Summary

As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) requires Finland, like all Member States, to designate one or more national competent authorities responsible for enforcing the Union cloud computing sovereignty framework within one year of the Regulation's entry into force (Article 25(1)). The specific Finnish authority has not yet been named in the proposal, but it will be listed in a public register maintained by the European Commission (Article 25(2)). Crucially, enforcement jurisdiction rests exclusively with the Member State where the cloud computing service provider has its "main establishment," not necessarily where the Finnish public sector body is located (Article 25(4)). Consequently, if a provider is established in another Member State, the Finnish authority acts primarily as a "competent authority of destination" relying on cross-border cooperation mechanisms rather than direct enforcement.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous governance framework to ensure that cloud computing services used by the EU public sector meet strict sovereignty and security standards. Central to this framework is the designation of national competent authorities tasked with recognizing services against the four Union assurance levels and enforcing compliance. The proposal deliberately centralizes enforcement power to prevent regulatory fragmentation and ensure a level playing field for providers across the single market.

Designation and Timeline (Article 25)

Under Article 25(1), each Member State, including Finland, must designate one or more national competent authorities responsible for enforcing Title IV of the Regulation (the autonomy and sovereignty chapter). The deadline for this designation is set for one year after the entry into force of the Regulation. The proposal explicitly states that Member States may designate an existing authority, such as a data protection authority or cybersecurity agency, or a newly created body, provided it meets the necessary criteria.

Once designated, Finland must notify the European Commission of the names, tasks, and powers of these authorities. Pursuant to Article 25(2), the Commission is required to maintain a public register of these competent authorities. This register ensures transparency for cloud providers and public sector bodies seeking to understand the enforcement landscape across the Union. The Commission will publish the names of the authorities and their tasks, ensuring that all stakeholders know which body holds jurisdiction over specific providers.

Exclusive Competence and Main Establishment (Article 25(4))

A critical aspect of the CADA proposal is the principle of exclusive competence. Article 25(4) stipulates that the Member State in which the cloud computing service provider has its main establishment holds exclusive competence for enforcing this Chapter. The "main establishment" is defined in the proposal as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.

This means that if a cloud provider is headquartered in Ireland but serves a Finnish government agency, the Irish competent authority, not the Finnish one, is primarily responsible for investigating infringements and enforcing the sovereignty criteria against that provider. Finland's competent authority would act as a "competent authority of destination" rather than the enforcing authority of establishment. This "one-stop-shop" mechanism is designed to avoid duplicate investigations and conflicting decisions across the EU.

Investigative and Enforcement Powers (Article 26)

To ensure the sovereignty framework is not merely advisory, Article 26 grants national competent authorities significant investigative and enforcement powers. These powers are designed to be effective, dissuasive and proportionate.

Investigative Powers: Under Article 26(1), the competent authority of establishment has the power to:

  • Require cloud computing service providers, auditing organizations, and other relevant persons to provide specific information related to suspected infringements.
  • Carry out inspections of premises used by providers or related persons to examine, seize, or obtain copies of information related to suspected infringements, regardless of the storage medium.
  • Request explanations from staff or representatives of the provider regarding suspected infringements and record their answers with consent.

Enforcement Powers: Under Article 26(2), the competent authority can:

  • Order the cessation of infringements and impose proportionate remedies to bring the infringement to an end.
  • Impose fines for failure to comply with the Regulation, including for non-compliance with investigative orders.
  • Impose periodic penalty payments to ensure that an infringement is terminated in compliance with a cessation order or to enforce investigative orders.

These measures must respect the rights of defense, the right to be heard, and the right to an effective judicial remedy, as outlined in Article 26(4). The proposal requires that any exercise of these powers be subject to adequate safeguards under applicable national law.

Cross-Border Cooperation (Articles 27 and 28)

Because cloud services are inherently cross-border, the proposal includes robust mechanisms for cooperation. Article 27 outlines mutual assistance, allowing a competent authority to request specific information from another Member State's authority if it is located there. Article 28 facilitates cross-border cooperation where a "competent authority of destination" (e.g., Finland) suspects that a provider no longer fulfills the requirements. In such cases, Finland can request the authority of establishment to assess the matter and take necessary investigatory or enforcement measures. The authority of establishment must respond within two months, communicating its assessment and any measures taken. If the authority of establishment fails to act or the destination authority is unsatisfied, the matter can be referred to the Commission for a binding decision.

What this means for you

For in-house counsel and compliance officers in Finland, the designation of the national competent authority under CADA will define your primary regulatory contact for cloud sovereignty issues. However, the practical implications depend heavily on whether you are a public sector body procuring services or a cloud provider operating in the EU.

For Finnish Public Sector Bodies: You will be required to conduct risk assessments under Article 29 to determine the appropriate Union assurance level for your activities. If your activities are deemed to contribute to public order, you must procure services recognized at assurance levels 2, 3, or 4 (Article 30(3)). While the Finnish competent authority will oversee your compliance with procurement rules, it cannot directly sanction a foreign cloud provider for failing to meet sovereignty criteria. Instead, you must rely on the central repository (Article 22) to verify a provider's recognized status. If you suspect a provider is non-compliant, you must notify the Finnish competent authority, which will then trigger the cross-border cooperation mechanism under Article 28 to alert the provider's home Member State.

For Cloud Service Providers: If your main establishment is in Finland, you will be directly supervised by the Finnish competent authority. You must prepare for rigorous audits and inspections under Article 26. This includes granting access to premises, data, and personnel to demonstrate compliance with the sovereignty criteria in Annex II. If your main establishment is outside Finland, you are subject to the authority in your home state, but you must cooperate with Finnish authorities if they raise concerns about your service's compliance in the context of serving Finnish public sector clients.

Deadlines and Penalties: Be aware that the designation of authorities is due one year after entry into force. Once operational, the investigative powers under Article 26 are immediate. Non-compliance can lead to fines and periodic penalty payments. While CADA itself does not set fixed fine amounts for sovereignty breaches (unlike the AI Act), it requires Member States to lay down rules on penalties that are effective, proportionate and dissuasive (Article 24(1)). You should monitor Finnish national law transposing these requirements once the Regulation is adopted.

Common misconceptions

Misconception 1: The Finnish authority will audit all cloud providers serving Finland. This is incorrect. Under Article 25(4), enforcement is based on the provider's main establishment. If a US or German provider serves Finnish agencies, the US or German competent authority is responsible for the audit and enforcement. The Finnish authority's role is limited to mutual assistance and cross-border cooperation requests.

Misconception 2: CADA replaces national cybersecurity or data protection authorities. Not necessarily. Article 25(1) allows Member States to designate existing authorities. It is highly likely that Finland will designate an existing body, such as the Finnish Transport and Communications Agency (Traficom) or the Finnish Data Protection Ombudsman, or a combination thereof. The key is that the designated body must have the specific powers outlined in Article 26.

Misconception 3: The central repository replaces national oversight. The central repository (Article 22) is a transparency tool maintained by the Commission, listing recognized services. It does not have enforcement powers. National competent authorities remain the entities responsible for granting recognition, conducting audits, and enforcing penalties.

This is general information about a draft EU regulation, not legal advice.