Summary Under the proposed Cloud and AI Development Act (CADA), Cyprus is required to designate one or more national competent authorities responsible for enforcing the Union cloud computing sovereignty framework within one year of the Regulation's entry into force. As of the proposal's publication, the specific authority has not yet been named, but Cyprus may designate an existing body to fulfill this role. The Commission will maintain a public register of these authorities. Crucially, if a cloud computing service provider has its main establishment in Cyprus, the Cypriot competent authority holds exclusive competence to enforce the sovereignty chapter. This authority would possess broad investigative powersβ€”including inspections and information requestsβ€”and enforcement powers to order the cessation of infringements, impose fines, and levy periodic penalty payments.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a harmonized framework to strengthen the EU's cloud and AI ecosystem. A central pillar of this framework is the designation of national competent authorities to supervise and enforce the Union cloud computing sovereignty framework, particularly regarding the recognition of cloud services at various Union assurance levels.

Designation and Timeline

Article 25(1) of the CADA proposal mandates that Member States, including Cyprus, shall designate one or more national competent authorities responsible for enforcing Chapter I of Title IV (the Cloud computing sovereignty framework). This designation must occur by the date of entry into force plus one year. The text explicitly allows Member States to designate an existing authority or authorities, referred to as 'competent authorities', to perform these tasks, thereby potentially avoiding the creation of entirely new bureaucratic structures.

Public Register and Exclusive Competence

Once designated, Cyprus must notify the Commission of the names of its competent authorities, along with their specific tasks and powers. In response, the Commission shall maintain a public register of these authorities, ensuring transparency for market participants (Article 25(2)).

Crucially, Article 25(4) establishes the principle of exclusive competence. The Member State in which a cloud computing service provider has its main establishmentβ€”defined as the head office or registered office from which principal financial functions and operational control are exercisedβ€”has exclusive competence for enforcing the sovereignty chapter. This means that if a cloud provider's main establishment is in Cyprus, the Cypriot competent authority is the sole national authority responsible for supervision and enforcement, rather than authorities in other Member States where the provider may have branches or customers. This "one-stop-shop" approach is designed to prevent fragmented enforcement across the single market.

Investigative and Enforcement Powers

Article 26 of the CADA proposal outlines the specific powers granted to these national competent authorities to ensure effective enforcement. These powers are divided into investigative and enforcement categories.

Investigative Powers: To carry out their tasks under Article 17 (recognition of cloud computing service providers), competent authorities of establishment shall have the power to:

  • Information Requests: Require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession (including auditing organisations), to provide relevant information as soon as possible regarding suspected infringements (Article 26(1)(a)).
  • Inspections: Carry out, or request a judicial authority to order, inspections of any premises used for trade, business, craft, or profession. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium (Article 26(1)(b)).
  • Interviews: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means (Article 26(1)(c)).

Enforcement Powers: Where needed to carry out their tasks, national competent authorities of establishment shall have the power to:

  • Cessation Orders: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring it effectively to an end. They may also request a judicial authority to do so (Article 26(2)(a)).
  • Fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including non-compliance with investigative orders (Article 26(2)(b)).
  • Periodic Penalty Payments: Impose a periodic penalty payment, or request a judicial authority to do so, in accordance with Article 24 to ensure that an infringement is terminated in compliance with a cessation order, or for failure to comply with investigative orders (Article 26(2)(c)).

These measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)). Furthermore, the exercise of these powers must comply with general principles of Union law, including the right to respect for private life and the rights of defence, such as the right to be heard and access to the file (Article 26(4)).

Cross-Border Cooperation

While the main establishment Member State holds exclusive competence, CADA emphasizes cross-border cooperation. Article 27 outlines mutual assistance obligations, requiring competent authorities to cooperate closely and exchange information. Article 28 details cross-border cooperation for enforcement, allowing a competent authority in a destination Member State to request the authority of establishment to assess suspected non-compliance and take necessary investigatory and enforcement measures. The authority of establishment must communicate its assessment and any measures taken within two months of receiving the request (Article 28(4)).

What this means for you

For in-house counsel, compliance officers in Cyprus, and cloud providers with their main establishment in Cyprus, the implications of CADA are significant and require proactive preparation.

1. Identify Your Regulator Early

Although the specific Cypriot authority has not yet been named, you should monitor the Commission's public register once it is established. If your provider has its main establishment in Cyprus, the Cypriot authority will be your primary point of contact and regulator. If your main establishment is elsewhere in the EU, that Member State's authority is responsible, though Cypriot authorities may still engage in cross-border cooperation if your services are used in Cyprus.

2. Prepare for Enhanced Scrutiny

Under Article 26, competent authorities have broad investigative powers. Compliance teams should ensure that all documentation related to cloud service provision, subcontractor arrangements, and data residency is readily accessible. Authorities can inspect premises and seize information in any form. Ensure your internal processes allow for the rapid provision of information as required by Article 26(1)(a).

3. Understand the Penalty Landscape

The ability to impose fines and periodic penalty payments (Article 26(2)) underscores the seriousness of non-compliance. While Article 24 outlines the criteria for penalties (nature, gravity, duration, financial benefits gained, etc.), the enforcement powers in Article 26 give authorities the tools to enforce these. Regular internal audits against the Union assurance levels (Annex II of CADA) are essential to mitigate the risk of enforcement actions.

4. Engage in Cross-Border Cooperation

If you operate across multiple Member States, be aware that authorities in destination countries can trigger investigations in your home Member State under Article 28. Maintain clear lines of communication with your primary regulator to address any cross-border concerns swiftly.

5. Monitor National Strategy Developments

Cyprus is also required to adopt a national cloud and AI strategy under Article 7 of CADA. This strategy will likely inform the priorities and focus areas of the national competent authority. Aligning your compliance efforts with the strategic priorities outlined in Cyprus's national strategy may facilitate smoother interactions with the regulator.

Common misconceptions

Misconception 1: Cyprus has already designated its competent authority. Fact: As of the proposal's publication, no specific authority has been designated. The proposal requires designation within one year of entry into force. Until then, the existing data protection or cybersecurity authorities may not automatically assume these new responsibilities unless explicitly designated.

Misconception 2: Any Member State can enforce CADA sovereignty rules on a provider. Fact: Article 25(4) grants exclusive competence to the Member State of the provider's main establishment. While other Member States can request assistance under Article 28, the primary enforcement power lies with the home authority.

Misconception 3: The competent authority is only a supervisory body. Fact: Article 26 grants significant enforcement powers, including the ability to order cessation of infringements, impose fines, and levy periodic penalty payments. It is not merely an advisory or supervisory role but an active enforcement body.

Misconception 4: Only new authorities will be created. Fact: Article 25(1) explicitly allows Member States to designate an existing authority. This suggests that Cyprus may leverage its existing data protection or cybersecurity regulatory infrastructure, potentially reducing administrative burden for businesses already interacting with those bodies.

Related

This is general information about a draft EU regulation, not legal advice.