Who is Austria's national competent authority under CADA?

Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would require Austria to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the Regulation's entry into force (Article 25(1)). Austria may designate an existing authority rather than creating a new entity. The European Commission would maintain a public register of these designated bodies (Article 25(2)). Crucially, enforcement jurisdiction is exclusive to the Member State where the cloud computing service provider has its "main establishment" (Article 25(4)); therefore, Austrian authorities would only enforce the sovereignty framework against providers headquartered in Austria, not those merely serving Austrian clients. These authorities would wield significant investigative and enforcement powers, including the ability to order the cessation of infringements, conduct inspections, and impose fines and periodic penalty payments (Article 26).

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised governance framework to ensure the sovereignty, security, and resilience of cloud computing services across the EU. A cornerstone of this framework is the designation of national competent authorities in each Member State, including Austria. The specific obligations, jurisdictional limits, and powers of these authorities are detailed in Title IV, Chapter I, Section 4 of the proposal.

Designation and the Public Register

Under Article 25(1), Member States are obligated to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty chapter. This designation must occur by the date of entry into force plus one year. The proposal offers flexibility in this process: Austria is not required to create a new entity from scratch but may designate an existing authority or authorities ("competent authorities") to perform these tasks. This allows Austria to leverage existing regulatory infrastructure, potentially integrating these new duties into the mandates of current cybersecurity, data protection, or digital market regulators.

To ensure transparency and legal certainty for market participants, Article 25(2) mandates that Member States notify the European Commission of the names of their competent authorities, along with a description of their tasks and powers. The Commission is then required to maintain a public register of these authorities. This register will serve as the primary reference point for cloud computing service providers seeking to understand which Austrian body holds jurisdiction over their operations.

Exclusive Jurisdiction Based on Main Establishment

A critical aspect of CADA's enforcement architecture is the principle of exclusive competence based on the provider's location. Article 25(4) states that the Member State in which the cloud computing service provider has its "main establishment" has exclusive competence for enforcing the sovereignty chapter.

The proposal defines "main establishment" as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised. This single-point-of-contact approach is designed to prevent fragmented enforcement, where a provider might face conflicting demands from multiple Member States. For Austria, this means that its competent authority will only have enforcement jurisdiction over cloud computing service providers that are headquartered or operationally controlled from within Austria. Providers headquartered in other Member States, even if they offer services to Austrian public bodies, will fall under the jurisdiction of the competent authority in their home Member State.

Investigative and Enforcement Powers

Once designated, Austria's competent authority would be granted substantial powers to ensure compliance with the Union assurance levels and other sovereignty requirements. These powers are outlined in Article 26.

Investigative Powers: Under Article 26(1), the competent authority of establishment (i.e., the Austrian authority for providers based in Austria) would have the power to:

• Require cloud computing service providers, auditing organisations, and other relevant persons to provide specific information related to suspected infringements.
• Carry out inspections of premises used for trade, business, or profession, or request a judicial authority to order such inspections. This includes the power to examine, seize, or obtain copies of information in any form.
• Ask staff or representatives to give explanations regarding suspected infringements and, with consent, record their answers.

Enforcement Powers: Under Article 26(2), if an infringement is confirmed or suspected, the Austrian competent authority would have the power to:

• Order the cessation of infringements and impose proportionate remedies to bring the infringement to an end.
• Impose fines for failure to comply with the Regulation or investigative orders.
• Impose periodic penalty payments to ensure compliance with cessation orders or investigative directives.

These measures must be effective, dissuasive and proportionate, taking into account the nature, gravity, recurrence and duration of the infringement, as well as the economic and technical capacity of the service provider (Article 26(3)). All exercises of these powers must respect the right to respect for private life and the rights of defence, including the right to be heard and access to an effective judicial remedy (Article 26(4)).

Cross-Border Cooperation

While Austria's authority would have exclusive competence over providers established in Austria, CADA recognises the cross-border nature of cloud services. Article 27 and Article 28 establish mechanisms for mutual assistance and cross-border cooperation. If an Austrian authority suspects a non-Austrian provider (established in another Member State) of non-compliance, it must request the competent authority of that provider's establishment to assess the matter and take necessary measures. The Austrian authority cannot directly enforce against the foreign provider but can trigger enforcement actions in the provider's home jurisdiction.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers operating in or from Austria, the designation of national competent authorities under CADA introduces a new layer of regulatory scrutiny and potential liability.

1. Identify Your Regulator: Monitor the European Commission's public register of competent authorities (established under Article 25(2)) to identify the specific Austrian body responsible for enforcing CADA. This will likely be an existing digital or cybersecurity regulator.
2. Establishment Location is Key: If your provider is headquartered in Austria, you will be subject to the exclusive jurisdiction of the Austrian competent authority. Ensure your compliance programs are robust enough to withstand direct inspections and information requests under Article 26(1).
3. Prepare for Audits and Inspections: The Austrian authority would have the power to conduct on-site inspections and demand information. Maintain up-to-date documentation regarding your Union assurance level claims, audit reports, and subcontractor arrangements to facilitate these processes.
4. Risk of Fines: Non-compliance with the sovereignty framework, including failure to cooperate with investigations, could lead to significant fines and periodic penalty payments. Ensure your internal governance structures include clear protocols for responding to regulatory inquiries.
5. Cross-Border Providers: If your provider is headquartered outside Austria but serves Austrian public sector clients, you are not directly subject to Austrian enforcement. However, you must comply with the Union assurance levels required by Austrian public procurement rules (Article 30). Austrian authorities may collaborate with your home Member State's authority if they suspect non-compliance.

Common misconceptions

• Misconception: Austria will create a brand-new regulator.
  • Reality: Article 25(1) explicitly allows Austria to designate an existing authority. This is likely to reduce administrative burden and leverage existing expertise.
• Misconception: Austrian authorities can enforce against any provider serving Austrian clients.
  • Reality: Article 25(4) grants exclusive competence to the Member State of the provider's main establishment. Austrian authorities can only directly enforce against providers headquartered in Austria.
• Misconception: The powers are limited to issuing warnings.
  • Reality: Article 26 grants strong enforcement powers, including fines, cessation orders, and periodic penalty payments, making non-compliance financially risky.
• Misconception: Providers can ignore requests from foreign authorities.
  • Reality: While enforcement is exclusive to the home state, cross-border cooperation mechanisms (Articles 27-28) mean that Austrian authorities can trigger investigations in other Member States if they suspect non-compliance by a provider serving Austrian interests.

Related

• Who is Sweden's national competent authority under CADA?
• Who is Spain's national competent authority under CADA?
• Who is Slovenia's national competent authority under CADA?
• Who is Slovakia's national competent authority under CADA?
• Who is Romania's national competent authority under CADA?

This is general information about a draft EU regulation, not legal advice.