Summary

Under the proposed Cloud and AI Development Act (CADA), Luxembourg is required to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the Regulation's entry into force. As proposed, these authorities would hold exclusive competence over cloud computing service providers whose main establishment is located in Luxembourg, granting them sole power to investigate infringements, order cessation, and impose fines. The specific body has not yet been named in the proposal; however, the Commission will maintain a public register of all designated authorities once they are appointed.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union framework for cloud computing sovereignty. To ensure this framework is effectively applied across the single market, the proposal mandates that each Member State appoint national competent authorities. For Luxembourg, the obligations, powers, and scope of these authorities are defined primarily in Article 25 and Article 26 of the proposal.

Designation and Scope of Competence

Article 25(1) mandates that Luxembourg designate one or more national competent authorities responsible for enforcing Chapter IV of the Regulation, which contains the cloud computing sovereignty framework. The proposal offers flexibility in this designation: Member States may designate an existing authority or authorities, rather than being forced to create a new body from scratch. This designation must be completed by the deadline of one year after the Regulation enters into force.

Once designated, these authorities must be formally notified to the European Commission. Article 25(2) requires Luxembourg to notify the Commission of the names of the competent authorities and their specific tasks and powers. In response, the Commission is required to maintain a public register of these authorities, ensuring transparency for cloud providers and public sector bodies across the Union.

Crucially, Article 25(4) establishes the principle of exclusive competence based on the provider's main establishment. The Member State in which a cloud computing service provider has its main establishment (defined in the proposal as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter.

For providers headquartered in Luxembourg, this means the Luxembourgish competent authority would be the sole EU regulator responsible for supervising their compliance with CADA's sovereignty requirements. This includes the critical task of assessing applications for recognition as offering a Union assurance level (under Article 17), reviewing conformity self-assessments for Level 1, or validating audit reports for Levels 2, 3, and 4. Other Member States' authorities would not have direct enforcement power over these providers; they would be required to seek assistance from the Luxembourgish authority.

Investigative and Enforcement Powers

To ensure effective supervision, Article 26 grants Luxembourg's competent authorities robust investigative and enforcement powers. These powers are designed to be effective, dissuasive, and proportionate to the infringement.

Investigative Powers (Article 26(1)): The competent authority would have the power to:

  • Require information: Demand that any cloud computing service provider, or any other person reasonably expected to hold relevant information (including auditing organisations), provide specific information as soon as possible.
  • Conduct inspections: Carry out, or request a judicial authority to order, inspections of any premises used by providers or related persons. This includes the power to examine, seize, take, or obtain copies of information relating to suspected infringements in any form, irrespective of the storage medium.
  • Request explanations: Ask any member of staff or representative of those providers to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.

Enforcement Powers (Article 26(2)): If an infringement is identified, the authority would have the power to:

  • Order cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end.
  • Impose fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including with any of the investigative orders issued.
  • Impose periodic penalty payments: Impose a periodic penalty payment, or request a judicial authority to do so, to ensure that an infringement is terminated in compliance with an order, or for failure to comply with investigative orders.

These measures must be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file, and must be subject to the right of all affected parties to an effective judicial remedy, as outlined in Article 26(4).

Penalties and Compensation Framework

While Article 26 outlines the powers to impose fines and penalty payments, Article 24 sets the broader framework for penalties applicable to infringements of the sovereignty chapter. Luxembourg would be required to lay down the rules on penalties applicable to infringements by cloud computing service providers within its competence and take all measures necessary to ensure they are implemented. These penalties must be "effective, proportionate and dissuasive."

When imposing penalties, the authority would be required to take into account non-exhaustive criteria, including:

  • The nature, gravity, scale and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover in the preceding financial year in the Union.

Furthermore, Article 24(3) establishes that recipients of cloud computing services would have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under the sovereignty chapter.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers with their main establishment in Luxembourg, the designation of a national competent authority under CADA would create a direct and exclusive supervisory relationship with a specific Luxembourgish regulator.

1. Identify the Authority Early: Although the specific body is not named in the proposal, you should monitor the Commission's public register of competent authorities once the Regulation is adopted. Given Luxembourg's status as a major hub for cloud and data services, an existing regulator (such as the Commission de Surveillance du Secteur Financier, the ILR, or a dedicated digital agency) is likely to be designated. You must ensure your compliance protocols align with the specific procedures and administrative culture of the designated body.

2. Prepare for Enhanced Scrutiny: As the exclusive competent authority for providers based in Luxembourg, the national body would be the sole entity responsible for assessing your application for recognition as offering a Union assurance level (under Article 17). This includes reviewing your conformity self-assessments (for Level 1) or audit reports (for Levels 2-4). You must be prepared to cooperate fully with investigative powers under Article 26, including providing access to premises, data, and staff for questioning. Failure to cooperate could trigger periodic penalty payments.

3. Understand the Risk of Fines and Penalties: Non-compliance with the sovereignty framework could lead to significant financial repercussions. The competent authority could impose fines and periodic penalty payments. Additionally, under Article 24, your customers (particularly public sector bodies) could seek compensation for damages resulting from your non-compliance. Ensure your risk management frameworks account for these potential liabilities, which are distinct from the penalties under the AI Act or GDPR.

4. Cross-Border Cooperation: While the Luxembourg authority would have exclusive competence for providers established there, Article 27 and Article 28 require mutual assistance and cross-border cooperation. If a provider established in Luxembourg offers services in other Member States, the Luxembourg authority may need to collaborate with other national authorities upon request. Compliance officers should ensure their documentation is robust enough to satisfy cross-border scrutiny and that they can respond to information requests from other Member States via their national authority.

Common misconceptions

Misconception 1: Any EU authority can investigate a Luxembourg-based provider. Correction: Article 25(4) explicitly states that the Member State of the main establishment has exclusive competence for enforcing the sovereignty chapter. Other Member States' authorities cannot directly enforce against a Luxembourg-based provider; they must request assistance from the Luxembourgish competent authority.

Misconception 2: The national competent authority is automatically the data protection authority. Correction: While the authority must cooperate with data protection authorities (Article 25(3)), CADA allows Member States to designate any existing authority or create a new one. It is not necessarily the same body that enforces the GDPR, though there may be overlap in functions or personnel.

Misconception 3: Penalties are fixed amounts set by the EU. Correction: CADA does not set fixed penalty amounts. Instead, Article 24 requires Luxembourg to lay down its own rules on penalties, which must be effective, proportionate, and dissuasive. The specific fines will depend on Luxembourg's national implementation of the Regulation, taking into account the criteria listed in the proposal.

Misconception 4: The authority only handles technical cybersecurity. Correction: The authority's mandate under CADA is focused on sovereignty (e.g., establishment, control, data location, personnel citizenship), not just technical cybersecurity. While they must cooperate with cybersecurity authorities, their primary role is to enforce the Union assurance levels defined in Annex II.

This is general information about a draft EU regulation, not legal advice.