Summary Under the proposed Cloud and AI Development Act (CADA), Hungary is required to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of the Regulation's entry into force. As of the proposal's publication on 3 June 2026, the specific Hungarian authority has not yet been named in the text; however, the Commission will maintain a public register of all designated authorities across the Union. If a cloud provider has its main establishment in Hungary, the Hungarian competent authority will hold exclusive competence to enforce the Regulation's sovereignty rules against that provider, wielding powers to inspect premises, order cessation of infringements, and impose fines.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a harmonized framework to strengthen the EU's cloud and AI ecosystem. A core component of this framework is the "Union cloud computing sovereignty framework," which categorizes cloud services into four assurance levels based on their sovereignty and security guarantees. To enforce this framework, CADA relies on a network of national competent authorities, with specific rules governing their designation, scope, and powers.

Designation of Hungary's Competent Authority

Article 25(1) of CADA mandates that Member States, including Hungary, must designate one or more national competent authorities responsible for enforcing Chapter IV of the Regulation (which covers the sovereignty framework, assurance levels, and audits). This designation must be completed by the date of entry into force plus one year.

The proposal explicitly allows Member States to leverage existing administrative structures to avoid unnecessary bureaucratic duplication. Article 25(1) states: "To that effect, Member States may designate an existing authority or existing authorities ('competent authorities')." This suggests Hungary is not required to create a new regulatory body from scratch but can assign these tasks to an existing agency, such as a data protection authority, a cybersecurity agency, or a market surveillance body, provided it has the necessary technical, financial, and human resources as required by Article 25(3).

Once designated, Hungary must notify the European Commission of the names of these authorities and their specific tasks and powers. Article 25(2) requires: "The Commission shall maintain a public register of those authorities." This register will serve as the definitive source for cloud providers and public sector bodies to identify the correct regulatory contact point in Hungary.

Exclusive Competence: The Main Establishment Rule

A critical feature of CADA's enforcement mechanism is the principle of exclusive competence based on the provider's location, designed to prevent regulatory fragmentation. Article 25(4) stipulates: "The Member State in which the cloud computing service provider has its main establishment... shall have exclusive competence for enforcing this Chapter."

The "main establishment" is defined in Article 25(4) as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised. This means:

  • If a cloud provider is headquartered in Budapest, the Hungarian competent authority is the sole regulator for its CADA sovereignty compliance across the entire EU.
  • If a provider is headquartered in Germany but operates in Hungary, the German authority leads enforcement, though Hungarian authorities may cooperate under mutual assistance provisions (Article 27) and cross-border cooperation (Article 28).

This "single point of contact" approach aims to reduce the administrative burden on providers operating cross-border and ensure consistent application of the sovereignty framework.

Investigative and Enforcement Powers

The Hungarian competent authority, once designated, will be granted significant powers to ensure compliance with the sovereignty framework. These powers are detailed in Article 26 and are designed to be "effective, dissuasive and proportionate" (Article 26(3)).

Investigative Powers (Article 26(1)): To carry out its tasks, the authority may:

  • Require cloud providers, subcontractors, and auditing organizations to provide specific information regarding suspected infringements "as soon as possible."
  • Carry out inspections of premises used for trade or business purposes, including examining, seizing, or copying information in any form, or request a judicial authority to order such inspections.
  • Ask any member of staff or representative of those providers to give explanations regarding suspected infringements and, with their consent, record their answers.

Enforcement Powers (Article 26(2)): If violations are found, the authority can:

  • Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
  • Impose fines for failure to comply with the Regulation, including with any of the investigative orders issued.
  • Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order issued, or for failure to comply with investigative orders.

Penalties and Compensation

Article 24 outlines the penalties for infringements by cloud computing service providers. Hungary must lay down rules on penalties that are "effective, proportionate and dissuasive." When determining the amount of penalties, Article 24(2) requires authorities to consider a non-exhaustive list of criteria, including:

  • The nature, gravity, scale and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Furthermore, Article 24(3) grants recipients of cloud services the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under the sovereignty chapter.

What this means for you

For in-house counsel, compliance officers, and cloud providers operating in or targeting the Hungarian market, the following steps are critical under the proposed CADA framework:

  1. Monitor the Public Register: As soon as CADA enters into force (expected to be one year after publication), check the Commission's public register under Article 25(2) to identify Hungary's designated competent authority. This entity will be your primary regulatory counterpart for sovereignty assurance applications and enforcement matters.
  2. Verify Main Establishment Location: If your organization is headquartered in Hungary, you are subject to the exclusive jurisdiction of the Hungarian authority for all CADA sovereignty matters. Ensure your compliance team establishes a direct line of communication with this authority. If your main establishment is elsewhere, coordinate with your home-country regulator while preparing for potential cross-border cooperation requests from Hungarian authorities under Article 28.
  3. Prepare for Audits and Inspections: Under Article 26, the Hungarian authority has broad investigative powers, including the right to inspect premises and seize information. Ensure your internal controls, audit trails, and documentation regarding subcontractors, data localization, and third-country control are readily accessible. You must be prepared to provide information "as soon as possible" upon request.
  4. Assess Liability Exposure: Article 24 introduces significant financial risks, including fines based on global turnover and potential civil compensation claims from clients. Review your cloud service contracts to ensure clear allocation of liability and compliance responsibilities, particularly regarding the provision of accurate information for Union assurance level applications.
  5. Engage Early with National Strategy: While Article 25 deals with enforcement, Hungary is also required to adopt a national cloud and AI strategy under Article 7. Engage with the Hungarian government's digital policy teams to understand how national priorities might influence the practical application of sovereignty risk assessments under Article 29.

Common misconceptions

  • "Hungary's authority is already named in CADA." Incorrect. CADA is a framework Regulation that sets out obligations for Member States to designate authorities. The specific Hungarian body is not named in the proposal text; it will be determined by Hungarian national implementation measures and published in the EU register.
  • "Any EU authority can enforce CADA against a provider." Incorrect. Article 25(4) establishes exclusive competence for the Member State of the provider's main establishment. While mutual assistance (Article 27) and cross-border cooperation (Article 28) exist, the primary enforcement power rests with the home country's authority.
  • "CADA penalties are fixed fines." Incorrect. Article 24(2) provides a non-exhaustive list of criteria for imposing penalties, including turnover and gravity. There are no fixed penalty amounts specified in the proposal; these will be defined in Hungarian national implementing laws.
  • "Only public sector bodies are affected by the competent authority." Incorrect. While the sovereignty framework primarily targets public procurement, the obligations on cloud providers (such as transparency and accurate reporting) apply to any provider seeking recognition for Union assurance levels. The competent authority oversees these providers regardless of whether their current clients are public or private, as the recognition is Union-wide.

Related

This is general information about a draft EU regulation, not legal advice.