Summary
Under the proposed Cloud and AI Development Act (CADA), Germany is required to designate one or more national competent authorities responsible for enforcing the Union cloud computing sovereignty framework. As proposed in Article 25, this designation must occur within one year of the regulation's entry into force, and Germany may choose to designate an existing authority rather than creating a new body. The Commission will maintain a public register of these authorities. For cloud providers with their main establishment in Germany, the German competent authority holds exclusive competence for enforcement, wielding significant investigative and enforcement powers under Article 26, including the ability to order inspections, demand information, and impose fines or periodic penalty payments.
Detail
The Cloud and AI Development Act (CADA) introduces a harmonised EU framework for cloud sovereignty, centred on a system of four "Union assurance levels." To enforce this framework, CADA mandates that each Member State, including Germany, designates a national competent authority. The specific obligations and powers of these authorities are detailed in Title IV, Chapter I, Sections 4 and 5 of the proposal.
Designation and Public Register (Article 25)
Article 25(1) stipulates that Member States must designate one or more national competent authorities responsible for enforcing Chapter I of Title IV (the sovereignty framework) within one year of the regulation's entry into force. The proposal allows flexibility here: Member States "may designate an existing authority or existing authorities" (Article 25(1)). Germany could therefore assign these duties to an existing regulator, such as the Federal Office for Information Security (BSI), or to a more recently created digital body, rather than establishing a wholly new entity from scratch.
Once designated, these authorities must be notified to the European Commission. Article 25(2) requires Member States to notify the Commission of the names of the competent authorities, along with their specific tasks and powers. In turn, the Commission is obligated to "maintain a public register of those authorities." This register will serve as the primary reference point for cloud service providers and public sector bodies to identify the correct regulatory contact in Germany.
Article 25(3) imposes strict operational standards on these authorities. Germany must ensure that its designated competent authority performs its tasks in an "impartial, transparent and timely manner." Furthermore, the authority must be equipped with "all necessary resources," including sufficient technical, financial, and human resources, to adequately supervise all cloud computing service providers within its competence.
Exclusive Competence Based on Main Establishment (Article 25(4))
A critical feature of CADA's enforcement mechanism is the "main establishment" rule. Article 25(4) states that the Member State in which a cloud computing service provider has its main establishment has "exclusive competence for enforcing this Chapter."
The proposal defines the main establishment as the place where the provider has its head office or registered office from which the "principal financial functions and operational control are exercised." For a cloud provider with its main establishment in Germany, the German national competent authority is the sole regulator responsible for overseeing compliance with the sovereignty framework (Union assurance levels 1–4). This prevents fragmented enforcement where a provider might face simultaneous investigations in multiple Member States for the same sovereignty-related infringement.
However, this exclusivity does not mean other Member States are passive. Article 27 outlines mutual assistance obligations, allowing competent authorities to request information and collaborate on investigations. Article 28 further details cross-border cooperation, enabling a "competent authority of destination" (e.g., France) to request the German authority (the "competent authority of establishment") to assess suspected infringements and take necessary investigatory and enforcement measures.
Investigative and Enforcement Powers (Article 26)
The national competent authority in Germany will be granted robust powers to ensure compliance with the sovereignty framework. Article 26 categorises these into investigative and enforcement powers.
Investigative Powers (Article 26(1))
To carry out its tasks under Article 17 (recognition of assurance levels), the German competent authority will have the power to:
- Request Information: Require any cloud computing service provider, and other persons acting for trade or business purposes who may be aware of suspected infringements (including auditing organisations), to provide relevant information "as soon as possible" (Article 26(1)(a)).
- Conduct Inspections: Carry out, or request a judicial authority to order, inspections of premises used by providers or related persons. This includes the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium" (Article 26(1)(b)).
- Interview Staff: Ask members of staff or representatives to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means (Article 26(1)(c)).
Enforcement Powers (Article 26(2))
If investigations reveal non-compliance, the German competent authority will have the power to:
- Order Cessation: Order the cessation of infringements and impose remedies proportionate to the infringement, necessary to bring it effectively to an end. This can be done directly or by requesting a judicial authority to do so (Article 26(2)(a)).
- Impose Fines: Impose fines, or request a judicial authority to do so, for failure to comply with the regulation, including non-compliance with investigative orders (Article 26(2)(b)).
- Impose Periodic Penalty Payments: Impose periodic penalty payments, or request a judicial authority to do so, in accordance with Article 24, to ensure an infringement is terminated or to compel compliance with investigative orders (Article 26(2)(c)).
Proportionality and Safeguards (Article 26(3)–(4))
Measures taken by the German authority must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)). Furthermore, the exercise of these powers must be subject to adequate safeguards under applicable national law, respecting the right to respect for private life, the rights of defence (including the right to be heard and access to the file), and the right to an effective judicial remedy (Article 26(4)).
Penalties and Compensation (Article 24)
While Article 26 grants the powers to impose fines, Article 24 sets out the framework for penalties. Member States must lay down rules on penalties applicable to infringements by cloud service providers, ensuring they are "effective, proportionate and dissuasive" (Article 24(1)). When imposing penalties, authorities must consider factors such as the nature, gravity, scale, and duration of the infringement; any action taken to mitigate damage; previous infringements; financial benefits gained; and the infringing party's annual turnover in the Union (Article 24(2)).
Additionally, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty chapter.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers with their main establishment in Germany, the implications are significant:
- Identify Your Regulator: Monitor the European Commission's public register (established under Article 25(2)) to identify Germany's designated national competent authority. Once published, this authority becomes your primary point of contact for all sovereignty-related regulatory matters.
- Prepare for Inspections: Ensure your internal processes are ready to accommodate sudden inspections and information requests under Article 26(1). This includes having clear protocols for preserving data, granting access to premises, and coordinating with legal counsel during interviews with staff.
- Main Establishment Scrutiny: If your company's "principal financial functions and operational control" are exercised in Germany, you are subject to exclusive German enforcement. Ensure your corporate governance documents clearly reflect this, as mischaracterisation could lead to jurisdictional disputes.
- Compliance Documentation: Maintain rigorous documentation to demonstrate compliance with the Union assurance levels. In an investigation, the provider will in practice be expected to demonstrate conformity or justify any deviations, so evidence should be gathered before it is requested under Article 26(1)(a), not after.
- Engage Early: Given the "one year" deadline for designation, engage with German digital policy circles and potential regulatory bodies early to understand their interpretation of "impartial, transparent and timely" enforcement.
Common misconceptions
- "Germany will create a brand-new agency." Article 25(1) explicitly allows Member States to "designate an existing authority." It is highly probable that Germany will leverage existing structures, such as the BSI or a designated digital ministry, rather than building a new bureaucracy from scratch.
- "Only Germany can investigate a German-based provider." While Germany has exclusive competence for enforcement (Article 25(4)), other Member States can trigger investigations. Under Article 28, a competent authority in another country can request the German authority to assess suspected infringements. The German authority must then act, but the initial suspicion may come from abroad.
- "Fines are automatically imposed by the authority." Article 26(2) notes that the authority can impose fines or "request a judicial authority in their Member State to do so." The specific procedural law in Germany will determine whether the competent authority has direct fining power or must seek court approval, depending on the severity and nature of the infringement.
Related
- Who is Sweden's national competent authority under CADA?
- Who is Spain's national competent authority under CADA?
- Who is Slovenia's national competent authority under CADA?
- Who is Slovakia's national competent authority under CADA?
- Who is Romania's national competent authority under CADA?
This is general information about a draft EU regulation, not legal advice.