Summary
Under the proposed Cloud and AI Development Act (CADA), Estonia is required to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of the Regulation's entry into force. As the proposal is currently a draft, the specific Estonian authority has not yet been named; however, Member States may designate an existing body rather than creating a new one. These authorities will hold exclusive competence for providers with their main establishment in Estonia and possess extensive investigative and enforcement powers, including the ability to inspect premises, request information, order the cessation of infringements, and impose fines and periodic penalty payments.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous governance structure to oversee the sovereignty and security of cloud computing services within the EU. Central to this framework is the role of national competent authorities, which are tasked with supervising cloud computing service providers and ensuring compliance with the Union's assurance levels.
Designation of Authorities in Estonia
According to Article 25(1) of the proposed Regulation, Estonia, like all Member States, must designate one or more national competent authorities responsible for enforcing the provisions of Title IV, Chapter I (the Cloud Computing Sovereignty Framework). This designation must occur within one year of the Regulation's entry into force. The proposal offers flexibility in this process: Article 25(1) explicitly states that "Member States may designate an existing authority or existing authorities." This suggests that Estonia could assign these responsibilities to an existing body, such as the Estonian Information System Authority (RIA) or the Estonian Competition Authority, depending on their current mandates and capacity, rather than establishing a new entity from scratch.
Once designated, Estonia must notify the European Commission of the names of these authorities and their specific tasks and powers. In turn, Article 25(2) mandates that the Commission maintain a public register of these authorities, ensuring transparency for cloud providers and public sector bodies across the Union.
Exclusive Competence and Main Establishment
A critical aspect of CADA's enforcement mechanism is the principle of exclusive competence based on the provider's main establishment. Article 25(4) states that the Member State in which the cloud computing service provider has its main establishment, defined as the head office or registered office from which principal financial functions and operational control are exercised, has "exclusive competence for enforcing this Chapter."
This means that if a cloud provider is headquartered in Estonia, the Estonian national competent authority is the primary regulator for that provider's compliance with the sovereignty framework, even if the provider offers services in other Member States. This "single point of control" model is designed to reduce regulatory fragmentation and administrative burden for providers operating cross-border.
Investigative and Enforcement Powers
The powers granted to Estonia's designated authority under Article 26 are extensive, enabling effective supervision and enforcement. These powers are divided into investigative and enforcement categories.
Investigative Powers: Under Article 26(1), the competent authority has the power to:
- Require information: Demand that cloud providers, and other persons acting for business purposes, provide specific information related to suspected infringements "as soon as possible."
- Conduct inspections: Carry out, or request a judicial authority to order, inspections of any premises used by providers for business purposes. This includes the power to examine, seize, take, or obtain copies of information relating to suspected infringements in any form, irrespective of the storage medium.
- Request explanations: Ask any member of staff or representative of those providers to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.
Enforcement Powers: If an infringement is identified, Article 26(2) empowers the authority to:
- Order cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end.
- Impose fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including with any of the investigative orders issued.
- Impose periodic penalty payments: Impose a periodic penalty payment, or request a judicial authority to do so, in accordance with Article 24 to ensure that an infringement is terminated in compliance with an order issued, or for failure to comply with any of the investigative orders.
These measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)). Furthermore, Article 25(3) requires Estonia to ensure that its competent authorities have all necessary resources, including sufficient technical, financial, and human resources, to adequately supervise all cloud computing service providers within their competence.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers established in Estonia, or those with a main establishment in Estonia, the implications of CADA are significant.
- Regulatory Preparedness: You must prepare for direct engagement with Estonia's designated national competent authority. While the specific body is not yet named, you should begin identifying which existing Estonian authority is most likely to be designated (e.g., RIA) and establish lines of communication. Monitor the Commission's public register of authorities as soon as it is established.
- Compliance Audits: Ensure your cloud services meet the criteria for the relevant Union assurance level (1–4) as outlined in Annex II of the proposal. The Estonian authority will have the power to inspect your premises and request detailed information to verify compliance. Maintain robust documentation of your conformity self-assessments (for Level 1) or audit reports (for Levels 2–4).
- Response Protocols: Develop internal protocols for responding to investigative requests. Under Article 26(1), you are obligated to provide information "as soon as possible." Delays or non-cooperation could lead to severe enforcement actions, including fines and periodic penalty payments.
- Risk of Penalties: Be aware that non-compliance carries substantial financial risks. The Estonian authority can impose fines and periodic penalty payments. Ensure your legal and compliance teams are familiar with the criteria for penalties outlined in Article 24 and the enforcement powers in Article 26.
- Cross-Border Coordination: If your provider operates in multiple Member States, remember that the Estonian authority has exclusive competence if Estonia is your main establishment. However, you must still cooperate with other Member States' authorities if they suspect non-compliance, as Article 28 outlines cross-border cooperation mechanisms. The Estonian authority may request assistance from or provide assistance to other national competent authorities.
Common misconceptions
- Misconception: "CADA creates a new EU-wide supervisory authority that replaces national regulators."
- Reality: CADA relies on national competent authorities designated by each Member State, including Estonia. The European Commission plays a coordinating and oversight role, but enforcement is primarily national, based on the provider's main establishment (Article 25(4)).
- Misconception: "Estonia must create a brand-new agency to handle CADA compliance."
- Reality: Article 25(1) explicitly allows Member States to designate "an existing authority or existing authorities." Estonia can leverage its current regulatory infrastructure, potentially assigning these tasks to an agency like the RIA or the Estonian Competition Authority.
- Misconception: "Only providers offering services in Estonia are subject to its competent authority."
- Reality: Jurisdiction is based on the provider's "main establishment" (Article 25(4)). A provider headquartered in Estonia falls under Estonian supervision for the entire EU, even if it has no physical presence or customers in Estonia. Conversely, a provider headquartered in Germany is supervised by Germany, even if it serves Estonian clients.
- Misconception: "The powers of the competent authority are limited to issuing warnings."
- Reality: Article 26 grants substantial investigative and enforcement powers, including on-site inspections, seizure of information, orders to cease infringements, and the imposition of fines and periodic penalty payments. These powers are designed to be "effective, dissuasive and proportionate."
This is general information about a draft EU regulation, not legal advice.