Summary

CADA is a proposal (COM(2026) 502 final) and is not yet in force. As proposed, enforcement of the cloud computing sovereignty framework would rest mainly with national competent authorities designated by each Member State (Article 25). The Member State where a cloud provider has its main establishment would have exclusive competence to enforce the rules against that provider — a single-point-of-contact model. The European Commission would support the system by maintaining a public register of authorities and the central repository of recognised services, and by coordinating cooperation under Article 27, but it would not police individual providers directly.

Detail

CADA, as proposed, would set up an EU-wide framework to strengthen the sovereignty and security of cloud services used by the public sector. Its enforcement is designed to be anchored at national level — to avoid a patchwork of overlapping regulators — while staying consistent across the Union through cooperation and a Commission backstop.

National competent authorities hold primary enforcement power (Article 25)

As proposed, Article 25 would require each Member State to designate one or more national competent authorities responsible for enforcing the sovereignty framework (Title IV, Chapter I — formally, "this Chapter"). These authorities would recognise providers that meet a given Union assurance level and supervise their ongoing compliance.

Member States would have flexibility in how they designate: they may set up a new authority or, more likely, designate an existing one such as a data-protection authority or cybersecurity agency, provided it has the necessary resources and can act impartially (Article 25(3)). Each designation would be notified to the Commission, which would maintain a public register of all national competent authorities.

The "main establishment" rule (Article 25(4))

The key organising principle is the "competent authority of establishment." As proposed, Article 25(4) would give the Member State in which a provider has its main establishment exclusive competence to enforce the chapter against that provider. The proposal defines main establishment as the head office or registered office "from which the principal financial functions and operational control are exercised."

This single-point-of-contact model is meant to simplify life for providers operating across several Member States: rather than answering to a different regulator in every country, a provider would deal mainly with the authority in its home Member State. That same authority would act as the "evaluating national competent authority" when the provider applies to have a service recognised at a Union assurance level (Article 17(2)).

Investigative and enforcement powers (Article 26)

To make oversight effective, Article 26 would give national competent authorities two kinds of power:

  • Investigative powers: to require providers and other relevant persons — expressly including auditing organisations — to provide information; to inspect premises (carrying out the inspection themselves or via a judicial order); and to ask staff to explain information, recording answers with consent.
  • Enforcement powers: to order the cessation of an infringement and impose proportionate remedies; to impose fines; and to impose periodic penalty payments — in each case directly or by asking a judicial authority to do so.

These powers would have to be exercised impartially, transparently and proportionately, with safeguards for the rights of defence and privacy and a right to an effective judicial remedy (Article 26(3)-(4)).

The role of the Commission and cross-border cooperation (Articles 22, 27-28)

National authorities would do the front-line enforcement, but the Commission would play a supporting and coordinating role:

  • Mutual assistance (Article 27): the Commission and the national competent authorities "shall cooperate closely and provide each other with mutual assistance" to apply the chapter consistently, including by exchanging information. An authority could ask another, in whose Member State relevant information sits, to provide specific information; the receiving authority would have to comply and report back, normally within two months.
  • Cross-border cooperation (Article 28): if a competent authority of destination (in a Member State where the service is used) suspects a provider no longer meets the Annex II requirements, it could ask the competent authority of establishment to assess the matter and take the necessary measures. The Commission could make the same request (Article 28(2)). The authority of establishment would have to respond, in any event within two months.
  • Dispute resolution in recognition (Article 17(10)): where authorities disagree during a recognition procedure, the matter can be referred to the Commission, which would adopt a binding decision on whether recognition may be granted.
  • Central repository (Article 22): the Commission would establish and maintain a publicly available repository of recognised cloud services, which contracting authorities could use to verify a provider's assurance level. The Commission would not audit providers itself, but it would ensure the repository's integrity.

In short: enforcement would be national and establishment-based; the Commission would coordinate, keep the public-facing registers, and act as referee in cross-border and recognition disputes.

What this means for you

For public-sector buyers and procurement officers, knowing who enforces CADA matters for how you act on concerns.

  1. Check who recognised the provider. Before relying on a provider, check the central repository to see which Union assurance level it holds and which national competent authority granted recognition — that authority is the primary regulator for that provider.
  2. Report suspected non-compliance to the right place. You would not investigate a provider yourself. You would notify the competent authority of the provider's establishment, or your own national authority, which could then seek assistance from the provider's home authority under Article 27 — or, as a destination authority, ask it to act under Article 28.
  3. Understand the single point of contact. Providers would be primarily accountable to the authority of their main establishment. That simplifies the landscape but means cross-border issues run through the cooperation mechanisms rather than parallel investigations.
  4. Watch the public register. Monitor the Commission's register of national competent authorities to know the correct contact points for raising concerns or seeking clarification.

Common misconceptions

"The European Commission audits every cloud provider." No. The Commission would not audit providers. Compliance for Levels 2-4 is verified by independent auditing organisations, and enforcement is done by national competent authorities. The Commission's role would be coordination (Article 27), the public register and central repository (Article 22), and binding decisions in recognition disputes (Article 17(10)).

"Every Member State where a provider operates enforces the rules." No. Under Article 25(4), enforcement is centralised in the Member State of the provider's main establishment, which holds exclusive competence. Other Member States can raise concerns but do not run parallel investigations or impose penalties themselves.

"Any authority can enforce CADA." Only the designated national competent authorities would have these powers. A body such as a data-protection authority would only enforce CADA if a Member State designates it as the competent authority under Article 25.

This is general information about a draft EU regulation, not legal advice.