Summary Under the proposed Cloud and AI Development Act (CADA), Belgium is required to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the regulation's entry into force, as stipulated in Article 25(1). While the specific Belgian authority has not yet been named in the proposal, Article 25(2) mandates that Belgium notify the European Commission of the designated authority's tasks and powers, which will then be published in a central public register maintained by the Commission. If a cloud computing service provider has its main establishment in Belgium, Belgian authorities would hold exclusive competence for enforcement across the entire EU, wielding significant investigative and punitive powers under Article 26, including the ability to order inspections, demand information, and impose fines.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework for cloud sovereignty, requiring Member States to establish robust oversight mechanisms. For in-house counsel and compliance officers operating in or with entities established in Belgium, understanding the designation, powers, and jurisdiction of the national competent authority is critical for navigating the new regulatory landscape. The proposal creates a "one-stop-shop" enforcement model where the authority of the provider's main establishment holds the primary regulatory burden.

Designation and Public Register (Article 25)

Article 25 of the CADA proposal places the onus on Member States to designate the bodies responsible for enforcing the cloud computing sovereignty framework. Specifically, Article 25(1) states that by the date of entry into force plus one year, "Member States shall designate one or more national competent authorities responsible for enforcing this Chapter." The proposal provides flexibility, noting that "Member States may designate an existing authority or existing authorities." This suggests that Belgium may appoint an existing regulatorβ€”potentially one already overseeing digital infrastructure, cybersecurity, or data protectionβ€”rather than creating a new entity from scratch.

Transparency is a core component of this designation. Article 25(2) requires Member States to "notify the Commission of the names of the competent authorities and of their tasks and powers." Following this notification, "The Commission shall maintain a public register of those authorities." This register will serve as the definitive source for identifying the correct Belgian point of contact for cloud service providers seeking recognition for Union assurance levels. Until this register is populated, the specific Belgian entity remains undefined in the text of the proposal.

Exclusive Competence and Main Establishment (Article 25(4))

A pivotal aspect of CADA's enforcement model is the principle of exclusive competence based on the provider's main establishment. Article 25(4) clarifies that "The Member State in which the cloud computing service provider has its main establishment... shall have exclusive competence for enforcing this Chapter."

The proposal defines "main establishment" as the place "where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised." For multinational cloud providers with a headquarters or primary operational control centre in Belgium, this means the Belgian national competent authority would be the sole regulator responsible for assessing compliance, conducting audits, and enforcing penalties across the entire European Union. This centralises regulatory risk for providers established in Belgium, making the Belgian authority's interpretation of CADA's technical criteria (such as those in Annex II) decisive for their EU-wide market access. Other Member States would generally defer to the Belgian authority for recognition decisions, though they retain rights to request information and raise objections under the mutual assistance framework.

Investigative and Enforcement Powers (Article 26)

Once designated, the Belgian national competent authority would be granted extensive powers to ensure compliance with the sovereignty framework. Article 26 outlines these capabilities, which are designed to be "effective, dissuasive and proportionate."

Investigative Powers (Article 26(1)) To carry out their tasks, particularly regarding the recognition of Union assurance levels under Article 17, the competent authority of establishment would have the power to:

  • Request Information: Require cloud computing service providers, as well as auditing organisations and other persons reasonably expected to be aware of information relating to a suspected infringement, to provide that information "as soon as possible."
  • Conduct Inspections: Carry out, or request a judicial authority to order, inspections of premises used for trade or business purposes. This includes the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium."
  • Record Explanations: Ask staff or representatives to give explanations regarding suspected infringements and, with consent, record these answers by any technical means.

Enforcement Powers (Article 26(2)) If infringements are identified, the competent authority would exercise the following enforcement powers:

  • Cessation Orders: Order the cessation of infringements and impose remedies proportionate to the infringement to bring it effectively to an end. They may also request a judicial authority to do so.
  • Fines: Impose fines, or request a judicial authority to impose them, for failure to comply with the Regulation, including non-compliance with investigative orders.
  • Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order, or for failure to comply with investigative orders.

These powers are not arbitrary; Article 26(3) requires that measures taken be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider. Furthermore, Article 26(4) mandates that the exercise of these powers be subject to "adequate safeguards under applicable national law," respecting the right to respect for private life and the rights of defence, including the right to be heard and access to the file.

Penalties and Compensation (Article 24)

While Article 26 outlines the powers of the authority, Article 24 details the penalties themselves. Member States, including Belgium, must lay down rules on penalties that are "effective, proportionate and dissuasive." Article 24(2) lists non-exhaustive criteria for imposing penalties, such as the nature and gravity of the infringement, any previous infringements, financial benefits gained, and the infringing party's annual turnover in the Union. Additionally, Article 24(3) grants recipients of cloud services the right to seek compensation from providers for damage or loss suffered due to infringements of their obligations under the sovereignty framework.

What this means for you

For in-house counsel and compliance officers in Belgium, the designation of the national competent authority under CADA represents a significant shift in regulatory engagement.

  1. Monitor the Designation: Keep a close watch on the Commission's public register (as required by Article 25(2)) for the official designation of Belgium's authority. Until this is published, engage with existing digital regulators (such as the Belgian Commission for the Protection of Privacy or the National Bank of Belgium, depending on the sector) to anticipate the transition.
  2. Prepare for Main Establishment Scrutiny: If your cloud service provider is headquartered or has its main operational control in Belgium, you are subject to exclusive EU-wide enforcement by the Belgian authority. Ensure your internal compliance programmes are robust enough to withstand the investigative powers outlined in Article 26(1), including the ability to produce data and undergo premises inspections rapidly.
  3. Audit Readiness: The competence of the Belgian authority is tied to the recognition of Union assurance levels. Ensure that your conformity self-assessments (for Level 1) or third-party audit reports (for Levels 2–4) are meticulously documented, as the authority would use the powers in Article 26 to verify this evidence.
  4. Risk of Penalties: Understand that non-compliance could lead to substantial fines and periodic penalty payments under Article 26(2). Develop clear internal protocols for responding to information requests and cessation orders to mitigate these risks.

Common misconceptions

  • "Belgium has already named its CADA authority."
    • Correction: CADA is currently a proposal. Article 25(1) sets a deadline for designation within one year of entry into force. As the regulation is not yet in force, no authority has been formally designated under CADA, though existing bodies may be pre-positioned.
  • "Any EU authority can investigate a provider established in Belgium."
    • Correction: Article 25(4) establishes exclusive competence for the Member State of the main establishment. While cross-border cooperation exists (Article 27 and Article 28), the primary enforcement power and recognition decisions rest solely with the Belgian authority for providers main-established there.
  • "The competent authority only checks technical cybersecurity."
    • Correction: The CADA framework is distinct from the EU Cybersecurity Certification Scheme (EUCS). The national competent authority under CADA enforces sovereignty criteria (data location, personnel citizenship, absence of third-country control) as defined in Annex II, not just technical security standards.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.