Summary
As proposed in COM(2026) 502 final, Article 24(3) of the Cloud and AI Development Act (CADA) establishes a specific right to compensation for "recipients of the cloud computing services." This right is triggered only when a recipient suffers "damage or loss" directly caused by a cloud computing service provider's infringement of the regulation's sovereignty framework (Title IV). Crucially, CADA does not create a new EU court or a standalone civil procedure; instead, it grants a substantive right that must be enforced "in accordance with Union and national law." The term "recipient" in this context primarily refers to the public sector bodies and Union entities that contract for and use these services, rather than individual end-users, unless they are the direct contractual party.
Detail
The Cloud and AI Development Act (CADA) is designed to strengthen the EU's cloud and AI ecosystem by reducing dependencies on third-country providers and safeguarding public order. While the regulation imposes significant obligations on providers to meet specific "Union assurance levels," it also establishes a robust accountability mechanism to ensure these obligations are not merely theoretical. Article 24 serves as the enforcement backbone, covering both administrative penalties imposed by Member States and the civil right to compensation for injured parties.
The Legal Basis: Article 24(3)
The core provision for civil redress is found in Article 24(3), which states:
"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision creates a direct link between a provider's regulatory breach and their civil liability. It ensures that if a provider fails to meet the criteria for Union assurance levels (e.g., failing to maintain data locality, allowing unauthorized third-country control, or providing misleading audit evidence), and this failure causes harm, the affected party has a statutory right to be made whole.
Who Qualifies as a "Recipient"?
The term "recipient" is not explicitly defined in a standalone definition article within CADA, but its meaning is derived from the context of Title IV (Autonomy) and the definitions in Article 2. The regulation targets the public sector and Union entities as the primary beneficiaries of the sovereignty framework.
Based on the text of the proposal and the scope of Article 30 (Public procurement), the "recipients" entitled to claim compensation are:
- Union Entities: As defined in Article 2(7), these are the Union institutions, bodies, offices, and agencies. They are the primary actors in the common procurement framework and the EuroCloud Federation.
- Public Sector Bodies: Defined by reference to Directive (EU) 2019/1024 in Article 2(6), this includes state, regional, and local authorities, as well as bodies governed by public law. These entities are the primary "contracting authorities" required to procure cloud services at specific assurance levels under Article 30.
- Contracting Authorities: Defined in Article 2(22) by reference to Directive 2014/24/EU, these are the entities responsible for the procurement process.
Crucial Distinction: The right to compensation is generally limited to the entity that has entered into the contractual or legally binding arrangement with the provider. While the ultimate users of the service might be citizens or private businesses, they are typically not the "recipients" in the legal sense of CADA unless they are the direct contracting party. The regulation focuses on protecting the public interest and the integrity of public procurement, meaning the "recipient" is the public body that suffered the operational or financial loss due to the provider's non-compliance.
What Triggers the Right to Compensation?
To successfully claim compensation under Article 24(3), three cumulative conditions must be met:
- An Infringement of Obligations: The cloud computing service provider must have infringed an obligation under Title IV, Chapter I (the sovereignty framework). This includes:
  - Failing to meet the cumulative criteria for a specific Union assurance level (Annex II).
  - Providing incorrect or misleading information during the recognition process (Article 17).
  - Failing to report material changes that affect the assurance status (Article 23).
  - Breaching the requirements for independent audits (Article 20) or transparency regarding subcontractors.
  - Violating the prohibition on third-country control where not derogated (Article 18).
- Damage or Loss: The recipient must have suffered actual "damage or loss." While CADA does not provide an exhaustive list, the context of the sovereignty framework suggests damages could include:
  - Migration Costs: Expenses incurred to move data and services to a compliant provider after a breach.
  - Operational Disruption: Financial losses resulting from service degradation, interruption, or unavailability caused by third-country interference or provider non-compliance.
  - Data Breach Costs: Expenses related to responding to unauthorized access or data exfiltration that occurred because the provider failed to meet sovereignty criteria (e.g., failing to prevent third-country access).
  - Reputational or Compliance Losses: Costs associated with the public body failing its own legal obligations due to the provider's breach.
- Causation: There must be a direct causal link between the provider's infringement and the damage suffered. The recipient must demonstrate that the loss would not have occurred "but for" the provider's failure to comply with CADA obligations.
The Role of National Law
A critical aspect of Article 24(3) is the phrase "in accordance with Union and national law." CADA does not establish a new, centralized EU court for these claims, nor does it define the specific procedural rules for filing a lawsuit. Instead, it creates a substantive right that must be enforced through the existing legal channels of the Member State where the claim is brought.
This means:
- Jurisdiction: Claims will likely be heard in the national courts of the Member State where the provider is established or where the damage occurred.
- Procedure: The rules for filing, evidence, statutes of limitation, and calculation of damages will follow the national civil procedure codes of the relevant Member State.
- Burden of Proof: The recipient will bear the burden of proving the infringement, the damage, and the causal link, subject to national rules on evidence and burden of proof.
What this means for you
For public-sector procurement officers, legal counsel, and IT directors, the compensation right in Article 24(3) transforms the sovereignty framework from a regulatory checklist into a tangible financial risk for providers.
1. Strengthening Contractual Leverage
When drafting cloud service contracts, you should explicitly reference Article 24(3) and the specific sovereignty obligations (e.g., adherence to Union assurance levels). This clarifies that a breach of these obligations is not just a regulatory violation but a direct trigger for civil liability. It shifts the risk profile, making providers more accountable for the integrity of their sovereignty claims.
2. The Importance of Due Diligence
Before procuring a service, verify the provider's recognition status in the central repository established under Article 22. If a provider is recognized at Level 2 but fails to meet the criteria (e.g., allowing unauthorized third-country access), and this causes you harm, you have a clear statutory basis for a claim. However, you must also ensure your own risk assessment under Article 29 was robust, as this forms the basis for determining the required assurance level.
3. Documentation is Key
To succeed in a compensation claim, you must be able to prove "damage or loss." Maintain detailed records of:
- Service level agreements (SLAs) and performance metrics.
- Incident reports regarding service disruption or data access issues.
- Costs incurred for migration, remediation, or legal advice.
- Evidence of the provider's infringement (e.g., audit reports showing non-compliance, notifications of material changes).
4. Strategic Multi-Cloud Planning
While Article 24(3) provides a safety net, it is not a substitute for resilience. If a provider infringes CADA obligations, the resulting service disruption could be severe. Diversifying your cloud providers and maintaining a multi-cloud strategy can minimize operational losses and strengthen your position in any compensation claim by demonstrating that you took reasonable steps to mitigate risk.
Common misconceptions
"Any EU citizen can claim compensation if a cloud provider fails."
- Fact: No. Article 24(3) grants the right specifically to "recipients of the cloud computing services." In the context of CADA, this refers to the contractual parties, primarily public sector bodies and Union entities. Individual citizens are generally not the direct "recipients" unless they are the direct contracting party, which is rare in the public sector context.
"CADA creates a new EU court to handle these claims."
- Fact: No. The regulation explicitly states that claims must be pursued "in accordance with Union and national law." This means claims are handled in national courts using existing civil procedure rules. CADA provides the right to compensation, but the process is national.
"Compensation is automatic once an infringement is found."
- Fact: No. The recipient must actively seek compensation and prove that they suffered "damage or loss" due to the infringement. An administrative finding of infringement by a competent authority (under Article 24(1)) is strong evidence, but it does not automatically result in a payout. The recipient must still demonstrate the causal link and the extent of the loss.
"Only financial penalties matter; compensation is secondary."
- Fact: While Article 24(1) requires Member States to impose "effective, proportionate and dissuasive" penalties (fines) on providers, the right to compensation under Article 24(3) is distinct. Fines go to the state treasury; compensation goes directly to the injured party (the public sector body) to cover their actual losses. Both mechanisms operate in parallel.
This is general information about a draft EU regulation, not legal advice.