Summary
Under the proposed Cloud and AI Development Act (CADA), Czechia is required to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of the Regulation's entry into force. As of now, CADA does not name a specific Czech body; it grants Member States the flexibility to designate existing authorities. Once designated, these authorities will hold exclusive enforcement competence over cloud providers with their main establishment in Czechia, wielding significant investigative and enforcement powers, including the ability to impose fines and periodic penalty payments.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised EU-wide framework for cloud computing sovereignty. This framework relies on a network of national competent authorities to supervise and enforce compliance. For Czechia, the key provisions governing this designation, the scope of authority, and the enforcement toolkit are found in Article 25 and Article 26 of the proposed Regulation.
Designation of the Authority (Article 25)
CADA does not pre-select a specific agency in Czechia to act as the competent authority. Instead, Article 25(1) mandates that Member States must designate one or more national competent authorities responsible for enforcing Chapter IV of the Regulation (the Autonomy chapter). This designation must occur by the date of entry into force plus one year.
Crucially, Article 25(1) explicitly states that "Member States may designate an existing authority or existing authorities." This suggests that Czechia may leverage an existing regulatory body, such as the Office for Personal Data Protection (ÚOOÚ), the Czech National Cyber and Information Security Agency (NÚKIB), or a new unit within the Ministry of Industry and Trade, rather than creating an entirely new institution from scratch. The choice of authority will likely depend on which body currently holds the most relevant expertise in cybersecurity, data protection, or public procurement, though the final decision rests with the Czech government.
Once designated, these authorities must be notified to the European Commission. Article 25(2) requires Member States to notify the Commission of the names of the competent authorities and their tasks and powers. The Commission is then obligated to maintain a public register of these authorities, ensuring transparency for cloud computing service providers and public sector bodies across the EU.
Article 25(3) imposes strict operational requirements on these designated authorities. Czechia must ensure that its competent authority performs its tasks in an "impartial, transparent and timely manner." Furthermore, the authority must be equipped with "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence." This implies that the designated Czech body will need to undergo potential capacity building to handle the technical complexity of auditing cloud infrastructure and sovereignty claims.
Exclusive Competence and the "Main Establishment" Rule
A critical aspect of CADA's enforcement structure is the principle of exclusive competence based on the provider's location. Article 25(4) establishes that "The Member State in which the cloud computing service provider has its main establishment... shall have exclusive competence for enforcing this Chapter."
The "main establishment" is defined as the head office or registered office from which the principal financial functions and operational control are exercised. For Czechia, this means that if a cloud computing service provider (whether EU-based or third-country) has its main establishment in the Czech Republic, the Czech competent authority will be the sole enforcer of CADA's sovereignty rules for that provider across the entire Union. Conversely, Czech public sector bodies procuring services from a provider established in another Member State (e.g., Germany) would look to German authorities for enforcement issues, though they would cooperate under mutual assistance rules.
Investigative and Enforcement Powers (Article 26)
The teeth of the CADA framework lie in the powers granted to these national competent authorities under Article 26. To ensure effective supervision, the Czech competent authority would be granted robust investigative and enforcement tools.
Investigative Powers: Under Article 26(1), the competent authority would have the power to:
- Request Information: Require cloud computing service providers, auditing organisations, and other relevant persons to provide information related to suspected infringements as soon as possible.
- Conduct Inspections: Carry out, or request a judicial authority to order, inspections of any premises used by providers. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
- Interview Staff: Ask any member of staff or representative of those providers to give explanations in respect of any information relating to a suspected infringement and, with their consent, to record their answers by any technical means.
Enforcement Powers: If infringements are found, Article 26(2) empowers the Czech competent authority to:
- Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end.
- Impose Fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including with any of the investigative orders issued pursuant to paragraph 1.
- Periodic Penalty Payments: Impose a periodic penalty payment, or request a judicial authority to do so, to ensure that an infringement is terminated in compliance with an order issued pursuant to point (a), or for failure to comply with any of the investigative orders.
These measures must be "effective, dissuasive and proportionate," having regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement, and, where relevant, the economic, technical and operational capacity of the service provider concerned (Article 26(3)).
What this means for you
For in-house counsel and compliance officers in Czechia, particularly those overseeing public sector IT procurement or managing cloud service providers with a main establishment in the Czech Republic, the designation of the national competent authority is a critical upcoming milestone.
1. Monitor the Designation Process: Within one year of CADA's entry into force, the Czech government must formally designate its competent authority. You should monitor announcements from the Ministry of Industry and Trade, the Office for Personal Data Protection, and NÚKIB. Once designated, this authority will be listed in the Commission's public register (Article 25(2)). Until this designation is made, the specific contact point for CADA-related inquiries and compliance reporting remains undefined.
2. Prepare for Enhanced Scrutiny: If your organisation is a cloud computing service provider with its main establishment in Czechia, you are subject to the exclusive competence of the Czech authority (Article 25(4)). You must prepare for rigorous oversight. The authority would have the right to inspect your premises, request detailed information on your sovereignty compliance (e.g., data localisation, third-country control), and interview staff (Article 26(1)). Ensure your internal documentation regarding Union assurance levels, audit reports, and subcontractor due diligence is readily accessible.
3. Understand the Enforcement Risks: The new powers under Article 26(2) mean that non-compliance carries significant financial and operational risks. The Czech authority could issue cessation orders, imposing immediate operational changes. More critically, it could levy fines and periodic penalty payments. Compliance officers must integrate CADA's sovereignty criteria (Annex II of CADA) into their existing risk management frameworks. Failure to cooperate with investigative orders can itself trigger fines, making proactive engagement with the competent authority essential.
4. Cross-Border Cooperation: Even if your provider is not established in Czechia, Czech public sector bodies must still procure services meeting specific Union assurance levels (Article 30). If a Czech authority suspects a non-Czech provider is non-compliant, it can request the provider's home-state authority to investigate (Article 28). Counsel should be prepared to facilitate this cross-border cooperation, providing evidence to foreign authorities to protect their provider's market access in Czechia.
Common misconceptions
Misconception 1: The Czech National Bank or a specific existing body is already named. CADA does not name specific national authorities. It provides a framework for Member States to choose. While bodies like ÚOOÚ or NÚKIB are likely candidates due to their existing mandates in data protection and cybersecurity, the final designation is a national political and administrative decision that will occur after the Regulation enters into force.
Misconception 2: Competence is shared among all Member States. No. Article 25(4) establishes exclusive competence for the Member State of the provider's main establishment. If a provider is headquartered in Prague, only the Czech competent authority can enforce CADA's sovereignty rules against that provider. Other Member States cannot directly fine or inspect that provider; they must request assistance from the Czech authority.
Misconception 3: The authority only has advisory powers. The powers under Article 26 are coercive. The Czech competent authority would be able to compel information, conduct physical inspections, and impose financial penalties. It is a regulatory enforcer, not just a guidance body.
This is general information about a draft EU regulation, not legal advice.