Summary
As proposed in the Cloud and AI Development Act (CADA), Croatia must designate one or more national competent authorities to enforce the cloud sovereignty framework within one year of the Regulation's entry into force, pursuant to Article 25. These authorities would hold exclusive investigative and enforcement powers over cloud providers established in Croatia, including the power to order inspections, cease infringements, and impose fines under Article 26. The Commission would maintain a public register of these designated authorities to ensure transparency across the Union. Crucially, under the "main establishment" rule in Article 25(4), the Croatian authority would have exclusive competence for providers headquartered in Croatia, even if their services are used across the EU.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised EU-wide framework for cloud computing sovereignty. A cornerstone of this framework is the requirement for Member States to appoint national bodies responsible for supervising and enforcing compliance with the Union assurance levels. For Croatia, as for all Member States, the core obligations regarding these authorities are set out in Article 25 and Article 26 of the proposal.
Designation and the Public Register (Article 25)
Article 25(1) mandates that Member States designate one or more national competent authorities responsible for enforcing the cloud sovereignty chapter of the Regulation. The proposal sets a strict deadline for this designation: it must occur by the date of entry into force plus one year. The text explicitly allows Member States to designate an existing authority, thereby avoiding the creation of redundant bureaucratic structures where possible. This means Croatia could assign these tasks to an existing cybersecurity agency, data protection authority, or digital market regulator, rather than establishing a new body from scratch.
Once designated, the authority's primary role is to supervise cloud computing service providers established within its territory. To facilitate transparency and cross-border cooperation, Article 25(2) requires Member States to notify the European Commission of the names, tasks, and powers of these authorities. The Commission, in turn, is required to maintain a public register of these competent authorities. This register ensures that cloud providers, public sector bodies, and other stakeholders can easily identify the correct regulatory contact point in Croatia and verify the authority's status.
Article 25(3) further requires that these authorities perform their tasks in an impartial, transparent, and timely manner. Member States must ensure that their competent authorities have all necessary resources to carry out their tasks, including sufficient technical, financial, and human resources to adequately supervise all cloud computing service providers within their competence.
Exclusive Competence and the "Main Establishment" Rule (Article 25(4))
A key feature of CADA's governance model is the principle of exclusive competence based on the provider's "main establishment." Article 25(4) states that the Member State in which a cloud computing service provider has its main establishment has exclusive competence for enforcing the sovereignty chapter.
The proposal defines "main establishment" as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised. For a cloud provider operating across the EU but headquartered in Croatia, the Croatian competent authority would be the primary enforcer. This "one-stop-shop" approach is designed to reduce regulatory fragmentation and ensure that providers face a single primary regulator rather than conflicting demands from multiple Member States.
This exclusivity means that if a Croatian provider is suspected of non-compliance, the Croatian authority is the sole entity empowered to take enforcement action under this Regulation, even if the infringement affects users in other Member States. Other Member States must cooperate by referring matters to the authority of establishment, as outlined in Article 28.
Investigative and Enforcement Powers (Article 26)
To ensure effective supervision, Article 26 grants Croatian competent authorities significant investigative and enforcement powers. These powers are necessary to verify compliance with the Union assurance levels and to address infringements effectively.
Investigative Powers (Article 26(1)): The competent authority would have the power to:
- Require information: Demand that any cloud computing service provider, or other persons reasonably expected to hold relevant information (including auditing organisations), provide information as soon as possible.
- Conduct inspections: Carry out, or request a judicial authority to order, inspections of any premises used for trade or business purposes related to the suspected infringement. This includes the power to examine, seize, take, or obtain copies of information in any form, irrespective of the storage medium.
- Request explanations: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.
Enforcement Powers (Article 26(2)): If an infringement is identified, the authority would have the power to:
- Order cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
- Impose fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including with any of the investigative orders issued.
- Impose periodic penalty payments: Impose a periodic penalty payment to ensure that an infringement is terminated in compliance with an order issued, or for failure to comply with any investigative orders.
These measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)).
Penalties Framework (Article 24)
While Article 26 outlines the powers to impose penalties, Article 24 sets the overarching framework. Member States must lay down the rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."
When determining penalties, authorities must consider non-exhaustive criteria including the nature, gravity, scale, and duration of the infringement; any action taken to mitigate damage; previous infringements; financial benefits gained; and the infringing party's annual turnover in the Union. Additionally, Article 24(3) ensures that recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement.
What this means for you
For in-house counsel, compliance officers, and cloud computing service providers operating in or from Croatia, the establishment of a national competent authority under CADA introduces several critical operational changes:
- Identify Your Regulator: Once the Croatian authority is designated and registered, it becomes your primary regulatory counterpart for sovereignty compliance. You must monitor the Commission's public register to identify the specific office and contact details. If Croatia designates an existing body (e.g., the Agency for Electronic Communications and Postal Services or the Data Protection Agency), you must prepare for a regulator that may already have experience in your sector.
- Prepare for "One-Stop-Shop" Enforcement: If your main establishment is in Croatia, your local authority handles all enforcement. However, this also means you are the primary target for cross-border issues. If a provider established in Croatia is suspected of non-compliance in another Member State, the Croatian authority will be asked to assess and enforce. Compliance issues in any EU market can trigger action by your home regulator.
- Audit Readiness and Inspections: Under Article 26, the authority can inspect premises and seize data. Your internal compliance procedures must include protocols for responding to such inspections, ensuring that relevant documentation (audit reports, conformity statements, subcontractor lists, and SBOMs) is readily accessible. Failure to cooperate with an inspection is a direct infringement.
- Cooperation Obligations: You are legally required to cooperate with the authority's information requests. Failure to provide information or providing misleading information can trigger fines and periodic penalty payments. Ensure your legal and technical teams are aligned on who is authorised to respond to regulatory inquiries.
- Resource Allocation for Compliance: The authority must be adequately resourced, but as a provider, you must also budget for the administrative costs of ongoing compliance. This includes the costs of independent audits for Union assurance levels 2–4 and the potential costs of responding to regulatory inquiries or remedying infringements.
Common misconceptions
- "CADA creates a new authority in every Member State." Incorrect. Article 25(1) explicitly allows Member States to designate an existing authority. Croatia may assign these tasks to an existing cybersecurity, data protection, or digital market regulator rather than creating a new body.
- "Only the authority in the country where the data is stored has jurisdiction." Incorrect. Article 25(4) establishes exclusive competence based on the provider's main establishment. If a provider is headquartered in Croatia, the Croatian authority is the primary enforcer, even if data is processed in other Member States (subject to Union assurance level requirements).
- "Penalties are fixed amounts set by the EU." Incorrect. Article 24 requires Member States to lay down their own rules on penalties. While the EU sets criteria (effectiveness, proportionality), the specific fine structures and maximums will be defined in Croatian national law implementing CADA.
- "Auditing organisations are the only ones checking compliance." Incorrect. While independent audits are required for Union assurance levels 2–4, the national competent authority has direct investigative and enforcement powers under Article 26. It can investigate suspected infringements independently of the audit process and can revoke recognition if a provider supplies incorrect information.
This is general information about a draft EU regulation, not legal advice.