Summary

The proposed Cloud and AI Development Act (CADA) does not currently name a specific Lithuanian body as the national competent authority. Instead, Article 25 obliges Lithuania to designate one or more authorities within one year of the Regulation's entry into force, potentially designating an existing regulator. The Commission will maintain a public register of these designated authorities. For cloud providers with their main establishment in Lithuania, the Lithuanian authority would hold exclusive competence for enforcement, wielding significant investigative and punitive powers under Article 26, including the ability to order inspections, impose fines, and levy periodic penalty payments.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonized EU framework for cloud sovereignty, but it deliberately leaves the specific identification of national regulators to the Member States. For Lithuania, this means that while the legal obligations are defined at the EU level, the specific entity responsible for enforcement will be determined by Lithuanian law within a strict statutory deadline.

Designation of the National Competent Authority

Under Article 25(1) of the CADA proposal, Member States, including Lithuania, are required to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework (Title IV of the Regulation). This designation must occur within one year of the Regulation's entry into force. The proposal provides flexibility, allowing Member States to designate an existing authority or authorities rather than creating a new regulatory body from scratch. This is particularly relevant for Lithuania, which may look to existing digital, cybersecurity, or competition regulators to assume these new responsibilities.

Once designated, Lithuania must notify the European Commission of the names of the competent authorities and their specific tasks and powers, as mandated by Article 25(2). The Commission is then obligated to maintain a public register of these authorities. This transparency measure ensures that cloud computing service providers, auditing organizations, and public sector contracting authorities can easily identify the correct regulatory contact point in Lithuania.

Exclusive Competence and the "Home Country" Principle

A critical aspect of the CADA framework is the principle of exclusive competence based on establishment. Article 25(4) states that the Member State in which the cloud computing service provider has its main establishment (defined as the head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty framework.

For a cloud provider with its main establishment in Lithuania, the Lithuanian national competent authority would be the sole regulator responsible for overseeing compliance with the Union assurance levels, auditing procedures, and transparency obligations. This "home country" control model is designed to prevent fragmented enforcement and ensure consistent supervision across the EU single market.

Investigative and Enforcement Powers

The powers granted to the Lithuanian competent authority are robust, detailed in Article 26. These powers are divided into investigative and enforcement categories, ensuring that the authority can effectively monitor and sanction non-compliance.

Investigative Powers (Article 26(1))

To carry out their tasks, particularly regarding the recognition of cloud services under Article 17, the Lithuanian authority would have the power to:

  • Require cloud providers, and any persons acting for them, to provide specific information related to suspected infringements as soon as possible.
  • Carry out inspections, or request a judicial authority to order inspections, of premises used by providers. This includes the power to examine, seize, or obtain copies of information in any form, regardless of the storage medium.
  • Ask staff or representatives of providers to give explanations regarding suspected infringements and, with consent, record their answers.

Enforcement Powers (Article 26(2))

If violations are found, the Lithuanian authority could:

  • Order the cessation of infringements and impose remedies proportionate to the infringement to bring it to an end.
  • Impose fines for failure to comply with the Regulation or investigative orders.
  • Impose periodic penalty payments to ensure that infringements are terminated in compliance with cessation orders.

These measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic and technical capacity of the provider (Article 26(3)).

Penalties and Compensation

While Article 26 outlines the powers to impose fines, Article 24 specifies the criteria for penalties. Lithuania would lay down the specific rules on penalties applicable to infringements by cloud providers within its competence. These penalties must be effective, proportionate, and dissuasive. Factors considered in imposing penalties include the nature and gravity of the infringement, any previous infringements, financial benefits gained, and the provider's annual turnover in the Union.

Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of the sovereignty framework obligations. This creates a private right of action alongside public enforcement, increasing the legal risk for non-compliant providers.

Transparency and Reporting Obligations

Cloud providers recognized under the CADA framework have ongoing transparency obligations. Under Article 23, providers must notify the auditing organization and the national competent authority of establishment (in this case, the Lithuanian authority) as soon as they become aware of any material change in circumstances that may affect their audit report or recognition status. The Lithuanian authority would then assess whether its recognition needs to be amended or revoked.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers established in Lithuania, or those with a main establishment in Lithuania, the implications of CADA are significant and operational.

1. Identify the Regulator Early. Although the specific Lithuanian authority is not yet named, you should monitor the Commission's public register (to be established post-entry-into-force) and Lithuanian legislative transposition efforts. Prepare your compliance team to engage with whichever body is designated, whether it is a new digital agency or an existing regulator like the State Data Protection Inspectorate or the Communications Regulatory Authority.

2. Prepare for Enhanced Scrutiny. The investigative powers under Article 26(1) are extensive. Ensure your data governance and record-keeping systems are robust. You must be able to produce documentation, grant access to premises, and provide explanations regarding your sovereignty compliance (e.g., data localization, subcontractor oversight, third-country control measures) on short notice.

3. Audit and Recognition Readiness. If you seek recognition for Union Assurance Levels 2, 3, or 4, you would undergo independent audits. The Lithuanian competent authority would evaluate the audit reports and your application. Ensure your internal controls align with the criteria in Annex II of CADA. For Level 1, you would issue a self-assessment statement, which must also be scrutinized by the authority unless you are an SME benefiting from automatic recognition derogations.

4. Financial Risk Management. Be aware that non-compliance carries financial penalties. Article 24 mandates that Lithuania impose effective and dissuasive fines. Consider the potential impact on your annual turnover and the possibility of periodic penalty payments for ongoing violations. Additionally, factor in the risk of compensation claims from clients (Article 24(3)) if your service fails to meet the assured sovereignty levels.

5. Continuous Monitoring. Compliance is not a one-time event. Article 23 requires you to report material changes to the Lithuanian authority. Establish internal processes to detect and report changes in your infrastructure, subcontracting arrangements, or corporate control that could affect your sovereignty status.

Common misconceptions

Misconception 1: The EU Commission will directly enforce CADA in Lithuania. While the Commission maintains the central repository of recognized services and the register of authorities, Article 25(4) grants exclusive enforcement competence to the Member State of the provider's main establishment. For providers in Lithuania, the national competent authority would be the primary enforcer, not the Commission.

Misconception 2: Any existing Lithuanian regulator can automatically act as the competent authority. While Article 25(1) allows for the designation of an existing authority, it is not automatic. Lithuania must formally designate the authority and notify the Commission. Until this designation is made and published, there is no legally recognized competent authority for CADA purposes in Lithuania.

Misconception 3: Fines are fixed by the EU Regulation. CADA does not set fixed fine amounts for Member State enforcement. Article 24(1) requires Member States to lay down their own rules on penalties, which must be effective, proportionate, and dissuasive. The specific fine levels would depend on Lithuanian national law implementing the Regulation.

Misconception 4: Only public sector contracts are affected. While the sovereignty framework heavily influences public procurement, the obligations for cloud providers to obtain recognition and comply with assurance levels apply to any provider seeking to offer services to Union entities or public sector bodies. The regulatory oversight by the Lithuanian competent authority would cover all providers established in Lithuania that seek such recognition.

This is general information about a draft EU regulation, not legal advice.