the process and can respond promptly to information requests from foreign NCAs to avoid delays in your recognition timeline.
  5. Understand the "Exclusive" Nature: Do not waste resources applying to other NCAs. If you have a subsidiary in a different Member State, that subsidiary does not need a separate recognition if it is part of the same provider entity. The recognition granted by your main establishment's NCA covers the entire group's service provision to public sector bodies.

Common misconceptions

  • "I need to apply for recognition in every country where I have a data centre." Incorrect. Under Article 17(1) and Article 25(4), you apply only to the NCA of your main establishment. The resulting recognition is valid across the entire Union. Applying in multiple jurisdictions would be redundant and contrary to the proposal's harmonisation goals.

  • "My local sales office or a minor branch counts as my establishment." Incorrect. Article 25(4) defines the main establishment strictly as the location of the head office or registered office from which principal financial functions and operational control are exercised. A sales office, a small data centre, or a subsidiary that does not exercise central control does not qualify.

  • "The NCA of establishment works in isolation and ignores other countries." Incorrect. While the NCA has exclusive competence for enforcement, Article 17(2) explicitly allows it to request collaboration from other Member States' authorities. This is crucial for verifying cross-border elements like data localisation or personnel residency.

  • "I can choose the most lenient Member State to register my company to get easier recognition." Incorrect. The definition of "main establishment" in Article 25(4) is functional, not just formal. If your financial and operational control is exercised in a different Member State than your registered office, the NCA of the actual control centre will have exclusive competence. Attempting to register in a different state without shifting control may lead to the application being rejected or transferred.

This is general information about a draft EU regulation, not legal advice.