Summary
Under the proposed Cloud and AI Development Act (CADA), Italy is required to designate one or more national competent authorities responsible for enforcing the Union cloud computing sovereignty framework within one year of the regulation's entry into force, as mandated by Article 25(1). As CADA is currently a proposal, the specific Italian authority has not yet been named; however, the law explicitly permits Italy to designate an existing body rather than creating a new agency. The European Commission will maintain a public register of these designated authorities to ensure transparency. Crucially, enforcement jurisdiction is determined by the provider's "main establishment": the Italian authority would have exclusive competence only over providers established in Italy, while providers established elsewhere would fall under the exclusive competence of their home Member State, subject to cross-border cooperation mechanisms.
Detail
The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a harmonised framework to strengthen Europe's cloud and AI ecosystem. A cornerstone of this framework is the creation of a robust supervisory architecture in each Member State to enforce the Union cloud computing sovereignty framework (Title IV, Chapter I). For Italy, as for all Member States, this involves the designation, empowerment, and operation of a national competent authority.
Designation of Italy's Competent Authority
Article 25(1) of the proposed regulation imposes a strict timeline on Member States. Italy must designate one or more national competent authorities responsible for enforcing the sovereignty chapter by [date of entry into force plus one year].
The proposal offers significant flexibility regarding which body fulfills this role. Article 25(1) states that Member States "may designate an existing authority or existing authorities." This provision suggests that Italy is not required to establish a new, standalone regulatory entity. Instead, it could assign these responsibilities to an existing body with relevant expertise, such as the Italian Data Protection Authority (Garante per la protezione dei dati personali), the Agency for Digital Italy (AgID), or a specialized cybersecurity body, provided that body is granted the necessary resources.
Once designated, Italy must notify the European Commission of the names of these authorities, along with their specific tasks and powers, pursuant to Article 25(2). The Commission is then obligated to maintain a public register of these authorities. This register serves as the definitive source for cloud service providers and public sector bodies to identify the correct regulator for any given service provider.
Exclusive Competence and the "Main Establishment" Principle
A critical feature of the CADA framework is the principle of exclusive competence, designed to prevent regulatory fragmentation and ensure legal certainty. Article 25(4) stipulates that the Member State in which a cloud computing service provider has its "main establishment" has exclusive competence for enforcing the sovereignty chapter.
The regulation defines "main establishment" as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.
- Italian Providers: If a cloud provider has its main establishment in Italy, the Italian national competent authority will have exclusive jurisdiction over its sovereignty compliance.
- Non-Italian Providers: If a provider established in Germany or the United States serves Italian public sector bodies, the Italian authority generally does not have primary enforcement power. Instead, the authority of the provider's main establishment (e.g., Germany) holds exclusive competence.
However, this does not leave Italian public bodies without recourse. Article 27 (Mutual Assistance) and Article 28 (Cross-border Cooperation) allow the Italian authority to request information, investigations, or enforcement measures from the competent authority of the provider's main establishment if a suspected infringement affects Italian public order or sovereignty.
Investigative and Enforcement Powers
The national competent authorities designated by Italy will be vested with significant powers under Article 26 to ensure the integrity of the sovereignty framework. These powers are designed to be effective, dissuasive, and proportionate.
Investigative Powers (Article 26(1)): The Italian competent authority would have the power to:
- Require Information: Demand that cloud computing service providers, auditing organisations, and other relevant persons provide specific information related to suspected infringements as soon as possible.
- Conduct Inspections: Carry out, or request a judicial authority to order, inspections of any premises used for trade, business, or profession related to the suspected infringement. This includes the power to examine, seize, or obtain copies of information in any form, irrespective of the storage medium.
- Request Explanations: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.
Enforcement Powers (Article 26(2)): To address non-compliance, the authority would have the power to:
- Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
- Impose Fines: Impose fines for failure to comply with the regulation, including for failure to comply with investigative orders.
- Impose Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with a cessation order or to compel compliance with investigative orders.
These measures must be taken in accordance with the right to respect for private life, the rights of defence (including the right to be heard and access to the file), and the right to an effective judicial remedy, as outlined in Article 26(4).
Penalties and Compensation Framework
While Article 26 grants the authority the power to impose fines, the specific rules on penalties are laid down by Member States under Article 24. Italy must lay down rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."
When determining penalties, Italian authorities must consider non-exhaustive criteria listed in Article 24(2), including:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken by the infringing party to mitigate or remedy the damage.
- Any previous infringements by the infringing party.
- The financial benefits gained or losses avoided due to the infringement.
- The infringing party's annual turnover in the preceding financial year in the Union.
Furthermore, Article 24(3) establishes a right to compensation: recipients of cloud computing services shall have the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty chapter, in accordance with Union and national law.
What this means for you
For in-house counsel, compliance officers, and strategic planners at cloud computing service providers operating in or targeting the Italian public sector, the designation of Italy's national competent authority under CADA will trigger several immediate obligations and strategic considerations.
1. Identify the Regulator Early: Once Italy designates its competent authority, you must determine whether your company's "main establishment" falls within Italian jurisdiction. If your head office and operational control are in Italy, the Italian authority will be your primary regulator. Monitor the Commission's public register (maintained under Article 25(2)) to confirm the designation. If your main establishment is outside Italy, you must still understand the cooperative mechanisms; while the Italian authority lacks exclusive competence, it can trigger cross-border investigations under Article 28 if your services impact Italian public order.
2. Prepare for Enhanced Scrutiny: Article 26 grants Italian authorities broad investigative powers, including on-site inspections and the ability to seize data and records. Your internal compliance programs must be robust enough to withstand such scrutiny. Ensure that your documentation regarding Union assurance levels (self-assessments for Level 1, audit reports for Levels 2-4) is readily accessible and verifiable. Implement strong data governance and record-keeping practices to demonstrate compliance with the sovereignty criteria in Annex II of CADA, particularly regarding data localisation and third-country control.
3. Audit and Assurance Readiness: If you are seeking recognition for Union Assurance Levels 2, 3, or 4, you must undergo independent third-party audits. The Italian competent authority (if you are an Italian provider) will evaluate the evidence submitted, including the audit report and opinion. Ensure your chosen auditing organisation meets the strict independence and competence requirements of Article 20. Be prepared to provide the authority with all necessary evidence, including software bills of materials (SBOMs), data flow diagrams, and proof of data localisation, as detailed in Annex III.
4. Risk of Fines and Reputational Damage: Non-compliance can lead to significant financial penalties under Article 24 and enforcement actions under Article 26. Beyond fines, a negative audit opinion or revocation of recognition can be devastating for your ability to serve public sector clients in Italy and the rest of the EU. The central repository of recognised services (Article 22) will publicly list your status, so any revocation or penalty will be visible to potential clients. Proactively address any material changes in your service offering or control structures to avoid inadvertent non-compliance.
5. Engage with National Strategy: Italy will also be developing a national cloud and AI strategy under Article 7. While this is separate from the competent authority's enforcement role, alignment with national strategic priorities may influence how the authority interprets certain risk assessments or prioritizes inspections. Stay informed about Italy's national strategy to anticipate potential shifts in regulatory focus.
Common misconceptions
Misconception 1: Italy will create a brand-new regulatory agency. Reality: Article 25(1) explicitly allows Member States to designate existing authorities. Italy is likely to assign these duties to an existing body such as AgID or the Data Protection Authority, rather than creating a new entity from scratch, provided it has the necessary resources.
Misconception 2: The Italian authority regulates all cloud providers operating in Italy. Reality: Article 25(4) establishes that the Member State of the provider's main establishment has exclusive competence. If a US or German provider serves Italian clients but has its main establishment elsewhere, the Italian authority does not have primary enforcement power, though it can cooperate via mutual assistance under Article 27.
Misconception 3: Only cybersecurity issues are regulated. Reality: CADA's sovereignty framework goes beyond technical cybersecurity. It addresses operational autonomy, data localisation, and protection from third-country legal extraterritoriality. The competent authority's role is to enforce these broader sovereignty criteria, not just technical security standards.
Misconception 4: Penalties are fixed and standardized across the EU. Reality: While CADA sets out criteria for penalties in Article 24, it is up to individual Member States, including Italy, to lay down the specific rules on penalties. The fines and periodic penalty payments will be determined within the Italian legal framework, subject to the proportionality and dissuasiveness requirements of EU law.
This is general information about a draft EU regulation, not legal advice.