Summary
As proposed in the Cloud and AI Development Act (CADA), France is required to designate one or more national competent authorities to enforce the cloud sovereignty framework within one year of the regulation's entry into force (Article 25(1)). The specific French authority has not yet been named, but the regulation permits the designation of an existing body rather than requiring a new entity. Once designated, the authority's details will be published in a public register maintained by the European Commission (Article 25(2)). For cloud providers with their "main establishment" in France, this authority will hold exclusive competence for enforcement across the EU, wielding significant investigative powers, including inspections and information requests, and the ability to impose fines and periodic penalty payments (Article 26).
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous, decentralized enforcement mechanism for its cloud computing sovereignty framework, centered on the role of national competent authorities. For legal counsel and compliance officers operating in or with France, understanding the designation timeline, the scope of jurisdiction, and the specific powers of these authorities is critical for navigating the new assurance levels.
Designation and Registration of the French Authority
Under Article 25(1) of CADA, Member States are required to designate one or more national competent authorities responsible for enforcing Title IV (Autonomy) of the regulation. The deadline for this designation is strict: it must occur by the date that is one year after the regulation enters into force. The text explicitly allows Member States to designate an existing authority or authorities, suggesting that France may leverage its current regulatory infrastructure (such as the Autorité de Contrôle Prudentiel et de Résolution (ACPR) for financial entities, the Commission Nationale de l'Informatique et des Libertés (CNIL) for data protection aspects, or a dedicated digital sovereignty body) rather than creating a new entity from scratch.
Once designated, the French authority must notify the European Commission of its name, tasks, and powers. In response, the Commission is obligated to maintain a public register of these authorities, as stipulated in Article 25(2). This register will serve as the primary reference point for cloud computing service providers to identify the correct supervisory body. The Commission is required to ensure this register is publicly available and updated.
Exclusive Competence and the "Main Establishment" Rule
A critical aspect of CADA's enforcement structure is the principle of exclusive competence, which prevents regulatory fragmentation for multinational providers. Article 25(4) states that the Member State in which the cloud computing service provider has its "main establishment" holds exclusive competence for enforcing Title IV. The regulation defines the main establishment as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.
For multinational cloud providers, this means that if the main establishment is in France, the French national competent authority is the sole regulator for sovereignty compliance across the entire Union. If the main establishment is elsewhere (e.g., in Germany), the French authority would act as a "competent authority of destination," cooperating with the authority of establishment under the mutual assistance and cross-border cooperation frameworks outlined in Articles 27 and 28, but it would not hold primary enforcement power.
Investigative and Enforcement Powers
The French national competent authority, like its counterparts in other Member States, will be endowed with substantial investigative and enforcement powers under Article 26. These powers are designed to ensure effective supervision and deterrence of non-compliance with the Union assurance levels.
Investigative Powers (Article 26(1))
To carry out their tasks, particularly regarding the recognition of Union assurance levels, the competent authority has the power to:
- Require Information: Demand that any cloud computing service provider, as well as auditing organizations and other persons reasonably expected to be aware of relevant information, provide data as soon as possible.
- Conduct Inspections: Carry out, or request a judicial authority to order, inspections of any premises used by the provider for trade, business, or professional purposes. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement, regardless of the storage medium.
- Interview Staff: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with consent, record their answers by any technical means.
Enforcement Powers (Article 26(2))
If investigations reveal non-compliance, the authority can take several enforcement actions:
- Cessation Orders: Order the cessation of infringements and impose remedies proportionate to the infringement to bring it effectively to an end.
- Fines: Impose fines for failure to comply with the regulation, including for non-compliance with investigative orders.
- Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with a cessation order or to compel compliance with investigative orders.
The measures taken must be effective, dissuasive and proportionate, taking into account the nature, gravity, recurrence and duration of the infringement, as well as the economic, technical and operational capacity of the service provider (Article 26(3)).
Penalties and Compensation Framework
In addition to the administrative fines imposed by the competent authority under Article 26, Article 24 outlines broader penalty rules applicable to infringements by cloud computing service providers. Member States must lay down rules on penalties that are effective, proportionate and dissuasive. When determining penalties, authorities must consider criteria such as the nature, gravity, scale and duration of the infringement, any previous infringements, financial benefits gained, and the infringing party's annual turnover in the Union.
Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty framework. This introduces a significant civil liability risk for providers found non-compliant, separate from the administrative fines.
What this means for you
For in-house counsel and compliance officers at cloud providers with a main establishment in France, or those providing services to French public sector bodies, the implications are immediate and operational.
- Monitor the Commission's Register: Keep a close watch on the European Commission's public register of national competent authorities. Once France designates its authority, you must update your regulatory contact maps. If France is your main establishment, this authority is your primary regulator for CADA compliance.
- Prepare for Audits and Inspections: Article 26(1) grants broad inspection powers. Ensure your internal governance allows for rapid production of documents and data related to sovereignty criteria (e.g., data localization, supply chain transparency, third-country control). Your IT and legal teams should be prepared for on-site inspections and interviews with staff.
- Assess Financial Exposure: The combination of administrative fines (Article 26), statutory penalties (Article 24), and private compensation claims (Article 24(3)) creates a multi-layered financial risk. Conduct a cost-benefit analysis of compliance versus potential fines, noting that penalties are tied to annual turnover in the Union.
- Engage Early: If your organization is designated as a "main establishment" in France, proactively engage with the designated authority. The regulation emphasizes impartial and transparent enforcement (Article 25(3)), and early dialogue can help clarify expectations regarding the submission of evidence for Union assurance levels.
Common misconceptions
- Misconception: "Only the French authority matters if we serve French customers."
- Correction: Under Article 25(4), exclusive competence lies with the Member State of the provider's main establishment. If your main establishment is in Germany, the German authority is your primary regulator, even if you serve French clients. The French authority would only act as a destination authority in cross-border cases.
- Misconception: "France will create a brand new regulator for CADA."
- Correction: Article 25(1) explicitly states that Member States may designate an existing authority. It is highly likely France will assign these duties to an existing body with relevant expertise in digital security or data protection, rather than building a new institution.
- Misconception: "Fines are fixed amounts."
- Correction: Article 24(2) and Article 26(3) indicate that penalties and fines are variable. They depend on the nature, gravity, duration, and financial impact of the infringement, as well as the provider's turnover. There are no flat rates; each case is assessed individually.
- Misconception: "CADA penalties are the same as the AI Act."
- Correction: CADA does not set fixed maximum fines like the AI Act (which uses Article 99). Instead, Article 24 requires Member States to set their own penalty rules, provided they are "effective, proportionate and dissuasive."
This is general information about a draft EU regulation, not legal advice.