Summary

Under the proposed Cloud and AI Development Act (CADA), Ireland is required to designate one or more national competent authorities to enforce the EU's cloud sovereignty framework within one year of the regulation's entry into force. As proposed, Article 25 allows Ireland to designate an existing authority, while Article 25(4) establishes that the Member State where a cloud provider has its "main establishment" holds exclusive competence for enforcement. These authorities would wield significant investigative and enforcement powers under Article 26, including the ability to order the cessation of infringements, conduct inspections, and impose fines and periodic penalty payments.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonized framework to strengthen the EU's cloud and AI ecosystem. A central pillar of this framework is the creation of a robust supervisory structure to ensure compliance with the Union cloud computing sovereignty framework (Title IV). For legal counsel, compliance officers, and cloud providers with a presence in Ireland, understanding the designation, powers, and jurisdictional scope of the Irish national competent authority is critical.

Designation of the Irish National Competent Authority

As proposed in Article 25(1) of CADA, Member States, including Ireland, are required to designate one or more national competent authorities responsible for enforcing the provisions of Title IV (Autonomy). This designation must occur no later than one year after the regulation enters into force.

The proposal offers flexibility in how Ireland fulfills this obligation. Article 25(1) explicitly states that "Member States may designate an existing authority or existing authorities." This suggests that Ireland could potentially assign these new responsibilities to an existing body, such as the Commission for Communications Regulation (ComReg), the Data Protection Commission (DPC), or the Central Bank of Ireland, rather than creating a new agency from scratch. The final choice will depend on the specific competencies, resources, and organizational structure of Irish public bodies at the time of implementation.

Once designated, the Irish authority must notify the European Commission of its name, tasks, and powers. In response, Article 25(2) requires the Commission to "maintain a public register of those authorities," ensuring transparency for cloud computing service providers and other stakeholders across the EU.

Exclusive Competence and the "Main Establishment" Rule

A crucial aspect of CADA's enforcement model is the principle of exclusive competence, designed to prevent regulatory fragmentation. Article 25(4) stipulates that "The Member State in which the cloud computing service provider has its main establishment... shall have exclusive competence for enforcing this Chapter."

The regulation defines the "main establishment" as the place where the provider has its "head office or registered office from which the principal financial functions and operational control are exercised." For multinational cloud providers with a significant operational presence in Ireland, this means the Irish national competent authority would act as the "lead supervisor" for the provider's entire EU-wide operations regarding cloud sovereignty compliance. This mechanism mirrors the "one-stop-shop" approach found in the GDPR, aiming to provide legal certainty for providers operating across borders while ensuring a single point of contact for enforcement.

Investigative and Enforcement Powers

The powers granted to national competent authorities are extensive, designed to ensure effective supervision and enforcement of the sovereignty framework. Article 26 of CADA outlines these powers, which the Irish authority would exercise in relation to cloud computing service providers established in Ireland.

Investigative Powers (Article 26(1)): To carry out their tasks, the competent authority would have the power to:

  • Require information: Demand that cloud providers and any other persons acting for purposes related to their trade provide information regarding suspected infringements.
  • Conduct inspections: Carry out inspections of any premises used for trade, business, or profession, or request a judicial authority to order such inspections. This includes the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium."
  • Request explanations: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.

Enforcement Powers (Article 26(2)): If an infringement is identified, the authority would have the power to:

  • Order cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
  • Impose fines: Impose fines for failure to comply with the regulation or with any investigative orders issued.
  • Impose periodic penalty payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order.

These measures must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)).

Penalties and Compensation Framework

In addition to the administrative fines imposed by the competent authority, Article 24 of CADA introduces a compensation framework. Recipients of cloud computing services would have the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty chapter.

Furthermore, Article 24(2) provides a non-exhaustive list of criteria for imposing penalties, including:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided due to the infringement.
  • The infringing party's annual turnover in the preceding financial year in the Union.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers with a main establishment in Ireland, the implications are significant:

  1. Regulatory Engagement: You will need to engage closely with the designated Irish national competent authority. While the specific body is yet to be confirmed, preparing for interaction with an authority that possesses GDPR-like investigative powers is prudent.
  2. Compliance Readiness: Ensure your internal controls can withstand rigorous inspections. Article 26 allows authorities to access premises and data. Your compliance team must be able to demonstrate adherence to the Union Assurance Levels (as defined in Annex II of CADA) and provide evidence of third-country control assessments if applicable.
  3. One-Stop-Shop Advantage: If your main establishment is in Ireland, the Irish authority will be your primary point of contact for EU-wide sovereignty compliance. This simplifies regulatory reporting but concentrates risk in one jurisdiction. Ensure your Irish legal and compliance teams are adequately resourced and trained.
  4. Penalty Exposure: Be aware of the potential for significant fines and periodic penalty payments. Implement robust monitoring systems to detect and remediate infringements quickly, as Article 24 encourages mitigation as a factor in penalty determination.
  5. Transparency Obligations: Prepare to report material changes in circumstances that could affect your recognized Union Assurance Level (Article 23). Prompt notification to the auditing organization and the Irish competent authority is mandatory.

Common misconceptions

  • "The Irish Data Protection Commission (DPC) will automatically be the competent authority." While the DPC is a likely candidate due to its existing expertise and GDPR one-stop-shop role, CADA allows for the designation of an existing authority, not necessarily the DPC. It could be ComReg, the Central Bank, or a new body. Do not assume until the official designation is published in the Commission's register.
  • "Only Irish providers are subject to the Irish authority." No. Under Article 25(4), the authority of the Member State where the provider has its main establishment has exclusive competence. This means a US-based cloud provider with its European HQ in Ireland would be supervised by the Irish authority for its EU operations, not the authorities of every Member State where it has customers.
  • "CADA replaces the GDPR." Incorrect. CADA complements existing data protection laws. The sovereignty framework focuses on operational autonomy, data confidentiality, and protection from third-country interference, which goes beyond the scope of GDPR's data privacy rules. Compliance with CADA does not exempt providers from GDPR obligations.
  • "Penalties are fixed amounts." No. Article 24(2) lists criteria for imposing penalties, including the infringer's annual turnover. Fines are likely to be proportionate and dissuasive, similar to GDPR fines, rather than fixed statutory amounts.

This is general information about a draft EU regulation, not legal advice.