Who is Bulgaria's national competent authority under CADA?

Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) requires Bulgaria, like all Member States, to designate one or more national competent authorities responsible for enforcing the Union cloud computing sovereignty framework. This designation must occur within one year of the Regulation's entry into force. Bulgaria may appoint existing bodies to fulfill this role, avoiding the need for new institutional creation. Crucially, Article 25(4) establishes that the Member State where the cloud provider has its "main establishment" holds exclusive competence for enforcement. The designated Bulgarian authority would wield significant investigative powers (inspections, information requests) and enforcement tools (fines, periodic penalty payments, cessation orders) under Article 26, subject to strict procedural safeguards.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026, establishes a harmonized EU-wide framework for cloud sovereignty. A central pillar of this framework is the governance structure defined in Title IV, Chapter I, Section 4, which outlines the roles, responsibilities, and powers of national competent authorities. For legal counsel and compliance officers operating in or with Bulgaria, understanding these provisions is critical for anticipating regulatory obligations, jurisdictional risks, and enforcement mechanisms.

Designation of National Competent Authorities

Under Article 25(1) of the proposed CADA, Member States are obligated to designate one or more national competent authorities responsible for enforcing Chapter I of Title IV (the Union cloud computing sovereignty framework). The deadline for this designation is explicitly set as "one year of entry into force" (indicated in the text as [P.O. insert date of entry into force plus 1 year]).

The proposal explicitly allows Member States to designate an existing authority or authorities, thereby minimizing the administrative burden of creating new regulatory bodies from scratch. This flexibility suggests Bulgaria could potentially leverage existing structures, such as the Commission for Personal Data Protection (CPDP) or the Commission for Protection of Competition (CPC), or a newly designated body within the Ministry of Digital Transformation, provided they are formally designated under the Regulation.

Once designated, Bulgaria must notify the European Commission of the names of these competent authorities, along with their specific tasks and powers, as per Article 25(2). The Commission is then required to maintain a public register of these authorities. This transparency measure ensures that cloud computing service providers and public sector bodies can easily identify the correct regulatory contact point for inquiries, applications for recognition, or enforcement matters.

Exclusive Competence Based on Main Establishment

A key feature of the CADA's enforcement model is the principle of exclusive competence based on the provider's main establishment. Article 25(4) stipulates that the Member State in which the cloud computing service provider has its main establishment has exclusive competence for enforcing Chapter I.

The Regulation defines "main establishment" as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.

This means:

• If a cloud service provider is established in Bulgaria: The Bulgarian competent authority will have primary and exclusive jurisdiction over that provider's compliance with the sovereignty framework, regardless of where the services are consumed within the EU.
• If a provider is established in Germany but provides services to Bulgarian public bodies: The German competent authority remains the primary enforcer. Bulgarian authorities cannot unilaterally impose fines or sanctions on the German provider; they must rely on cross-border cooperation mechanisms (see below).

Investigative and Enforcement Powers

Article 26 grants national competent authorities robust investigative and enforcement powers to ensure compliance. These powers are designed to be "effective, dissuasive and proportionate," as required by Article 26(3).

Investigative Powers (Article 26(1)): To carry out their tasks, particularly regarding the recognition of cloud computing service providers under Article 17, competent authorities may:

• Require information: Demand that any cloud computing service provider, auditing organization, or other relevant persons provide information as soon as possible.
• Conduct inspections: Carry out inspections of any premises used for trade, business, or profession. If necessary, they may request a judicial authority to order such inspections. This includes the power to examine, seize, or obtain copies of information in any form, irrespective of the storage medium.
• Request explanations: Ask any member of staff or representative to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.

Enforcement Powers (Article 26(2)): If infringements are identified, competent authorities can:

• Order cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
• Impose fines: Impose fines for failure to comply with the Regulation or with any investigative orders issued.
• Impose periodic penalty payments: Impose periodic penalty payments to ensure an infringement is terminated in compliance with an order, or for failure to comply with investigative orders.

These measures must respect the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file, as outlined in Article 26(4). Any exercise of these powers is subject to adequate safeguards under applicable national law and the general principles of Union law.

Cross-Border Cooperation and Mutual Assistance

While the main-establishment Member State holds exclusive competence, Article 27 and Article 28 establish mechanisms for mutual assistance and cross-border cooperation.

If a competent authority in a Member State where services are consumed (e.g., Bulgaria) suspects a non-compliance by a provider established in another Member State, it may request the competent authority of establishment to assess the matter and take necessary investigatory and enforcement measures. The authority of establishment must communicate its assessment and any measures taken within two months. This ensures that local public sector bodies are protected even if the provider is not locally established, preventing regulatory gaps.

What this means for you

For in-house counsel and compliance officers, the establishment of national competent authorities under CADA represents a significant shift in the regulatory landscape for cloud services in Bulgaria.

1. Monitor Designations: Keep a close watch on the Commission's public register of competent authorities. Once Bulgaria designates its authority (within one year of CADA's entry into force), you must identify whether it is a new body or an existing one (such as a data protection or cybersecurity authority). This determines your primary point of contact for regulatory queries and recognition applications.
2. Prepare for Investigations: The investigative powers under Article 26(1) are extensive. Ensure your internal processes are ready to respond to information requests and facilitate inspections. This includes maintaining up-to-date documentation of your cloud services, subcontractor relationships, audit reports, and software supply chain data.
3. Understand Jurisdiction: If your company is established in Bulgaria, you are subject to the exclusive competence of the Bulgarian authority. If you are established elsewhere, you must still comply with the sovereignty framework, but enforcement actions will primarily originate from your home Member State's authority, albeit with potential input from Bulgarian authorities if your services are used there.
4. Risk of Fines and Penalties: The power to impose fines and periodic penalty payments under Article 26(2) underscores the seriousness of compliance. Ensure that your cloud services meet the relevant Union assurance levels and that you have robust internal controls to prevent infringements. Note that while CADA does not set a specific maximum fine amount (leaving this to Member States under Article 24), the powers to order cessation and impose periodic penalties are immediate and potent.
5. Cooperation with Auditors: Since the recognition process involves independent audits, ensure that your cooperation with auditing organizations is seamless and that you provide them with all necessary access and information. The competent authority will rely on these audit reports when assessing your compliance and may request further evidence directly.

Common misconceptions

• Misconception: Any national authority can enforce CADA.
  • Reality: Article 25(4) establishes exclusive competence for the Member State of the provider's main establishment. While other Member States can request assistance, the primary enforcement responsibility lies with the authority in the provider's home country.
• Misconception: CADA creates a new EU-wide regulator.
  • Reality: CADA relies on national competent authorities designated by each Member State. The Commission maintains a register and facilitates cooperation, but it does not replace national enforcement bodies.
• Misconception: Only large hyperscalers are subject to these powers.
  • Reality: The provisions apply to all cloud computing service providers seeking recognition under the Union assurance levels. SMEs are not exempt, although the proposal notes that their statements of conformity for Level 1 are automatically recognized.
• Misconception: Enforcement powers are limited to administrative fines.
  • Reality: Article 26(2) includes the power to order the cessation of infringements, impose remedies, and levy periodic penalty payments, providing a comprehensive toolkit for enforcement beyond simple monetary penalties.
• Misconception: Bulgaria can fine a German provider directly.
  • Reality: If a provider is established in Germany, the German authority has exclusive competence. Bulgaria must use the cross-border cooperation mechanism in Article 28 to request action, rather than imposing fines directly.

Related

• Who is Sweden's national competent authority under CADA?
• Who is Spain's national competent authority under CADA?
• Who is Slovenia's national competent authority under CADA?
• Who is Slovakia's national competent authority under CADA?
• Who is Romania's national competent authority under CADA?

This is general information about a draft EU regulation, not legal advice.