Who is Greece's national competent authority under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Greece is required to designate one or more national competent authorities responsible for enforcing the Union cloud computing sovereignty framework. As proposed in Article 25, this designation must occur within one year of the Regulation's entry into force. While the specific Greek authority has not yet been named, the Commission will maintain a public register of these authorities. Crucially, enforcement jurisdiction rests exclusively with the Member State where the cloud provider has its "main establishment," not necessarily where the Greek public sector body procuring the service is located.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), introduces a harmonised framework to strengthen the EU's cloud and AI ecosystem. A central pillar of this framework is the Union cloud computing sovereignty framework, which relies on national competent authorities to oversee compliance. For Greece, as with all Member States, the obligations regarding these authorities are detailed primarily in Article 25 and Article 26 of the proposal.

Designation and Register of Authorities (Article 25)

Article 25(1) mandates that Member States must designate one or more national competent authorities responsible for enforcing the sovereignty framework (Title IV, Chapter I) by a deadline of one year from the Regulation's entry into force. The text explicitly states that Member States "may designate an existing authority or existing authorities," meaning Greece is not required to create a new bureaucratic entity but can assign these tasks to an existing body, such as a cybersecurity agency, data protection authority, or market surveillance body, provided it meets the requisite criteria.

To ensure transparency and legal certainty, Article 25(2) requires Member States to notify the Commission of the names of these competent authorities, along with their specific tasks and powers. The Commission is then obligated to maintain a public register of these authorities. This register will serve as the primary reference point for cloud computing service providers seeking to understand where they must submit applications for recognition of Union assurance levels.

Exclusive Competence and Main Establishment (Article 25(4))

A critical aspect of CADA's enforcement mechanism is the principle of exclusive competence. Article 25(4) establishes that the Member State in which the cloud computing service provider has its "main establishment" has exclusive competence for enforcing this Chapter. The "main establishment" is defined in the text as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised.

This means that if a cloud provider is headquartered in France but provides services to a Greek public sector body, the Greek national competent authority does not have primary enforcement jurisdiction over that provider. Instead, the French authority acts as the "competent authority of establishment." However, Greek authorities retain a role in cross-border cooperation. Under Article 28, if the Greek authority suspects a provider no longer fulfills the requirements, it can request the authority of establishment to assess the matter and take necessary investigatory or enforcement measures.

Investigative and Enforcement Powers (Article 26)

To ensure the sovereignty framework is effective, Article 26 grants national competent authorities significant investigative and enforcement powers. These powers are designed to be effective, dissuasive and proportionate.

Investigative Powers: Under Article 26(1), competent authorities can:

• Require cloud providers, auditing organisations, and other relevant persons to provide information as soon as possible regarding suspected infringements.
• Carry out inspections of premises used for trade or business purposes, or request judicial authorities to order such inspections, to examine or seize information related to suspected infringements.
• Ask staff or representatives of providers to give explanations regarding suspected infringements and, with consent, record their answers.

Enforcement Powers: Under Article 26(2), authorities can:

• Order the cessation of infringements and impose remedies proportionate to the infringement.
• Impose fines for failure to comply with the Regulation, including for failing to comply with investigative orders.
• Impose periodic penalty payments to ensure infringements are terminated in compliance with orders.

These powers must be exercised in accordance with national law and general principles of Union law, respecting the right to respect for private life and the rights of defence, including the right to be heard and access to an effective judicial remedy (Article 26(4)).

Penalties and Compensation (Article 24)

While Article 26 outlines the powers of the authorities, Article 24 details the penalties. Member States must lay down rules on penalties applicable to infringements by cloud service providers. These penalties must be effective, proportionate and dissuasive. When imposing penalties, authorities must consider factors such as the nature, gravity, and duration of the infringement, any previous infringements, and the financial benefits gained by the infringing party (Article 24(2)). Furthermore, recipients of cloud services have the right to seek compensation for damage or loss suffered due to a provider's infringement of their obligations under the sovereignty framework (Article 24(3)).

What this means for you

For in-house counsel and compliance officers in Greece, or for EU-based providers serving Greek public sector bodies, the implementation of CADA requires immediate attention to three key areas:

1. Monitor the Designation: Keep a close watch on the Greek government's announcement of its designated national competent authority. This will likely be published in the Official Journal of the Hellenic Republic and subsequently added to the Commission's public register. Until this designation is made, the specific point of contact for compliance queries remains undefined, but the legal obligations under the proposal are clear.
2. Determine Your Jurisdiction: If your organisation is a cloud computing service provider, identify your "main establishment." If this is in Greece, you will be subject to the direct investigative and enforcement powers of the Greek competent authority. If your main establishment is in another Member State, you will primarily deal with that Member State's authority, but you must still be prepared to cooperate with Greek authorities in the event of a cross-border cooperation request under Article 28.
3. Prepare for Audits and Inspections: Ensure your internal governance structures can support the rigorous investigative powers outlined in Article 26. This includes maintaining up-to-date documentation, ensuring premises are accessible for inspections, and having protocols in place for responding to information requests. Failure to cooperate can lead to fines and periodic penalty payments.

Common misconceptions

• "Greece will create a new 'Cloud Authority' from scratch."
  • Correction: Article 25(1) explicitly allows Member States to designate an existing authority. It is more likely that an existing body, such as the Hellenic Data Protection Authority or a cybersecurity agency, will be tasked with these additional responsibilities, rather than a new entity being created.
• "Greek authorities can directly fine a US-based cloud provider serving Greek ministries."
  • Correction: Article 25(4) grants exclusive competence to the Member State of the provider's main establishment. If the provider is established in the US (and not in the EU), different rules apply regarding third-country control (see Article 18). If the provider is an EU entity established in Germany, the German authority has exclusive competence, not the Greek one. Greek authorities can only request cooperation and assessment from the German authority.
• "The penalties are fixed and standardised across the EU."
  • Correction: Article 24(1) requires Member States to lay down their own rules on penalties, provided they are effective, proportionate and dissuasive. While the criteria for imposing penalties are harmonised (e.g., considering the gravity of the infringement), the specific fine amounts and procedural rules will be determined by national Greek law transposing these requirements.

Related

• Who is Sweden's national competent authority under CADA?
• Who is Spain's national competent authority under CADA?
• Who is Slovenia's national competent authority under CADA?
• Who is Slovakia's national competent authority under CADA?
• Who is Romania's national competent authority under CADA?

This is general information about a draft EU regulation, not legal advice.