Summary

Under the proposed Cloud and AI Development Act (CADA), liability for infringements of the cloud sovereignty framework rests exclusively with the specific legal entity defined as the "cloud computing service provider." Competence to enforce these rules is assigned to the single Member State where that provider has its "main establishment", defined as the location of its head office or registered office from which "principal financial functions and operational control are exercised" (Article 25(4)). When calculating penalties, authorities must consider the annual turnover of the specific infringing party within the Union (Article 24(2)(f)), meaning liability does not automatically aggregate across an entire corporate group unless the parent entity itself is the provider or the group structure is found to be a sham.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a precise territorial and structural framework for determining liability for breaches of the Union cloud computing sovereignty framework. Unlike broader EU regulations that may apply "undertaking" concepts to aggregate group-wide turnover for competition or data protection fines, CADA anchors enforcement and liability firmly in the concept of the "main establishment" and the specific legal entity providing the service. This distinction is critical for multinational groups operating through complex EU subsidiaries.

Exclusive Competence Based on Main Establishment

The cornerstone of CADA's enforcement mechanism is Article 25, which designates national competent authorities. Article 25(4) states unequivocally: "The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."

This provision creates a single point of regulatory contact for a provider operating across the EU. If a multinational group provides cloud services through an EU subsidiary, the liability for sovereignty framework infringements (such as failing to meet Union assurance levels, providing misleading audit evidence, or violating data localisation rules) falls to that subsidiary, provided it meets the "main establishment" criteria.

The definition of "main establishment" is functional, not merely formal. It requires the exercise of "principal financial functions and operational control." This prevents providers from designating a hollow shell company with no operational reality as their main establishment to fragment liability or obscure regulatory oversight. If a provider is registered in Member State A but its principal financial functions and operational control are exercised from Member State B, the competent authority in Member State B has exclusive competence. This ensures that the regulator with the most direct access to the decision-making centre of the provider is the one enforcing the rules.

Liability of the Infringing Party and Penalty Calculation

Article 24 of CADA outlines the penalties and compensation rules applicable to infringements by cloud computing service providers. Paragraph 1 requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." Crucially, Article 24(2) lists non-exhaustive criteria for imposing these penalties, which include:

  • The nature, gravity, scale, and duration of the infringement (Article 24(2)(a));
  • Any action taken by the infringing party to mitigate damage (Article 24(2)(b));
  • Previous infringements by the infringing party (Article 24(2)(c));
  • Financial benefits gained or losses avoided by the infringing party (Article 24(2)(d));
  • The infringing party's annual turnover in the preceding financial year in the Union (Article 24(2)(f)).

The reference to "the infringing party's annual turnover" in Article 24(2)(f) is a defining feature of CADA's liability regime. It explicitly ties the penalty base to the specific legal entity that committed the infringement, rather than the global or EU-wide turnover of the parent group, unless the parent group itself is the provider. This stands in contrast to regulations like the GDPR or the AI Act, which often reference the total worldwide annual turnover of the "undertaking."

For in-house counsel, this implies that structuring EU operations through distinct, smaller legal entities could theoretically limit the penalty base to the turnover of that specific entity, provided the entity is genuinely independent in its financial and operational control and is the actual provider of the service. However, this is not a "safe harbour" for evasion. If the "main establishment" criteria are not met by the subsidiary, or if the subsidiary is merely a conduit for a parent entity that exercises operational control, the competent authority may determine that the parent or a different entity is the true provider, shifting the liability and penalty base accordingly.

Operational Control and Group Structures

The definition of "main establishment" in Article 25(4) ties liability directly to "operational control." This creates a significant compliance risk for groups that centralize operational decision-making in a third country or in a different EU Member State than where the service provider is legally registered.

If a group structures its EU operations such that the legal provider in Member State A is merely a passive holding company or a local sales office, while the actual cloud infrastructure management, security operations, and financial control are directed from Member State B, the competent authority in Member State B has exclusive competence. This ensures that the regulator overseeing the entity that actually controls the service is the one enforcing the rules.

Furthermore, if the "main establishment" is found to be outside the Union, the provider may not have a designated competent authority under Article 25 within the EU. This creates a critical vulnerability: under Article 17(1), a provider must submit an application for recognition to the "national competent authority of establishment." Without a valid main establishment within the Union, a provider may be unable to obtain recognition for any Union assurance level, effectively barring it from serving public sector bodies under CADA.

Compensation and Recipient Rights

Article 24(3) further clarifies liability by stating that "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This civil liability is also directed at the "cloud computing service provider," reinforcing the principle that the legal entity contracting with the public sector or private recipient bears the risk. The text does not provide for automatic joint and several liability across a corporate group. Liability rests with the specific entity that infringed the rules. However, this does not preclude national laws from piercing the corporate veil in cases of fraud or abuse, nor does it prevent a public body from seeking recourse against a parent company if the parent is found to be the actual provider under the "main establishment" test.

What this means for you

For in-house counsel and compliance officers, CADA's liability framework requires a rigorous audit of your group's EU corporate structure.

  1. Map Your Main Establishment: Identify which legal entity in your group exercises "principal financial functions and operational control." This entity will be the sole target for enforcement actions regarding sovereignty framework infringements. Ensure this entity has the resources to handle regulatory investigations and potential penalties.
  2. Assess Penalty Exposure: When calculating potential fines, focus on the annual Union turnover of the specific infringing entity, not the global group, unless the parent is the provider. However, ensure that your internal compliance programs are robust, as "previous infringements by the infringing party" (Article 24(2)(c)) can escalate penalties.
  3. Avoid Shell Structures: Do not use passive shell companies as your main establishment. Authorities will look for genuine operational control. Misrepresenting your main establishment could lead to enforcement challenges and reputational damage, even if it does not directly alter the penalty calculation formula.
  4. Contractual Risk Allocation: Review contracts with public sector bodies. Since the provider bears civil liability for damages (Article 24(3)), ensure that your insurance coverage and indemnity clauses reflect this exposure. If you are part of a group, consider whether inter-company indemnities are necessary to protect the specific provider entity from losses incurred due to group-wide operational failures.

Common misconceptions

Misconception 1: Group-wide turnover determines fines. Many assume that CADA penalties will be calculated based on the global turnover of the parent company, similar to competition law fines. Article 24(2)(f) specifically references "the infringing party's annual turnover in the preceding financial year in the Union." This limits the penalty base to the specific legal entity's Union turnover, not the group's global turnover.

Misconception 2: Any EU office can be the main establishment. Some providers believe they can choose any EU office as their main establishment for regulatory convenience. Article 25(4) defines it strictly as the place of "head office or registered office from which the principal financial functions and operational control are exercised." A local sales office without operational control does not qualify.

Misconception 3: Liability is shared across the group. CADA does not impose joint and several liability across a corporate group for sovereignty framework infringements. Liability rests with the specific "cloud computing service provider" that infringed the rules. However, if the group structure is used to deliberately evade these rules, authorities may look through the corporate veil under general EU law principles, though CADA itself focuses on the specific provider.

This is general information about a draft EU regulation, not legal advice.