Summary As proposed, the Cloud and AI Development Act (CADA) sets up a decentralised enforcement model built around national competent authorities designated by each Member State. Under Article 25, the authority of the provider's main establishment has exclusive competence to enforce the cloud sovereignty chapter; under Article 26 it can investigate, order cessation of infringements, and impose fines and periodic penalty payments. Mutual assistance (Article 27) and cross-border cooperation (Article 28) support consistency, while the Commission keeps specific roles such as monitoring and dispute resolution. CADA is a proposal and not yet in force.

Detail

CADA would place enforcement of the sovereignty framework primarily with the Member States, harmonising the criteria while relying on national bodies for oversight to limit market fragmentation.

Designation and scope of national competent authorities

Under Article 25, Member States must — by one year after entry into force — designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty chapter. They may designate an existing authority or create a new one, and must notify the Commission, which maintains a public register.

Article 25(4) establishes the country-of-establishment principle: the Member State where the provider has its main establishment — its head office or registered office from which principal financial functions and operational control are exercised — has exclusive competence for enforcing this chapter. This avoids multiple national authorities supervising one provider at once.

Investigative and enforcement powers

Article 26 grants competent authorities of establishment robust powers, where needed to carry out their tasks under Article 17.

Investigative powers include:

  • requiring providers and other relevant persons (including auditing organisations) to provide information as soon as possible;
  • carrying out — or asking a judicial authority to order — inspections of business premises to examine, seize, or copy information relating to a suspected infringement;
  • asking staff or representatives to explain information relating to a suspected infringement and, with their consent, recording the answers.

Enforcement powers include:

  • ordering the cessation of infringements and imposing proportionate remedies;
  • imposing fines (or requesting a judicial authority to do so) for failure to comply, including with investigative orders;
  • imposing periodic penalty payments to secure compliance.

These measures must be effective, dissuasive, and proportionate, having regard to the nature, gravity, recurrence, and duration of the infringement and the provider's economic, technical, and operational capacity (Article 26(3)). Penalties themselves are governed by Article 24, which also gives recipients of cloud services a right to seek compensation for damage caused by a provider's infringement.

Mutual assistance and cross-border cooperation

Article 27 (mutual assistance) requires competent authorities and the Commission to cooperate closely and exchange information. An authority may request specific information from another Member State's authority; the receiving authority must comply and report the action taken as soon as possible and no later than two months after receipt, unless duly justified.

Article 28 (cross-border cooperation) lets a competent authority of destination that suspects a provider no longer meets the Annex II requirements ask the authority of establishment to assess the matter and take necessary measures. The Commission may also make such a request. The authority of establishment must communicate its assessment and any measures as soon as possible and no later than two months after receipt.

The role of the European Commission

While national authorities handle day-to-day enforcement of the sovereignty framework, the Commission retains key roles:

  • Strategic projects (Article 14): designating data-centre projects as strategic where they meet at least two of the criteria, such as supporting essential public-sector functions or contributing to grid stability.
  • Monitoring (Article 15): monitoring the Union's compute capacity, demand, and capacity gap, and issuing recommendations.
  • Central repository (Article 22): establishing and maintaining the repository of recognised cloud services.
  • Dispute resolution (Article 17(10)): where national authorities disagree on a recognition decision, the matter may be referred to the Commission, which adopts a binding decision on whether recognition may be granted.

What this means for you

For in-house counsel and compliance officers, the enforcement landscape shapes regulatory risk:

  1. Identify your regulator: Determine where your "main establishment" sits; under Article 25(4) that Member State's authority has exclusive enforcement jurisdiction over the sovereignty chapter. Engage proactively on how it interprets the criteria.
  2. Prepare for investigations: Article 26 grants broad powers, including premises inspections and information requests. Build processes to respond swiftly; failure to cooperate can lead to further fines.
  3. Cross-border consistency: If you operate in several Member States, expect your authority of establishment to lead any assessment prompted by another authority under Articles 27 and 28. Keep clear communication channels to avoid conflicting actions.
  4. Monitor Commission action: Track strategic-project designations and capacity-gap monitoring, which may signal shifts in regulatory focus and recommendations.

Common misconceptions

  • "The Commission enforces CADA directly." Incorrect. The Commission coordinates, monitors, and resolves disputes; day-to-day enforcement of the sovereignty chapter rests with national competent authorities.
  • "Any Member State can investigate my company." Incorrect. Under the country-of-establishment principle (Article 25(4)), only the authority where your main establishment is located has exclusive enforcement competence; others cooperate through mutual assistance.
  • "NCAs have limited powers." Incorrect. Article 26 grants significant investigative and enforcement powers, including fines and periodic penalty payments.

Related

This is general information about a draft EU regulation, not legal advice.